From 9e48488eb3d3ea890ad1816b2bf1e6b25cb9243c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Sat, 4 Aug 2018 09:33:30 +0200 Subject: [PATCH] 4.14-stable patches added patches: bonding-avoid-lockdep-confusion-in-bond_get_stats.patch inet-frag-enforce-memory-limits-earlier.patch ipv4-frags-handle-possible-skb-truesize-change.patch net-dsa-do-not-suspend-resume-closed-slave_dev.patch net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch net-stmmac-fix-wol-for-pci-based-setups.patch netlink-fix-spectre-v1-gadget-in-netlink_create.patch rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch --- ...-lockdep-confusion-in-bond_get_stats.patch | 174 ++++++++++++++++++ ...t-frag-enforce-memory-limits-earlier.patch | 60 ++++++ ...-handle-possible-skb-truesize-change.patch | 50 +++++ ...-not-suspend-resume-closed-slave_dev.patch | 43 +++++ ...lize-eswitch-only-if-eswitch-manager.patch | 41 +++++ ...-stmmac-fix-wol-for-pci-based-setups.patch | 84 +++++++++ ...-spectre-v1-gadget-in-netlink_create.patch | 51 +++++ ...-check-in-rxrpc_service_prealloc_one.patch | 37 ++++ 8 files changed, 540 insertions(+) create mode 100644 queue-4.14/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch create mode 100644 queue-4.14/inet-frag-enforce-memory-limits-earlier.patch create mode 100644 queue-4.14/ipv4-frags-handle-possible-skb-truesize-change.patch create mode 100644 queue-4.14/net-dsa-do-not-suspend-resume-closed-slave_dev.patch create mode 100644 queue-4.14/net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch create mode 100644 queue-4.14/net-stmmac-fix-wol-for-pci-based-setups.patch create mode 100644 queue-4.14/netlink-fix-spectre-v1-gadget-in-netlink_create.patch create mode 100644 queue-4.14/rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch 
diff --git a/queue-4.14/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch b/queue-4.14/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch new file mode 100644 index 00000000000..5341b821493 --- /dev/null +++ b/queue-4.14/bonding-avoid-lockdep-confusion-in-bond_get_stats.patch 
@@ -0,0 +1,174 @@ +From foo@baz Sat Aug 4 09:10:30 CEST 2018 +From: Eric Dumazet +Date: Tue, 31 Jul 2018 06:30:54 -0700 +Subject: bonding: avoid lockdep confusion in bond_get_stats() + +From: Eric Dumazet + +[ Upstream commit 7e2556e40026a1b0c16f37446ab398d5a5a892e4 ] + +syzbot found that the following sequence produces a LOCKDEP splat [1] + +ip link add bond10 type bond +ip link add bond11 type bond +ip link set bond11 master bond10 + +To fix this, we can use the already provided nest_level. + +This patch also provides correct nesting for dev->addr_list_lock + +[1] +WARNING: possible recursive locking detected +4.18.0-rc6+ #167 Not tainted +-------------------------------------------- +syz-executor751/4439 is trying to acquire lock: +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + +but task is already holding lock: +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] +(____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + +other info that might help us debug this: + Possible unsafe locking scenario: + + CPU0 + ---- + lock(&(&bond->stats_lock)->rlock); + lock(&(&bond->stats_lock)->rlock); + + *** DEADLOCK *** + + May be due to missing lock nesting notation + +3 locks held by syz-executor751/4439: + #0: (____ptrval____) (rtnl_mutex){+.+.}, at: rtnl_lock+0x17/0x20 net/core/rtnetlink.c:77 + #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: spin_lock include/linux/spinlock.h:310 [inline] + #1: (____ptrval____) (&(&bond->stats_lock)->rlock){+.+.}, at: bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + #2: (____ptrval____) (rcu_read_lock){....}, at: bond_get_stats+0x0/0x560 include/linux/compiler.h:215 + +stack backtrace: +CPU: 0 PID: 4439 Comm: 
syz-executor751 Not tainted 4.18.0-rc6+ #167 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x1c9/0x2b4 lib/dump_stack.c:113 + print_deadlock_bug kernel/locking/lockdep.c:1765 [inline] + check_deadlock kernel/locking/lockdep.c:1809 [inline] + validate_chain kernel/locking/lockdep.c:2405 [inline] + __lock_acquire.cold.64+0x1fb/0x486 kernel/locking/lockdep.c:3435 + lock_acquire+0x1e4/0x540 kernel/locking/lockdep.c:3924 + __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline] + _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:144 + spin_lock include/linux/spinlock.h:310 [inline] + bond_get_stats+0xb4/0x560 drivers/net/bonding/bond_main.c:3426 + dev_get_stats+0x10f/0x470 net/core/dev.c:8316 + bond_get_stats+0x232/0x560 drivers/net/bonding/bond_main.c:3432 + dev_get_stats+0x10f/0x470 net/core/dev.c:8316 + rtnl_fill_stats+0x4d/0xac0 net/core/rtnetlink.c:1169 + rtnl_fill_ifinfo+0x1aa6/0x3fb0 net/core/rtnetlink.c:1611 + rtmsg_ifinfo_build_skb+0xc8/0x190 net/core/rtnetlink.c:3268 + rtmsg_ifinfo_event.part.30+0x45/0xe0 net/core/rtnetlink.c:3300 + rtmsg_ifinfo_event net/core/rtnetlink.c:3297 [inline] + rtnetlink_event+0x144/0x170 net/core/rtnetlink.c:4716 + notifier_call_chain+0x180/0x390 kernel/notifier.c:93 + __raw_notifier_call_chain kernel/notifier.c:394 [inline] + raw_notifier_call_chain+0x2d/0x40 kernel/notifier.c:401 + call_netdevice_notifiers_info+0x3f/0x90 net/core/dev.c:1735 + call_netdevice_notifiers net/core/dev.c:1753 [inline] + netdev_features_change net/core/dev.c:1321 [inline] + netdev_change_features+0xb3/0x110 net/core/dev.c:7759 + bond_compute_features.isra.47+0x585/0xa50 drivers/net/bonding/bond_main.c:1120 + bond_enslave+0x1b25/0x5da0 drivers/net/bonding/bond_main.c:1755 + bond_do_ioctl+0x7cb/0xae0 drivers/net/bonding/bond_main.c:3528 + dev_ifsioc+0x43c/0xb30 net/core/dev_ioctl.c:327 + dev_ioctl+0x1b5/0xcc0 net/core/dev_ioctl.c:493 + 
sock_do_ioctl+0x1d3/0x3e0 net/socket.c:992 + sock_ioctl+0x30d/0x680 net/socket.c:1093 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1de/0x1720 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + __do_sys_ioctl fs/ioctl.c:708 [inline] + __se_sys_ioctl fs/ioctl.c:706 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:706 + do_syscall_64+0x1b9/0x820 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x440859 +Code: e8 2c af 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 3b 10 fc ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007ffc51a92878 EFLAGS: 00000213 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 0000000000440859 +RDX: 0000000020000040 RSI: 0000000000008990 RDI: 0000000000000003 +RBP: 0000000000000000 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 00000000022d5880 R11: 0000000000000213 R12: 0000000000007390 +R13: 0000000000401db0 R14: 0000000000000000 R15: 0000000000000000 + +Signed-off-by: Eric Dumazet +Cc: Jay Vosburgh +Cc: Veaceslav Falico +Cc: Andy Gospodarek + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1687,6 +1687,8 @@ int bond_enslave(struct net_device *bond + goto err_upper_unlink; + } + ++ bond->nest_level = dev_get_nest_level(bond_dev) + 1; ++ + /* If the mode uses primary, then the following is handled by + * bond_change_active_slave(). 
+ */ +@@ -1734,7 +1736,6 @@ int bond_enslave(struct net_device *bond + if (bond_mode_uses_xmit_hash(bond)) + bond_update_slave_arr(bond, NULL); + +- bond->nest_level = dev_get_nest_level(bond_dev); + + netdev_info(bond_dev, "Enslaving %s as %s interface with %s link\n", + slave_dev->name, +@@ -3379,6 +3380,13 @@ static void bond_fold_stats(struct rtnl_ + } + } + ++static int bond_get_nest_level(struct net_device *bond_dev) ++{ ++ struct bonding *bond = netdev_priv(bond_dev); ++ ++ return bond->nest_level; ++} ++ + static void bond_get_stats(struct net_device *bond_dev, + struct rtnl_link_stats64 *stats) + { +@@ -3387,7 +3395,7 @@ static void bond_get_stats(struct net_de + struct list_head *iter; + struct slave *slave; + +- spin_lock(&bond->stats_lock); ++ spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev)); + memcpy(stats, &bond->bond_stats, sizeof(*stats)); + + rcu_read_lock(); +@@ -4182,6 +4190,7 @@ static const struct net_device_ops bond_ + .ndo_neigh_setup = bond_neigh_setup, + .ndo_vlan_rx_add_vid = bond_vlan_rx_add_vid, + .ndo_vlan_rx_kill_vid = bond_vlan_rx_kill_vid, ++ .ndo_get_lock_subclass = bond_get_nest_level, + #ifdef CONFIG_NET_POLL_CONTROLLER + .ndo_netpoll_setup = bond_netpoll_setup, + .ndo_netpoll_cleanup = bond_netpoll_cleanup, +@@ -4680,6 +4689,7 @@ static int bond_init(struct net_device * + if (!bond->wq) + return -ENOMEM; + ++ bond->nest_level = SINGLE_DEPTH_NESTING; + netdev_lockdep_set_classes(bond_dev); + + list_add_tail(&bond->bond_list, &bn->dev_list); diff --git a/queue-4.14/inet-frag-enforce-memory-limits-earlier.patch b/queue-4.14/inet-frag-enforce-memory-limits-earlier.patch new file mode 100644 index 00000000000..a6582009642 --- /dev/null +++ b/queue-4.14/inet-frag-enforce-memory-limits-earlier.patch 
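Review bot: `bond->nest_level` is raised in bond_enslave (`bond->nest_level = dev_get_nest_level(bond_dev) + 1;`) but nothing visible in this hunk ever lowers it, so after a nested slave is released the bond keeps the deeper subclass that `spin_lock_nested(&bond->stats_lock, bond_get_nest_level(bond_dev))` hands to lockdep; unless bond_release recomputes it elsewhere, the annotation drifts away from the real topology and a genuine stats_lock recursion could go unreported. Lockdep subclasses are also bounded (MAX_LOCKDEP_SUBCLASSES), so a long bond-on-bond chain would trip the bad-subclass warning rather than being validated. I would document both facts at the assignment: `/* one level below the deepest lower device; lockdep only accepts MAX_LOCKDEP_SUBCLASSES levels and this is never decremented on release */`. The bodies of bond_enslave and bond_get_stats continue outside the hunk, so I cannot see whether a release path already handles this.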
@@ -0,0 +1,60 @@
+From foo@baz Sat Aug 4 09:10:30 CEST 2018
+From: Eric Dumazet
+Date: Mon, 30 Jul 2018 20:09:11 -0700
+Subject: inet: frag: enforce memory limits earlier
+
+From: Eric Dumazet
+
+[ Upstream commit 56e2c94f055d328f5f6b0a5c1721cca2f2d4e0a1 ]
+
+We currently check current frags memory usage only when
+a new frag queue is created. This allows attackers to first
+consume the memory budget (default : 4 MB) creating thousands
+of frag queues, then sending tiny skbs to exceed high_thresh
+limit by 2 to 3 order of magnitude.
+
+Note that before commit 648700f76b03 ("inet: frags: use rhashtables
+for reassembly units"), work queue could be starved under DOS,
+getting no cpu cycles.
+After commit 648700f76b03, only the per frag queue timer can eventually
+remove an incomplete frag queue and its skbs.
+
+Fixes: b13d3cbfb8e8 ("inet: frag: move eviction of queues to work queue")
+Signed-off-by: Eric Dumazet
+Reported-by: Jann Horn
+Cc: Florian Westphal
+Cc: Peter Oskolkov
+Cc: Paolo Abeni
+Acked-by: Florian Westphal
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/inet_fragment.c | 10 +++++-----
+ 1 file changed, 5 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/inet_fragment.c
++++ b/net/ipv4/inet_fragment.c
+@@ -356,11 +356,6 @@ static struct inet_frag_queue *inet_frag
+ {
+ struct inet_frag_queue *q;
+
+- if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
+- inet_frag_schedule_worker(f);
+- return NULL;
+- }
+-
+ q = kmem_cache_zalloc(f->frags_cachep, GFP_ATOMIC);
+ if (!q)
+ return NULL;
+@@ -397,6 +392,11 @@ struct inet_frag_queue *inet_frag_find(s
+ struct inet_frag_queue *q;
+ int depth = 0;
+
++ if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh) {
++ inet_frag_schedule_worker(f);
++ return NULL;
++ }
++
+ if (frag_mem_limit(nf) > nf->low_thresh)
+ inet_frag_schedule_worker(f);
+
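Review bot: The relocated check `if (!nf->high_thresh || frag_mem_limit(nf) > nf->high_thresh)` in inet_frag_find now refuses every lookup once the budget is spent, including fragments destined for queues that already exist, and that intent deserves a comment so nobody moves it back into inet_frag_alloc as an "optimization": `/* Enforce high_thresh on every lookup, not only on queue creation: once the budget is spent, existing queues must not keep growing via tiny skbs (see commit message). */`. The commit message itself notes that only the per-queue timer can free an incomplete queue now, so while over budget legitimate reassembly is refused until those timers fire; the reassembly timeout is therefore part of the DoS surface and I would say so in the same comment. I believe this patch and the ipv4 truesize patch in this series are part of the mitigation for the 2018 fragment-reassembly DoS (CVE-2018-5391), which is worth recording in the stable commit for later triage. The hash lookup that makes up the rest of inet_frag_find is outside the hunk.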
diff --git a/queue-4.14/ipv4-frags-handle-possible-skb-truesize-change.patch b/queue-4.14/ipv4-frags-handle-possible-skb-truesize-change.patch
new file mode 100644
index 00000000000..f380ee532f3
--- /dev/null
+++ b/queue-4.14/ipv4-frags-handle-possible-skb-truesize-change.patch
@@ -0,0 +1,50 @@
+From foo@baz Sat Aug 4 09:10:30 CEST 2018
+From: Eric Dumazet
+Date: Mon, 30 Jul 2018 21:50:29 -0700
+Subject: ipv4: frags: handle possible skb truesize change
+
+From: Eric Dumazet
+
+[ Upstream commit 4672694bd4f1aebdab0ad763ae4716e89cb15221 ]
+
+ip_frag_queue() might call pskb_pull() on one skb that
+is already in the fragment queue.
+
+We need to take care of possible truesize change, or we
+might have an imbalance of the netns frags memory usage.
+
+IPv6 is immune to this bug, because RFC5722, Section 4,
+amended by Errata ID 3089 states :
+
+ When reassembling an IPv6 datagram, if
+ one or more its constituent fragments is determined to be an
+ overlapping fragment, the entire datagram (and any constituent
+ fragments) MUST be silently discarded.
+
+Fixes: 158f323b9868 ("net: adjust skb->truesize in pskb_expand_head()")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/ip_fragment.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/net/ipv4/ip_fragment.c
++++ b/net/ipv4/ip_fragment.c
+@@ -447,11 +447,16 @@ found:
+ int i = end - FRAG_CB(next)->offset; /* overlap is 'i' bytes */
+
+ if (i < next->len) {
++ int delta = -next->truesize;
++
+ /* Eat head of the next overlapped fragment
+ * and leave the loop. The next ones cannot overlap.
+ */
+ if (!pskb_pull(next, i))
+ goto err;
++ delta += next->truesize;
++ if (delta)
++ add_frag_mem_limit(qp->q.net, delta);
+ FRAG_CB(next)->offset += i;
+ qp->q.meat -= i;
+ if (next->ip_summed != CHECKSUM_UNNECESSARY)
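Review bot: The accounting adjustment `delta += next->truesize; if (delta) add_frag_mem_limit(qp->q.net, delta);` runs only on the success path; if `pskb_pull(next, i)` fails and `goto err` is taken after pskb_expand_head has already reallocated the head (and, per the Fixes tag, adjusted truesize), `next` stays in the queue with a truesize that no longer matches what was charged, so the eventual uncharge on queue teardown can still be imbalanced — whether that is reachable depends on the pull's internal failure points, which are not visible here. A one-line comment would keep the next reader from "simplifying" this: `/* pskb_pull() may reallocate the head and change truesize; keep the frag memory accounting in sync. */`. Note also that the newly charged delta is not re-checked against high_thresh at this point, which is acceptable only because inet_frag_find (separate patch in this series) now enforces the budget on every lookup. The `err` label and the rest of ip_frag_queue are outside the hunk.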
diff --git a/queue-4.14/net-dsa-do-not-suspend-resume-closed-slave_dev.patch b/queue-4.14/net-dsa-do-not-suspend-resume-closed-slave_dev.patch
new file mode 100644
index 00000000000..12e6d6f8f0b
--- /dev/null
+++ b/queue-4.14/net-dsa-do-not-suspend-resume-closed-slave_dev.patch
@@ -0,0 +1,43 @@
+From foo@baz Sat Aug 4 09:10:30 CEST 2018
+From: Florian Fainelli
+Date: Tue, 31 Jul 2018 17:12:52 -0700
+Subject: net: dsa: Do not suspend/resume closed slave_dev
+
+From: Florian Fainelli
+
+[ Upstream commit a94c689e6c9e72e722f28339e12dff191ee5a265 ]
+
+If a DSA slave network device was previously disabled, there is no need
+to suspend or resume it.
+
+Fixes: 2446254915a7 ("net: dsa: allow switch drivers to implement suspend/resume hooks")
+Signed-off-by: Florian Fainelli
+Reviewed-by: Andrew Lunn
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/dsa/slave.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/dsa/slave.c
++++ b/net/dsa/slave.c
+@@ -1219,6 +1219,9 @@ int dsa_slave_suspend(struct net_device
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_detach(slave_dev);
+
+ if (p->phy) {
+@@ -1236,6 +1239,9 @@ int dsa_slave_resume(struct net_device *
+ {
+ struct dsa_slave_priv *p = netdev_priv(slave_dev);
+
++ if (!netif_running(slave_dev))
++ return 0;
++
+ netif_device_attach(slave_dev);
+
+ if (p->phy) {
diff --git a/queue-4.14/net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch b/queue-4.14/net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch
new file mode 100644
index 00000000000..1824d183c6f
--- /dev/null
+++ b/queue-4.14/net-mlx5e-e-switch-initialize-eswitch-only-if-eswitch-manager.patch
@@ -0,0 +1,41 @@
+From foo@baz Sat Aug 4 09:10:30 CEST 2018
+From: Eli Cohen
+Date: Mon, 16 Jul 2018 11:49:27 +0300
+Subject: net/mlx5e: E-Switch, Initialize eswitch only if eswitch manager
+
+From: Eli Cohen
+
+[ Upstream commit 5f5991f36dce1e69dd8bd7495763eec2e28f08e7 ]
+
+Execute mlx5_eswitch_init() only if we have MLX5_ESWITCH_MANAGER
+capabilities.
+Do the same for mlx5_eswitch_cleanup().
+
+Fixes: a9f7705ffd66 ("net/mlx5: Unify vport manager capability check")
+Signed-off-by: Eli Cohen
+Signed-off-by: Saeed Mahameed
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+@@ -1616,7 +1616,7 @@ int mlx5_eswitch_init(struct mlx5_core_d
+ int vport_num;
+ int err;
+
+- if (!MLX5_VPORT_MANAGER(dev))
++ if (!MLX5_ESWITCH_MANAGER(dev))
+ return 0;
+
+ esw_info(dev,
+@@ -1689,7 +1689,7 @@ abort:
+
+ void mlx5_eswitch_cleanup(struct mlx5_eswitch *esw)
+ {
+- if (!esw || !MLX5_VPORT_MANAGER(esw->dev))
++ if (!esw || !MLX5_ESWITCH_MANAGER(esw->dev))
+ return;
+
+ esw_info(esw->dev, "cleanup\n");
diff --git a/queue-4.14/net-stmmac-fix-wol-for-pci-based-setups.patch b/queue-4.14/net-stmmac-fix-wol-for-pci-based-setups.patch
new file mode 100644
index 00000000000..d4fbf1f3ad7
--- /dev/null
+++ b/queue-4.14/net-stmmac-fix-wol-for-pci-based-setups.patch
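Review bot: With `if (!MLX5_ESWITCH_MANAGER(dev)) return 0;` mlx5_eswitch_init now reports success without setting up an eswitch, so callers cannot distinguish "no eswitch on this function" from "initialized" by return value and every later consumer has to tolerate a NULL eswitch the way mlx5_eswitch_cleanup's `if (!esw || !MLX5_ESWITCH_MANAGER(esw->dev))` does. Any remaining entry point in this file still gated on MLX5_VPORT_MANAGER (SR-IOV enable, devlink mode switches, per-vport configuration) would now run on a device whose eswitch was never initialized; those sites are outside the hunk and should be audited for the same capability test or a NULL check. A comment at the early return would record the contract: `/* Not an eswitch manager: leave the eswitch unallocated; every eswitch entry point must tolerate that. */`.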
@@ -0,0 +1,84 @@
+From foo@baz Sat Aug 4 09:10:30 CEST 2018
+From: Jose Abreu
+Date: Tue, 31 Jul 2018 15:08:20 +0100
+Subject: net: stmmac: Fix WoL for PCI-based setups
+
+From: Jose Abreu
+
+[ Upstream commit b7d0f08e9129c45ed41bc0cfa8e77067881e45fd ]
+
+WoL won't work in PCI-based setups because we are not saving the PCI EP
+state before entering suspend state and not allowing D3 wake.
+
+Fix this by using a wrapper around stmmac_{suspend/resume} which
+correctly sets the PCI EP state.
+
+Signed-off-by: Jose Abreu
+Cc: David S. Miller
+Cc: Joao Pinto
+Cc: Giuseppe Cavallaro
+Cc: Alexandre Torgue
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c | 40 +++++++++++++++++++++--
+ 1 file changed, 38 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
++++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_pci.c
+@@ -257,7 +257,7 @@ static int stmmac_pci_probe(struct pci_d
+ return -ENOMEM;
+
+ /* Enable pci device */
+- ret = pcim_enable_device(pdev);
++ ret = pci_enable_device(pdev);
+ if (ret) {
+ dev_err(&pdev->dev, "%s: ERROR: failed to enable device\n",
+ __func__);
+@@ -300,9 +300,45 @@ static int stmmac_pci_probe(struct pci_d
+ static void stmmac_pci_remove(struct pci_dev *pdev)
+ {
+ stmmac_dvr_remove(&pdev->dev);
++ pci_disable_device(pdev);
+ }
+
+-static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_suspend, stmmac_resume);
++static int stmmac_pci_suspend(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ int ret;
++
++ ret = stmmac_suspend(dev);
++ if (ret)
++ return ret;
++
++ ret = pci_save_state(pdev);
++ if (ret)
++ return ret;
++
++ pci_disable_device(pdev);
++ pci_wake_from_d3(pdev, true);
++ return 0;
++}
++
++static int stmmac_pci_resume(struct device *dev)
++{
++ struct pci_dev *pdev = to_pci_dev(dev);
++ int ret;
++
++ pci_restore_state(pdev);
++ pci_set_power_state(pdev, PCI_D0);
++
++ ret = pci_enable_device(pdev);
++ if (ret)
++ 
return ret;
++
++ pci_set_master(pdev);
++
++ return stmmac_resume(dev);
++}
++
++static SIMPLE_DEV_PM_OPS(stmmac_pm_ops, stmmac_pci_suspend, stmmac_pci_resume);
+
+ /* synthetic ID, no official vendor */
+ #define PCI_VENDOR_ID_STMMAC 0x700
diff --git a/queue-4.14/netlink-fix-spectre-v1-gadget-in-netlink_create.patch b/queue-4.14/netlink-fix-spectre-v1-gadget-in-netlink_create.patch
new file mode 100644
index 00000000000..63e3029b754
--- /dev/null
+++ b/queue-4.14/netlink-fix-spectre-v1-gadget-in-netlink_create.patch
@@ -0,0 +1,51 @@
+From foo@baz Sat Aug 4 09:10:30 CEST 2018
+From: Jeremy Cline
+Date: Tue, 31 Jul 2018 21:13:16 +0000
+Subject: netlink: Fix spectre v1 gadget in netlink_create()
+
+From: Jeremy Cline
+
+[ Upstream commit bc5b6c0b62b932626a135f516a41838c510c6eba ]
+
+'protocol' is a user-controlled value, so sanitize it after the bounds
+check to avoid using it for speculative out-of-bounds access to arrays
+indexed by it.
+
+This addresses the following accesses detected with the help of smatch:
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+ spectre issue 'nlk_cb_mutex_keys' [w]
+
+* net/netlink/af_netlink.c:654 __netlink_create() warn: potential
+ spectre issue 'nlk_cb_mutex_key_strings' [w]
+
+* net/netlink/af_netlink.c:685 netlink_create() warn: potential spectre
+ issue 'nl_table' [w] (local cap)
+
+Cc: Josh Poimboeuf
+Signed-off-by: Jeremy Cline
+Reviewed-by: Josh Poimboeuf
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -63,6 +63,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include
+ #include
+@@ -647,6 +648,7 @@ static int netlink_create(struct net *ne
+
+ if (protocol < 0 || protocol >= MAX_LINKS)
+ return -EPROTONOSUPPORT;
++ protocol = array_index_nospec(protocol, MAX_LINKS);
+
+ netlink_lock_table();
+ #ifdef CONFIG_MODULES
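Review bot: Switching from `pcim_enable_device(pdev)` to the unmanaged `pci_enable_device(pdev)` means the enable is no longer undone automatically, and the hunk only adds `pci_disable_device(pdev)` to stmmac_pci_remove; the probe error paths after the enable (the `dev_err` branch shown here and everything between the two probe hunks) now need a matching `pci_disable_device` or a failed probe leaves the function enabled, and those paths are outside the hunk. In stmmac_pci_suspend the device is disabled and `pci_wake_from_d3(pdev, true)` is armed but no D3 transition is requested (`pci_set_power_state(pdev, PCI_D3hot)` or `pci_prepare_to_sleep`); if the PCI core skips that step when the driver has already saved state, WoL from D3 may still not engage, so either add the transition or comment why the core is relied upon. The resume wrapper also discards the return of `pci_set_power_state(pdev, PCI_D0)`; at least log a failure there before re-enabling the device.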
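Review bot: `protocol = array_index_nospec(protocol, MAX_LINKS);` is only effective while it stays immediately after the range check and before every use of `protocol` as an index (the `nl_table[protocol]` accesses later in netlink_create and the `nlk_cb_mutex_keys[]` indexing in __netlink_create cited in the commit message), so a comment should pin that ordering against future refactoring: `/* protocol comes from userspace (socket(2)); clamp it right after the range check so a mispredicted branch cannot speculatively index nl_table[] / nlk_cb_mutex_keys[] out of bounds */`. The added `#include` line appears with its target stripped in this rendering; it should read `<linux/nospec.h>`, which is where array_index_nospec is defined. The remainder of netlink_create, including the indexed accesses, is outside the hunk.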
diff --git a/queue-4.14/rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch b/queue-4.14/rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch
new file mode 100644
index 00000000000..0033fde9e91
--- /dev/null
+++ b/queue-4.14/rxrpc-fix-user-call-id-check-in-rxrpc_service_prealloc_one.patch
@@ -0,0 +1,37 @@
+From foo@baz Sat Aug 4 09:10:30 CEST 2018
+From: YueHaibing
+Date: Wed, 1 Aug 2018 13:27:23 +0100
+Subject: rxrpc: Fix user call ID check in rxrpc_service_prealloc_one
+
+From: YueHaibing
+
+[ Upstream commit c01f6c9b3207e52fc9973a066a856ddf7a0538d8 ]
+
+There just check the user call ID isn't already in use, hence should
+compare user_call_ID with xcall->user_call_ID, which is current
+node's user_call_ID.
+
+Fixes: 540b1c48c37a ("rxrpc: Fix deadlock between call creation and sendmsg/recvmsg")
+Suggested-by: David Howells
+Signed-off-by: YueHaibing
+Signed-off-by: David Howells
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/rxrpc/call_accept.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/rxrpc/call_accept.c
++++ b/net/rxrpc/call_accept.c
+@@ -115,9 +115,9 @@ static int rxrpc_service_prealloc_one(st
+ while (*pp) {
+ parent = *pp;
+ xcall = rb_entry(parent, struct rxrpc_call, sock_node);
+- if (user_call_ID < call->user_call_ID)
++ if (user_call_ID < xcall->user_call_ID)
+ pp = &(*pp)->rb_left;
+- else if (user_call_ID > call->user_call_ID)
++ else if (user_call_ID > xcall->user_call_ID)
+ pp = &(*pp)->rb_right;
+ else
+ goto id_in_use;
--
2.47.3
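Review bot: The corrected comparisons `if (user_call_ID < xcall->user_call_ID)` / `else if (user_call_ID > xcall->user_call_ID)` finally make the descent depend on the node under inspection; the old `call->user_call_ID` operand was constant across the whole walk, so the tree could be descended in the wrong direction, a genuine duplicate missed or a distinct ID rejected, and since the ID is, as far as I can tell, chosen by the caller (userspace via sendmsg for non-kernel sockets), that is an attacker-reachable bookkeeping error. A regression test that preallocates two calls with distinct IDs and then retries one of them, expecting the third to fail, would pin this. I would also add a short comment above the loop: `/* Walk the socket's call tree by user_call_ID; an existing ID is rejected, never replaced. */`. The `id_in_use` label and the rb_link/insert after the loop are outside the hunk.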