From cf03d7d8c228538f729d69d78a7a386e5fa6d587 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Thu, 6 Feb 2020 14:13:54 +0000
Subject: [PATCH] 4.4-stable patches

added patches:
cls_rsvp-fix-rsvp_policy.patch
net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
net_sched-fix-an-oob-access-in-cls_tcindex.patch
tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
---
queue-4.4/cls_rsvp-fix-rsvp_policy.patch | 101 +++++++++++++++++
...sible-null-deref-in-hsr_handle_frame.patch | 62 +++++++++++
...hed-fix-an-oob-access-in-cls_tcindex.patch | 102 ++++++++++++++++++
queue-4.4/series | 5 +
...ar-tp-segs_-in-out-in-tcp_disconnect.patch | 36 +++++++
...r-tp-total_retrans-in-tcp_disconnect.patch | 32 ++++++
6 files changed, 338 insertions(+)
create mode 100644 queue-4.4/cls_rsvp-fix-rsvp_policy.patch
create mode 100644 queue-4.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
create mode 100644 queue-4.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch
create mode 100644 queue-4.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
create mode 100644 queue-4.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch

diff --git a/queue-4.4/cls_rsvp-fix-rsvp_policy.patch b/queue-4.4/cls_rsvp-fix-rsvp_policy.patch
new file mode 100644
index 00000000000..fa9d1e6e5ad
--- /dev/null
+++ b/queue-4.4/cls_rsvp-fix-rsvp_policy.patch
@@ -0,0 +1,101 @@
+From foo@baz Thu 06 Feb 2020 12:41:15 PM GMT
+From: Eric Dumazet
+Date: Fri, 31 Jan 2020 15:27:04 -0800
+Subject: cls_rsvp: fix rsvp_policy
+
+From: Eric Dumazet
+
+[ Upstream commit cb3c0e6bdf64d0d124e94ce43cbe4ccbb9b37f51 ]
+
+NLA_BINARY can be confusing, since .len value represents
+the max size of the blob.
+
+cls_rsvp really wants user space to provide long enough data
+for TCA_RSVP_DST and TCA_RSVP_SRC attributes.
+
+BUG: KMSAN: uninit-value in rsvp_get net/sched/cls_rsvp.h:258 [inline]
+BUG: KMSAN: uninit-value in gen_handle net/sched/cls_rsvp.h:402 [inline]
+BUG: KMSAN: uninit-value in rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+CPU: 1 PID: 13228 Comm: syz-executor.1 Not tainted 5.5.0-rc5-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x1c9/0x220 lib/dump_stack.c:118
+ kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118
+ __msan_warning+0x58/0xa0 mm/kmsan/kmsan_instr.c:215
+ rsvp_get net/sched/cls_rsvp.h:258 [inline]
+ gen_handle net/sched/cls_rsvp.h:402 [inline]
+ rsvp_change+0x1ae9/0x4220 net/sched/cls_rsvp.h:572
+ tc_new_tfilter+0x31fe/0x5010 net/sched/cls_api.c:2104
+ rtnetlink_rcv_msg+0xcb7/0x1570 net/core/rtnetlink.c:5415
+ netlink_rcv_skb+0x451/0x650 net/netlink/af_netlink.c:2477
+ rtnetlink_rcv+0x50/0x60 net/core/rtnetlink.c:5442
+ netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline]
+ netlink_unicast+0xf9e/0x1100 net/netlink/af_netlink.c:1328
+ netlink_sendmsg+0x1248/0x14d0 net/netlink/af_netlink.c:1917
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+RIP: 0033:0x45b349
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f269d43dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
+RAX: ffffffffffffffda RBX: 00007f269d43e6d4 RCX: 000000000045b349
+RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
+RBP: 000000000075bfc8 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 00000000000009c2 R14: 00000000004cb338 R15: 000000000075bfd4
+
+Uninit was created at:
+ kmsan_save_stack_with_flags mm/kmsan/kmsan.c:144 [inline]
+ kmsan_internal_poison_shadow+0x66/0xd0 mm/kmsan/kmsan.c:127
+ kmsan_slab_alloc+0x8a/0xe0 mm/kmsan/kmsan_hooks.c:82
+ slab_alloc_node mm/slub.c:2774 [inline]
+ __kmalloc_node_track_caller+0xb40/0x1200 mm/slub.c:4382
+ __kmalloc_reserve net/core/skbuff.c:141 [inline]
+ __alloc_skb+0x2fd/0xac0 net/core/skbuff.c:209
+ alloc_skb include/linux/skbuff.h:1049 [inline]
+ netlink_alloc_large_skb net/netlink/af_netlink.c:1174 [inline]
+ netlink_sendmsg+0x7d3/0x14d0 net/netlink/af_netlink.c:1892
+ sock_sendmsg_nosec net/socket.c:639 [inline]
+ sock_sendmsg net/socket.c:659 [inline]
+ ____sys_sendmsg+0x12b6/0x1350 net/socket.c:2330
+ ___sys_sendmsg net/socket.c:2384 [inline]
+ __sys_sendmsg+0x451/0x5f0 net/socket.c:2417
+ __do_sys_sendmsg net/socket.c:2426 [inline]
+ __se_sys_sendmsg+0x97/0xb0 net/socket.c:2424
+ __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2424
+ do_syscall_64+0xb8/0x160 arch/x86/entry/common.c:296
+ entry_SYSCALL_64_after_hwframe+0x44/0xa9
+
+Fixes: 6fa8c0144b77 ("[NET_SCHED]: Use nla_policy for attribute validation in classifiers")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Acked-by: Cong Wang
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_rsvp.h | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/sched/cls_rsvp.h
++++ b/net/sched/cls_rsvp.h
+@@ -455,10 +455,8 @@ static u32 gen_tunnel(struct rsvp_head *
+
+ static const struct nla_policy rsvp_policy[TCA_RSVP_MAX + 1] = {
+ [TCA_RSVP_CLASSID] = { .type = NLA_U32 },
+- [TCA_RSVP_DST] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
+- [TCA_RSVP_SRC] = { .type = NLA_BINARY,
+- .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_DST] = { .len = RSVP_DST_LEN * sizeof(u32) },
++ [TCA_RSVP_SRC] = { .len = RSVP_DST_LEN * sizeof(u32) },
+ [TCA_RSVP_PINFO] = { .len = sizeof(struct tc_rsvp_pinfo) },
+ };
+
diff --git a/queue-4.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch b/queue-4.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
new file mode 100644
index 00000000000..9831889d265
--- /dev/null
+++ b/queue-4.4/net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
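Review bot: The rewritten `[TCA_RSVP_DST]` and `[TCA_RSVP_SRC]` entries depend on `.type` defaulting to NLA_UNSPEC, for which `.len` is a minimum attribute length; with NLA_BINARY the same `.len` was a maximum, which is why short attributes reached rsvp_get() uninitialised. Nothing in the table records that, so a later clean-up that puts `.type = NLA_BINARY` back would silently reopen the bug. A one-line comment above the two entries, `/* no .type: NLA_UNSPEC, so .len is a minimum length, not a maximum */`, would pin the intent. The users of rsvp_policy are outside the hunk.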
@@ -0,0 +1,62 @@
+From foo@baz Thu 06 Feb 2020 12:41:15 PM GMT
+From: Eric Dumazet
+Date: Mon, 3 Feb 2020 10:15:07 -0800
+Subject: net: hsr: fix possible NULL deref in hsr_handle_frame()
+
+From: Eric Dumazet
+
+[ Upstream commit 2b5b8251bc9fe2f9118411f037862ee17cf81e97 ]
+
+hsr_port_get_rcu() can return NULL, so we need to be careful.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000006: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000030-0x0000000000000037]
+CPU: 1 PID: 10249 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:__read_once_size include/linux/compiler.h:199 [inline]
+RIP: 0010:hsr_addr_is_self+0x86/0x330 net/hsr/hsr_framereg.c:44
+Code: 04 00 f3 f3 f3 65 48 8b 04 25 28 00 00 00 48 89 45 d0 31 c0 e8 6b ff 94 f9 4c 89 f2 48 b8 00 00 00 00 00 fc ff df 48 c1 ea 03 <80> 3c 02 00 0f 85 75 02 00 00 48 8b 43 30 49 39 c6 49 89 47 c0 0f
+RSP: 0018:ffffc90000da8a90 EFLAGS: 00010206
+RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffffff87e0cc33
+RDX: 0000000000000006 RSI: ffffffff87e035d5 RDI: 0000000000000000
+RBP: ffffc90000da8b20 R08: ffff88808e7de040 R09: ffffed1015d2707c
+R10: ffffed1015d2707b R11: ffff8880ae9383db R12: ffff8880a689bc5e
+R13: 1ffff920001b5153 R14: 0000000000000030 R15: ffffc90000da8af8
+FS: 00007fd7a42be700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 0000001b32338000 CR3: 00000000a928c000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+
+ hsr_handle_frame+0x1c5/0x630 net/hsr/hsr_slave.c:31
+ __netif_receive_skb_core+0xfbc/0x30b0 net/core/dev.c:5099
+ __netif_receive_skb_one_core+0xa8/0x1a0 net/core/dev.c:5196
+ __netif_receive_skb+0x2c/0x1d0 net/core/dev.c:5312
+ process_backlog+0x206/0x750 net/core/dev.c:6144
+ napi_poll net/core/dev.c:6582 [inline]
+ net_rx_action+0x508/0x1120 net/core/dev.c:6650
+ __do_softirq+0x262/0x98c kernel/softirq.c:292
+ do_softirq_own_stack+0x2a/0x40 arch/x86/entry/entry_64.S:1082
+
+
+Fixes: c5a759117210 ("net/hsr: Use list_head (and rcu) instead of array for slave devices.")
+Signed-off-by: Eric Dumazet
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/hsr/hsr_slave.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/hsr/hsr_slave.c
++++ b/net/hsr/hsr_slave.c
+@@ -30,6 +30,8 @@ static rx_handler_result_t hsr_handle_fr
+
+ rcu_read_lock(); /* hsr->node_db, hsr->ports */
+ port = hsr_port_get_rcu(skb->dev);
++ if (!port)
++ goto finish_pass;
+
+ if (hsr_addr_is_self(port->hsr, eth_hdr(skb)->h_source)) {
+ /* Directly kill frames sent by ourselves */
diff --git a/queue-4.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch b/queue-4.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch
new file mode 100644
index 00000000000..fdbfca7ddc4
--- /dev/null
+++ b/queue-4.4/net_sched-fix-an-oob-access-in-cls_tcindex.patch
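Review bot: The new `goto finish_pass` on a NULL port relies on a label outside the hunk to drop the `rcu_read_lock()` taken two lines earlier, so a reader of this diff cannot confirm the lock is released on the new path; a short comment on the check would make the early exit self-contained, e.g. `/* port already gone (slave being detached); unlock and let the frame pass */` — the "being detached" part is inferred from the commit message, not visible here, and should be confirmed. If finish_pass returns RX_HANDLER_PASS as its name suggests, the frame is handed up the stack rather than consumed on this path, which is a choice worth stating in the same comment since it changes what upper layers see during teardown. hsr_handle_frame() begins and ends outside the hunk.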
@@ -0,0 +1,102 @@
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Cong Wang
+Date: Sun, 2 Feb 2020 21:14:35 -0800
+Subject: net_sched: fix an OOB access in cls_tcindex
+
+From: Cong Wang
+
+[ Upstream commit 599be01ee567b61f4471ee8078870847d0a11e8e ]
+
+As Eric noticed, tcindex_alloc_perfect_hash() uses cp->hash
+to compute the size of memory allocation, but cp->hash is
+set again after the allocation, this caused an out-of-bound
+access.
+
+So we have to move all cp->hash initialization and computation
+before the memory allocation. Move cp->mask and cp->shift together
+as cp->hash may need them for computation too.
+
+Reported-and-tested-by: syzbot+35d4dea36c387813ed31@syzkaller.appspotmail.com
+Fixes: 331b72922c5f ("net: sched: RCU cls_tcindex")
+Cc: Eric Dumazet
+Cc: John Fastabend
+Cc: Jamal Hadi Salim
+Cc: Jiri Pirko
+Cc: Jakub Kicinski
+Signed-off-by: Cong Wang
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/cls_tcindex.c | 40 ++++++++++++++++++++--------------------
+ 1 file changed, 20 insertions(+), 20 deletions(-)
+
+--- a/net/sched/cls_tcindex.c
++++ b/net/sched/cls_tcindex.c
+@@ -267,6 +267,25 @@ tcindex_set_parms(struct net *net, struc
+ cp->fall_through = p->fall_through;
+ cp->tp = tp;
+
++ if (tb[TCA_TCINDEX_HASH])
++ cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
++
++ if (tb[TCA_TCINDEX_MASK])
++ cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
++
++ if (tb[TCA_TCINDEX_SHIFT])
++ cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
++
++ if (!cp->hash) {
++ /* Hash not specified, use perfect hash if the upper limit
++ * of the hashing index is below the threshold.
++ */
++ if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
++ cp->hash = (cp->mask >> cp->shift) + 1;
++ else
++ cp->hash = DEFAULT_HASH_SIZE;
++ }
++
+ if (p->perfect) {
+ int i;
+
+@@ -274,7 +293,7 @@ tcindex_set_parms(struct net *net, struc
+ sizeof(*r) * cp->hash, GFP_KERNEL);
+ if (!cp->perfect)
+ goto errout;
+- for (i = 0; i < cp->hash; i++)
++ for (i = 0; i < min(cp->hash, p->hash); i++)
+ tcf_exts_init(&cp->perfect[i].exts,
+ TCA_TCINDEX_ACT, TCA_TCINDEX_POLICE);
+ balloc = 1;
+@@ -286,15 +305,6 @@ tcindex_set_parms(struct net *net, struc
+ if (old_r)
+ cr.res = r->res;
+
+- if (tb[TCA_TCINDEX_HASH])
+- cp->hash = nla_get_u32(tb[TCA_TCINDEX_HASH]);
+-
+- if (tb[TCA_TCINDEX_MASK])
+- cp->mask = nla_get_u16(tb[TCA_TCINDEX_MASK]);
+-
+- if (tb[TCA_TCINDEX_SHIFT])
+- cp->shift = nla_get_u32(tb[TCA_TCINDEX_SHIFT]);
+-
+ err = -EBUSY;
+
+ /* Hash already allocated, make sure that we still meet the
+@@ -312,16 +322,6 @@ tcindex_set_parms(struct net *net, struc
+ if (tb[TCA_TCINDEX_FALL_THROUGH])
+ cp->fall_through = nla_get_u32(tb[TCA_TCINDEX_FALL_THROUGH]);
+
+- if (!cp->hash) {
+- /* Hash not specified, use perfect hash if the upper limit
+- * of the hashing index is below the threshold.
+- */
+- if ((cp->mask >> cp->shift) < PERFECT_HASH_THRESHOLD)
+- cp->hash = (cp->mask >> cp->shift) + 1;
+- else
+- cp->hash = DEFAULT_HASH_SIZE;
+- }
+-
+ if (!cp->perfect && !cp->h)
+ cp->alloc_hash = cp->hash;
+
diff --git a/queue-4.4/series b/queue-4.4/series
index cd9c53d43a2..03b407b2ccb 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
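Review bot: Reading TCA_TCINDEX_HASH before the allocation in the second hunk means the size argument `sizeof(*r) * cp->hash` on that hunk's first context line is now the user-requested size rather than p->hash; if the call whose first line sits just above the hunk duplicates p->perfect (the `min(cp->hash, p->hash)` bound added to the init loop suggests the author expected the two sizes to differ), a request with a larger hash than the existing filter's copies past the end of p->perfect. Mainline does not hit this because, as far as I recall, its tcindex_alloc_perfect_hash() allocates a fresh zeroed table instead of duplicating the old one, so the 4.4 backport should either size the duplicate by `min(cp->hash, p->hash)` or allocate cp->hash zeroed entries and copy only p->hash of them before initialising the rest. The "Hash already allocated" check in the third hunk runs after the allocation and so cannot catch it. Separately, the moved `cp->mask >> cp->shift` still uses cp->shift straight from TCA_TCINDEX_SHIFT with no range check visible in the hunk; a bound before the computation, e.g. `if (cp->shift > 16) { err = -EINVAL; goto errout; }`, would remove the undefined shift for out-of-range values. tcindex_set_parms() begins and ends outside the hunk.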
@@ -2,3 +2,8 @@ media-iguanair-fix-endpoint-sanity-check.patch
 x86-cpu-update-cached-hle-state-on-write-to-tsx_ctrl.patch
 sparc32-fix-struct-ipc64_perm-type-definition.patch
 asoc-qcom-fix-of-node-refcount-unbalance-to-link-codec_of_node.patch
+cls_rsvp-fix-rsvp_policy.patch
+net-hsr-fix-possible-null-deref-in-hsr_handle_frame.patch
+net_sched-fix-an-oob-access-in-cls_tcindex.patch
+tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
+tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
diff --git a/queue-4.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch b/queue-4.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
new file mode 100644
index 00000000000..65dcd4929dd
--- /dev/null
+++ b/queue-4.4/tcp-clear-tp-segs_-in-out-in-tcp_disconnect.patch
@@ -0,0 +1,36 @@
+From foo@baz Thu 06 Feb 2020 12:17:21 PM GMT
+From: Eric Dumazet
+Date: Fri, 31 Jan 2020 10:44:50 -0800
+Subject: tcp: clear tp->segs_{in|out} in tcp_disconnect()
+
+From: Eric Dumazet
+
+[ Upstream commit 784f8344de750a41344f4bbbebb8507a730fc99c ]
+
+tp->segs_in and tp->segs_out need to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 2efd055c53c0 ("tcp: add tcpi_segs_in and tcpi_segs_out to tcp_info")
+Signed-off-by: Eric Dumazet
+Cc: Marcelo Ricardo Leitner
+Cc: Yuchung Cheng
+Cc: Neal Cardwell
+Acked-by: Neal Cardwell
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2273,6 +2273,8 @@ int tcp_disconnect(struct sock *sk, int
+ dst_release(sk->sk_rx_dst);
+ sk->sk_rx_dst = NULL;
+ tcp_saved_syn_free(tp);
++ tp->segs_in = 0;
++ tp->segs_out = 0;
+ tp->bytes_acked = 0;
+ tp->bytes_received = 0;
+
diff --git a/queue-4.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch b/queue-4.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
new file mode 100644
index 00000000000..ec456a80841
--- /dev/null
+++ b/queue-4.4/tcp-clear-tp-total_retrans-in-tcp_disconnect.patch
@@ -0,0 +1,32 @@
+From foo@baz Thu 06 Feb 2020 12:41:15 PM GMT
+From: Eric Dumazet
+Date: Fri, 31 Jan 2020 09:14:47 -0800
+Subject: tcp: clear tp->total_retrans in tcp_disconnect()
+
+From: Eric Dumazet
+
+[ Upstream commit c13c48c00a6bc1febc73902505bdec0967bd7095 ]
+
+total_retrans needs to be cleared in tcp_disconnect().
+
+tcp_disconnect() is rarely used, but it is worth fixing it.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Cc: SeongJae Park
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2261,6 +2261,7 @@ int tcp_disconnect(struct sock *sk, int
+ tp->window_clamp = 0;
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tcp_clear_retrans(tp);
++ tp->total_retrans = 0;
+ inet_csk_delack_init(sk);
+ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
+ * issue in __tcp_select_window()
--
2.47.3