From e6c75312aa03da164d9b9972b6b3a8d6c75d5abe Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 28 Mar 2019 23:27:14 +0100 Subject: [PATCH] 3.18-stable patches added patches: add-hlist_add_tail_rcu-merge-git-git.kernel.org-pub-scm-linux-kernel-git-davem-net.patch dccp-do-not-use-ipv6-header-for-ipv4-flow.patch mac8390-fix-mmio-access-size-probe.patch misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch net-rose-fix-a-possible-stack-overflow.patch net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch packets-always-register-packet-sk-in-the-same-order.patch sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch tcp-do-not-use-ipv6-header-for-ipv4-flow.patch --- ...g-pub-scm-linux-kernel-git-davem-net.patch | 65 +++++++++ ...do-not-use-ipv6-header-for-ipv4-flow.patch | 34 +++++ .../mac8390-fix-mmio-access-size-probe.patch | 74 ++++++++++ ...th-vendor-device-id-for-digium-hfc4s.patch | 36 +++++ ...warn-upon-allocation-in-alloc_pg_vec.patch | 81 +++++++++++ ...t-rose-fix-a-possible-stack-overflow.patch | 131 ++++++++++++++++++ ...mory-leak-in-netdev_register_kobject.patch | 86 ++++++++++++ ...register-packet-sk-in-the-same-order.patch | 71 ++++++++++ ...phdr-by-offset-in-sctp_compute_cksum.patch | 40 ++++++ queue-3.18/series | 10 ++ ...do-not-use-ipv6-header-for-ipv4-flow.patch | 40 ++++++ 11 files changed, 668 insertions(+) create mode 100644 queue-3.18/add-hlist_add_tail_rcu-merge-git-git.kernel.org-pub-scm-linux-kernel-git-davem-net.patch create mode 100644 queue-3.18/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch create mode 100644 queue-3.18/mac8390-fix-mmio-access-size-probe.patch create mode 100644 queue-3.18/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch create mode 100644 queue-3.18/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch create mode 100644 queue-3.18/net-rose-fix-a-possible-stack-overflow.patch create mode 100644 queue-3.18/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch create mode 100644 queue-3.18/packets-always-register-packet-sk-in-the-same-order.patch create mode 100644 queue-3.18/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch create mode 100644 queue-3.18/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch diff --git a/queue-3.18/add-hlist_add_tail_rcu-merge-git-git.kernel.org-pub-scm-linux-kernel-git-davem-net.patch b/queue-3.18/add-hlist_add_tail_rcu-merge-git-git.kernel.org-pub-scm-linux-kernel-git-davem-net.patch new file mode 100644 index 0000000000..fdcd0a3703 --- /dev/null +++ b/queue-3.18/add-hlist_add_tail_rcu-merge-git-git.kernel.org-pub-scm-linux-kernel-git-davem-net.patch @@ -0,0 +1,65 @@ +From 1602f49b58abcb0d34a5f0a29d68e7c1769547aa Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Sat, 23 Apr 2016 18:26:24 -0400 +Subject: Add hlist_add_tail_rcu() (Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net) + +From: David S. Miller + +commit 1602f49b58abcb0d34a5f0a29d68e7c1769547aa upstream. + +[This commit was a merge, but it added hlist_add_tail_rcu(), which is what we + need in this stable tree, so I've changed the subject to be more descriptive + - gregkh] + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/rculist.h | 36 ++++++++++++++++++++++++++++++++++++ + 1 file changed, 36 insertions(+) + +--- a/include/linux/rculist.h ++++ b/include/linux/rculist.h +@@ -405,6 +405,42 @@ static inline void hlist_add_head_rcu(st + } + + /** ++ * hlist_add_tail_rcu ++ * @n: the element to add to the hash list. ++ * @h: the list to add to. ++ * ++ * Description: ++ * Adds the specified element to the specified hlist, ++ * while permitting racing traversals. ++ * ++ * The caller must take whatever precautions are necessary ++ * (such as holding appropriate locks) to avoid racing ++ * with another list-mutation primitive, such as hlist_add_head_rcu() ++ * or hlist_del_rcu(), running on this same list. ++ * However, it is perfectly legal to run concurrently with ++ * the _rcu list-traversal primitives, such as ++ * hlist_for_each_entry_rcu(), used to prevent memory-consistency ++ * problems on Alpha CPUs. Regardless of the type of CPU, the ++ * list-traversal primitive must be guarded by rcu_read_lock(). ++ */ ++static inline void hlist_add_tail_rcu(struct hlist_node *n, ++ struct hlist_head *h) ++{ ++ struct hlist_node *i, *last = NULL; ++ ++ for (i = hlist_first_rcu(h); i; i = hlist_next_rcu(i)) ++ last = i; ++ ++ if (last) { ++ n->next = last->next; ++ n->pprev = &last->next; ++ rcu_assign_pointer(hlist_next_rcu(last), n); ++ } else { ++ hlist_add_head_rcu(n, h); ++ } ++} ++ ++/** + * hlist_add_before_rcu + * @n: the new element to add to the hash list. + * @next: the existing element to add the new element before. diff --git a/queue-3.18/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-3.18/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch new file mode 100644 index 0000000000..7bef438531 --- /dev/null +++ b/queue-3.18/dccp-do-not-use-ipv6-header-for-ipv4-flow.patch @@ -0,0 +1,34 @@ +From foo@baz Thu Mar 28 23:25:55 CET 2019 +From: Eric Dumazet +Date: Tue, 19 Mar 2019 05:46:18 -0700 +Subject: dccp: do not use ipv6 header for ipv4 flow + +From: Eric Dumazet + +[ Upstream commit e0aa67709f89d08c8d8e5bdd9e0b649df61d0090 ] + +When a dual stack dccp listener accepts an ipv4 flow, +it should not attempt to use an ipv6 header or +inet6_iif() helper. + +Fixes: 3df80d9320bc ("[DCCP]: Introduce DCCPv6") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/dccp/ipv6.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/dccp/ipv6.c ++++ b/net/dccp/ipv6.c +@@ -490,8 +490,8 @@ static struct sock *dccp_v6_request_recv + newnp->ipv6_mc_list = NULL; + newnp->ipv6_ac_list = NULL; + newnp->ipv6_fl_list = NULL; +- newnp->mcast_oif = inet6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count diff --git a/queue-3.18/mac8390-fix-mmio-access-size-probe.patch b/queue-3.18/mac8390-fix-mmio-access-size-probe.patch new file mode 100644 index 0000000000..d2a8e1e76a --- /dev/null +++ b/queue-3.18/mac8390-fix-mmio-access-size-probe.patch @@ -0,0 +1,74 @@ +From foo@baz Thu Mar 28 21:57:57 CET 2019 +From: Finn Thain +Date: Sat, 16 Mar 2019 14:21:19 +1100 +Subject: mac8390: Fix mmio access size probe + +From: Finn Thain + +[ Upstream commit bb9e5c5bcd76f4474eac3baf643d7a39f7bac7bb ] + +The bug that Stan reported is as follows. After a restart, a 16-bit NIC +may be incorrectly identified as a 32-bit NIC and stop working. + +mac8390 slot.E: Memory length resource not found, probing +mac8390 slot.E: Farallon EtherMac II-C (type farallon) +mac8390 slot.E: MAC 00:00:c5:30:c2:99, IRQ 61, 32 KB shared memory at 0xfeed0000, 32-bit access. + +The bug never arises after a cold start and only intermittently after a +warm start. (I didn't investigate why the bug is intermittent.) + +It turns out that memcpy_toio() is deprecated and memcmp_withio() also +has issues. Replacing these calls with mmio accessors fixes the problem. + +Reported-and-tested-by: Stan Johnson +Fixes: 2964db0f5904 ("m68k: Mac DP8390 update") +Signed-off-by: Finn Thain +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/8390/mac8390.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/net/ethernet/8390/mac8390.c ++++ b/drivers/net/ethernet/8390/mac8390.c +@@ -156,8 +156,6 @@ static void dayna_block_output(struct ne + #define memcpy_fromio(a, b, c) memcpy((a), (void *)(b), (c)) + #define memcpy_toio(a, b, c) memcpy((void *)(a), (b), (c)) + +-#define memcmp_withio(a, b, c) memcmp((a), (void *)(b), (c)) +- + /* Slow Sane (16-bit chunk memory read/write) Cabletron uses this */ + static void slow_sane_get_8390_hdr(struct net_device *dev, + struct e8390_pkt_hdr *hdr, int ring_page); +@@ -237,19 +235,26 @@ static enum mac8390_type __init mac8390_ + + static enum mac8390_access __init mac8390_testio(volatile unsigned long membase) + { +- unsigned long outdata = 0xA5A0B5B0; +- unsigned long indata = 0x00000000; ++ u32 outdata = 0xA5A0B5B0; ++ u32 indata = 0; ++ + /* Try writing 32 bits */ +- memcpy_toio(membase, &outdata, 4); +- /* Now compare them */ +- if (memcmp_withio(&outdata, membase, 4) == 0) ++ nubus_writel(outdata, membase); ++ /* Now read it back */ ++ indata = nubus_readl(membase); ++ if (outdata == indata) + return ACCESS_32; ++ ++ outdata = 0xC5C0D5D0; ++ indata = 0; ++ + /* Write 16 bit output */ + word_memcpy_tocard(membase, &outdata, 4); + /* Now read it back */ + word_memcpy_fromcard(&indata, membase, 4); + if (outdata == indata) + return ACCESS_16; ++ + return ACCESS_UNKNOWN; + } + diff --git a/queue-3.18/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch b/queue-3.18/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch new file mode 100644 index 0000000000..c3a040e868 --- /dev/null +++ b/queue-3.18/misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch @@ -0,0 +1,36 @@ +From foo@baz Thu Mar 28 23:25:55 CET 2019 +From: Bjorn Helgaas +Date: Mon, 18 Mar 2019 08:51:06 -0500 +Subject: mISDN: hfcpci: Test both vendor & device ID for Digium HFC4S + +From: Bjorn Helgaas + +[ Upstream commit fae846e2b7124d4b076ef17791c73addf3b26350 ] + +The device ID alone does not uniquely identify a device. Test both the +vendor and device ID to make sure we don't mistakenly think some other +vendor's 0xB410 device is a Digium HFC4S. Also, instead of the bare hex +ID, use the same constant (PCI_DEVICE_ID_DIGIUM_HFC4S) used in the device +ID table. + +No functional change intended. + +Signed-off-by: Bjorn Helgaas +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/isdn/hardware/mISDN/hfcmulti.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/isdn/hardware/mISDN/hfcmulti.c ++++ b/drivers/isdn/hardware/mISDN/hfcmulti.c +@@ -4370,7 +4370,8 @@ setup_pci(struct hfc_multi *hc, struct p + if (m->clock2) + test_and_set_bit(HFC_CHIP_CLOCK2, &hc->chip); + +- if (ent->device == 0xB410) { ++ if (ent->vendor == PCI_VENDOR_ID_DIGIUM && ++ ent->device == PCI_DEVICE_ID_DIGIUM_HFC4S) { + test_and_set_bit(HFC_CHIP_B410P, &hc->chip); + test_and_set_bit(HFC_CHIP_PCM_MASTER, &hc->chip); + test_and_clear_bit(HFC_CHIP_PCM_SLAVE, &hc->chip); diff --git a/queue-3.18/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch b/queue-3.18/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch new file mode 100644 index 0000000000..dfeddbcfc5 --- /dev/null +++ b/queue-3.18/net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch @@ -0,0 +1,81 @@ +From foo@baz Thu Mar 28 23:25:55 CET 2019 +From: Christoph Paasch +Date: Mon, 18 Mar 2019 23:14:52 -0700 +Subject: net/packet: Set __GFP_NOWARN upon allocation in alloc_pg_vec + +From: Christoph Paasch + +[ Upstream commit 398f0132c14754fcd03c1c4f8e7176d001ce8ea1 ] + +Since commit fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") +one can now allocate packet ring buffers >= UINT_MAX. However, syzkaller +found that that triggers a warning: + +[ 21.100000] WARNING: CPU: 2 PID: 2075 at mm/page_alloc.c:4584 __alloc_pages_nod0 +[ 21.101490] Modules linked in: +[ 21.101921] CPU: 2 PID: 2075 Comm: syz-executor.0 Not tainted 5.0.0 #146 +[ 21.102784] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 0.5.1 01/01/2011 +[ 21.103887] RIP: 0010:__alloc_pages_nodemask+0x2a0/0x630 +[ 21.104640] Code: fe ff ff 65 48 8b 04 25 c0 de 01 00 48 05 90 0f 00 00 41 bd 01 00 00 00 48 89 44 24 48 e9 9c fe 3 +[ 21.107121] RSP: 0018:ffff88805e1cf920 EFLAGS: 00010246 +[ 21.107819] RAX: 0000000000000000 RBX: ffffffff85a488a0 RCX: 0000000000000000 +[ 21.108753] RDX: 0000000000000000 RSI: dffffc0000000000 RDI: 0000000000000000 +[ 21.109699] RBP: 1ffff1100bc39f28 R08: ffffed100bcefb67 R09: ffffed100bcefb67 +[ 21.110646] R10: 0000000000000001 R11: ffffed100bcefb66 R12: 000000000000000d +[ 21.111623] R13: 0000000000000000 R14: ffff88805e77d888 R15: 000000000000000d +[ 21.112552] FS: 00007f7c7de05700(0000) GS:ffff88806d100000(0000) knlGS:0000000000000000 +[ 21.113612] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 21.114405] CR2: 000000000065c000 CR3: 000000005e58e006 CR4: 00000000001606e0 +[ 21.115367] Call Trace: +[ 21.115705] ? __alloc_pages_slowpath+0x21c0/0x21c0 +[ 21.116362] alloc_pages_current+0xac/0x1e0 +[ 21.116923] kmalloc_order+0x18/0x70 +[ 21.117393] kmalloc_order_trace+0x18/0x110 +[ 21.117949] packet_set_ring+0x9d5/0x1770 +[ 21.118524] ? packet_rcv_spkt+0x440/0x440 +[ 21.119094] ? lock_downgrade+0x620/0x620 +[ 21.119646] ? __might_fault+0x177/0x1b0 +[ 21.120177] packet_setsockopt+0x981/0x2940 +[ 21.120753] ? __fget+0x2fb/0x4b0 +[ 21.121209] ? packet_release+0xab0/0xab0 +[ 21.121740] ? sock_has_perm+0x1cd/0x260 +[ 21.122297] ? selinux_secmark_relabel_packet+0xd0/0xd0 +[ 21.123013] ? __fget+0x324/0x4b0 +[ 21.123451] ? selinux_netlbl_socket_setsockopt+0x101/0x320 +[ 21.124186] ? selinux_netlbl_sock_rcv_skb+0x3a0/0x3a0 +[ 21.124908] ? __lock_acquire+0x529/0x3200 +[ 21.125453] ? selinux_socket_setsockopt+0x5d/0x70 +[ 21.126075] ? __sys_setsockopt+0x131/0x210 +[ 21.126533] ? packet_release+0xab0/0xab0 +[ 21.127004] __sys_setsockopt+0x131/0x210 +[ 21.127449] ? kernel_accept+0x2f0/0x2f0 +[ 21.127911] ? ret_from_fork+0x8/0x50 +[ 21.128313] ? do_raw_spin_lock+0x11b/0x280 +[ 21.128800] __x64_sys_setsockopt+0xba/0x150 +[ 21.129271] ? lockdep_hardirqs_on+0x37f/0x560 +[ 21.129769] do_syscall_64+0x9f/0x450 +[ 21.130182] entry_SYSCALL_64_after_hwframe+0x49/0xbe + +We should allocate with __GFP_NOWARN to handle this. + +Cc: Kal Conley +Cc: Andrey Konovalov +Fixes: fc62814d690c ("net/packet: fix 4gb buffer limit due to overflow check") +Signed-off-by: Christoph Paasch +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/packet/af_packet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -3807,7 +3807,7 @@ static struct pgv *alloc_pg_vec(struct t + struct pgv *pg_vec; + int i; + +- pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL); ++ pg_vec = kcalloc(block_nr, sizeof(struct pgv), GFP_KERNEL | __GFP_NOWARN); + if (unlikely(!pg_vec)) + goto out; + diff --git a/queue-3.18/net-rose-fix-a-possible-stack-overflow.patch b/queue-3.18/net-rose-fix-a-possible-stack-overflow.patch new file mode 100644 index 0000000000..693b42dc92 --- /dev/null +++ b/queue-3.18/net-rose-fix-a-possible-stack-overflow.patch @@ -0,0 +1,131 @@ +From foo@baz Thu Mar 28 23:25:55 CET 2019 +From: Eric Dumazet +Date: Fri, 15 Mar 2019 10:41:14 -0700 +Subject: net: rose: fix a possible stack overflow + +From: Eric Dumazet + +[ Upstream commit e5dcc0c3223c45c94100f05f28d8ef814db3d82c ] + +rose_write_internal() uses a temp buffer of 100 bytes, but a manual +inspection showed that given arbitrary input, rose_create_facilities() +can fill up to 110 bytes. + +Lets use a tailroom of 256 bytes for peace of mind, and remove +the bounce buffer : we can simply allocate a big enough skb +and adjust its length as needed. + +syzbot report : + +BUG: KASAN: stack-out-of-bounds in memcpy include/linux/string.h:352 [inline] +BUG: KASAN: stack-out-of-bounds in rose_create_facilities net/rose/rose_subr.c:521 [inline] +BUG: KASAN: stack-out-of-bounds in rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116 +Write of size 7 at addr ffff88808b1ffbef by task syz-executor.0/24854 + +CPU: 0 PID: 24854 Comm: syz-executor.0 Not tainted 5.0.0+ #97 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + print_address_description.cold+0x7c/0x20d mm/kasan/report.c:187 + kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317 + check_memory_region_inline mm/kasan/generic.c:185 [inline] + check_memory_region+0x123/0x190 mm/kasan/generic.c:191 + memcpy+0x38/0x50 mm/kasan/common.c:131 + memcpy include/linux/string.h:352 [inline] + rose_create_facilities net/rose/rose_subr.c:521 [inline] + rose_write_internal+0x597/0x15d0 net/rose/rose_subr.c:116 + rose_connect+0x7cb/0x1510 net/rose/af_rose.c:826 + __sys_connect+0x266/0x330 net/socket.c:1685 + __do_sys_connect net/socket.c:1696 [inline] + __se_sys_connect net/socket.c:1693 [inline] + __x64_sys_connect+0x73/0xb0 net/socket.c:1693 + do_syscall_64+0x103/0x610 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x458079 +Code: ad b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b8 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f47b8d9dc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002a +RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000458079 +RDX: 000000000000001c RSI: 0000000020000040 RDI: 0000000000000004 +RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00007f47b8d9e6d4 +R13: 00000000004be4a4 R14: 00000000004ceca8 R15: 00000000ffffffff + +The buggy address belongs to the page: +page:ffffea00022c7fc0 count:0 mapcount:0 mapping:0000000000000000 index:0x0 +flags: 0x1fffc0000000000() +raw: 01fffc0000000000 0000000000000000 ffffffff022c0101 0000000000000000 +raw: 0000000000000000 0000000000000000 00000000ffffffff 0000000000000000 +page dumped because: kasan: bad access detected + +Memory state around the buggy address: + ffff88808b1ffa80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88808b1ffb00: 00 00 00 00 00 00 00 00 f1 f1 f1 f1 00 00 00 03 +>ffff88808b1ffb80: f2 f2 00 00 00 00 00 00 00 00 00 00 00 00 04 f3 + ^ + ffff88808b1ffc00: f3 f3 f3 f3 00 00 00 00 00 00 00 00 00 00 00 00 + ffff88808b1ffc80: 00 00 00 00 00 00 00 f1 f1 f1 f1 f1 f1 01 f2 01 + +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/rose/rose_subr.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/rose/rose_subr.c ++++ b/net/rose/rose_subr.c +@@ -105,16 +105,17 @@ void rose_write_internal(struct sock *sk + struct sk_buff *skb; + unsigned char *dptr; + unsigned char lci1, lci2; +- char buffer[100]; +- int len, faclen = 0; ++ int maxfaclen = 0; ++ int len, faclen; ++ int reserve; + +- len = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + ROSE_MIN_LEN + 1; ++ reserve = AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1; ++ len = ROSE_MIN_LEN; + + switch (frametype) { + case ROSE_CALL_REQUEST: + len += 1 + ROSE_ADDR_LEN + ROSE_ADDR_LEN; +- faclen = rose_create_facilities(buffer, rose); +- len += faclen; ++ maxfaclen = 256; + break; + case ROSE_CALL_ACCEPTED: + case ROSE_CLEAR_REQUEST: +@@ -123,15 +124,16 @@ void rose_write_internal(struct sock *sk + break; + } + +- if ((skb = alloc_skb(len, GFP_ATOMIC)) == NULL) ++ skb = alloc_skb(reserve + len + maxfaclen, GFP_ATOMIC); ++ if (!skb) + return; + + /* + * Space for AX.25 header and PID. + */ +- skb_reserve(skb, AX25_BPQ_HEADER_LEN + AX25_MAX_HEADER_LEN + 1); ++ skb_reserve(skb, reserve); + +- dptr = skb_put(skb, skb_tailroom(skb)); ++ dptr = skb_put(skb, len); + + lci1 = (rose->lci >> 8) & 0x0F; + lci2 = (rose->lci >> 0) & 0xFF; +@@ -146,7 +148,8 @@ void rose_write_internal(struct sock *sk + dptr += ROSE_ADDR_LEN; + memcpy(dptr, &rose->source_addr, ROSE_ADDR_LEN); + dptr += ROSE_ADDR_LEN; +- memcpy(dptr, buffer, faclen); ++ faclen = rose_create_facilities(dptr, rose); ++ skb_put(skb, faclen); + dptr += faclen; + break; + diff --git a/queue-3.18/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch b/queue-3.18/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch new file mode 100644 index 0000000000..5dc2e72f09 --- /dev/null +++ b/queue-3.18/net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch @@ -0,0 +1,86 @@ +From foo@baz Thu Mar 28 23:25:55 CET 2019 +From: Wang Hai +Date: Wed, 20 Mar 2019 14:25:05 -0400 +Subject: net-sysfs: Fix memory leak in netdev_register_kobject + +From: Wang Hai + +[ Upstream commit 6b70fc94afd165342876e53fc4b2f7d085009945 ] + +When registering struct net_device, it will call + register_netdevice -> + netdev_register_kobject -> + device_initialize(dev); + dev_set_name(dev, "%s", ndev->name) + device_add(dev) + register_queue_kobjects(ndev) + +In netdev_register_kobject(), if device_add(dev) or +register_queue_kobjects(ndev) failed. Register_netdevice() +will return error, causing netdev_freemem(ndev) to be +called to free net_device, however put_device(&dev->dev)->..-> +kobject_cleanup() won't be called, resulting in a memory leak. + +syzkaller report this: +BUG: memory leak +unreferenced object 0xffff8881f4fad168 (size 8): +comm "syz-executor.0", pid 3575, jiffies 4294778002 (age 20.134s) +hex dump (first 8 bytes): + 77 70 61 6e 30 00 ff ff wpan0... +backtrace: + [<000000006d2d91d7>] kstrdup_const+0x3d/0x50 mm/util.c:73 + [<00000000ba9ff953>] kvasprintf_const+0x112/0x170 lib/kasprintf.c:48 + [<000000005555ec09>] kobject_set_name_vargs+0x55/0x130 lib/kobject.c:281 + [<0000000098d28ec3>] dev_set_name+0xbb/0xf0 drivers/base/core.c:1915 + [<00000000b7553017>] netdev_register_kobject+0xc0/0x410 net/core/net-sysfs.c:1727 + [<00000000c826a797>] register_netdevice+0xa51/0xeb0 net/core/dev.c:8711 + [<00000000857bfcfd>] cfg802154_update_iface_num.isra.2+0x13/0x90 [ieee802154] + [<000000003126e453>] ieee802154_llsec_fill_key_id+0x1d5/0x570 [ieee802154] + [<00000000e4b3df51>] 0xffffffffc1500e0e + [<00000000b4319776>] platform_drv_probe+0xc6/0x180 drivers/base/platform.c:614 + [<0000000037669347>] really_probe+0x491/0x7c0 drivers/base/dd.c:509 + [<000000008fed8862>] driver_probe_device+0xdc/0x240 drivers/base/dd.c:671 + [<00000000baf52041>] device_driver_attach+0xf2/0x130 drivers/base/dd.c:945 + [<00000000c7cc8dec>] __driver_attach+0x10e/0x210 drivers/base/dd.c:1022 + [<0000000057a757c2>] bus_for_each_dev+0x154/0x1e0 drivers/base/bus.c:304 + [<000000005f5ae04b>] bus_add_driver+0x427/0x5e0 drivers/base/bus.c:645 + +Reported-by: Hulk Robot +Fixes: 1fa5ae857bb1 ("driver core: get rid of struct device's bus_id string array") +Signed-off-by: Wang Hai +Reviewed-by: Andy Shevchenko +Reviewed-by: Stephen Hemminger +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/net-sysfs.c | 14 +++++++++----- + 1 file changed, 9 insertions(+), 5 deletions(-) + +--- a/net/core/net-sysfs.c ++++ b/net/core/net-sysfs.c +@@ -1398,16 +1398,20 @@ int netdev_register_kobject(struct net_d + + error = device_add(dev); + if (error) +- return error; ++ goto error_put_device; + + error = register_queue_kobjects(ndev); +- if (error) { +- device_del(dev); +- return error; +- } ++ if (error) ++ goto error_device_del; + + pm_runtime_set_memalloc_noio(dev, true); + ++ return 0; ++ ++error_device_del: ++ device_del(dev); ++error_put_device: ++ put_device(dev); + return error; + } + diff --git a/queue-3.18/packets-always-register-packet-sk-in-the-same-order.patch b/queue-3.18/packets-always-register-packet-sk-in-the-same-order.patch new file mode 100644 index 0000000000..efea8caa87 --- /dev/null +++ b/queue-3.18/packets-always-register-packet-sk-in-the-same-order.patch @@ -0,0 +1,71 @@ +From foo@baz Thu Mar 28 23:25:55 CET 2019 +From: Maxime Chevallier +Date: Sat, 16 Mar 2019 14:41:30 +0100 +Subject: packets: Always register packet sk in the same order + +From: Maxime Chevallier + +[ Upstream commit a4dc6a49156b1f8d6e17251ffda17c9e6a5db78a ] + +When using fanouts with AF_PACKET, the demux functions such as +fanout_demux_cpu will return an index in the fanout socket array, which +corresponds to the selected socket. + +The ordering of this array depends on the order the sockets were added +to a given fanout group, so for FANOUT_CPU this means sockets are bound +to cpus in the order they are configured, which is OK. + +However, when stopping then restarting the interface these sockets are +bound to, the sockets are reassigned to the fanout group in the reverse +order, due to the fact that they were inserted at the head of the +interface's AF_PACKET socket list. + +This means that traffic that was directed to the first socket in the +fanout group is now directed to the last one after an interface restart. + +In the case of FANOUT_CPU, traffic from CPU0 will be directed to the +socket that used to receive traffic from the last CPU after an interface +restart. + +This commit introduces a helper to add a socket at the tail of a list, +then uses it to register AF_PACKET sockets. + +Note that this changes the order in which sockets are listed in /proc and +with sock_diag. + +Fixes: dc99f600698d ("packet: Add fanout support") +Signed-off-by: Maxime Chevallier +Acked-by: Willem de Bruijn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sock.h | 6 ++++++ + net/packet/af_packet.c | 2 +- + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -626,6 +626,12 @@ static inline void sk_add_node_rcu(struc + hlist_add_head_rcu(&sk->sk_node, list); + } + ++static inline void sk_add_node_tail_rcu(struct sock *sk, struct hlist_head *list) ++{ ++ sock_hold(sk); ++ hlist_add_tail_rcu(&sk->sk_node, list); ++} ++ + static inline void __sk_nulls_add_node_rcu(struct sock *sk, struct hlist_nulls_head *list) + { + hlist_nulls_add_head_rcu(&sk->sk_nulls_node, list); +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2878,7 +2878,7 @@ static int packet_create(struct net *net + } + + mutex_lock(&net->packet.sklist_lock); +- sk_add_node_rcu(sk, &net->packet.sklist); ++ sk_add_node_tail_rcu(sk, &net->packet.sklist); + mutex_unlock(&net->packet.sklist_lock); + + preempt_disable(); diff --git a/queue-3.18/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch b/queue-3.18/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch new file mode 100644 index 0000000000..7a60846f6a --- /dev/null +++ b/queue-3.18/sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 28 21:57:57 CET 2019 +From: Xin Long +Date: Mon, 18 Mar 2019 19:47:00 +0800 +Subject: sctp: get sctphdr by offset in sctp_compute_cksum + +From: Xin Long + +[ Upstream commit 273160ffc6b993c7c91627f5a84799c66dfe4dee ] + +sctp_hdr(skb) only works when skb->transport_header is set properly. + +But in Netfilter, skb->transport_header for ipv6 is not guaranteed +to be right value for sctphdr. It would cause to fail to check the +checksum for sctp packets. + +So fix it by using offset, which is always right in all places. + +v1->v2: + - Fix the changelog. + +Fixes: e6d8b64b34aa ("net: sctp: fix and consolidate SCTP checksumming code") +Reported-by: Li Shuang +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/sctp/checksum.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/net/sctp/checksum.h ++++ b/include/net/sctp/checksum.h +@@ -60,7 +60,7 @@ static inline __wsum sctp_csum_combine(_ + static inline __le32 sctp_compute_cksum(const struct sk_buff *skb, + unsigned int offset) + { +- struct sctphdr *sh = sctp_hdr(skb); ++ struct sctphdr *sh = (struct sctphdr *)(skb->data + offset); + __le32 ret, old = sh->checksum; + const struct skb_checksum_ops ops = { + .update = sctp_csum_update, diff --git a/queue-3.18/series b/queue-3.18/series index 1df732657e..17c58baca4 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -25,3 +25,13 @@ video-fbdev-set-pixclock-0-in-goldfishfb.patch arm64-kconfig-drop-config_rtc_lib-dependency.patch mmc-mmc-fix-switch-timeout-issue-caused-by-jiffies-p.patch cfg80211-size-various-nl80211-messages-correctly.patch +dccp-do-not-use-ipv6-header-for-ipv4-flow.patch +misdn-hfcpci-test-both-vendor-device-id-for-digium-hfc4s.patch +net-packet-set-__gfp_nowarn-upon-allocation-in-alloc_pg_vec.patch +net-rose-fix-a-possible-stack-overflow.patch +net-sysfs-fix-memory-leak-in-netdev_register_kobject.patch +add-hlist_add_tail_rcu-merge-git-git.kernel.org-pub-scm-linux-kernel-git-davem-net.patch +packets-always-register-packet-sk-in-the-same-order.patch +tcp-do-not-use-ipv6-header-for-ipv4-flow.patch +sctp-get-sctphdr-by-offset-in-sctp_compute_cksum.patch +mac8390-fix-mmio-access-size-probe.patch diff --git a/queue-3.18/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch b/queue-3.18/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch new file mode 100644 index 0000000000..adc953ba71 --- /dev/null +++ b/queue-3.18/tcp-do-not-use-ipv6-header-for-ipv4-flow.patch @@ -0,0 +1,40 @@ +From foo@baz Thu Mar 28 23:25:55 CET 2019 +From: Eric Dumazet +Date: Tue, 19 Mar 2019 05:45:35 -0700 +Subject: tcp: do not use ipv6 header for ipv4 flow + +From: Eric Dumazet + +[ Upstream commit 89e4130939a20304f4059ab72179da81f5347528 ] + +When a dual stack tcp listener accepts an ipv4 flow, +it should not attempt to use an ipv6 header or tcp_v6_iif() helper. + +Fixes: 1397ed35f22d ("ipv6: add flowinfo for tcp6 pkt_options for all cases") +Fixes: df3687ffc665 ("ipv6: add the IPV6_FL_F_REFLECT flag to IPV6_FL_A_GET") +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/tcp_ipv6.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -1118,11 +1118,11 @@ static struct sock *tcp_v6_syn_recv_sock + newnp->ipv6_fl_list = NULL; + newnp->pktoptions = NULL; + newnp->opt = NULL; +- newnp->mcast_oif = tcp_v6_iif(skb); +- newnp->mcast_hops = ipv6_hdr(skb)->hop_limit; +- newnp->rcv_flowinfo = ip6_flowinfo(ipv6_hdr(skb)); ++ newnp->mcast_oif = inet_iif(skb); ++ newnp->mcast_hops = ip_hdr(skb)->ttl; ++ newnp->rcv_flowinfo = 0; + if (np->repflow) +- newnp->flow_label = ip6_flowlabel(ipv6_hdr(skb)); ++ newnp->flow_label = 0; + + /* + * No need to charge this sock to the relevant IPv6 refcnt debug socks count -- 2.39.5