4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 2 Jul 2019 06:14:37 +0000 (08:14 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 2 Jul 2019 06:14:37 +0000 (08:14 +0200)
added patches:
bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch
bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch
net-check-before-dereferencing-netdev_ops-during-busy-poll.patch

queue-4.9/bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch [new file with mode: 0644]
queue-4.9/bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch [new file with mode: 0644]
queue-4.9/net-check-before-dereferencing-netdev_ops-during-busy-poll.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch b/queue-4.9/bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch
new file mode 100644 (file)
index 0000000..b12bc7d
--- /dev/null
@@ -0,0 +1,55 @@
+From 257a525fe2e49584842c504a92c27097407f778f Mon Sep 17 00:00:00 2001
+From: Martin KaFai Lau <kafai@fb.com>
+Date: Fri, 31 May 2019 15:29:13 -0700
+Subject: bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro
+
+From: Martin KaFai Lau <kafai@fb.com>
+
+commit 257a525fe2e49584842c504a92c27097407f778f upstream.
+
+When the commit a6024562ffd7 ("udp: Add GRO functions to UDP socket")
+added udp[46]_lib_lookup_skb to the udp_gro code path, it broke
+the reuseport_select_sock() assumption that skb->data is pointing
+to the transport header.
+
+This patch follows an earlier __udp6_lib_err() fix by
+passing a NULL skb to avoid calling the reuseport's bpf_prog.
+
+Fixes: a6024562ffd7 ("udp: Add GRO functions to UDP socket")
+Cc: Tom Herbert <tom@herbertland.com>
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/udp.c |    6 +++++-
+ net/ipv6/udp.c |    2 +-
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/udp.c
++++ b/net/ipv4/udp.c
+@@ -569,7 +569,11 @@ static inline struct sock *__udp4_lib_lo
+ struct sock *udp4_lib_lookup_skb(struct sk_buff *skb,
+                                __be16 sport, __be16 dport)
+ {
+-      return __udp4_lib_lookup_skb(skb, sport, dport, &udp_table);
++      const struct iphdr *iph = ip_hdr(skb);
++
++      return __udp4_lib_lookup(dev_net(skb->dev), iph->saddr, sport,
++                               iph->daddr, dport, inet_iif(skb),
++                               &udp_table, NULL);
+ }
+ EXPORT_SYMBOL_GPL(udp4_lib_lookup_skb);
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -294,7 +294,7 @@ struct sock *udp6_lib_lookup_skb(struct
+       return __udp6_lib_lookup(dev_net(skb->dev), &iph->saddr, sport,
+                                &iph->daddr, dport, inet6_iif(skb),
+-                               &udp_table, skb);
++                               &udp_table, NULL);
+ }
+ EXPORT_SYMBOL_GPL(udp6_lib_lookup_skb);
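Review bot: The `NULL` now passed as the last argument of `__udp4_lib_lookup()` in `udp4_lib_lookup_skb()` carries no comment, so the reason for dropping the skb lives only in the changelog and a later cleanup could restore it. I would add above the call `/* GRO path: skb->data is not at the transport header, so pass a NULL skb to keep reuseport's bpf_prog from running */`. The same comment fits the `&udp_table, NULL);` line in `udp6_lib_lookup_skb()` and the `__udp6_lib_lookup()` call in `__udp6_lib_err()` in the next patch. The body of `udp6_lib_lookup_skb()` starts outside its hunk.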
diff --git a/queue-4.9/bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch b/queue-4.9/bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch
new file mode 100644 (file)
index 0000000..f00766b
--- /dev/null
@@ -0,0 +1,50 @@
+From 4ac30c4b3659efac031818c418beb51e630d512d Mon Sep 17 00:00:00 2001
+From: Martin KaFai Lau <kafai@fb.com>
+Date: Fri, 31 May 2019 15:29:11 -0700
+Subject: bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err
+
+From: Martin KaFai Lau <kafai@fb.com>
+
+commit 4ac30c4b3659efac031818c418beb51e630d512d upstream.
+
+__udp6_lib_err() may be called when handling icmpv6 message. For example,
+the icmpv6 toobig(type=2).  __udp6_lib_lookup() is then called
+which may call reuseport_select_sock().  reuseport_select_sock() will
+call into a bpf_prog (if there is one).
+
+reuseport_select_sock() is expecting the skb->data pointing to the
+transport header (udphdr in this case).  For example, run_bpf_filter()
+is pulling the transport header.
+
+However, in the __udp6_lib_err() path, the skb->data is pointing to the
+ipv6hdr instead of the udphdr.
+
+One option is to pull and push the ipv6hdr in __udp6_lib_err().
+Instead of doing this, this patch follows how the original
+commit 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+was done in IPv4, which has passed a NULL skb pointer to
+reuseport_select_sock().
+
+Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF")
+Cc: Craig Gallek <kraig@google.com>
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Acked-by: Song Liu <songliubraving@fb.com>
+Acked-by: Craig Gallek <kraig@google.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/udp.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/udp.c
++++ b/net/ipv6/udp.c
+@@ -479,7 +479,7 @@ void __udp6_lib_err(struct sk_buff *skb,
+       struct net *net = dev_net(skb->dev);
+       sk = __udp6_lib_lookup(net, daddr, uh->dest, saddr, uh->source,
+-                             inet6_iif(skb), udptable, skb);
++                             inet6_iif(skb), udptable, NULL);
+       if (!sk) {
+               __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev),
+                                 ICMP6_MIB_INERRORS);
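Review bot: With a NULL skb at the `__udp6_lib_lookup()` call, the socket that receives the ICMPv6 error is presumably chosen by the reuseport group's default selection rather than by the attached bpf_prog, so the error may reach a different socket than the one the program steers that flow's data to. The changelog justifies the NULL but the code does not record this consequence. A comment at the call such as `/* NULL skb: reuseport's bpf_prog is skipped, so the error goes to the group's default pick */` would help whoever debugs missed toobig notifications on a reuseport group. `__udp6_lib_err()` starts and ends outside the hunk, so how the looked-up socket is used afterwards is not visible here.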
diff --git a/queue-4.9/net-check-before-dereferencing-netdev_ops-during-busy-poll.patch b/queue-4.9/net-check-before-dereferencing-netdev_ops-during-busy-poll.patch
new file mode 100644 (file)
index 0000000..53ec3fb
--- /dev/null
@@ -0,0 +1,86 @@
+From jelsasser@appneta.com  Tue Jul  2 07:47:19 2019
+From: Josh Elsasser <jelsasser@appneta.com>
+Date: Mon,  1 Jul 2019 16:41:43 -0700
+Subject: net: check before dereferencing netdev_ops during busy poll
+To: stable@vger.kernel.org
+Cc: Josh Elsasser <jelsasser@appneta.com>, gregkh@linuxfoundation.org, netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>, Eric Dumazet <edumazet@google.com>, Matteo Croce <mcroce@redhat.com>
+Message-ID: <20190701234143.72631-1-jelsasser@appneta.com>
+
+From: Josh Elsasser <jelsasser@appneta.com>
+
+init_dummy_netdev() leaves its netdev_ops pointer zeroed. This leads
+to a NULL pointer dereference when sk_busy_loop fires against an iwlwifi
+wireless adapter and checks napi->dev->netdev_ops->ndo_busy_poll.
+
+Avoid this by ensuring napi->dev->netdev_ops is valid before following
+the pointer, avoiding the following panic when busy polling on a dummy
+netdev:
+
+  BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8
+  IP: [<ffffffff817b4b72>] sk_busy_loop+0x92/0x2f0
+  Call Trace:
+   [<ffffffff815a3134>] ? uart_write_room+0x74/0xf0
+   [<ffffffff817964a9>] sock_poll+0x99/0xa0
+   [<ffffffff81223142>] do_sys_poll+0x2e2/0x520
+   [<ffffffff8118d3fc>] ? get_page_from_freelist+0x3bc/0xa30
+   [<ffffffff810ada22>] ? update_curr+0x62/0x140
+   [<ffffffff811ea671>] ? __slab_free+0xa1/0x2a0
+   [<ffffffff811ea671>] ? __slab_free+0xa1/0x2a0
+   [<ffffffff8179dbb1>] ? skb_free_head+0x21/0x30
+   [<ffffffff81221bd0>] ? poll_initwait+0x50/0x50
+   [<ffffffff811eaa36>] ? kmem_cache_free+0x1c6/0x1e0
+   [<ffffffff815a4884>] ? uart_write+0x124/0x1d0
+   [<ffffffff810bd1cd>] ? remove_wait_queue+0x4d/0x60
+   [<ffffffff810bd224>] ? __wake_up+0x44/0x50
+   [<ffffffff81582731>] ? tty_write_unlock+0x31/0x40
+   [<ffffffff8158c5c6>] ? tty_ldisc_deref+0x16/0x20
+   [<ffffffff81584820>] ? tty_write+0x1e0/0x2f0
+   [<ffffffff81587e50>] ? process_echoes+0x80/0x80
+   [<ffffffff8120c17b>] ? __vfs_write+0x2b/0x130
+   [<ffffffff8120d09a>] ? vfs_write+0x15a/0x1a0
+   [<ffffffff81223455>] SyS_poll+0x75/0x100
+   [<ffffffff819a6524>] entry_SYSCALL_64_fastpath+0x24/0xcf
+
+Commit 79e7fff47b7b ("net: remove support for per driver ndo_busy_poll()")
+indirectly fixed this upstream in linux-4.11 by removing the offending
+pointer usage. No other users of napi->dev touch its netdev_ops.
+
+Fixes: ce6aea93f751 ("net: network drivers no longer need to implement ndo_busy_poll()") # 4.9.y
+Signed-off-by: Josh Elsasser <jelsasser@appneta.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Tested-by: Matteo Croce <mcroce@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+
+No changes since V2[1], resent as per discussiond on -stable[2]. I hope
+this is the correct way to send net fixes for older LTS releases, I'm
+going off of the latest netdev FAQ:
+
+   For earlier stable releases, each stable branch maintainer is supposed
+   to take care of them. If you find any patch is missing from an earlier
+   stable branch, please notify stable@vger.kernel.org with either a commit
+   ID or a formal patch backported, and CC Dave and other relevant networking
+   developers.
+
+[1]: https://patchwork.ozlabs.org/patch/884986/
+[2]: https://lore.kernel.org/stable/CAGnkfhx3ykbEsW+=FtpMFWU=_Vnie7RpPYWpWqa1S1HPMXj9kw@mail.gmail.com/
+
+
+ net/core/dev.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -5083,7 +5083,10 @@ bool sk_busy_loop(struct sock *sk, int n
+               goto out;
+       /* Note: ndo_busy_poll method is optional in linux-4.5 */
+-      busy_poll = napi->dev->netdev_ops->ndo_busy_poll;
++      if (napi->dev->netdev_ops)
++              busy_poll = napi->dev->netdev_ops->ndo_busy_poll;
++      else
++              busy_poll = NULL;
+       do {
+               rc = 0;
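Review bot: The comment kept above the new check, `/* Note: ndo_busy_poll method is optional in linux-4.5 */`, describes only the optional method and not the case the check was added for, a device whose `netdev_ops` itself is NULL. I would extend it to `/* netdev_ops is NULL on init_dummy_netdev() devices; ndo_busy_poll itself is optional */` so the guard is not dropped as redundant in a later backport. As a style point, the four added lines could be one statement: `busy_poll = napi->dev->netdev_ops ? napi->dev->netdev_ops->ndo_busy_poll : NULL;`. `sk_busy_loop()` starts and ends outside the hunk, so whether `napi->dev` is validated earlier is not visible here.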
index f889934b348b46412c607bf04343d826c3f0a619..7d5755f36c6b2a1d9ba13109ec2c4cb4cc9d97ed 100644 (file)
@@ -58,3 +58,6 @@ tun-wake-up-waitqueues-after-iff_up-is-set.patch
 team-always-enable-vlan-tx-offload.patch
 bonding-always-enable-vlan-tx-offload.patch
 ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch
+net-check-before-dereferencing-netdev_ops-during-busy-poll.patch
+bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch
+bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch