From: Greg Kroah-Hartman Date: Tue, 2 Jul 2019 06:14:37 +0000 (+0200) Subject: 4.9-stable patches X-Git-Tag: v5.1.16~15 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=1856d9eac9196bffce2d1437f6ae982c0253a210;p=thirdparty%2Fkernel%2Fstable-queue.git 4.9-stable patches added patches: bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch net-check-before-dereferencing-netdev_ops-during-busy-poll.patch --- diff --git a/queue-4.9/bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch b/queue-4.9/bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch new file mode 100644 index 00000000000..b12bc7dbfb9 --- /dev/null +++ b/queue-4.9/bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch 
@@ -0,0 +1,55 @@ +From 257a525fe2e49584842c504a92c27097407f778f Mon Sep 17 00:00:00 2001 +From: Martin KaFai Lau +Date: Fri, 31 May 2019 15:29:13 -0700 +Subject: bpf: udp: Avoid calling reuseport's bpf_prog from udp_gro + +From: Martin KaFai Lau + +commit 257a525fe2e49584842c504a92c27097407f778f upstream. + +When the commit a6024562ffd7 ("udp: Add GRO functions to UDP socket") +added udp[46]_lib_lookup_skb to the udp_gro code path, it broke +the reuseport_select_sock() assumption that skb->data is pointing +to the transport header. + +This patch follows an earlier __udp6_lib_err() fix by +passing a NULL skb to avoid calling the reuseport's bpf_prog. + +Fixes: a6024562ffd7 ("udp: Add GRO functions to UDP socket") +Cc: Tom Herbert +Signed-off-by: Martin KaFai Lau +Acked-by: Song Liu +Signed-off-by: Alexei Starovoitov +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/udp.c | 6 +++++- + net/ipv6/udp.c | 2 +- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -569,7 +569,11 @@ static inline struct sock *__udp4_lib_lo + struct sock *udp4_lib_lookup_skb(struct sk_buff *skb, + __be16 sport, __be16 dport) + { +- return __udp4_lib_lookup_skb(skb, sport, dport, &udp_table); ++ const struct iphdr *iph = ip_hdr(skb); ++ ++ return __udp4_lib_lookup(dev_net(skb->dev), iph->saddr, sport, ++ iph->daddr, dport, inet_iif(skb), ++ &udp_table, NULL); + } + EXPORT_SYMBOL_GPL(udp4_lib_lookup_skb); + +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -294,7 +294,7 @@ struct sock *udp6_lib_lookup_skb(struct + + return __udp6_lib_lookup(dev_net(skb->dev), &iph->saddr, sport, + &iph->daddr, dport, inet6_iif(skb), +- &udp_table, skb); ++ &udp_table, NULL); + } + EXPORT_SYMBOL_GPL(udp6_lib_lookup_skb); + diff --git a/queue-4.9/bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch b/queue-4.9/bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch new file mode 100644 index 00000000000..f00766b83ad 
--- /dev/null +++ b/queue-4.9/bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch @@ -0,0 +1,50 @@ +From 4ac30c4b3659efac031818c418beb51e630d512d Mon Sep 17 00:00:00 2001 +From: Martin KaFai Lau +Date: Fri, 31 May 2019 15:29:11 -0700 +Subject: bpf: udp: ipv6: Avoid running reuseport's bpf_prog from __udp6_lib_err + +From: Martin KaFai Lau + +commit 4ac30c4b3659efac031818c418beb51e630d512d upstream. + +__udp6_lib_err() may be called when handling icmpv6 message. For example, +the icmpv6 toobig(type=2). __udp6_lib_lookup() is then called +which may call reuseport_select_sock(). reuseport_select_sock() will +call into a bpf_prog (if there is one). + +reuseport_select_sock() is expecting the skb->data pointing to the +transport header (udphdr in this case). For example, run_bpf_filter() +is pulling the transport header. + +However, in the __udp6_lib_err() path, the skb->data is pointing to the +ipv6hdr instead of the udphdr. + +One option is to pull and push the ipv6hdr in __udp6_lib_err(). +Instead of doing this, this patch follows how the original +commit 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF") +was done in IPv4, which has passed a NULL skb pointer to +reuseport_select_sock(). + +Fixes: 538950a1b752 ("soreuseport: setsockopt SO_ATTACH_REUSEPORT_[CE]BPF") +Cc: Craig Gallek +Signed-off-by: Martin KaFai Lau +Acked-by: Song Liu +Acked-by: Craig Gallek +Signed-off-by: Alexei Starovoitov +Signed-off-by: Daniel Borkmann +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/udp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -479,7 +479,7 @@ void __udp6_lib_err(struct sk_buff *skb, + struct net *net = dev_net(skb->dev); + + sk = __udp6_lib_lookup(net, daddr, uh->dest, saddr, uh->source, +- inet6_iif(skb), udptable, skb); ++ inet6_iif(skb), udptable, NULL); + if (!sk) { + __ICMP6_INC_STATS(net, __in6_dev_get(skb->dev), + ICMP6_MIB_INERRORS); 
diff --git a/queue-4.9/net-check-before-dereferencing-netdev_ops-during-busy-poll.patch b/queue-4.9/net-check-before-dereferencing-netdev_ops-during-busy-poll.patch new file mode 100644 index 00000000000..53ec3fbf1e8 --- /dev/null +++ b/queue-4.9/net-check-before-dereferencing-netdev_ops-during-busy-poll.patch 
@@ -0,0 +1,86 @@ +From jelsasser@appneta.com Tue Jul 2 07:47:19 2019 +From: Josh Elsasser +Date: Mon, 1 Jul 2019 16:41:43 -0700 +Subject: net: check before dereferencing netdev_ops during busy poll +To: stable@vger.kernel.org +Cc: Josh Elsasser , gregkh@linuxfoundation.org, netdev@vger.kernel.org, "David S. Miller" , Eric Dumazet , Matteo Croce +Message-ID: <20190701234143.72631-1-jelsasser@appneta.com> + +From: Josh Elsasser + +init_dummy_netdev() leaves its netdev_ops pointer zeroed. This leads +to a NULL pointer dereference when sk_busy_loop fires against an iwlwifi +wireless adapter and checks napi->dev->netdev_ops->ndo_busy_poll. + +Avoid this by ensuring napi->dev->netdev_ops is valid before following +the pointer, avoiding the following panic when busy polling on a dummy +netdev: + + BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8 + IP: [] sk_busy_loop+0x92/0x2f0 + Call Trace: + [] ? uart_write_room+0x74/0xf0 + [] sock_poll+0x99/0xa0 + [] do_sys_poll+0x2e2/0x520 + [] ? get_page_from_freelist+0x3bc/0xa30 + [] ? update_curr+0x62/0x140 + [] ? __slab_free+0xa1/0x2a0 + [] ? __slab_free+0xa1/0x2a0 + [] ? skb_free_head+0x21/0x30 + [] ? poll_initwait+0x50/0x50 + [] ? kmem_cache_free+0x1c6/0x1e0 + [] ? uart_write+0x124/0x1d0 + [] ? remove_wait_queue+0x4d/0x60 + [] ? __wake_up+0x44/0x50 + [] ? tty_write_unlock+0x31/0x40 + [] ? tty_ldisc_deref+0x16/0x20 + [] ? tty_write+0x1e0/0x2f0 + [] ? process_echoes+0x80/0x80 + [] ? __vfs_write+0x2b/0x130 + [] ? vfs_write+0x15a/0x1a0 + [] SyS_poll+0x75/0x100 + [] entry_SYSCALL_64_fastpath+0x24/0xcf + +Commit 79e7fff47b7b ("net: remove support for per driver ndo_busy_poll()") +indirectly fixed this upstream in linux-4.11 by removing the offending +pointer usage. No other users of napi->dev touch its netdev_ops. 
+ +Fixes: ce6aea93f751 ("net: network drivers no longer need to implement ndo_busy_poll()") # 4.9.y +Signed-off-by: Josh Elsasser +Reviewed-by: Eric Dumazet +Tested-by: Matteo Croce +Signed-off-by: Greg Kroah-Hartman +--- + +No changes since V2[1], resent as per discussiond on -stable[2]. I hope +this is the correct way to send net fixes for older LTS releases, I'm +going off of the latest netdev FAQ: + + For earlier stable releases, each stable branch maintainer is supposed + to take care of them. If you find any patch is missing from an earlier + stable branch, please notify stable@vger.kernel.org with either a commit + ID or a formal patch backported, and CC Dave and other relevant networking + developers. + +[1]: https://patchwork.ozlabs.org/patch/884986/ +[2]: https://lore.kernel.org/stable/CAGnkfhx3ykbEsW+=FtpMFWU=_Vnie7RpPYWpWqa1S1HPMXj9kw@mail.gmail.com/ + + + net/core/dev.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -5083,7 +5083,10 @@ bool sk_busy_loop(struct sock *sk, int n + goto out; + + /* Note: ndo_busy_poll method is optional in linux-4.5 */ +- busy_poll = napi->dev->netdev_ops->ndo_busy_poll; ++ if (napi->dev->netdev_ops) ++ busy_poll = napi->dev->netdev_ops->ndo_busy_poll; ++ else ++ busy_poll = NULL; + + do { + rc = 0; diff --git a/queue-4.9/series b/queue-4.9/series index f889934b348..7d5755f36c6 100644 --- a/queue-4.9/series +++ b/queue-4.9/series @@ -58,3 +58,6 @@ tun-wake-up-waitqueues-after-iff_up-is-set.patch team-always-enable-vlan-tx-offload.patch bonding-always-enable-vlan-tx-offload.patch ipv4-use-return-value-of-inet_iif-for-__raw_v4_lookup-in-the-while-loop.patch +net-check-before-dereferencing-netdev_ops-during-busy-poll.patch +bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch +bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch
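Review bot: In the net/ipv4/udp.c hunk of bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch, udp4_lib_lookup_skb() is exported (EXPORT_SYMBOL_GPL), so the NULL skb now applies to every caller of that symbol, while the subject and changelog only talk about udp_gro. The changelog should either confirm that GRO is the only user or say that skipping the reuseport bpf_prog is intended for all callers. The open-coded __udp4_lib_lookup() call also needs a short comment at the NULL argument saying that skb->data does not point at the transport header on this path; without it, a later cleanup that switches back to __udp4_lib_lookup_skb(skb, sport, dport, &udp_table) would reintroduce the problem.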
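Review bot: In the net/ipv6/udp.c hunk of bpf-udp-avoid-calling-reuseport-s-bpf_prog-from-udp_gro.patch, the change in udp6_lib_lookup_skb() is a bare "&udp_table, NULL);" with nothing in the code that says why the skb is withheld. The changelog also does not state how a reuseport group picks a socket once the bpf_prog is skipped, or whether that result can differ from the socket the regular receive path selects with the bpf_prog attached. Please add a one-line comment above the __udp6_lib_lookup() call and a sentence in the changelog covering the fallback behaviour.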
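Review bot: In the __udp6_lib_err() hunk of bpf-udp-ipv6-avoid-running-reuseport-s-bpf_prog-from-__udp6_lib_err.patch, the reason for "inet6_iif(skb), udptable, NULL);" lives only in the commit message. The call still takes inet6_iif(skb) one argument earlier, so passing NULL for the skb looks like an oversight to anyone reading the function on its own. A comment above the __udp6_lib_lookup() call stating that skb->data points at the ipv6hdr rather than the udphdr here, and that the reuseport bpf_prog must therefore not run, would keep the fix from being undone.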
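Review bot: In the sk_busy_loop() hunk of net-check-before-dereferencing-netdev_ops-during-busy-poll.patch, the new "if (napi->dev->netdev_ops)" test sits under the existing comment "ndo_busy_poll method is optional in linux-4.5", which explains a NULL method but not a NULL netdev_ops. Extend that comment to say that init_dummy_netdev() leaves netdev_ops zeroed, since that is the only reason the check exists and it is specific to this 4.9.y backport. As a style point, the four-line if/else could be reduced by setting busy_poll to NULL first and assigning it only inside the if.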