From: Greg Kroah-Hartman Date: Fri, 15 Sep 2017 17:35:35 +0000 (-0700) Subject: 3.18-stable patches X-Git-Tag: v4.9.51~24 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=55edd4e841b71e33329aebf3b6602094348cc75b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: ipv6-accept-64k-1-packet-length-in-ip6_find_1stfragopt.patch ipv6-fix-memory-leak-with-multiple-tables-during-netns-destruction.patch ipv6-fix-typo-in-fib6_net_exit.patch qlge-avoid-memcpy-buffer-overflow.patch revert-net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
---
diff --git a/queue-3.18/ipv6-accept-64k-1-packet-length-in-ip6_find_1stfragopt.patch b/queue-3.18/ipv6-accept-64k-1-packet-length-in-ip6_find_1stfragopt.patch
new file mode 100644
index 00000000000..2d73ab51af0
--- /dev/null
+++ b/queue-3.18/ipv6-accept-64k-1-packet-length-in-ip6_find_1stfragopt.patch
@@ -0,0 +1,50 @@
+From foo@baz Fri Sep 15 10:12:30 PDT 2017
+From: Stefano Brivio
+Date: Fri, 18 Aug 2017 14:40:53 +0200
+Subject: ipv6: accept 64k - 1 packet length in ip6_find_1stfragopt()
+
+From: Stefano Brivio
+
+
+[ Upstream commit 3de33e1ba0506723ab25734e098cf280ecc34756 ]
+
+A packet length of exactly IPV6_MAXPLEN is allowed, we should
+refuse parsing options only if the size is 64KiB or more.
+
+While at it, remove one extra variable and one assignment which
+were also introduced by the commit that introduced the size
+check. Checking the sum 'offset + len' and only later adding
+'len' to 'offset' doesn't provide any advantage over directly
+summing to 'offset' and checking it.
+
+Fixes: 6399f1fae4ec ("ipv6: avoid overflow of offset in ip6_find_1stfragopt")
+Signed-off-by: Stefano Brivio
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/output_core.c | 6 ++----
+ 1 file changed, 2 insertions(+), 4 deletions(-)
+
+--- a/net/ipv6/output_core.c
++++ b/net/ipv6/output_core.c
+@@ -52,7 +52,6 @@ int ip6_find_1stfragopt(struct sk_buff *
+
+ while (offset <= packet_len) {
+ struct ipv6_opt_hdr *exthdr;
+- unsigned int len;
+
+ switch (**nexthdr) {
+
+@@ -78,10 +77,9 @@ int ip6_find_1stfragopt(struct sk_buff *
+
+ exthdr = (struct ipv6_opt_hdr *)(skb_network_header(skb) +
+ offset);
+- len = ipv6_optlen(exthdr);
+- if (len + offset >= IPV6_MAXPLEN)
++ offset += ipv6_optlen(exthdr);
++ if (offset > IPV6_MAXPLEN)
+ return -EINVAL;
+- offset += len;
+ *nexthdr = &exthdr->nexthdr;
+ }
+
diff --git a/queue-3.18/ipv6-fix-memory-leak-with-multiple-tables-during-netns-destruction.patch b/queue-3.18/ipv6-fix-memory-leak-with-multiple-tables-during-netns-destruction.patch
new file mode 100644
index 00000000000..fd6aa865ecc
--- /dev/null
+++ b/queue-3.18/ipv6-fix-memory-leak-with-multiple-tables-during-netns-destruction.patch
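Review bot: The new `offset += ipv6_optlen(exthdr);` reads `exthdr->hdrlen` at `skb_network_header(skb) + offset`, but nothing in this hunk bounds that read against the packet: the loop condition `while (offset <= packet_len)` admits `offset == packet_len`, so the option header would be read from the tail of the buffer unless a guard such as `if (offset + sizeof(struct ipv6_opt_hdr) > packet_len) return -EINVAL;` sits just above the `exthdr =` assignment. Upstream carries such a guard from an earlier fix; since this is a 3.18 backport, confirm it is present in the tree being patched before queuing, because the relaxed `offset > IPV6_MAXPLEN` check does not substitute for it. ip6_find_1stfragopt() begins and ends outside the hunk.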
@@ -0,0 +1,76 @@
+From foo@baz Fri Sep 15 10:12:30 PDT 2017
+From: Sabrina Dubroca
+Date: Fri, 8 Sep 2017 10:26:19 +0200
+Subject: ipv6: fix memory leak with multiple tables during netns destruction
+
+From: Sabrina Dubroca
+
+
+[ Upstream commit ba1cc08d9488c94cb8d94f545305688b72a2a300 ]
+
+fib6_net_exit only frees the main and local tables. If another table was
+created with fib6_alloc_table, we leak it when the netns is destroyed.
+
+Fix this in the same way ip_fib_net_exit cleans up tables, by walking
+through the whole hashtable of fib6_table's. We can get rid of the
+special cases for local and main, since they're also part of the
+hashtable.
+
+Reproducer:
+ ip netns add x
+ ip -net x -6 rule add from 6003:1::/64 table 100
+ ip netns del x
+
+Reported-by: Jianlin Shi
+Fixes: 58f09b78b730 ("[NETNS][IPV6] ip6_fib - make it per network namespace")
+Signed-off-by: Sabrina Dubroca
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_fib.c | 25 +++++++++++++++++++------
+ 1 file changed, 19 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -160,6 +160,12 @@ static void rt6_release(struct rt6_info
+ dst_free(&rt->dst);
+ }
+
++static void fib6_free_table(struct fib6_table *table)
++{
++ inetpeer_invalidate_tree(&table->tb6_peers);
++ kfree(table);
++}
++
+ static void fib6_link_table(struct net *net, struct fib6_table *tb)
+ {
+ unsigned int h;
+@@ -1782,15 +1788,22 @@ out_timer:
+
+ static void fib6_net_exit(struct net *net)
+ {
++ unsigned int i;
++
+ rt6_ifdown(net, NULL);
+ del_timer_sync(&net->ipv6.ip6_fib_timer);
+
+-#ifdef CONFIG_IPV6_MULTIPLE_TABLES
+- inetpeer_invalidate_tree(&net->ipv6.fib6_local_tbl->tb6_peers);
+- kfree(net->ipv6.fib6_local_tbl);
+-#endif
+- inetpeer_invalidate_tree(&net->ipv6.fib6_main_tbl->tb6_peers);
+- kfree(net->ipv6.fib6_main_tbl);
++ for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
++ struct hlist_head *head = &net->ipv6.fib_table_hash[i];
++ struct hlist_node *tmp;
++ struct fib6_table *tb;
++
++ hlist_for_each_entry_safe(tb, tmp, head, tb6_hlist) {
++ hlist_del(&tb->tb6_hlist);
++ fib6_free_table(tb);
++ }
++ }
++
+ kfree(net->ipv6.fib_table_hash);
+ kfree(net->ipv6.rt6_stats);
+ }
diff --git a/queue-3.18/ipv6-fix-typo-in-fib6_net_exit.patch b/queue-3.18/ipv6-fix-typo-in-fib6_net_exit.patch
new file mode 100644
index 00000000000..08b74579c7c
--- /dev/null
+++ b/queue-3.18/ipv6-fix-typo-in-fib6_net_exit.patch
@@ -0,0 +1,31 @@
+From foo@baz Fri Sep 15 10:12:30 PDT 2017
+From: Eric Dumazet
+Date: Fri, 8 Sep 2017 15:48:47 -0700
+Subject: ipv6: fix typo in fib6_net_exit()
+
+From: Eric Dumazet
+
+
+[ Upstream commit 32a805baf0fb70b6dbedefcd7249ac7f580f9e3b ]
+
+IPv6 FIB should use FIB6_TABLE_HASHSZ, not FIB_TABLE_HASHSZ.
+
+Fixes: ba1cc08d9488 ("ipv6: fix memory leak with multiple tables during netns destruction")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_fib.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv6/ip6_fib.c
++++ b/net/ipv6/ip6_fib.c
+@@ -1793,7 +1793,7 @@ static void fib6_net_exit(struct net *ne
+ rt6_ifdown(net, NULL);
+ del_timer_sync(&net->ipv6.ip6_fib_timer);
+
+- for (i = 0; i < FIB_TABLE_HASHSZ; i++) {
++ for (i = 0; i < FIB6_TABLE_HASHSZ; i++) {
+ struct hlist_head *head = &net->ipv6.fib_table_hash[i];
+ struct hlist_node *tmp;
+ struct fib6_table *tb;
diff --git a/queue-3.18/qlge-avoid-memcpy-buffer-overflow.patch b/queue-3.18/qlge-avoid-memcpy-buffer-overflow.patch
new file mode 100644
index 00000000000..73ea99807d6
--- /dev/null
+++ b/queue-3.18/qlge-avoid-memcpy-buffer-overflow.patch
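Review bot: `fib6_free_table()`, added in the first hunk of this patch, only invalidates `tb6_peers` and frees the struct; it never walks the table's routes, so it is safe only because the caller has already emptied the table (here through the `rt6_ifdown(net, NULL)` that precedes the loop) and unlinked it with `hlist_del()`, and that contract is stated nowhere. A one-line comment above the helper would keep a future caller from freeing a live table: `/* Caller must have unlinked @table from fib_table_hash and flushed its routes (see rt6_ifdown) first. */`. Note also that the loop bound `FIB_TABLE_HASHSZ` in this hunk is the IPv4 constant and only the next patch in the queue corrects it to `FIB6_TABLE_HASHSZ`, so the two entries must stay adjacent in the series file as they are. fib6_net_exit() begins on the previous SOURCE line.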
@@ -0,0 +1,44 @@
+From foo@baz Fri Sep 15 10:12:30 PDT 2017
+From: Arnd Bergmann
+Date: Wed, 23 Aug 2017 15:59:49 +0200
+Subject: qlge: avoid memcpy buffer overflow
+
+From: Arnd Bergmann
+
+
+[ Upstream commit e58f95831e7468d25eb6e41f234842ecfe6f014f ]
+
+gcc-8.0.0 (snapshot) points out that we copy a variable-length string
+into a fixed length field using memcpy() with the destination length,
+and that ends up copying whatever follows the string:
+
+ inlined from 'ql_core_dump' at drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:1106:2:
+drivers/net/ethernet/qlogic/qlge/qlge_dbg.c:708:2: error: 'memcpy' reading 15 bytes from a region of size 14 [-Werror=stringop-overflow=]
+ memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
+
+Changing it to use strncpy() will instead zero-pad the destination,
+which seems to be the right thing to do here.
+
+The bug is probably harmless, but it seems like a good idea to address
+it in stable kernels as well, if only for the purpose of building with
+gcc-8 without warnings.
+
+Fixes: a61f80261306 ("qlge: Add ethtool register dump function.")
+Signed-off-by: Arnd Bergmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/qlogic/qlge/qlge_dbg.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
++++ b/drivers/net/ethernet/qlogic/qlge/qlge_dbg.c
+@@ -724,7 +724,7 @@ static void ql_build_coredump_seg_header
+ seg_hdr->cookie = MPI_COREDUMP_COOKIE;
+ seg_hdr->segNum = seg_number;
+ seg_hdr->segSize = seg_size;
+- memcpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
++ strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);
+ }
+
+ /*
diff --git a/queue-3.18/revert-net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch b/queue-3.18/revert-net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch
new file mode 100644
index 00000000000..9f854acdcf2
--- /dev/null
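Review bot: The new `strncpy(seg_hdr->description, desc, (sizeof(seg_hdr->description)) - 1);` never writes the last byte of `description`, so the field is NUL-terminated only if the header was zeroed before this point; ql_build_coredump_seg_header() begins above the hunk and whether it memsets `seg_hdr` first is not visible here. Because this header is part of a dump that, per the Fixes line, is presumably returned to user space through the ethtool register dump, an unzeroed trailing byte would expose whatever was previously in that memory, so the zeroing is worth confirming rather than assuming. A comment on the new line would make the dependency explicit: `/* len-1: the last byte is left 0 by the earlier memset, so description stays terminated */`.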
+++ b/queue-3.18/revert-net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch 
@@ -0,0 +1,104 @@ +From foo@baz Fri Sep 15 10:12:30 PDT 2017 +From: Florian Fainelli +Date: Wed, 30 Aug 2017 17:49:29 -0700 +Subject: Revert "net: phy: Correctly process PHY_HALTED in phy_stop_machine()" + +From: Florian Fainelli + + +[ Upstream commit ebc8254aeae34226d0bc8fda309fd9790d4dccfe ] + +This reverts commit 7ad813f208533cebfcc32d3d7474dc1677d1b09a ("net: phy: +Correctly process PHY_HALTED in phy_stop_machine()") because it is +creating the possibility for a NULL pointer dereference. + +David Daney provide the following call trace and diagram of events: + +When ndo_stop() is called we call: + + phy_disconnect() + +---> phy_stop_interrupts() implies: phydev->irq = PHY_POLL; + +---> phy_stop_machine() + | +---> phy_state_machine() + | +----> queue_delayed_work(): Work queued. + +--->phy_detach() implies: phydev->attached_dev = NULL; + +Now at a later time the queued work does: + + phy_state_machine() + +---->netif_carrier_off(phydev->attached_dev): Oh no! It is NULL: + + CPU 12 Unable to handle kernel paging request at virtual address +0000000000000048, epc == ffffffff80de37ec, ra == ffffffff80c7c +Oops[#1]: +CPU: 12 PID: 1502 Comm: kworker/12:1 Not tainted 4.9.43-Cavium-Octeon+ #1 +Workqueue: events_power_efficient phy_state_machine +task: 80000004021ed100 task.stack: 8000000409d70000 +$ 0 : 0000000000000000 ffffffff84720060 0000000000000048 0000000000000004 +$ 4 : 0000000000000000 0000000000000001 0000000000000004 0000000000000000 +$ 8 : 0000000000000000 0000000000000000 00000000ffff98f3 0000000000000000 +$12 : 8000000409d73fe0 0000000000009c00 ffffffff846547c8 000000000000af3b +$16 : 80000004096bab68 80000004096babd0 0000000000000000 80000004096ba800 +$20 : 0000000000000000 0000000000000000 ffffffff81090000 0000000000000008 +$24 : 0000000000000061 ffffffff808637b0 +$28 : 8000000409d70000 8000000409d73cf0 80000000271bd300 ffffffff80c7804c +Hi : 000000000000002a +Lo : 000000000000003f +epc : ffffffff80de37ec netif_carrier_off+0xc/0x58 +ra : ffffffff80c7804c 
phy_state_machine+0x48c/0x4f8 +Status: 14009ce3 KX SX UX KERNEL EXL IE +Cause : 00800008 (ExcCode 02) +BadVA : 0000000000000048 +PrId : 000d9501 (Cavium Octeon III) +Modules linked in: +Process kworker/12:1 (pid: 1502, threadinfo=8000000409d70000, +task=80000004021ed100, tls=0000000000000000) +Stack : 8000000409a54000 80000004096bab68 80000000271bd300 80000000271c1e00 + 0000000000000000 ffffffff808a1708 8000000409a54000 80000000271bd300 + 80000000271bd320 8000000409a54030 ffffffff80ff0f00 0000000000000001 + ffffffff81090000 ffffffff808a1ac0 8000000402182080 ffffffff84650000 + 8000000402182080 ffffffff84650000 ffffffff80ff0000 8000000409a54000 + ffffffff808a1970 0000000000000000 80000004099e8000 8000000402099240 + 0000000000000000 ffffffff808a8598 0000000000000000 8000000408eeeb00 + 8000000409a54000 00000000810a1d00 0000000000000000 8000000409d73de8 + 8000000409d73de8 0000000000000088 000000000c009c00 8000000409d73e08 + 8000000409d73e08 8000000402182080 ffffffff808a84d0 8000000402182080 + ... +Call Trace: +[] netif_carrier_off+0xc/0x58 +[] phy_state_machine+0x48c/0x4f8 +[] process_one_work+0x158/0x368 +[] worker_thread+0x150/0x4c0 +[] kthread+0xc8/0xe0 +[] ret_from_kernel_thread+0x14/0x1c + +The original motivation for this change originated from Marc Gonzales +indicating that his network driver did not have its adjust_link callback +executing with phydev->link = 0 while he was expecting it. + +PHYLIB has never made any such guarantees ever because phy_stop() merely just +tells the workqueue to move into PHY_HALTED state which will happen +asynchronously. + +Reported-by: Geert Uytterhoeven +Reported-by: David Daney +Fixes: 7ad813f20853 ("net: phy: Correctly process PHY_HALTED in phy_stop_machine()") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. 
Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/phy/phy.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/drivers/net/phy/phy.c
++++ b/drivers/net/phy/phy.c
+@@ -509,9 +509,6 @@ void phy_stop_machine(struct phy_device
+ if (phydev->state > PHY_UP && phydev->state != PHY_HALTED)
+ phydev->state = PHY_UP;
+ mutex_unlock(&phydev->lock);
+-
+- /* Now we can run the state machine synchronously */
+- phy_state_machine(&phydev->state_queue.work);
+ }
+
+ /**
diff --git a/queue-3.18/series b/queue-3.18/series
new file mode 100644
index 00000000000..4d9a0f0fef2
--- /dev/null
+++ b/queue-3.18/series
@@ -0,0 +1,6 @@
+ipv6-accept-64k-1-packet-length-in-ip6_find_1stfragopt.patch
+qlge-avoid-memcpy-buffer-overflow.patch
+revert-net-phy-correctly-process-phy_halted-in-phy_stop_machine.patch
+tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
+ipv6-fix-memory-leak-with-multiple-tables-during-netns-destruction.patch
+ipv6-fix-typo-in-fib6_net_exit.patch
diff --git a/queue-3.18/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch b/queue-3.18/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
new file mode 100644
index 00000000000..4f3d7895f53
--- /dev/null
+++ b/queue-3.18/tcp-initialize-rcv_mss-to-tcp_min_mss-instead-of-0.patch
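Review bot: With the synchronous `phy_state_machine()` call removed, `phy_stop_machine()` now returns while the move to PHY_HALTED is still pending on the workqueue, and nothing in the function documents that; the commit message itself says callers were never promised a synchronous link-down, which is exactly the expectation that led to the reverted change. Stating it in the kerneldoc block above `void phy_stop_machine(struct phy_device` (outside this hunk) would stop the next driver author from re-adding the call that produced the NULL dereference described in the message: `Note: the state machine runs asynchronously; adjust_link may still be invoked after this returns, so callers must not assume the link is already down.`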
@@ -0,0 +1,40 @@
+From foo@baz Fri Sep 15 10:12:30 PDT 2017
+From: Wei Wang
+Date: Thu, 18 May 2017 11:22:33 -0700
+Subject: tcp: initialize rcv_mss to TCP_MIN_MSS instead of 0
+
+From: Wei Wang
+
+
+[ Upstream commit 499350a5a6e7512d9ed369ed63a4244b6536f4f8 ]
+
+When tcp_disconnect() is called, inet_csk_delack_init() sets
+icsk->icsk_ack.rcv_mss to 0.
+This could potentially cause tcp_recvmsg() => tcp_cleanup_rbuf() =>
+__tcp_select_window() call path to have division by 0 issue.
+So this patch initializes rcv_mss to TCP_MIN_MSS instead of 0.
+
+Reported-by: Andrey Konovalov
+Signed-off-by: Wei Wang
+Signed-off-by: Eric Dumazet
+Signed-off-by: Neal Cardwell
+Signed-off-by: Yuchung Cheng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/tcp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/ipv4/tcp.c
++++ b/net/ipv4/tcp.c
+@@ -2265,6 +2265,10 @@ int tcp_disconnect(struct sock *sk, int
+ tcp_set_ca_state(sk, TCP_CA_Open);
+ tcp_clear_retrans(tp);
+ inet_csk_delack_init(sk);
++ /* Initialize rcv_mss to TCP_MIN_MSS to avoid division by 0
++ * issue in __tcp_select_window()
++ */
++ icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;
+ tcp_init_send_head(sk);
+ memset(&tp->rx_opt, 0, sizeof(tp->rx_opt));
+ __sk_dst_reset(sk);
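Review bot: The new `icsk->icsk_ack.rcv_mss = TCP_MIN_MSS;` relies on an `icsk` local that is not declared anywhere in the hunk; tcp_disconnect() begins above it, so confirm the 3.18 version of the function already has `struct inet_connection_sock *icsk = inet_csk(sk);` in scope (the surrounding context only shows `tp` and `sk` in use), otherwise the backport will not build. The assignment also repairs only this one call site of `inet_csk_delack_init()`, which the message says is what zeroes `rcv_mss`; if that helper has other callers in this tree, they would still leave `rcv_mss == 0` on the way to the divide in `__tcp_select_window()`, so it is worth grepping for them when queuing this patch. The added comment correctly names the reason for the value, which is what a reader will need when `TCP_MIN_MSS` looks arbitrary here.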