From: Greg Kroah-Hartman Date: Wed, 19 Mar 2014 23:33:24 +0000 (+0000) Subject: 3.4-stable patches X-Git-Tag: v3.4.84~44 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c9001ed4cc629baae74c023aaab7d9821404a9c7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch sched-fix-double-normalization-of-vruntime.patch tg3-don-t-check-undefined-error-bits-in-rxbd.patch virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch --- diff --git a/queue-3.4/net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch b/queue-3.4/net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch new file mode 100644 index 00000000000..b856ac6386f --- /dev/null +++ b/queue-3.4/net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch @@ -0,0 +1,137 @@ +From foo@baz Wed Mar 19 23:27:34 Local time zone must be set--see zic manual page 2014 +From: Daniel Borkmann +Date: Mon, 3 Mar 2014 17:23:04 +0100 +Subject: net: sctp: fix sctp_sf_do_5_1D_ce to verify if we/peer is AUTH capable + +From: Daniel Borkmann + +[ Upstream commit ec0223ec48a90cb605244b45f7c62de856403729 ] + +RFC4895 introduced AUTH chunks for SCTP; during the SCTP +handshake RANDOM; CHUNKS; HMAC-ALGO are negotiated (CHUNKS +being optional though): + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + -------------------- COOKIE-ECHO --------------------> + <-------------------- COOKIE-ACK --------------------- + +A special case is when an endpoint requires COOKIE-ECHO +chunks to be authenticated: + + ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------> + <------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------- + ------------------ AUTH; COOKIE-ECHO ----------------> + <-------------------- COOKIE-ACK --------------------- + +RFC4895, section 6.3. Receiving Authenticated Chunks says: + + The receiver MUST use the HMAC algorithm indicated in + the HMAC Identifier field. If this algorithm was not + specified by the receiver in the HMAC-ALGO parameter in + the INIT or INIT-ACK chunk during association setup, the + AUTH chunk and all the chunks after it MUST be discarded + and an ERROR chunk SHOULD be sent with the error cause + defined in Section 4.1. [...] If no endpoint pair shared + key has been configured for that Shared Key Identifier, + all authenticated chunks MUST be silently discarded. [...] + + When an endpoint requires COOKIE-ECHO chunks to be + authenticated, some special procedures have to be followed + because the reception of a COOKIE-ECHO chunk might result + in the creation of an SCTP association. If a packet arrives + containing an AUTH chunk as a first chunk, a COOKIE-ECHO + chunk as the second chunk, and possibly more chunks after + them, and the receiver does not have an STCB for that + packet, then authentication is based on the contents of + the COOKIE-ECHO chunk. In this situation, the receiver MUST + authenticate the chunks in the packet by using the RANDOM + parameters, CHUNKS parameters and HMAC_ALGO parameters + obtained from the COOKIE-ECHO chunk, and possibly a local + shared secret as inputs to the authentication procedure + specified in Section 6.3. If authentication fails, then + the packet is discarded. If the authentication is successful, + the COOKIE-ECHO and all the chunks after the COOKIE-ECHO + MUST be processed. If the receiver has an STCB, it MUST + process the AUTH chunk as described above using the STCB + from the existing association to authenticate the + COOKIE-ECHO chunk and all the chunks after it. [...] + +Commit bbd0d59809f9 introduced the possibility to receive +and verification of AUTH chunk, including the edge case for +authenticated COOKIE-ECHO. On reception of COOKIE-ECHO, +the function sctp_sf_do_5_1D_ce() handles processing, +unpacks and creates a new association if it passed sanity +checks and also tests for authentication chunks being +present. After a new association has been processed, it +invokes sctp_process_init() on the new association and +walks through the parameter list it received from the INIT +chunk. It checks SCTP_PARAM_RANDOM, SCTP_PARAM_HMAC_ALGO +and SCTP_PARAM_CHUNKS, and copies them into asoc->peer +meta data (peer_random, peer_hmacs, peer_chunks) in case +sysctl -w net.sctp.auth_enable=1 is set. If in INIT's +SCTP_PARAM_SUPPORTED_EXT parameter SCTP_CID_AUTH is set, +peer_random != NULL and peer_hmacs != NULL the peer is to be +assumed asoc->peer.auth_capable=1, in any other case +asoc->peer.auth_capable=0. + +Now, if in sctp_sf_do_5_1D_ce() chunk->auth_chunk is +available, we set up a fake auth chunk and pass that on to +sctp_sf_authenticate(), which at latest in +sctp_auth_calculate_hmac() reliably dereferences a NULL pointer +at position 0..0008 when setting up the crypto key in +crypto_hash_setkey() by using asoc->asoc_shared_key that is +NULL as condition key_id == asoc->active_key_id is true if +the AUTH chunk was injected correctly from remote. This +happens no matter what net.sctp.auth_enable sysctl says. + +The fix is to check for net->sctp.auth_enable and for +asoc->peer.auth_capable before doing any operations like +sctp_sf_authenticate() as no key is activated in +sctp_auth_asoc_init_active_key() for each case. + +Now as RFC4895 section 6.3 states that if the used HMAC-ALGO +passed from the INIT chunk was not used in the AUTH chunk, we +SHOULD send an error; however in this case it would be better +to just silently discard such a maliciously prepared handshake +as we didn't even receive a parameter at all. Also, as our +endpoint has no shared key configured, section 6.3 says that +MUST silently discard, which we are doing from now onwards. + +Before calling sctp_sf_pdiscard(), we need not only to free +the association, but also the chunk->auth_chunk skb, as +commit bbd0d59809f9 created a skb clone in that case. + +I have tested this locally by using netfilter's nfqueue and +re-injecting packets into the local stack after maliciously +modifying the INIT chunk (removing RANDOM; HMAC-ALGO param) +and the SCTP packet containing the COOKIE_ECHO (injecting +AUTH chunk before COOKIE_ECHO). Fixed with this patch applied. + +Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk") +Signed-off-by: Daniel Borkmann +Cc: Vlad Yasevich +Cc: Neil Horman +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sctp/sm_statefuns.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/net/sctp/sm_statefuns.c ++++ b/net/sctp/sm_statefuns.c +@@ -747,6 +747,13 @@ sctp_disposition_t sctp_sf_do_5_1D_ce(co + struct sctp_chunk auth; + sctp_ierror_t ret; + ++ /* Make sure that we and the peer are AUTH capable */ ++ if (!sctp_auth_enable || !new_asoc->peer.auth_capable) { ++ kfree_skb(chunk->auth_chunk); ++ sctp_association_free(new_asoc); ++ return sctp_sf_pdiscard(ep, asoc, type, arg, commands); ++ } ++ + /* set-up our fake chunk so that we can process it */ + auth.skb = chunk->auth_chunk; + auth.asoc = chunk->asoc; diff --git a/queue-3.4/sched-fix-double-normalization-of-vruntime.patch b/queue-3.4/sched-fix-double-normalization-of-vruntime.patch new file mode 100644 index 00000000000..8ed259268ec --- /dev/null +++ b/queue-3.4/sched-fix-double-normalization-of-vruntime.patch @@ -0,0 +1,60 @@ +From 791c9e0292671a3bfa95286bb5c08129d8605618 Mon Sep 17 00:00:00 2001 +From: George McCollister +Date: Tue, 18 Feb 2014 17:56:51 -0600 +Subject: sched: Fix double normalization of vruntime + +From: George McCollister + +commit 791c9e0292671a3bfa95286bb5c08129d8605618 upstream. + +dequeue_entity() is called when p->on_rq and sets se->on_rq = 0 +which appears to guarentee that the !se->on_rq condition is met. +If the task has done set_current_state(TASK_INTERRUPTIBLE) without +schedule() the second condition will be met and vruntime will be +incorrectly adjusted twice. + +In certain cases this can result in the task's vruntime never increasing +past the vruntime of other tasks on the CFS' run queue, starving them of +CPU time. + +This patch changes switched_from_fair() to use !p->on_rq instead of +!se->on_rq. + +I'm able to cause a task with a priority of 120 to starve all other +tasks with the same priority on an ARM platform running 3.2.51-rt72 +PREEMPT RT by writing one character at time to a serial tty (16550 UART) +in a tight loop. I'm also able to verify making this change corrects the +problem on that platform and kernel version. + +Signed-off-by: George McCollister +Signed-off-by: Peter Zijlstra +Link: http://lkml.kernel.org/r/1392767811-28916-1-git-send-email-george.mccollister@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched/fair.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/sched/fair.c ++++ b/kernel/sched/fair.c +@@ -5270,15 +5270,15 @@ static void switched_from_fair(struct rq + struct cfs_rq *cfs_rq = cfs_rq_of(se); + + /* +- * Ensure the task's vruntime is normalized, so that when its ++ * Ensure the task's vruntime is normalized, so that when it's + * switched back to the fair class the enqueue_entity(.flags=0) will + * do the right thing. + * +- * If it was on_rq, then the dequeue_entity(.flags=0) will already +- * have normalized the vruntime, if it was !on_rq, then only when ++ * If it's on_rq, then the dequeue_entity(.flags=0) will already ++ * have normalized the vruntime, if it's !on_rq, then only when + * the task is sleeping will it still have non-normalized vruntime. + */ +- if (!se->on_rq && p->state != TASK_RUNNING) { ++ if (!p->on_rq && p->state != TASK_RUNNING) { + /* + * Fix up our vruntime so that the current sleep doesn't + * cause 'unlimited' sleep bonus. diff --git a/queue-3.4/series b/queue-3.4/series index 81e4552c978..5a6cc1c1b61 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -1,2 +1,6 @@ ocfs2-fix-quota-file-corruption.patch ocfs2-syncs-the-wrong-range.patch +sched-fix-double-normalization-of-vruntime.patch +virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch +tg3-don-t-check-undefined-error-bits-in-rxbd.patch +net-sctp-fix-sctp_sf_do_5_1d_ce-to-verify-if-we-peer-is-auth-capable.patch diff --git a/queue-3.4/tg3-don-t-check-undefined-error-bits-in-rxbd.patch b/queue-3.4/tg3-don-t-check-undefined-error-bits-in-rxbd.patch new file mode 100644 index 00000000000..7c6c5106fdb --- /dev/null +++ b/queue-3.4/tg3-don-t-check-undefined-error-bits-in-rxbd.patch @@ -0,0 +1,47 @@ +From foo@baz Wed Mar 19 23:27:34 Local time zone must be set--see zic manual page 2014 +From: Michael Chan +Date: Fri, 28 Feb 2014 15:05:10 -0800 +Subject: tg3: Don't check undefined error bits in RXBD + +From: Michael Chan + +[ Upstream commit d7b95315cc7f441418845a165ee56df723941487 ] + +Redefine the RXD_ERR_MASK to include only relevant error bits. This fixes +a customer reported issue of randomly dropping packets on the 5719. + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/tg3.c | 3 +-- + drivers/net/ethernet/broadcom/tg3.h | 6 +++++- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -5844,8 +5844,7 @@ static int tg3_rx(struct tg3_napi *tnapi + + work_mask |= opaque_key; + +- if ((desc->err_vlan & RXD_ERR_MASK) != 0 && +- (desc->err_vlan != RXD_ERR_ODD_NIBBLE_RCVD_MII)) { ++ if (desc->err_vlan & RXD_ERR_MASK) { + drop_it: + tg3_recycle_rx(tnapi, tpr, opaque_key, + desc_idx, *post_ptr); +--- a/drivers/net/ethernet/broadcom/tg3.h ++++ b/drivers/net/ethernet/broadcom/tg3.h +@@ -2484,7 +2484,11 @@ struct tg3_rx_buffer_desc { + #define RXD_ERR_TOO_SMALL 0x00400000 + #define RXD_ERR_NO_RESOURCES 0x00800000 + #define RXD_ERR_HUGE_FRAME 0x01000000 +-#define RXD_ERR_MASK 0xffff0000 ++ ++#define RXD_ERR_MASK (RXD_ERR_BAD_CRC | RXD_ERR_COLLISION | \ ++ RXD_ERR_LINK_LOST | RXD_ERR_PHY_DECODE | \ ++ RXD_ERR_MAC_ABRT | RXD_ERR_TOO_SMALL | \ ++ RXD_ERR_NO_RESOURCES | RXD_ERR_HUGE_FRAME) + + u32 reserved; + u32 opaque; diff --git a/queue-3.4/virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch b/queue-3.4/virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch new file mode 100644 index 00000000000..cb15fe09404 --- /dev/null +++ b/queue-3.4/virtio-net-alloc-big-buffers-also-when-guest-can-receive-ufo.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Mar 19 23:27:34 Local time zone must be set--see zic manual page 2014 +From: Jason Wang +Date: Fri, 21 Feb 2014 13:08:04 +0800 +Subject: virtio-net: alloc big buffers also when guest can receive UFO + +From: Jason Wang + +[ Upstream commit 0e7ede80d929ff0f830c44a543daa1acd590c749 ] + +We should alloc big buffers also when guest can receive UFO +packets to let the big packets fit into guest rx buffer. + +Fixes 5c5167515d80f78f6bb538492c423adcae31ad65 +(virtio-net: Allow UFO feature to be set and advertised.) + +Cc: Rusty Russell +Cc: Michael S. Tsirkin +Cc: Sridhar Samudrala +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Acked-by: Rusty Russell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/virtio_net.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1084,7 +1084,8 @@ static int virtnet_probe(struct virtio_d + /* If we can receive ANY GSO packets, we must allocate large ones. */ + if (virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO4) || + virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_TSO6) || +- virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN)) ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_ECN) || ++ virtio_has_feature(vdev, VIRTIO_NET_F_GUEST_UFO)) + vi->big_packets = true; + + if (virtio_has_feature(vdev, VIRTIO_NET_F_MRG_RXBUF))