From: Sasha Levin
Date: Fri, 2 Sep 2022 04:23:53 +0000 (-0400)
Subject: Fixes for 4.14
X-Git-Tag: v4.9.327~20
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f24187d3f1b6629c5a63c562a12abac4a3c746e9;p=thirdparty%2Fkernel%2Fstable-queue.git
Fixes for 4.14
Signed-off-by: Sasha Levin
---
diff --git a/queue-4.14/neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch b/queue-4.14/neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch
new file mode 100644
index 00000000000..9a64188b49e
--- /dev/null
+++ b/queue-4.14/neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch
@@ -0,0 +1,129 @@
+From 4deaacb992f2bf7477ec740e048ece18557edac8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Thu, 11 Aug 2022 18:20:11 +0300
+Subject: neigh: fix possible DoS due to net iface start/stop loop
+
+From: Denis V. Lunev
+
+[ Upstream commit 66ba215cb51323e4e55e38fd5f250e0fae0cbc94 ]
+
+Normal processing of ARP request (usually this is Ethernet broadcast
+packet) coming to the host is looking like the following:
+* the packet comes to arp_process() call and is passed through routing
+ procedure
+* the request is put into the queue using pneigh_enqueue() if
+ corresponding ARP record is not local (common case for container
+ records on the host)
+* the request is processed by timer (within 80 jiffies by default) and
+ ARP reply is sent from the same arp_process() using
+ NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED condition (flag is set inside
+ pneigh_enqueue())
+
+And here the problem comes. Linux kernel calls pneigh_queue_purge()
+which destroys the whole queue of ARP requests on ANY network interface
+start/stop event through __neigh_ifdown().
+
+This is actually not a problem within the original world as network
+interface start/stop was accessible to the host 'root' only, which
+could do more destructive things. But the world is changed and there
+are Linux containers available. Here container 'root' has an access
+to this API and could be considered as untrusted user in the hosting
+(container's) world.
+
+Thus there is an attack vector to other containers on node when
+container's root will endlessly start/stop interfaces. We have observed
+similar situation on a real production node when docker container was
+doing such activity and thus other containers on the node become not
+accessible.
+
+The patch proposed doing very simple thing. It drops only packets from
+the same namespace in the pneigh_queue_purge() where network interface
+state change is detected. This is enough to prevent the problem for the
+whole node preserving original semantics of the code.
+
+v2:
+ - do del_timer_sync() if queue is empty after pneigh_queue_purge()
+v3:
+ - rebase to net tree
+
+Cc: "David S. Miller"
+Cc: Eric Dumazet
+Cc: Jakub Kicinski
+Cc: Paolo Abeni
+Cc: Daniel Borkmann
+Cc: David Ahern
+Cc: Yajun Deng
+Cc: Roopa Prabhu
+Cc: Christian Brauner
+Cc: netdev@vger.kernel.org
+Cc: linux-kernel@vger.kernel.org
+Cc: Alexey Kuznetsov
+Cc: Alexander Mikhalitsyn
+Cc: Konstantin Khorenko
+Cc: kernel@openvz.org
+Cc: devel@openvz.org
+Investigated-by: Alexander Mikhalitsyn
+Signed-off-by: Denis V. Lunev
+Signed-off-by: David S. Miller
+Signed-off-by: Sasha Levin
+---
+ net/core/neighbour.c | 25 +++++++++++++++++--------
+ 1 file changed, 17 insertions(+), 8 deletions(-)
+
+diff --git a/net/core/neighbour.c b/net/core/neighbour.c
+index 358e84af0210b..8af9761768e00 100644
+--- a/net/core/neighbour.c
++++ b/net/core/neighbour.c
+@@ -222,14 +222,23 @@ static int neigh_del_timer(struct neighbour *n)
+ return 0;
+ }
+
+-static void pneigh_queue_purge(struct sk_buff_head *list)
++static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
+ {
++ unsigned long flags;
+ struct sk_buff *skb;
+
+- while ((skb = skb_dequeue(list)) != NULL) {
+- dev_put(skb->dev);
+- kfree_skb(skb);
++ spin_lock_irqsave(&list->lock, flags);
++ skb = skb_peek(list);
++ while (skb != NULL) {
++ struct sk_buff *skb_next = skb_peek_next(skb, list);
++ if (net == NULL || net_eq(dev_net(skb->dev), net)) {
++ __skb_unlink(skb, list);
++ dev_put(skb->dev);
++ kfree_skb(skb);
++ }
++ skb = skb_next;
+ }
++ spin_unlock_irqrestore(&list->lock, flags);
+ }
+
+ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev)
+@@ -295,9 +304,9 @@ int neigh_ifdown(struct neigh_table *tbl, struct net_device *dev)
+ write_lock_bh(&tbl->lock);
+ neigh_flush_dev(tbl, dev);
+ pneigh_ifdown_and_unlock(tbl, dev);
+-
+- del_timer_sync(&tbl->proxy_timer);
+- pneigh_queue_purge(&tbl->proxy_queue);
++ pneigh_queue_purge(&tbl->proxy_queue, dev_net(dev));
++ if (skb_queue_empty_lockless(&tbl->proxy_queue))
++ del_timer_sync(&tbl->proxy_timer);
+ return 0;
+ }
+ EXPORT_SYMBOL(neigh_ifdown);
+@@ -1609,7 +1618,7 @@ int neigh_table_clear(int index, struct neigh_table *tbl)
+ /* It is not clean... Fix it to unload IPv6 module safely */
+ cancel_delayed_work_sync(&tbl->gc_work);
+ del_timer_sync(&tbl->proxy_timer);
+- pneigh_queue_purge(&tbl->proxy_queue);
++ pneigh_queue_purge(&tbl->proxy_queue, NULL);
+ neigh_ifdown(tbl, NULL);
+ if (atomic_read(&tbl->entries))
+ pr_crit("neighbour leakage\n");
+--
+2.35.1
+
diff --git a/queue-4.14/netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch b/queue-4.14/netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch
new file mode 100644
index 00000000000..e2a58bc6844
--- /dev/null
+++ b/queue-4.14/netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch
@@ -0,0 +1,36 @@
+From a3cafd66f4bc41bbea49b8e88aa8b29b3399cb79 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 15 Aug 2022 12:39:20 +0200
+Subject: netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to
+ y
+From: Geert Uytterhoeven
+
+[ Upstream commit aa5762c34213aba7a72dc58e70601370805fa794 ]
+
+NF_CONNTRACK_PROCFS was marked obsolete in commit 54b07dca68557b09
+("netfilter: provide config option to disable ancient procfs parts") in
+v3.3.
+
+Signed-off-by: Geert Uytterhoeven
+Signed-off-by: Florian Westphal
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/Kconfig | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig
+index 1b302d9fd0a07..19d6821b0ffd9 100644
+--- a/net/netfilter/Kconfig
++++ b/net/netfilter/Kconfig
+@@ -100,7 +100,6 @@ config NF_CONNTRACK_ZONES
+
+ config NF_CONNTRACK_PROCFS
+ bool "Supply CT list in procfs (OBSOLETE)"
+- default y
+ depends on PROC_FS
+ ---help---
+ This option enables for the list of known conntrack entries
+--
+2.35.1
+
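Review bot: In the new pneigh_queue_purge() body (first net/core/neighbour.c hunk), kfree_skb() and dev_put() are now called while list->lock is held with interrupts disabled via spin_lock_irqsave(), whereas the old loop freed each skb only after skb_dequeue() had released the lock. kfree_skb() runs skb destructors and, as far as I know, is not expected to be called with IRQs disabled; upstream later addressed exactly this in a follow-up titled "net: neigh: don't call kfree_skb() under spin_lock_irqsave()", so that follow-up should be queued for 4.14 together with this patch rather than left for a later cycle. The fix unlinks the matching skbs onto a private temporary list under the lock and frees them after spin_unlock_irqrestore(), as sketched below; the neigh_ifdown() and neigh_table_clear() hunks need no change for this.
```c
static void pneigh_queue_purge(struct sk_buff_head *list, struct net *net)
{
	struct sk_buff_head tmp;
	unsigned long flags;
	struct sk_buff *skb;

	skb_queue_head_init(&tmp);

	spin_lock_irqsave(&list->lock, flags);
	skb = skb_peek(list);
	while (skb != NULL) {
		struct sk_buff *skb_next = skb_peek_next(skb, list);

		if (net == NULL || net_eq(dev_net(skb->dev), net)) {
			__skb_unlink(skb, list);
			/* defer the free: do not call kfree_skb() with IRQs off */
			__skb_queue_tail(&tmp, skb);
		}
		skb = skb_next;
	}
	spin_unlock_irqrestore(&list->lock, flags);

	/* tmp is private to this function, so no lock is needed here */
	while ((skb = __skb_dequeue(&tmp)) != NULL) {
		dev_put(skb->dev);
		kfree_skb(skb);
	}
}
```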
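Review bot: Removing `default y` from NF_CONNTRACK_PROCFS in the net/netfilter/Kconfig hunk is a behaviour change for a stable tree rather than a bug fix: the upstream description only argues that the option is obsolete. Existing .config files that already record CONFIG_NF_CONNTRACK_PROCFS=y are unaffected, but defconfig-based builds and config fragments that never mention the symbol will now produce a 4.14 kernel without /proc/net/nf_conntrack, which monitoring scripts and older tooling may still read. I would either drop this one from the 4.14 queue or add a line to the backport's description stating the config impact so distro maintainers can opt back in with `CONFIG_NF_CONNTRACK_PROCFS=y`.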
diff --git a/queue-4.14/s390-hypfs-avoid-error-message-under-kvm.patch b/queue-4.14/s390-hypfs-avoid-error-message-under-kvm.patch
new file mode 100644
index 00000000000..e210a553501
--- /dev/null
+++ b/queue-4.14/s390-hypfs-avoid-error-message-under-kvm.patch
@@ -0,0 +1,60 @@
+From a1e070d9c72d4db0f818fb41b1cf52bbae7ea50f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 20 Jun 2022 11:45:34 +0200
+Subject: s390/hypfs: avoid error message under KVM
+
+From: Juergen Gross
+
+[ Upstream commit 7b6670b03641ac308aaa6fa2e6f964ac993b5ea3 ]
+
+When booting under KVM the following error messages are issued:
+
+hypfs.7f5705: The hardware system does not support hypfs
+hypfs.7a79f0: Initialization of hypfs failed with rc=-61
+
+Demote the severity of first message from "error" to "info" and issue
+the second message only in other error cases.
+
+Signed-off-by: Juergen Gross
+Acked-by: Heiko Carstens
+Acked-by: Christian Borntraeger
+Link: https://lore.kernel.org/r/20220620094534.18967-1-jgross@suse.com
+[arch/s390/hypfs/hypfs_diag.c changed description]
+Signed-off-by: Alexander Gordeev
+Signed-off-by: Sasha Levin
+---
+ arch/s390/hypfs/hypfs_diag.c | 2 +-
+ arch/s390/hypfs/inode.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/arch/s390/hypfs/hypfs_diag.c b/arch/s390/hypfs/hypfs_diag.c
+index be8cc53204b50..46338c65c75bf 100644
+--- a/arch/s390/hypfs/hypfs_diag.c
++++ b/arch/s390/hypfs/hypfs_diag.c
+@@ -437,7 +437,7 @@ __init int hypfs_diag_init(void)
+ int rc;
+
+ if (diag204_probe()) {
+- pr_err("The hardware system does not support hypfs\n");
++ pr_info("The hardware system does not support hypfs\n");
+ return -ENODATA;
+ }
+ if (diag204_info_type == DIAG204_INFO_EXT) {
+diff --git a/arch/s390/hypfs/inode.c b/arch/s390/hypfs/inode.c
+index 32f5b3fb069f3..2a34c075fef66 100644
+--- a/arch/s390/hypfs/inode.c
++++ b/arch/s390/hypfs/inode.c
+@@ -494,9 +494,9 @@ static int __init hypfs_init(void)
+ hypfs_vm_exit();
+ fail_hypfs_diag_exit:
+ hypfs_diag_exit();
++ pr_err("Initialization of hypfs failed with rc=%i\n", rc);
+ fail_dbfs_exit:
+ hypfs_dbfs_exit();
+- pr_err("Initialization of hypfs failed with rc=%i\n", rc);
+ return rc;
+ }
+ device_initcall(hypfs_init)
+--
+2.35.1
+
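Review bot: Moving pr_err() above the fail_dbfs_exit label in the arch/s390/hypfs/inode.c hunk silences every path that jumps to fail_dbfs_exit, not only the unsupported-hardware case the description talks about; hypfs_init() starts outside the hunk, so whether other failures of hypfs_diag_init() (which the demoted pr_info in the first hunk does not cover) also land on that label is not visible here and is worth confirming in the 4.14 tree before queuing. Since the label now carries a non-obvious "stay quiet" contract, a one-line comment would save the next reader from re-adding the message, e.g. `fail_dbfs_exit: /* reached only when hypfs_diag_init() failed; it has already reported why */`.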
diff --git a/queue-4.14/series b/queue-4.14/series
index 5d852fb13a6..b4997a7f018 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -35,3 +35,6 @@ hid-hidraw-fix-memory-leak-in-hidraw_release.patch
 fbdev-fb_pm2fb-avoid-potential-divide-by-zero-error.patch
 ftrace-fix-null-pointer-dereference-in-is_ftrace_trampoline-when-ftrace-is-dead.patch
 mm-rmap-fix-anon_vma-degree-ambiguity-leading-to-double-reuse.patch
+neigh-fix-possible-dos-due-to-net-iface-start-stop-l.patch
+s390-hypfs-avoid-error-message-under-kvm.patch
+netfilter-conntrack-nf_conntrack_procfs-should-no-lo.patch