From 28558cf334118a14371c112b90cf247a47bf6620 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Wed, 11 Apr 2018 15:29:46 +0200 Subject: [PATCH] 3.18-stable patches added patches: bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch ip6_gre-better-validate-user-provided-tunnel-names.patch ip6_tunnel-better-validate-user-provided-tunnel-names.patch ip_tunnel-better-validate-user-provided-tunnel-names.patch ipv6-sit-better-validate-user-provided-tunnel-names.patch ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch net-fool-proof-dev_valid_name.patch net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch pptp-remove-a-buggy-dst-release-in-pptp_connect.patch r8169-fix-setting-driver_data-after-register_netdev.patch sctp-do-not-leak-kernel-memory-to-user-space.patch sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch vhost-correctly-remove-wait-queue-during-poll-failure.patch vti6-better-validate-user-provided-tunnel-names.patch --- ...-for-dev-hwaddr-sync-in-bond_enslave.patch | 56 ++++++ ...aster_upper_dev_link-in-bond_enslave.patch | 165 ++++++++++++++++++ ...et_allmulti-properly-in-bond_enslave.patch | 38 ++++ ...-validate-user-provided-tunnel-names.patch | 73 ++++++++ ...-validate-user-provided-tunnel-names.patch | 39 +++++ ...-validate-user-provided-tunnel-names.patch | 78 +++++++++ ...-validate-user-provided-tunnel-names.patch | 73 ++++++++ ...er-chain-must-fit-the-first-fragment.patch | 121 +++++++++++++ ...f-bound-read-in-skb_network_protocol.patch | 59 +++++++ .../net-fool-proof-dev_valid_name.patch | 32 ++++ ...uires-several-messages-to-user-space.patch | 75 ++++++++ 
...-has-correct-size-in-netlink_connect.patch | 35 ++++ ...-a-buggy-dst-release-in-pptp_connect.patch | 115 ++++++++++++ ...ng-driver_data-after-register_netdev.patch | 50 ++++++ ...not-leak-kernel-memory-to-user-space.patch | 95 ++++++++++ ...eck-minimal-addr-length-for-af_inet6.patch | 76 ++++++++ queue-3.18/series | 19 ++ ...-to-sky2-stops-working-after-suspend.patch | 36 ++++ ...emove-wait-queue-during-poll-failure.patch | 39 +++++ ...-validate-user-provided-tunnel-names.patch | 40 +++++ 20 files changed, 1314 insertions(+) create mode 100644 queue-3.18/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch create mode 100644 queue-3.18/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch create mode 100644 queue-3.18/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch create mode 100644 queue-3.18/ip6_gre-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-3.18/ip6_tunnel-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-3.18/ip_tunnel-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-3.18/ipv6-sit-better-validate-user-provided-tunnel-names.patch create mode 100644 queue-3.18/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch create mode 100644 queue-3.18/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch create mode 100644 queue-3.18/net-fool-proof-dev_valid_name.patch create mode 100644 queue-3.18/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch create mode 100644 queue-3.18/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch create mode 100644 queue-3.18/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch create mode 100644 queue-3.18/r8169-fix-setting-driver_data-after-register_netdev.patch create mode 100644 queue-3.18/sctp-do-not-leak-kernel-memory-to-user-space.patch create mode 100644 
queue-3.18/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
create mode 100644 queue-3.18/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
create mode 100644 queue-3.18/vhost-correctly-remove-wait-queue-during-poll-failure.patch
create mode 100644 queue-3.18/vti6-better-validate-user-provided-tunnel-names.patch
diff --git a/queue-3.18/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch b/queue-3.18/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
new file mode 100644
index 00000000000..c3263a14a5c
--- /dev/null
+++ b/queue-3.18/bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
@@ -0,0 +1,56 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Xin Long +Date: Mon, 26 Mar 2018 01:16:45 +0800 +Subject: bonding: fix the err path for dev hwaddr sync in bond_enslave + +From: Xin Long + + +[ Upstream commit 5c78f6bfae2b10ff70e21d343e64584ea6280c26 ] + +vlan_vids_add_by_dev is called right after dev hwaddr sync, so on +the err path it should unsync dev hwaddr. Otherwise, the slave +dev's hwaddr will never be unsync when this err happens. + +Fixes: 1ff412ad7714 ("bonding: change the bond's vlan syncing functions with the standard ones") +Signed-off-by: Xin Long +Reviewed-by: Nikolay Aleksandrov +Acked-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1421,7 +1421,7 @@ int bond_enslave(struct net_device *bond + if (res) { + netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n", + slave_dev->name); +- goto err_close; ++ goto err_hwaddr_unsync; + } + + prev_slave = bond_last_slave(bond); +@@ -1596,9 +1596,6 @@ err_unregister: + netdev_rx_handler_unregister(slave_dev); + + err_detach: +- if (!bond_uses_primary(bond)) +- bond_hw_addr_flush(bond_dev, slave_dev); +- + vlan_vids_del_by_dev(slave_dev, bond_dev); + if (rcu_access_pointer(bond->primary_slave) == new_slave) + RCU_INIT_POINTER(bond->primary_slave, NULL); +@@ -1612,6 +1609,10 @@ err_detach: + synchronize_rcu(); + slave_disable_netpoll(new_slave); + ++err_hwaddr_unsync: ++ if (!bond_uses_primary(bond)) ++ bond_hw_addr_flush(bond_dev, slave_dev); ++ + err_close: + slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); diff --git a/queue-3.18/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch b/queue-3.18/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch new file mode 100644 index 00000000000..1a43ec4e15c 
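Review bot: The new `err_hwaddr_unsync` label only calls bond_hw_addr_flush(), whose body is outside this hunk; if that helper only unsyncs the uc/mc lists, the dev_set_promiscuity()/dev_set_allmulti() increments taken earlier in bond_enslave (visible as context in the following bonding patch) are still not reverted when vlan_vids_add_by_dev() fails — worth confirming against the 3.18 helper before taking this as a complete unwind. Note also that the next patch in this queue removes `err_hwaddr_unsync` again, so the two must stay adjacent in the series file. bond_enslave begins and ends outside the hunk.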
--- /dev/null
+++ b/queue-3.18/bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
@@ -0,0 +1,165 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Xin Long +Date: Mon, 26 Mar 2018 01:16:46 +0800 +Subject: bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave + +From: Xin Long + + +[ Upstream commit ae42cc62a9f07f1f6979054ed92606b9c30f4a2e ] + +Beniamino found a crash when adding vlan as slave of bond which is also +the parent link: + + ip link add bond1 type bond + ip link set bond1 up + ip link add link bond1 vlan1 type vlan id 80 + ip link set vlan1 master bond1 + +The call trace is as below: + + [] queued_spin_lock_slowpath+0xb/0xf + [] _raw_spin_lock+0x20/0x30 + [] dev_mc_sync+0x37/0x80 + [] vlan_dev_set_rx_mode+0x1c/0x30 [8021q] + [] __dev_set_rx_mode+0x5a/0xa0 + [] dev_mc_sync_multiple+0x78/0x80 + [] bond_enslave+0x67c/0x1190 [bonding] + [] do_setlink+0x9c9/0xe50 + [] rtnl_newlink+0x522/0x880 + [] rtnetlink_rcv_msg+0xa7/0x260 + [] netlink_rcv_skb+0xab/0xc0 + [] rtnetlink_rcv+0x28/0x30 + [] netlink_unicast+0x170/0x210 + [] netlink_sendmsg+0x308/0x420 + [] sock_sendmsg+0xb6/0xf0 + +This is actually a dead lock caused by sync slave hwaddr from master when +the master is the slave's 'slave'. This dead loop check is actually done +by netdev_master_upper_dev_link. However, Commit 1f718f0f4f97 ("bonding: +populate neighbour's private on enslave") moved it after dev_mc_sync. + +This patch is to fix it by moving dev_mc_sync after master_upper_dev_link, +so that this loop check would be earlier than dev_mc_sync. It also moves +if (mode == BOND_MODE_8023AD) into if (!bond_uses_primary) clause as an +improvement. + +Note team driver also has this issue, I will fix it in another patch. + +Fixes: 1f718f0f4f97 ("bonding: populate neighbour's private on enslave") +Reported-by: Beniamino Galvani +Signed-off-by: Xin Long +Acked-by: Andy Gospodarek +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 73 +++++++++++++++++++--------------------- + 1 file changed, 35 insertions(+), 38 deletions(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1384,44 +1384,11 @@ int bond_enslave(struct net_device *bond + goto err_close; + } + +- /* If the mode uses primary, then the following is handled by +- * bond_change_active_slave(). +- */ +- if (!bond_uses_primary(bond)) { +- /* set promiscuity level to new slave */ +- if (bond_dev->flags & IFF_PROMISC) { +- res = dev_set_promiscuity(slave_dev, 1); +- if (res) +- goto err_close; +- } +- +- /* set allmulti level to new slave */ +- if (bond_dev->flags & IFF_ALLMULTI) { +- res = dev_set_allmulti(slave_dev, 1); +- if (res) +- goto err_close; +- } +- +- netif_addr_lock_bh(bond_dev); +- +- dev_mc_sync_multiple(slave_dev, bond_dev); +- dev_uc_sync_multiple(slave_dev, bond_dev); +- +- netif_addr_unlock_bh(bond_dev); +- } +- +- if (BOND_MODE(bond) == BOND_MODE_8023AD) { +- /* add lacpdu mc addr to mc list */ +- u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR; +- +- dev_mc_add(slave_dev, lacpdu_multicast); +- } +- + res = vlan_vids_add_by_dev(slave_dev, bond_dev); + if (res) { + netdev_err(bond_dev, "Couldn't add bond vlan ids to %s\n", + slave_dev->name); +- goto err_hwaddr_unsync; ++ goto err_close; + } + + prev_slave = bond_last_slave(bond); +@@ -1567,6 +1534,37 @@ int bond_enslave(struct net_device *bond + goto err_upper_unlink; + } + ++ /* If the mode uses primary, then the following is handled by ++ * bond_change_active_slave(). 
++ */ ++ if (!bond_uses_primary(bond)) { ++ /* set promiscuity level to new slave */ ++ if (bond_dev->flags & IFF_PROMISC) { ++ res = dev_set_promiscuity(slave_dev, 1); ++ if (res) ++ goto err_sysfs_del; ++ } ++ ++ /* set allmulti level to new slave */ ++ if (bond_dev->flags & IFF_ALLMULTI) { ++ res = dev_set_allmulti(slave_dev, 1); ++ if (res) ++ goto err_sysfs_del; ++ } ++ ++ netif_addr_lock_bh(bond_dev); ++ dev_mc_sync_multiple(slave_dev, bond_dev); ++ dev_uc_sync_multiple(slave_dev, bond_dev); ++ netif_addr_unlock_bh(bond_dev); ++ ++ if (BOND_MODE(bond) == BOND_MODE_8023AD) { ++ /* add lacpdu mc addr to mc list */ ++ u8 lacpdu_multicast[ETH_ALEN] = MULTICAST_LACPDU_ADDR; ++ ++ dev_mc_add(slave_dev, lacpdu_multicast); ++ } ++ } ++ + bond->slave_cnt++; + bond_compute_features(bond); + bond_set_carrier(bond); +@@ -1589,6 +1587,9 @@ int bond_enslave(struct net_device *bond + return 0; + + /* Undo stages on error */ ++err_sysfs_del: ++ bond_sysfs_slave_del(new_slave); ++ + err_upper_unlink: + bond_upper_dev_unlink(bond_dev, slave_dev); + +@@ -1609,10 +1610,6 @@ err_detach: + synchronize_rcu(); + slave_disable_netpoll(new_slave); + +-err_hwaddr_unsync: +- if (!bond_uses_primary(bond)) +- bond_hw_addr_flush(bond_dev, slave_dev); +- + err_close: + slave_dev->priv_flags &= ~IFF_BONDING; + dev_close(slave_dev); diff --git a/queue-3.18/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch b/queue-3.18/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch new file mode 100644 index 00000000000..77be4ceb9b1 --- /dev/null +++ b/queue-3.18/bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch 
@@ -0,0 +1,38 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Xin Long +Date: Mon, 26 Mar 2018 01:16:47 +0800 +Subject: bonding: process the err returned by dev_set_allmulti properly in bond_enslave + +From: Xin Long + + +[ Upstream commit 9f5a90c107741b864398f4ac0014711a8c1d8474 ] + +When dev_set_promiscuity(1) succeeds but dev_set_allmulti(1) fails, +dev_set_promiscuity(-1) should be done before going to the err path. +Otherwise, dev->promiscuity will leak. + +Fixes: 7e1a1ac1fbaa ("bonding: Check return of dev_set_promiscuity/allmulti") +Signed-off-by: Xin Long +Acked-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/bonding/bond_main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1548,8 +1548,11 @@ int bond_enslave(struct net_device *bond + /* set allmulti level to new slave */ + if (bond_dev->flags & IFF_ALLMULTI) { + res = dev_set_allmulti(slave_dev, 1); +- if (res) ++ if (res) { ++ if (bond_dev->flags & IFF_PROMISC) ++ dev_set_promiscuity(slave_dev, -1); + goto err_sysfs_del; ++ } + } + + netif_addr_lock_bh(bond_dev); diff --git a/queue-3.18/ip6_gre-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ip6_gre-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..734c1252d16 --- /dev/null +++ b/queue-3.18/ip6_gre-better-validate-user-provided-tunnel-names.patch 
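Review bot: The unwind call `dev_set_promiscuity(slave_dev, -1)` discards its return value, which is acceptable on an error path but reads like an oversight right next to the checked `dev_set_allmulti()` call; a one-line comment such as `/* undo the promiscuity taken above; nothing useful to do if this fails */` would make the intent explicit. The enclosing `if (!bond_uses_primary(bond))` block and bond_enslave itself begin and end outside the hunk.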
@@ -0,0 +1,73 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:29 -0700 +Subject: ip6_gre: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit 5f42df013b8bc1b6511af7a04bf93b014884ae2a ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339 +Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466 + +CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339 + ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: c12b395a4664 ("gre: Support GRE over IPv6") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_gre.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv6/ip6_gre.c ++++ b/net/ipv6/ip6_gre.c +@@ -320,11 +320,13 @@ static struct ip6_tnl *ip6gre_tunnel_loc + if (t || !create) + return t; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ return NULL; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "ip6gre%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6gre_tunnel_setup); + if (!dev) diff --git a/queue-3.18/ip6_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ip6_tunnel-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..82822b31fcb --- /dev/null +++ b/queue-3.18/ip6_tunnel-better-validate-user-provided-tunnel-names.patch @@ -0,0 +1,39 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:30 -0700 +Subject: ip6_tunnel: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257 ] + +Use valid_name() to make sure user does not provide illegal +device name. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_tunnel.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/net/ipv6/ip6_tunnel.c ++++ b/net/ipv6/ip6_tunnel.c +@@ -307,10 +307,13 @@ static struct ip6_tnl *ip6_tnl_create(st + char name[IFNAMSIZ]; + int err; + +- if (p->name[0]) ++ if (p->name[0]) { ++ if (!dev_valid_name(p->name)) ++ goto failed; + strlcpy(name, p->name, IFNAMSIZ); +- else ++ } else { + sprintf(name, "ip6tnl%%d"); ++ } + + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ip6_tnl_dev_setup); 
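Review bot: The added `dev_valid_name(parms->name)` call is only bounded on a non-NUL-terminated 16-byte `parms->name` if dev_valid_name() uses strnlen(name, IFNAMSIZ), which is exactly what the separate net-fool-proof-dev_valid_name.patch in this same queue changes; the series file that orders them is listed in the diffstat but not shown here, so confirm that patch sorts before this one and before the ip6_tunnel, ip_tunnel and ipv6-sit patches below, otherwise dev_valid_name()'s strlen() can read past the buffer the same way the strlcpy() it guards did. ip6gre_tunnel_locate begins and ends outside the hunk.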
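Review bot: The new `goto failed;` after `dev_valid_name()` runs while `err` (declared `int err;` two lines up, with no initializer) has not been assigned, so if the `failed:` label outside this hunk returns `ERR_PTR(err)` the caller receives an uninitialized value; on 3.18 I'd expect `failed:` to `return NULL`, but that should be confirmed, or `err` given an explicit initializer such as `int err = -E2BIG;` to match the choice the ip_tunnel patch in this queue makes. ip6_tnl_create begins and ends outside the hunk.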
diff --git a/queue-3.18/ip_tunnel-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ip_tunnel-better-validate-user-provided-tunnel-names.patch
new file mode 100644
index 00000000000..d2dc345a76f
--- /dev/null
+++ b/queue-3.18/ip_tunnel-better-validate-user-provided-tunnel-names.patch
@@ -0,0 +1,78 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:27 -0700 +Subject: ip_tunnel: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit 9cb726a212a82c88c98aa9f0037fd04777cd8fe5 ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257 +Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482 + +CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257 + ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline] + ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861 + ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: c54419321455 ("GRE: Refactor GRE tunneling 
code.") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -302,13 +302,14 @@ static struct net_device *__ip_tunnel_cr + struct net_device *dev; + char name[IFNAMSIZ]; + +- if (parms->name[0]) ++ err = -E2BIG; ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else { +- if (strlen(ops->kind) > (IFNAMSIZ - 3)) { +- err = -E2BIG; ++ } else { ++ if (strlen(ops->kind) > (IFNAMSIZ - 3)) + goto failed; +- } + strlcpy(name, ops->kind, IFNAMSIZ); + strncat(name, "%d", 2); + } diff --git a/queue-3.18/ipv6-sit-better-validate-user-provided-tunnel-names.patch b/queue-3.18/ipv6-sit-better-validate-user-provided-tunnel-names.patch new file mode 100644 index 00000000000..de512f1dda1 --- /dev/null +++ b/queue-3.18/ipv6-sit-better-validate-user-provided-tunnel-names.patch 
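Review bot: Hoisting `err = -E2BIG;` above the name check means a malformed user name rejected by dev_valid_name() is reported with the same errno as an over-long `ops->kind`, although -EINVAL would describe it better; since this follows the upstream commit referenced in the header and stable should not diverge, the minimum is a comment on the hoisted line, e.g. `/* -E2BIG covers both an invalid user-supplied name and an over-long kind */`. __ip_tunnel_create begins and ends outside the hunk.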
@@ -0,0 +1,73 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:28 -0700 +Subject: ipv6: sit: better validate user provided tunnel names + +From: Eric Dumazet + + +[ Upstream commit b95211e066fc3494b7c115060b2297b4ba21f025 ] + +Use dev_valid_name() to make sure user does not provide illegal +device name. + +syzbot caught the following bug : + +BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline] +BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 +Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453 + +CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x1b9/0x29f lib/dump_stack.c:53 + print_address_description+0x6c/0x20b mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412 + check_memory_region_inline mm/kasan/kasan.c:260 [inline] + check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267 + memcpy+0x37/0x50 mm/kasan/kasan.c:303 + strlcpy include/linux/string.h:300 [inline] + ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254 + ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221 + dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334 + dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525 + sock_ioctl+0x47e/0x680 net/socket.c:1015 + vfs_ioctl fs/ioctl.c:46 [inline] + file_ioctl fs/ioctl.c:500 [inline] + do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684 + ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701 + SYSC_ioctl fs/ioctl.c:708 [inline] + SyS_ioctl+0x24/0x30 fs/ioctl.c:706 + do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/sit.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -244,11 +244,13 @@ static struct ip_tunnel *ipip6_tunnel_lo + if (!create) + goto failed; + +- if (parms->name[0]) ++ if (parms->name[0]) { ++ if (!dev_valid_name(parms->name)) ++ goto failed; + strlcpy(name, parms->name, IFNAMSIZ); +- else ++ } else { + strcpy(name, "sit%d"); +- ++ } + dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, + ipip6_tunnel_setup); + if (dev == NULL) diff --git a/queue-3.18/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch b/queue-3.18/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch new file mode 100644 index 00000000000..7868552f892 --- /dev/null +++ b/queue-3.18/ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch 
@@ -0,0 +1,121 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Paolo Abeni +Date: Fri, 23 Mar 2018 14:47:30 +0100 +Subject: ipv6: the entire IPv6 header chain must fit the first fragment + +From: Paolo Abeni + + +[ Upstream commit 10b8a3de603df7b96004179b1b33b1708c76d144 ] + +While building ipv6 datagram we currently allow arbitrary large +extheaders, even beyond pmtu size. The syzbot has found a way +to exploit the above to trigger the following splat: + +kernel BUG at ./include/linux/skbuff.h:2073! +invalid opcode: 0000 [#1] SMP KASAN +Dumping ftrace buffer: + (ftrace buffer empty) +Modules linked in: +CPU: 1 PID: 4230 Comm: syzkaller672661 Not tainted 4.16.0-rc2+ #326 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS +Google 01/01/2011 +RIP: 0010:__skb_pull include/linux/skbuff.h:2073 [inline] +RIP: 0010:__ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 +RSP: 0018:ffff8801bc18f0f0 EFLAGS: 00010293 +RAX: ffff8801b17400c0 RBX: 0000000000000738 RCX: ffffffff84f01828 +RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801b415ac18 +RBP: ffff8801bc18f360 R08: ffff8801b4576844 R09: 0000000000000000 +R10: ffff8801bc18f380 R11: ffffed00367aee4e R12: 00000000000000d6 +R13: ffff8801b415a740 R14: dffffc0000000000 R15: ffff8801b45767c0 +FS: 0000000001535880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 000000002000b000 CR3: 00000001b4123001 CR4: 00000000001606e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + ip6_finish_skb include/net/ipv6.h:969 [inline] + udp_v6_push_pending_frames+0x269/0x3b0 net/ipv6/udp.c:1073 + udpv6_sendmsg+0x2a96/0x3400 net/ipv6/udp.c:1343 + inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764 + sock_sendmsg_nosec net/socket.c:630 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:640 + ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046 + 
__sys_sendmmsg+0x1ee/0x620 net/socket.c:2136 + SYSC_sendmmsg net/socket.c:2167 [inline] + SyS_sendmmsg+0x35/0x60 net/socket.c:2162 + do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287 + entry_SYSCALL_64_after_hwframe+0x42/0xb7 +RIP: 0033:0x4404c9 +RSP: 002b:00007ffdce35f948 EFLAGS: 00000217 ORIG_RAX: 0000000000000133 +RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404c9 +RDX: 0000000000000003 RSI: 0000000020001f00 RDI: 0000000000000003 +RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8 +R10: 0000000020000080 R11: 0000000000000217 R12: 0000000000401df0 +R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000 +Code: ff e8 1d 5e b9 fc e9 15 e9 ff ff e8 13 5e b9 fc e9 44 e8 ff ff e8 29 +5e b9 fc e9 c0 e6 ff ff e8 3f f3 80 fc 0f 0b e8 38 f3 80 fc <0f> 0b 49 8d +87 80 00 00 00 4d 8d 87 84 00 00 00 48 89 85 20 fe +RIP: __skb_pull include/linux/skbuff.h:2073 [inline] RSP: ffff8801bc18f0f0 +RIP: __ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 RSP: +ffff8801bc18f0f0 + +As stated by RFC 7112 section 5: + + When a host fragments an IPv6 datagram, it MUST include the entire + IPv6 Header Chain in the First Fragment. + +So this patch addresses the issue dropping datagrams with excessive +extheader length. It also updates the error path to report to the +calling socket nonnegative pmtu values. + +The issue apparently predates git history. + +v1 -> v2: cleanup error path, as per Eric's suggestion + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com +Signed-off-by: Paolo Abeni +Reviewed-by: Eric Dumazet +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/ip6_output.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1151,7 +1151,7 @@ int ip6_append_data(struct sock *sk, int + struct ipv6_pinfo *np = inet6_sk(sk); + struct inet_cork *cork; + struct sk_buff *skb, *skb_prev = NULL; +- unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu; ++ unsigned int maxfraglen, fragheaderlen, mtu, orig_mtu, pmtu; + int exthdrlen; + int dst_exthdrlen; + int hh_len; +@@ -1259,6 +1259,12 @@ int ip6_append_data(struct sock *sk, int + else + maxnonfragsize = mtu; + ++ /* as per RFC 7112 section 5, the entire IPv6 Header Chain must fit ++ * the first fragment ++ */ ++ if (headersize + transhdrlen > mtu) ++ goto emsgsize; ++ + /* dontfrag active */ + if ((cork->length + length > mtu - headersize) && dontfrag && + (sk->sk_protocol == IPPROTO_UDP || +@@ -1270,9 +1276,8 @@ int ip6_append_data(struct sock *sk, int + + if (cork->length + length > maxnonfragsize - headersize) { + emsgsize: +- ipv6_local_error(sk, EMSGSIZE, fl6, +- mtu - headersize + +- sizeof(struct ipv6hdr)); ++ pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0); ++ ipv6_local_error(sk, EMSGSIZE, fl6, pmtu); + return -EMSGSIZE; + } + } diff --git a/queue-3.18/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch b/queue-3.18/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch new file mode 100644 index 00000000000..ca9fb1b95dc --- /dev/null +++ b/queue-3.18/net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch 
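Review bot: `pmtu = max_t(int, mtu - headersize + sizeof(struct ipv6hdr), 0)` only clamps because the size_t result of the subtraction wraps and is then reinterpreted as a negative int by the cast inside max_t; that is subtle enough to deserve a comment on the line, e.g. `/* headersize may exceed mtu once the RFC 7112 check above fires; report 0 rather than a wrapped value */`. The new `goto emsgsize` also jumps into the body of the later `if (cork->length + length > maxnonfragsize - headersize)` block, which is legal C but easy to misread, so naming the label's purpose in that comment helps. ip6_append_data begins and ends outside the hunk.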
@@ -0,0 +1,59 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Eric Dumazet +Date: Mon, 26 Mar 2018 08:08:07 -0700 +Subject: net: fix possible out-of-bound read in skb_network_protocol() + +From: Eric Dumazet + + +[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ] + +skb mac header is not necessarily set at the time skb_network_protocol() +is called. Use skb->data instead. + +BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739 +Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242 + +CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:17 [inline] + dump_stack+0x194/0x24d lib/dump_stack.c:53 + print_address_description+0x73/0x250 mm/kasan/report.c:256 + kasan_report_error mm/kasan/report.c:354 [inline] + kasan_report+0x23c/0x360 mm/kasan/report.c:412 + __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443 + skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739 + harmonize_features net/core/dev.c:2924 [inline] + netif_skb_features+0x509/0x9b0 net/core/dev.c:3011 + validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084 + validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142 + packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256 + packet_snd net/packet/af_packet.c:2944 [inline] + packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969 + sock_sendmsg_nosec net/socket.c:629 [inline] + sock_sendmsg+0xca/0x110 net/socket.c:639 + ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047 + __sys_sendmsg+0xe5/0x210 net/socket.c:2081 + +Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()") +Signed-off-by: Eric Dumazet +Cc: Pravin B Shelar +Reported-by: Reported-by: syzbot +Signed-off-by: David S. 
Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2372,7 +2372,7 @@ __be16 skb_network_protocol(struct sk_bu + if (unlikely(!pskb_may_pull(skb, sizeof(struct ethhdr)))) + return 0; + +- eth = (struct ethhdr *)skb_mac_header(skb); ++ eth = (struct ethhdr *)skb->data; + type = eth->h_proto; + } + diff --git a/queue-3.18/net-fool-proof-dev_valid_name.patch b/queue-3.18/net-fool-proof-dev_valid_name.patch new file mode 100644 index 00000000000..99ccc6f45d4 --- /dev/null +++ b/queue-3.18/net-fool-proof-dev_valid_name.patch @@ -0,0 +1,32 @@ +From foo@baz Wed Apr 11 15:07:37 CEST 2018 +From: Eric Dumazet +Date: Thu, 5 Apr 2018 06:39:26 -0700 +Subject: net: fool proof dev_valid_name() + +From: Eric Dumazet + + +[ Upstream commit a9d48205d0aedda021fc3728972a9e9934c2b9de ] + +We want to use dev_valid_name() to validate tunnel names, +so better use strnlen(name, IFNAMSIZ) than strlen(name) to make +sure to not upset KASAN. + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -937,7 +937,7 @@ bool dev_valid_name(const char *name) + { + if (*name == '\0') + return false; +- if (strlen(name) >= IFNAMSIZ) ++ if (strnlen(name, IFNAMSIZ) == IFNAMSIZ) + return false; + if (!strcmp(name, ".") || !strcmp(name, "..")) + return false; diff --git a/queue-3.18/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch b/queue-3.18/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch new file mode 100644 index 00000000000..85a97418f38 --- /dev/null +++ b/queue-3.18/net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch 
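Review bot: The reason `skb->data` replaces `skb_mac_header(skb)` lives only in the commit message; a comment on the new line, e.g. `/* mac header may not be set yet; after the pull above the ethhdr is at skb->data */`, would keep that invariant next to the cast and tie it to the `pskb_may_pull(skb, sizeof(struct ethhdr))` check two lines up that makes the access bounded. skb_network_protocol begins and ends outside the hunk.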
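Review bot: The switch to `strnlen(name, IFNAMSIZ) == IFNAMSIZ` is correct but the follow-on property it establishes is not written down: any name that passes has a NUL within IFNAMSIZ, which is what keeps the `strcmp(name, ".")` calls below bounded even for callers that hand in a fixed-size, possibly unterminated buffer; a comment such as `/* bounded: a name that passes here has a NUL within IFNAMSIZ, so the strcmp()s below are safe */` would record that. dev_valid_name continues past the end of the hunk.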
@@ -0,0 +1,75 @@
+From foo@baz Wed Apr 11 14:31:43 CEST 2018
+From: Craig Dillabaugh
+Date: Mon, 26 Mar 2018 14:58:32 -0400
+Subject: net sched actions: fix dumping which requires several messages to user space
+
+From: Craig Dillabaugh
+
+
+[ Upstream commit 734549eb550c0c720bc89e50501f1b1e98cdd841 ]
+
+Fixes a bug in the tcf_dump_walker function that can cause some actions
+to not be reported when dumping a large number of actions. This issue
+became more aggrevated when cookies feature was added. In particular
+this issue is manifest when large cookie values are assigned to the
+actions and when enough actions are created that the resulting table
+must be dumped in multiple batches.
+
+The number of actions returned in each batch is limited by the total
+number of actions and the memory buffer size. With small cookies
+the numeric limit is reached before the buffer size limit, which avoids
+the code path triggering this bug. When large cookies are used buffer
+fills before the numeric limit, and the erroneous code path is hit.
+
+For example after creating 32 csum actions with the cookie
+aaaabbbbccccdddd
+
+$ tc actions ls action csum
+total acts 26
+
+ action order 0: csum (tcp) action continue
+ index 1 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ .....
+
+ action order 25: csum (tcp) action continue
+ index 26 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+total acts 6
+
+ action order 0: csum (tcp) action continue
+ index 28 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+ ......
+
+ action order 5: csum (tcp) action continue
+ index 32 ref 1 bind 0
+ cookie aaaabbbbccccdddd
+
+Note that the action with index 27 is omitted from the report.
+
+Fixes: 4b3550ef530c ("[NET_SCHED]: Use nla_nest_start/nla_nest_end")"
+Signed-off-by: Craig Dillabaugh
+Acked-by: Jamal Hadi Salim
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sched/act_api.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_api.c
++++ b/net/sched/act_api.c
+@@ -92,8 +92,10 @@ static int tcf_dump_walker(struct sk_buf
+ a->order = n_i;
+
+ nest = nla_nest_start(skb, a->order);
+- if (nest == NULL)
++ if (nest == NULL) {
++ index--;
+ goto nla_put_failure;
++ }
+ err = tcf_action_dump_1(skb, a, 0, 0);
+ if (err < 0) {
+ index--;
diff --git a/queue-3.18/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch b/queue-3.18/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
new file mode 100644
index 00000000000..70e02f09ff6
--- /dev/null
+++ b/queue-3.18/netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
@@ -0,0 +1,35 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Alexander Potapenko
+Date: Fri, 23 Mar 2018 13:49:02 +0100
+Subject: netlink: make sure nladdr has correct size in netlink_connect()
+
+From: Alexander Potapenko
+
+
+[ Upstream commit 7880287981b60a6808f39f297bb66936e8bdf57a ]
+
+KMSAN reports use of uninitialized memory in the case when |alen| is
+smaller than sizeof(struct sockaddr_nl), and therefore |nladdr| isn't
+fully copied from the userspace.
+
+Signed-off-by: Alexander Potapenko
+Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2")
+Reviewed-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/netlink/af_netlink.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netlink/af_netlink.c
++++ b/net/netlink/af_netlink.c
+@@ -977,6 +977,9 @@ static int netlink_connect(struct socket
+ if (addr->sa_family != AF_NETLINK)
+ return -EINVAL;
+
++ if (alen < sizeof(struct sockaddr_nl))
++ return -EINVAL;
++
+ if ((nladdr->nl_groups || nladdr->nl_pid) &&
+ !netlink_allowed(sock, NL_CFG_F_NONROOT_SEND))
+ return -EPERM;
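Review bot: The added `index--;` in the `nest == NULL` branch carries no comment, and neither does the identical decrement in the `err < 0` branch right below it, so the reason (this action was not emitted, and the next batch must restart at it — which is how index 27 went missing) lives only in the commit message. A comment on the new branch, `/* not emitted: rewind so the next batch resends this action */`, would keep the two paths from being "simplified" independently. Folding the nla_nest_start failure into the existing `err < 0` block would remove the duplication, but that block's cleanup runs past the end of the hunk and may act on nest, so I can't confirm it is safe with a NULL nest.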
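Review bot: The new `if (alen < sizeof(struct sockaddr_nl))` check sits after `addr->sa_family` has already been compared, so that compare still reads from a possibly partially-copied sockaddr whenever alen is smaller than sizeof(sa_family_t). Unless the caller is known to reject such short lengths, moving the length check above the sa_family compare closes the same class of uninitialized read for that field at no cost; the ordering is a one-line swap. netlink_connect begins outside the hunk, so I can't see whether an earlier check already covers it.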
diff --git a/queue-3.18/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch b/queue-3.18/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
new file mode 100644
index 00000000000..18af72b8563
--- /dev/null
+++ b/queue-3.18/pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
@@ -0,0 +1,115 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet
+Date: Mon, 2 Apr 2018 18:48:37 -0700
+Subject: pptp: remove a buggy dst release in pptp_connect()
+
+From: Eric Dumazet
+
+
+[ Upstream commit bfacfb457b36911a10140b8cb3ce76a74883ac5a ]
+
+Once dst has been cached in socket via sk_setup_caps(),
+it is illegal to call ip_rt_put() (or dst_release()),
+since sk_setup_caps() did not change dst refcount.
+
+We can still dereference it since we hold socket lock.
+
+Caugth by syzbot :
+
+BUG: KASAN: use-after-free in atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+BUG: KASAN: use-after-free in dst_release+0x27/0xa0 net/core/dst.c:185
+Write of size 4 at addr ffff8801c54dc040 by task syz-executor4/20088
+
+CPU: 1 PID: 20088 Comm: syz-executor4 Not tainted 4.16.0+ #376
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x1a7/0x27d lib/dump_stack.c:53
+ print_address_description+0x73/0x250 mm/kasan/report.c:256
+ kasan_report_error mm/kasan/report.c:354 [inline]
+ kasan_report+0x23c/0x360 mm/kasan/report.c:412
+ check_memory_region_inline mm/kasan/kasan.c:260 [inline]
+ check_memory_region+0x137/0x190 mm/kasan/kasan.c:267
+ kasan_check_write+0x14/0x20 mm/kasan/kasan.c:278
+ atomic_dec_return include/asm-generic/atomic-instrumented.h:198 [inline]
+ dst_release+0x27/0xa0 net/core/dst.c:185
+ sk_dst_set include/net/sock.h:1812 [inline]
+ sk_dst_reset include/net/sock.h:1824 [inline]
+ sock_setbindtodevice net/core/sock.c:610 [inline]
+ sock_setsockopt+0x431/0x1b20 net/core/sock.c:707
+ SYSC_setsockopt net/socket.c:1845 [inline]
+ SyS_setsockopt+0x2ff/0x360 net/socket.c:1828
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+RIP: 0033:0x4552d9
+RSP: 002b:00007f4878126c68 EFLAGS: 00000246 ORIG_RAX: 0000000000000036
+RAX: ffffffffffffffda RBX: 00007f48781276d4 RCX: 00000000004552d9
+RDX: 0000000000000019 RSI: 0000000000000001 RDI: 0000000000000013
+RBP: 000000000072bea0 R08: 0000000000000010 R09: 0000000000000000
+R10: 00000000200010c0 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000526 R14: 00000000006fac30 R15: 0000000000000000
+
+Allocated by task 20088:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ kasan_kmalloc+0xad/0xe0 mm/kasan/kasan.c:552
+ kasan_slab_alloc+0x12/0x20 mm/kasan/kasan.c:489
+ kmem_cache_alloc+0x12e/0x760 mm/slab.c:3542
+ dst_alloc+0x11f/0x1a0 net/core/dst.c:104
+ rt_dst_alloc+0xe9/0x540 net/ipv4/route.c:1520
+ __mkroute_output net/ipv4/route.c:2265 [inline]
+ ip_route_output_key_hash_rcu+0xa49/0x2c60 net/ipv4/route.c:2493
+ ip_route_output_key_hash+0x20b/0x370 net/ipv4/route.c:2322
+ __ip_route_output_key include/net/route.h:126 [inline]
+ ip_route_output_flow+0x26/0xa0 net/ipv4/route.c:2577
+ ip_route_output_ports include/net/route.h:163 [inline]
+ pptp_connect+0xa84/0x1170 drivers/net/ppp/pptp.c:453
+ SYSC_connect+0x213/0x4a0 net/socket.c:1639
+ SyS_connect+0x24/0x30 net/socket.c:1620
+ do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x42/0xb7
+
+Freed by task 20082:
+ save_stack+0x43/0xd0 mm/kasan/kasan.c:447
+ set_track mm/kasan/kasan.c:459 [inline]
+ __kasan_slab_free+0x11a/0x170 mm/kasan/kasan.c:520
+ kasan_slab_free+0xe/0x10 mm/kasan/kasan.c:527
+ __cache_free mm/slab.c:3486 [inline]
+ kmem_cache_free+0x83/0x2a0 mm/slab.c:3744
+ dst_destroy+0x266/0x380 net/core/dst.c:140
+ dst_destroy_rcu+0x16/0x20 net/core/dst.c:153
+ __rcu_reclaim kernel/rcu/rcu.h:178 [inline]
+ rcu_do_batch kernel/rcu/tree.c:2675 [inline]
+ invoke_rcu_callbacks kernel/rcu/tree.c:2930 [inline]
+ __rcu_process_callbacks kernel/rcu/tree.c:2897 [inline]
+ rcu_process_callbacks+0xd6c/0x17b0 kernel/rcu/tree.c:2914
+ __do_softirq+0x2d7/0xb85 kernel/softirq.c:285
+
+The buggy address belongs to the object at ffff8801c54dc000
+ which belongs to the cache ip_dst_cache of size 168
+The buggy address is located 64 bytes inside of
+ 168-byte region [ffff8801c54dc000, ffff8801c54dc0a8)
+The buggy address belongs to the page:
+page:ffffea0007153700 count:1 mapcount:0 mapping:ffff8801c54dc000 index:0x0
+flags: 0x2fffc0000000100(slab)
+raw: 02fffc0000000100 ffff8801c54dc000 0000000000000000 0000000100000010
+raw: ffffea0006b34b20 ffffea0006b6c1e0 ffff8801d674a1c0 0000000000000000
+page dumped because: kasan: bad access detected
+
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ppp/pptp.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/net/ppp/pptp.c
++++ b/drivers/net/ppp/pptp.c
+@@ -488,7 +488,6 @@ static int pptp_connect(struct socket *s
+ po->chan.mtu = dst_mtu(&rt->dst);
+ if (!po->chan.mtu)
+ po->chan.mtu = PPP_MRU;
+- ip_rt_put(rt);
+ po->chan.mtu -= PPTP_HEADER_OVERHEAD;
+
+ po->chan.hdrlen = 2 + sizeof(struct pptp_gre_header);
diff --git a/queue-3.18/r8169-fix-setting-driver_data-after-register_netdev.patch b/queue-3.18/r8169-fix-setting-driver_data-after-register_netdev.patch
new file mode 100644
index 00000000000..85ea3d20935
--- /dev/null
+++ b/queue-3.18/r8169-fix-setting-driver_data-after-register_netdev.patch
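Review bot: Dropping `ip_rt_put(rt);` is the right fix per the commit message, but the surviving `dst_mtu(&rt->dst)` use now silently depends on the socket owning the reference through sk_setup_caps(), which is not visible in the hunk, so nothing stops someone from re-adding the release later. A comment where the call used to be would record the ownership: `/* rt is now owned by sk (sk_setup_caps); do not ip_rt_put() it here */`. The sk_setup_caps() call and any later error paths of pptp_connect are outside the hunk, so I can't confirm none of them still release rt separately.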
@@ -0,0 +1,50 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Heiner Kallweit
+Date: Mon, 26 Mar 2018 19:19:30 +0200
+Subject: r8169: fix setting driver_data after register_netdev
+
+From: Heiner Kallweit
+
+
+[ Upstream commit 19c9ea363a244f85f90a424f9936e6d56449e33c ]
+
+pci_set_drvdata() is called only after registering the net_device,
+therefore we could run into a NPE if one of the functions using
+driver_data is called before it's set.
+
+Fix this by calling pci_set_drvdata() before registering the
+net_device.
+
+This fix is a candidate for stable. As far as I can see the
+bug has been there in kernel version 3.2 already, therefore
+I can't provide a reference which commit is fixed by it.
+
+The fix may need small adjustments per kernel version because
+due to other changes the label which is jumped to if
+register_netdev() fails has changed over time.
+
+Reported-by: David Miller
+Signed-off-by: Heiner Kallweit
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/realtek/r8169.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/realtek/r8169.c
++++ b/drivers/net/ethernet/realtek/r8169.c
+@@ -8278,12 +8278,12 @@ static int rtl_init_one(struct pci_dev *
+
+ tp->rtl_fw = RTL_FIRMWARE_UNKNOWN;
+
++ pci_set_drvdata(pdev, dev);
++
+ rc = register_netdev(dev);
+ if (rc < 0)
+ goto err_out_msi_4;
+
+- pci_set_drvdata(pdev, dev);
+-
+ netif_info(tp, probe, dev, "%s at 0x%p, %pM, XID %08x IRQ %d\n",
+ rtl_chip_infos[chipset].name, ioaddr, dev->dev_addr,
+ (u32)(RTL_R32(TxConfig) & 0x9cf0f8ff), pdev->irq);
diff --git a/queue-3.18/sctp-do-not-leak-kernel-memory-to-user-space.patch b/queue-3.18/sctp-do-not-leak-kernel-memory-to-user-space.patch
new file mode 100644
index 00000000000..486ea57c64f
--- /dev/null
+++ b/queue-3.18/sctp-do-not-leak-kernel-memory-to-user-space.patch
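Review bot: With `pci_set_drvdata(pdev, dev);` now ahead of register_netdev(), the `goto err_out_msi_4` failure path leaves driver_data pointing at a net_device that the error path presumably frees; if the driver core in this tree does not clear drvdata on probe failure, anything that reads it afterwards sees a dangling pointer rather than the NULL it saw before this change. Either rely on the core explicitly, with a comment at the new call such as `/* must precede register_netdev(); the core clears drvdata if probe fails */`, or reset it on the error path. The err_out_msi_4 label is outside the hunk, so this is unverified from here.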
@@ -0,0 +1,95 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet
+Date: Sat, 7 Apr 2018 17:15:22 -0700
+Subject: sctp: do not leak kernel memory to user space
+
+From: Eric Dumazet
+
+
+[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ]
+
+syzbot produced a nice report [1]
+
+Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
+to user space, because sin_zero (padding field) was not properly cleared.
+
+[1]
+BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
+BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
+CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x4401c9
+RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
+RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
+R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
+R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----addr@___sys_recvmsg
+Variable was created at:
+ ___sys_recvmsg+0xd5/0x810 net/socket.c:2172
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+
+Bytes 8-15 of 16 are uninitialized
+
+==================================================================
+Kernel panic - not syncing: panic_on_warn set ...
+
+CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G B 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ panic+0x39d/0x940 kernel/panic.c:183
+ kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
+ kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
+ kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
+ copy_to_user include/linux/uaccess.h:184 [inline]
+ move_addr_to_user+0x32e/0x530 net/socket.c:227
+ ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
+ __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
+ SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
+ SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet
+Cc: Vlad Yasevich
+Cc: Neil Horman
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/ipv6.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/sctp/ipv6.c
++++ b/net/sctp/ipv6.c
+@@ -722,8 +722,10 @@ static int sctp_v6_addr_to_user(struct s
+ sctp_v6_map_v4(addr);
+ }
+
+- if (addr->sa.sa_family == AF_INET)
++ if (addr->sa.sa_family == AF_INET) {
++ memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));
+ return sizeof(struct sockaddr_in);
++ }
+ return sizeof(struct sockaddr_in6);
+ }
+
diff --git a/queue-3.18/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch b/queue-3.18/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
new file mode 100644
index 00000000000..fb4a4b1da64
--- /dev/null
+++ b/queue-3.18/sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
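Review bot: The new `memset(addr->v4.sin_zero, 0, sizeof(addr->v4.sin_zero));` clears the padding of the AF_INET form just before its length is returned for the copy to user space, but nothing at the call says why, and a padding-only memset is exactly the kind of line a later cleanup removes as "dead". A comment such as `/* sin_zero is copied to userspace: clear it so no kernel stack bytes leak */` would keep the intent visible. The AF_INET6 path two lines below returns sizeof(struct sockaddr_in6) without any equivalent clearing; whether every byte of that form is written earlier in sctp_v6_addr_to_user is not visible in the hunk, so that is only worth a glance rather than a claim.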
@@ -0,0 +1,76 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet
+Date: Sun, 8 Apr 2018 07:52:08 -0700
+Subject: sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
+
+From: Eric Dumazet
+
+
+[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]
+
+Check must happen before call to ipv6_addr_v4mapped()
+
+syzbot report was :
+
+BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:17 [inline]
+ dump_stack+0x185/0x1d0 lib/dump_stack.c:53
+ kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
+ __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
+ sctp_sockaddr_af net/sctp/socket.c:359 [inline]
+ sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
+ sctp_bind+0x149/0x190 net/sctp/socket.c:332
+ inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
+ SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
+ SyS_bind+0x54/0x80 net/socket.c:1460
+ do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
+ entry_SYSCALL_64_after_hwframe+0x3d/0xa2
+RIP: 0033:0x43fd49
+RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
+RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
+RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
+RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
+R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
+R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000
+
+Local variable description: ----address@SYSC_bind
+Variable was created at:
+ SYSC_bind+0x6f/0x4b0 net/socket.c:1461
+ SyS_bind+0x54/0x80 net/socket.c:1460
+
+Signed-off-by: Eric Dumazet
+Cc: Vlad Yasevich
+Cc: Neil Horman
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/sctp/socket.c | 13 ++++++++-----
+ 1 file changed, 8 insertions(+), 5 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -336,11 +336,14 @@ static struct sctp_af *sctp_sockaddr_af(
+ if (!opt->pf->af_supported(addr->sa.sa_family, opt))
+ return NULL;
+
+- /* V4 mapped address are really of AF_INET family */
+- if (addr->sa.sa_family == AF_INET6 &&
+- ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
+- !opt->pf->af_supported(AF_INET, opt))
+- return NULL;
++ if (addr->sa.sa_family == AF_INET6) {
++ if (len < SIN6_LEN_RFC2133)
++ return NULL;
++ /* V4 mapped address are really of AF_INET family */
++ if (ipv6_addr_v4mapped(&addr->v6.sin6_addr) &&
++ !opt->pf->af_supported(AF_INET, opt))
++ return NULL;
++ }
+
+ /* If we get this far, af is valid. */
+ af = sctp_get_af_specific(addr->sa.sa_family);
diff --git a/queue-3.18/series b/queue-3.18/series
index ba642543480..8df7d38fdb2 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
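Review bot: `if (len < SIN6_LEN_RFC2133)` is checked only inside the AF_INET6 branch, while the `af_supported(addr->sa.sa_family, opt)` call above it already reads sa_family from the same caller-supplied buffer and the AF_INET path has no visible minimum-length test; if the rest of sctp_sockaddr_af does not compare len against the family's sockaddr_len before addr is used further, a matching check is needed there too. The function's head and tail are outside the hunk, so this may already be covered. A one-line comment at the new test, `/* need the full sin6_addr before ipv6_addr_v4mapped() reads it */`, would record why the length check must precede the v4mapped test, which the reordering otherwise leaves implicit.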
@@ -100,3 +100,22 @@ virtio_net-check-return-value-of-skb_to_sgvec-always.patch
 virtio_net-check-return-value-of-skb_to_sgvec-in-one-more-location.patch
 random-use-lockless-method-of-accessing-and-updating-f-reg_idx.patch
 futex-remove-requirement-for-lock_page-in-get_futex_key.patch
+net-fix-possible-out-of-bound-read-in-skb_network_protocol.patch
+netlink-make-sure-nladdr-has-correct-size-in-netlink_connect.patch
+pptp-remove-a-buggy-dst-release-in-pptp_connect.patch
+sctp-do-not-leak-kernel-memory-to-user-space.patch
+sctp-sctp_sockaddr_af-must-check-minimal-addr-length-for-af_inet6.patch
+sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
+vhost-correctly-remove-wait-queue-during-poll-failure.patch
+bonding-fix-the-err-path-for-dev-hwaddr-sync-in-bond_enslave.patch
+bonding-move-dev_mc_sync-after-master_upper_dev_link-in-bond_enslave.patch
+bonding-process-the-err-returned-by-dev_set_allmulti-properly-in-bond_enslave.patch
+net-fool-proof-dev_valid_name.patch
+ip_tunnel-better-validate-user-provided-tunnel-names.patch
+ipv6-sit-better-validate-user-provided-tunnel-names.patch
+ip6_gre-better-validate-user-provided-tunnel-names.patch
+vti6-better-validate-user-provided-tunnel-names.patch
+ip6_tunnel-better-validate-user-provided-tunnel-names.patch
+r8169-fix-setting-driver_data-after-register_netdev.patch
+net-sched-actions-fix-dumping-which-requires-several-messages-to-user-space.patch
+ipv6-the-entire-ipv6-header-chain-must-fit-the-first-fragment.patch
diff --git a/queue-3.18/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch b/queue-3.18/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
new file mode 100644
index 00000000000..d04df190529
--- /dev/null
+++ b/queue-3.18/sky2-increase-d3-delay-to-sky2-stops-working-after-suspend.patch
@@ -0,0 +1,36 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Kai-Heng Feng
+Date: Sat, 31 Mar 2018 23:42:03 +0800
+Subject: sky2: Increase D3 delay to sky2 stops working after suspend
+
+From: Kai-Heng Feng
+
+
+[ Upstream commit afb133637071be6deeb8b3d0e55593ffbf63c527 ]
+
+The sky2 ethernet stops working after system resume from suspend:
+[ 582.852065] sky2 0000:04:00.0: Refused to change power state, currently in D3
+
+The current 150ms delay is not enough, change it to 200ms can solve the
+issue.
+
+BugLink: https://bugs.launchpad.net/bugs/1758507
+Cc: Stable
+Signed-off-by: Kai-Heng Feng
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/ethernet/marvell/sky2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/marvell/sky2.c
++++ b/drivers/net/ethernet/marvell/sky2.c
+@@ -5069,7 +5069,7 @@ static int sky2_probe(struct pci_dev *pd
+ INIT_WORK(&hw->restart_work, sky2_restart);
+
+ pci_set_drvdata(pdev, hw);
+- pdev->d3_delay = 150;
++ pdev->d3_delay = 200;
+
+ return 0;
+
diff --git a/queue-3.18/vhost-correctly-remove-wait-queue-during-poll-failure.patch b/queue-3.18/vhost-correctly-remove-wait-queue-during-poll-failure.patch
new file mode 100644
index 00000000000..e9d1c846163
--- /dev/null
+++ b/queue-3.18/vhost-correctly-remove-wait-queue-during-poll-failure.patch
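Review bot: `pdev->d3_delay = 200;` replaces one magic number with another, and nothing at the site says what the value was tuned against, so the next person tuning resume latency has no reason not to lower it again. A short comment with the symptom and the reference from the commit message, `/* 150 was too short: "Refused to change power state" after resume (LP#1758507) */`, or a named constant, would keep that history with the code. Whether other sky2 variants need a different value is not something the hunk shows.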
@@ -0,0 +1,39 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Jason Wang
+Date: Tue, 27 Mar 2018 20:50:52 +0800
+Subject: vhost: correctly remove wait queue during poll failure
+
+From: Jason Wang
+
+
+[ Upstream commit dc6455a71c7fc5117977e197f67f71b49f27baba ]
+
+We tried to remove vq poll from wait queue, but do not check whether
+or not it was in a list before. This will lead double free. Fixing
+this by switching to use vhost_poll_stop() which zeros poll->wqh after
+removing poll from waitqueue to make sure it won't be freed twice.
+
+Cc: Darren Kenny
+Reported-by: syzbot+c0272972b01b872e604a@syzkaller.appspotmail.com
+Fixes: 2b8b328b61c79 ("vhost_net: handle polling errors when setting backend")
+Signed-off-by: Jason Wang
+Reviewed-by: Darren Kenny
+Acked-by: Michael S. Tsirkin
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/vhost/vhost.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/vhost/vhost.c
++++ b/drivers/vhost/vhost.c
+@@ -96,8 +96,7 @@ int vhost_poll_start(struct vhost_poll *
+ if (mask)
+ vhost_poll_wakeup(&poll->wait, 0, 0, (void *)mask);
+ if (mask & POLLERR) {
+- if (poll->wqh)
+- remove_wait_queue(poll->wqh, &poll->wait);
++ vhost_poll_stop(poll);
+ ret = -EINVAL;
+ }
+
diff --git a/queue-3.18/vti6-better-validate-user-provided-tunnel-names.patch b/queue-3.18/vti6-better-validate-user-provided-tunnel-names.patch
new file mode 100644
index 00000000000..e601b2f182a
--- /dev/null
+++ b/queue-3.18/vti6-better-validate-user-provided-tunnel-names.patch
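Review bot: The switch to `vhost_poll_stop(poll);` relies on that helper both testing and clearing poll->wqh, which the commit message states but the hunk cannot show; if vhost_poll_stop is ever made unconditional, the removed `if (poll->wqh)` guard is gone and the double remove_wait_queue this fixes comes back through the teardown path. A comment on the new line, `/* vhost_poll_stop() clears poll->wqh so teardown won't remove it again */`, makes the dependency explicit at the use site. vhost_poll_start's head is outside the hunk, so the earlier assignment of poll->wqh that this pairs with cannot be checked here.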
@@ -0,0 +1,40 @@
+From foo@baz Wed Apr 11 15:07:37 CEST 2018
+From: Eric Dumazet
+Date: Thu, 5 Apr 2018 06:39:31 -0700
+Subject: vti6: better validate user provided tunnel names
+
+From: Eric Dumazet
+
+
+[ Upstream commit 537b361fbcbcc3cd6fe2bb47069fd292b9256d16 ]
+
+Use valid_name() to make sure user does not provide illegal
+device name.
+
+Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
+Signed-off-by: Eric Dumazet
+Cc: Steffen Klassert
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv6/ip6_vti.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/ip6_vti.c
++++ b/net/ipv6/ip6_vti.c
+@@ -195,10 +195,13 @@ static struct ip6_tnl *vti6_tnl_create(s
+ char name[IFNAMSIZ];
+ int err;
+
+- if (p->name[0])
++ if (p->name[0]) {
++ if (!dev_valid_name(p->name))
++ goto failed;
+ strlcpy(name, p->name, IFNAMSIZ);
+- else
++ } else {
+ sprintf(name, "ip6_vti%%d");
++ }
+
+ dev = alloc_netdev(sizeof(*t), name, NET_NAME_UNKNOWN, vti6_dev_setup);
+ if (dev == NULL)
-- 
2.47.3
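Review bot: The new `goto failed;` jumps out before `dev` is assigned, so it is only correct if the failed label does nothing with dev; that label is outside the hunk, and any free_netdev() there would act on an uninitialized pointer. The check also covers only the user-supplied name while the `sprintf(name, "ip6_vti%%d")` default is trusted by construction, which is fine but worth a line at the check, e.g. `/* p->name comes from userspace; reject it before it reaches alloc_netdev() */`. `err` is declared in the hunk but not set on this path, so the caller presumably distinguishes failure only by the NULL return.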