From ff74c320c865f70b4a4e608b5a190fef2cb517d3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 12 May 2020 13:54:54 +0200
Subject: [PATCH] 4.19-stable patches
added patches:
batman-adv-fix-batadv_nc_random_weight_tq.patch
batman-adv-fix-refcnt-leak-in-batadv_show_throughput_override.patch
batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
---
...n-adv-fix-batadv_nc_random_weight_tq.patch | 66 +++++++++++++++++++
...k-in-batadv_show_throughput_override.patch | 45 +++++++++++++
...-in-batadv_store_throughput_override.patch | 46 +++++++++++++
...-refcnt-leak-in-batadv_v_ogm_process.patch | 46 +++++++++++++
queue-4.19/series | 4 ++
5 files changed, 207 insertions(+)
create mode 100644 queue-4.19/batman-adv-fix-batadv_nc_random_weight_tq.patch
create mode 100644 queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_show_throughput_override.patch
create mode 100644 queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
create mode 100644 queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
diff --git a/queue-4.19/batman-adv-fix-batadv_nc_random_weight_tq.patch b/queue-4.19/batman-adv-fix-batadv_nc_random_weight_tq.patch
new file mode 100644
index 00000000000..319ecd73709
--- /dev/null
+++ b/queue-4.19/batman-adv-fix-batadv_nc_random_weight_tq.patch
@@ -0,0 +1,66 @@
+From fd0c42c4dea54335967c5a86f15fc064235a2797 Mon Sep 17 00:00:00 2001
+From: George Spelvin
+Date: Sun, 8 Mar 2020 09:44:59 -0400
+Subject: batman-adv: fix batadv_nc_random_weight_tq
+
+From: George Spelvin
+
+commit fd0c42c4dea54335967c5a86f15fc064235a2797 upstream.
+
+and change to pseudorandom numbers, as this is a traffic dithering
+operation that doesn't need crypto-grade.
+
+The previous code operated in 4 steps:
+
+1. Generate a random byte 0 <= rand_tq <= 255
+2. Multiply it by BATADV_TQ_MAX_VALUE - tq
+3. Divide by 255 (= BATADV_TQ_MAX_VALUE)
+4. Return BATADV_TQ_MAX_VALUE - rand_tq
+
+This would apperar to scale (BATADV_TQ_MAX_VALUE - tq) by a random
+value between 0/255 and 255/255.
+
+But! The intermediate value between steps 3 and 4 is stored in a u8
+variable. So it's truncated, and most of the time, is less than 255, after
+which the division produces 0. Specifically, if tq is odd, the product is
+always even, and can never be 255. If tq is even, there's exactly one
+random byte value that will produce a product byte of 255.
+
+Thus, the return value is 255 (511/512 of the time) or 254 (1/512
+of the time).
+
+If we assume that the truncation is a bug, and the code is meant to scale
+the input, a simpler way of looking at it is that it's returning a random
+value between tq and BATADV_TQ_MAX_VALUE, inclusive.
+
+Well, we have an optimized function for doing just that.
+
+Fixes: 3c12de9a5c75 ("batman-adv: network coding - code and transmit packets if possible")
+Signed-off-by: George Spelvin
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/network-coding.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/net/batman-adv/network-coding.c
++++ b/net/batman-adv/network-coding.c
+@@ -1021,15 +1021,8 @@ static struct batadv_nc_path *batadv_nc_
+ */
+ static u8 batadv_nc_random_weight_tq(u8 tq)
+ {
+- u8 rand_val, rand_tq;
+-
+- get_random_bytes(&rand_val, sizeof(rand_val));
+-
+ /* randomize the estimated packet loss (max TQ - estimated TQ) */
+- rand_tq = rand_val * (BATADV_TQ_MAX_VALUE - tq);
+-
+- /* normalize the randomized packet loss */
+- rand_tq /= BATADV_TQ_MAX_VALUE;
++ u8 rand_tq = prandom_u32_max(BATADV_TQ_MAX_VALUE + 1 - tq);
+
+ /* convert to (randomized) estimated tq again */
+ return BATADV_TQ_MAX_VALUE - rand_tq;
diff --git a/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_show_throughput_override.patch b/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_show_throughput_override.patch
new file mode 100644
index 00000000000..1b362589aca
--- /dev/null
+++ b/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_show_throughput_override.patch
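Review bot: In batadv_nc_random_weight_tq() the new `prandom_u32_max(BATADV_TQ_MAX_VALUE + 1 - tq)` line carries no comment saying that a non-cryptographic generator is deliberate or what range it yields, although the changelog explains both. I would add above it `/* dithering only, not security-relevant: rand_tq is uniform in [0, BATADV_TQ_MAX_VALUE - tq] */` so a later reader does not reuse this value where unpredictability matters. This is also a visible behaviour change for a stable tree: per the changelog the old code returned 255 or 254 almost always, whereas the new code spreads results from tq to BATADV_TQ_MAX_VALUE, so network-coding decisions that use this weight will differ after the backport. The function's closing brace and its callers are outside the hunk.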
@@ -0,0 +1,45 @@
+From f872de8185acf1b48b954ba5bd8f9bc0a0d14016 Mon Sep 17 00:00:00 2001
+From: Xiyu Yang
+Date: Wed, 15 Apr 2020 16:31:50 +0800
+Subject: batman-adv: Fix refcnt leak in batadv_show_throughput_override
+
+From: Xiyu Yang
+
+commit f872de8185acf1b48b954ba5bd8f9bc0a0d14016 upstream.
+
+batadv_show_throughput_override() invokes batadv_hardif_get_by_netdev(),
+which gets a batadv_hard_iface object from net_dev with increased refcnt
+and its reference is assigned to a local pointer 'hard_iface'.
+
+When batadv_show_throughput_override() returns, "hard_iface" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The issue happens in the normal path of
+batadv_show_throughput_override(), which forgets to decrease the refcnt
+increased by batadv_hardif_get_by_netdev() before the function returns,
+causing a refcnt leak.
+
+Fix this issue by calling batadv_hardif_put() before the
+batadv_show_throughput_override() returns in the normal path.
+
+Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces")
+Signed-off-by: Xiyu Yang
+Signed-off-by: Xin Tan
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/sysfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -1126,6 +1126,7 @@ static ssize_t batadv_show_throughput_ov
+
+ tp_override = atomic_read(&hard_iface->bat_v.throughput_override);
+
++ batadv_hardif_put(hard_iface);
+ return sprintf(buff, "%u.%u MBit\n", tp_override / 10,
+ tp_override % 10);
+ }
diff --git a/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch b/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
new file mode 100644
index 00000000000..9125904b90a
--- /dev/null
+++ b/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
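Review bot: The `return sprintf(buff, ...)` that follows the new `batadv_hardif_put(hard_iface)` in batadv_show_throughput_override() remains an unbounded write; the output is short, but assuming buff is the usual page-sized sysfs buffer, `return scnprintf(buff, PAGE_SIZE, "%u.%u MBit\n", tp_override / 10, tp_override % 10);` would make the limit explicit and is better raised upstream than folded into this backport. The put is placed after the last visible use of hard_iface, the atomic_read() into tp_override, which is the correct order. The top of the function is outside the hunk, so any earlier return taken after batadv_hardif_get_by_netdev() succeeds should be checked in the 4.19 source for the same imbalance.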
@@ -0,0 +1,46 @@
+From 6107c5da0fca8b50b4d3215e94d619d38cc4a18c Mon Sep 17 00:00:00 2001
+From: Xiyu Yang
+Date: Wed, 15 Apr 2020 16:35:21 +0800
+Subject: batman-adv: Fix refcnt leak in batadv_store_throughput_override
+
+From: Xiyu Yang
+
+commit 6107c5da0fca8b50b4d3215e94d619d38cc4a18c upstream.
+
+batadv_show_throughput_override() invokes batadv_hardif_get_by_netdev(),
+which gets a batadv_hard_iface object from net_dev with increased refcnt
+and its reference is assigned to a local pointer 'hard_iface'.
+
+When batadv_store_throughput_override() returns, "hard_iface" becomes
+invalid, so the refcount should be decreased to keep refcount balanced.
+
+The issue happens in one error path of
+batadv_store_throughput_override(). When batadv_parse_throughput()
+returns NULL, the refcnt increased by batadv_hardif_get_by_netdev() is
+not decreased, causing a refcnt leak.
+
+Fix this issue by jumping to "out" label when batadv_parse_throughput()
+returns NULL.
+
+Fixes: 0b5ecc6811bd ("batman-adv: add throughput override attribute to hard_ifaces")
+Signed-off-by: Xiyu Yang
+Signed-off-by: Xin Tan
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/sysfs.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/sysfs.c
++++ b/net/batman-adv/sysfs.c
+@@ -1093,7 +1093,7 @@ static ssize_t batadv_store_throughput_o
+ ret = batadv_parse_throughput(net_dev, buff, "throughput_override",
+ &tp_override);
+ if (!ret)
+- return count;
++ goto out;
+
+ old_tp_override = atomic_read(&hard_iface->bat_v.throughput_override);
+ if (old_tp_override == tp_override)
diff --git a/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch b/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
new file mode 100644
index 00000000000..17fbff251e6
--- /dev/null
+++ b/queue-4.19/batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
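Review bot: The parse-failure branch in batadv_store_throughput_override() now relies entirely on the `out` label, which is outside this hunk, so before applying to 4.19 it should be confirmed that the label drops the hard_iface reference and still returns `count`, as the removed `return count;` did. The branch also keeps reporting a successful write when batadv_parse_throughput() rejected the input; if that is intended, a comment such as `/* invalid value: keep the old setting, report the write as consumed */` above `goto out;` would say so. Whether the rejected write should return an error instead is a question for upstream, not for this backport.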
@@ -0,0 +1,46 @@
+From 6f91a3f7af4186099dd10fa530dd7e0d9c29747d Mon Sep 17 00:00:00 2001
+From: Xiyu Yang
+Date: Mon, 20 Apr 2020 13:37:20 +0800
+Subject: batman-adv: Fix refcnt leak in batadv_v_ogm_process
+
+From: Xiyu Yang
+
+commit 6f91a3f7af4186099dd10fa530dd7e0d9c29747d upstream.
+
+batadv_v_ogm_process() invokes batadv_hardif_neigh_get(), which returns
+a reference of the neighbor object to "hardif_neigh" with increased
+refcount.
+
+When batadv_v_ogm_process() returns, "hardif_neigh" becomes invalid, so
+the refcount should be decreased to keep refcount balanced.
+
+The reference counting issue happens in one exception handling paths of
+batadv_v_ogm_process(). When batadv_v_ogm_orig_get() fails to get the
+orig node and returns NULL, the refcnt increased by
+batadv_hardif_neigh_get() is not decreased, causing a refcnt leak.
+
+Fix this issue by jumping to "out" label when batadv_v_ogm_orig_get()
+fails to get the orig node.
+
+Fixes: 9323158ef9f4 ("batman-adv: OGMv2 - implement originators logic")
+Signed-off-by: Xiyu Yang
+Signed-off-by: Xin Tan
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/bat_v_ogm.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/batman-adv/bat_v_ogm.c
++++ b/net/batman-adv/bat_v_ogm.c
+@@ -735,7 +735,7 @@ static void batadv_v_ogm_process(const s
+
+ orig_node = batadv_v_ogm_orig_get(bat_priv, ogm_packet->orig);
+ if (!orig_node)
+- return;
++ goto out;
+
+ neigh_node = batadv_neigh_node_get_or_create(orig_node, if_incoming,
+ ethhdr->h_source);
diff --git a/queue-4.19/series b/queue-4.19/series
index 1dd8975120e..bef7adb9a41 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
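Review bot: The new `goto out;` in batadv_v_ogm_process() is taken with orig_node NULL and before neigh_node is assigned on the following line, so the cleanup under `out` must NULL-check every pointer it releases and those locals must be initialised to NULL where they are declared. Neither the declarations nor the label are visible in this hunk, so this should be confirmed against the 4.19 version of the function before the patch is applied; a put on an uninitialised pointer would trade the leak for memory corruption. If the label does guard each put, a short comment at the jump such as `/* only hardif_neigh is held here; out: skips NULL pointers */` would record the assumption.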
@@ -30,3 +30,7 @@ staging-gasket-check-the-return-value-of-gasket_get_bar_index.patch
 coredump-fix-crash-when-umh-is-disabled.patch
 kvm-vmx-explicitly-reference-rcx-as-the-vmx_vcpu-pointer-in-asm-blobs.patch
 kvm-vmx-mark-rcx-rdx-and-rsi-as-clobbered-in-vmx_vcpu_run-s-asm-blob.patch
+batman-adv-fix-batadv_nc_random_weight_tq.patch
+batman-adv-fix-refcnt-leak-in-batadv_show_throughput_override.patch
+batman-adv-fix-refcnt-leak-in-batadv_store_throughput_override.patch
+batman-adv-fix-refcnt-leak-in-batadv_v_ogm_process.patch
--
2.47.3