authorTakashi Iwai <tiwai@suse.de>2019-03-21 15:31:24 +0100
committerTakashi Iwai <tiwai@suse.de>2019-03-21 15:31:24 +0100
commitf0f7b07b38e1c1ab247225f0eb281fc369e0e4d4 (patch)
treee19fec748840b04db6122be3dca8a51a135c56b6
parent464fcbac9f0941111de4f697da4a097d4acd32b9 (diff)
parent07d85fc90ec99381190dd2f4bf7f646b427cd044 (diff)
Merge branch 'users/dkirjanov/SLE15/for-next' into SLE15
Pull net fixes from Denis Kirjanov
-rw-r--r--patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch127
-rw-r--r--patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch81
-rw-r--r--patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch63
-rw-r--r--series.conf3
4 files changed, 274 insertions, 0 deletions
diff --git a/patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch b/patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch
new file mode 100644
index 0000000000..e2a83bd3d6
--- /dev/null
+++ b/patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch
@@ -0,0 +1,127 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: gro_cells: make sure device is up in gro_cells_receive()
+Patch-mainline: v5.1-rc1
+Git-commit: 2a5ff07a0eb945f291e361aa6f6becca8340ba46
+References: git-fixes
+
+We keep receiving syzbot reports [1] that show that tunnels do not play
+the rcu/IFF_UP rules properly.
+
+At device dismantle phase, gro_cells_destroy() will be called
+only after a full rcu grace period is observed after IFF_UP
+has been cleared.
+
+This means that IFF_UP needs to be tested before queueing packets
+into netif_rx() or gro_cells.
+
+This patch implements the test in gro_cells_receive() because
+too many callers do not seem to bother enough.
+
+[1]
+BUG: unable to handle kernel paging request at fffff4ca0b9ffffe
+PGD 0 P4D 0
+Oops: 0000 [#1] PREEMPT SMP KASAN
+CPU: 0 PID: 21 Comm: kworker/u4:1 Not tainted 5.0.0+ #97
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Workqueue: netns cleanup_net
+RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
+RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
+RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
+RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
+RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
+Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
+RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
+RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
+RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
+RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
+R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
+R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
+kobject: 'loop2' (000000004bd7d84a): kobject_uevent_env
+FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0
+Call Trace:
+kobject: 'loop2' (000000004bd7d84a): fill_kobj_path: path = '/devices/virtual/block/loop2'
+ ip_tunnel_dev_free+0x19/0x60 net/ipv4/ip_tunnel.c:1010
+ netdev_run_todo+0x51c/0x7d0 net/core/dev.c:8970
+ rtnl_unlock+0xe/0x10 net/core/rtnetlink.c:116
+ ip_tunnel_delete_nets+0x423/0x5f0 net/ipv4/ip_tunnel.c:1124
+ vti_exit_batch_net+0x23/0x30 net/ipv4/ip_vti.c:495
+ ops_exit_list.isra.0+0x105/0x160 net/core/net_namespace.c:156
+ cleanup_net+0x3fb/0x960 net/core/net_namespace.c:551
+ process_one_work+0x98e/0x1790 kernel/workqueue.c:2173
+ worker_thread+0x98/0xe40 kernel/workqueue.c:2319
+ kthread+0x357/0x430 kernel/kthread.c:246
+ ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:352
+Modules linked in:
+CR2: fffff4ca0b9ffffe
+ [ end trace 513fc9c1338d1cb3 ]
+RIP: 0010:__skb_unlink include/linux/skbuff.h:1929 [inline]
+RIP: 0010:__skb_dequeue include/linux/skbuff.h:1945 [inline]
+RIP: 0010:__skb_queue_purge include/linux/skbuff.h:2656 [inline]
+RIP: 0010:gro_cells_destroy net/core/gro_cells.c:89 [inline]
+RIP: 0010:gro_cells_destroy+0x19d/0x360 net/core/gro_cells.c:78
+Code: 03 42 80 3c 20 00 0f 85 53 01 00 00 48 8d 7a 08 49 8b 47 08 49 c7 07 00 00 00 00 48 89 f9 49 c7 47 08 00 00 00 00 48 c1 e9 03 <42> 80 3c 21 00 0f 85 10 01 00 00 48 89 c1 48 89 42 08 48 c1 e9 03
+RSP: 0018:ffff8880aa3f79a8 EFLAGS: 00010a02
+RAX: 00ffffffffffffe8 RBX: ffffe8ffffc64b70 RCX: 1ffff8ca0b9ffffe
+RDX: ffffc6505cffffe8 RSI: ffffffff858410ca RDI: ffffc6505cfffff0
+RBP: ffff8880aa3f7a08 R08: ffff8880aa3e8580 R09: fffffbfff1263645
+R10: fffffbfff1263644 R11: ffffffff8931b223 R12: dffffc0000000000
+kobject: 'loop3' (00000000e4ee57a6): kobject_uevent_env
+R13: 0000000000000000 R14: ffffe8ffffc64b80 R15: ffffe8ffffc64b75
+FS: 0000000000000000(0000) GS:ffff8880ae800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: fffff4ca0b9ffffe CR3: 0000000094941000 CR4: 00000000001406f0
+
+Fixes: c9e6bc644e55 ("net: add gro_cells infrastructure")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/core/gro_cells.c | 22 ++++++++++++++++++----
+ 1 file changed, 18 insertions(+), 4 deletions(-)
+
+--- a/net/core/gro_cells.c
++++ b/net/core/gro_cells.c
+@@ -12,22 +12,36 @@ int gro_cells_receive(struct gro_cells *
+ {
+ struct net_device *dev = skb->dev;
+ struct gro_cell *cell;
++ int res;
+
+- if (!gcells->cells || skb_cloned(skb) || netif_elide_gro(dev))
+- return netif_rx(skb);
++ rcu_read_lock();
++ if (unlikely(!(dev->flags & IFF_UP)))
++ goto drop;
++
++ if (!gcells->cells || skb_cloned(skb) || netif_elide_gro(dev)) {
++ res = netif_rx(skb);
++ goto unlock;
++ }
+
+ cell = this_cpu_ptr(gcells->cells);
+
+ if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
++drop:
+ atomic_long_inc(&dev->rx_dropped);
+ kfree_skb(skb);
+- return NET_RX_DROP;
++ res = NET_RX_DROP;
++ goto unlock;
+ }
+
+ __skb_queue_tail(&cell->napi_skbs, skb);
+ if (skb_queue_len(&cell->napi_skbs) == 1)
+ napi_schedule(&cell->napi);
+- return NET_RX_SUCCESS;
++
++ res = NET_RX_SUCCESS;
++
++unlock:
++ rcu_read_unlock();
++ return res;
+ }
+ EXPORT_SYMBOL(gro_cells_receive);
+
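Review bot: The new IFF_UP test at the top of gro_cells_receive() (the `rcu_read_lock();` / `if (unlikely(!(dev->flags & IFF_UP))) goto drop;` lines after `int res;`) carries no comment, so the reason the flag must be read under rcu_read_lock() lives only in the commit message. I would add above it `/* gro_cells_destroy() runs only after IFF_UP is cleared and a full RCU grace period has elapsed, so testing IFF_UP inside rcu_read_lock() keeps gcells->cells valid for the rest of this function. */`. The `drop:` label is placed inside the `if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog)` body, so the early `goto drop` jumps into the middle of that block; that is legal C, but a short `/* also reached from the !IFF_UP check above */` on the label would warn readers who only follow the braces. The enclosing function's signature is cut off at the embedded `@@` header, so only the body is visible here.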
diff --git a/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch b/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
new file mode 100644
index 0000000000..56e2c40645
--- /dev/null
+++ b/patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
@@ -0,0 +1,81 @@
+From: Eric Dumazet <edumazet@google.com>
+Subject: l2tp: fix infoleak in l2tp_ip6_recvmsg()
+Patch-mainline: v5.1-rc1
+Git-commit: 163d1c3d6f17556ed3c340d3789ea93be95d6c28
+References: git-fixes
+
+Back in 2013 Hannes took care of most of such leaks in commit
+bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls")
+
+But the bug in l2tp_ip6_recvmsg() has not been fixed.
+
+syzbot report :
+
+BUG: KMSAN: kernel-infoleak in _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+CPU: 1 PID: 10996 Comm: syz-executor362 Not tainted 5.0.0+ #11
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:77 [inline]
+ dump_stack+0x173/0x1d0 lib/dump_stack.c:113
+ kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:600
+ kmsan_internal_check_memory+0x9f4/0xb10 mm/kmsan/kmsan.c:694
+ kmsan_copy_to_user+0xab/0xc0 mm/kmsan/kmsan_hooks.c:601
+ _copy_to_user+0x16b/0x1f0 lib/usercopy.c:32
+ copy_to_user include/linux/uaccess.h:174 [inline]
+ move_addr_to_user+0x311/0x570 net/socket.c:227
+ ___sys_recvmsg+0xb65/0x1310 net/socket.c:2283
+ do_recvmmsg+0x646/0x10c0 net/socket.c:2390
+ __sys_recvmmsg net/socket.c:2469 [inline]
+ __do_sys_recvmmsg net/socket.c:2492 [inline]
+ __se_sys_recvmmsg+0x1d1/0x350 net/socket.c:2485
+ __x64_sys_recvmmsg+0x62/0x80 net/socket.c:2485
+ do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
+ entry_SYSCALL_64_after_hwframe+0x63/0xe7
+RIP: 0033:0x445819
+
+Code: e8 6c b6 02 00 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 2b 12 fc ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f64453eddb8 EFLAGS: 00000246 ORIG_RAX: 000000000000012b
+RAX: ffffffffffffffda RBX: 00000000006dac28 RCX: 0000000000445819
+RDX: 0000000000000005 RSI: 0000000020002f80 RDI: 0000000000000003
+RBP: 00000000006dac20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006dac2c
+R13: 00007ffeba8f87af R14: 00007f64453ee9c0 R15: 20c49ba5e353f7cf
+
+Local variable description: ----addr@___sys_recvmsg
+Variable was created at:
+ ___sys_recvmsg+0xf6/0x1310 net/socket.c:2244
+ do_recvmmsg+0x646/0x10c0 net/socket.c:2390
+
+Bytes 0-31 of 32 are uninitialized
+Memory access of size 32 starts at ffff8880ae62fbb0
+Data copied to user address 0000000020000000
+
+Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/l2tp/l2tp_ip6.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/l2tp/l2tp_ip6.c
++++ b/net/l2tp/l2tp_ip6.c
+@@ -680,9 +680,6 @@ static int l2tp_ip6_recvmsg(struct sock
+ if (flags & MSG_OOB)
+ goto out;
+
+- if (addr_len)
+- *addr_len = sizeof(*lsa);
+-
+ if (flags & MSG_ERRQUEUE)
+ return ipv6_recv_error(sk, msg, len, addr_len);
+
+@@ -712,6 +709,7 @@ static int l2tp_ip6_recvmsg(struct sock
+ lsa->l2tp_conn_id = 0;
+ if (ipv6_addr_type(&lsa->l2tp_addr) & IPV6_ADDR_LINKLOCAL)
+ lsa->l2tp_scope_id = inet6_iif(skb);
++ *addr_len = sizeof(*lsa);
+ }
+
+ if (np->rxopt.all)
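Review bot: The relocated `*addr_len = sizeof(*lsa);` in the second embedded hunk sits inside a block whose opening condition is outside the hunk; from the closing `}` that follows it is presumably the branch that fills in `lsa`, but that cannot be confirmed from what is shown. Since the whole point of the change is that a length is reported only after every byte of `*lsa` has been written, a one-line comment at the assignment would keep a later backport from hoisting it again: `/* report a length only once lsa is fully initialized; the earlier store let move_addr_to_user() copy uninitialized stack bytes */`. The `MSG_ERRQUEUE` path now depends on `ipv6_recv_error()` setting `*addr_len` itself, which is outside this hunk and worth confirming against the target tree before merging.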
diff --git a/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch b/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
new file mode 100644
index 0000000000..38aeab73a5
--- /dev/null
+++ b/patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
@@ -0,0 +1,63 @@
+From: Guillaume Nault <gnault@redhat.com>
+Subject: tcp: handle inet_csk_reqsk_queue_add() failures
+Patch-mainline: v5.1-rc1
+Git-commit: 9d3e1368bb45893a75a5dfb7cd21fdebfa6b47af
+References: git-fixes
+
+Commit 7716682cc58e ("tcp/dccp: fix another race at listener
+dismantle") let inet_csk_reqsk_queue_add() fail, and adjusted
+{tcp,dccp}_check_req() accordingly. However, TFO and syncookies
+weren't modified, thus leaking allocated resources on error.
+
+Contrary to tcp_check_req(), in both syncookies and TFO cases,
+we need to drop the request socket. Also, since the child socket is
+created with inet_csk_clone_lock(), we have to unlock it and drop an
+extra reference (->sk_refcount is initially set to 2 and
+inet_csk_reqsk_queue_add() drops only one ref).
+
+For TFO, we also need to revert the work done by tcp_try_fastopen()
+(with reqsk_fastopen_remove()).
+
+Fixes: 7716682cc58e ("tcp/dccp: fix another race at listener dismantle")
+Signed-off-by: Guillaume Nault <gnault@redhat.com>
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Acked-by: Denis Kirjanov <dkirjanov@suse.com>
+---
+ net/ipv4/syncookies.c | 7 ++++++-
+ net/ipv4/tcp_input.c | 8 +++++++-
+ 2 files changed, 13 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/syncookies.c
++++ b/net/ipv4/syncookies.c
+@@ -216,7 +216,12 @@ struct sock *tcp_get_cookie_sock(struct
+ atomic_set(&req->rsk_refcnt, 1);
+ tcp_sk(child)->tsoffset = tsoff;
+ sock_rps_save_rxhash(child, skb);
+- inet_csk_reqsk_queue_add(sk, req, child);
++ if (!inet_csk_reqsk_queue_add(sk, req, child)) {
++ bh_unlock_sock(child);
++ sock_put(child);
++ child = NULL;
++ reqsk_put(req);
++ }
+ } else {
+ reqsk_free(req);
+ }
+--- a/net/ipv4/tcp_input.c
++++ b/net/ipv4/tcp_input.c
+@@ -6373,7 +6373,13 @@ int tcp_conn_request(struct request_sock
+ af_ops->send_synack(fastopen_sk, dst, &fl, req,
+ &foc, TCP_SYNACK_FASTOPEN);
+ /* Add the child socket directly into the accept queue */
+- inet_csk_reqsk_queue_add(sk, req, fastopen_sk);
++ if (!inet_csk_reqsk_queue_add(sk, req, fastopen_sk)) {
++ reqsk_fastopen_remove(fastopen_sk, req, false);
++ bh_unlock_sock(fastopen_sk);
++ sock_put(fastopen_sk);
++ reqsk_put(req);
++ goto drop;
++ }
+ sk->sk_data_ready(sk);
+ bh_unlock_sock(fastopen_sk);
+ sock_put(fastopen_sk);
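Review bot: The two new failure branches (in tcp_get_cookie_sock() at `if (!inet_csk_reqsk_queue_add(sk, req, child))` and in tcp_conn_request() at the matching `fastopen_sk` check) encode a refcount contract that is explained only in the commit message: the child socket comes out of inet_csk_clone_lock() locked and with a refcount of 2, and inet_csk_reqsk_queue_add() drops only one of those references. I would state that at the first branch as `/* child is locked with sk_refcnt == 2 from inet_csk_clone_lock(); inet_csk_reqsk_queue_add() drops only one ref, so unlock and drop the other here */` and add a short cross-reference comment at the second. In tcp_conn_request() the branch ends with `goto drop`, whose label and cleanup are outside the hunk, so whether `req` is touched again after `reqsk_put(req)` on that path cannot be checked here and should be confirmed in the target tree. The success path that follows (`bh_unlock_sock(fastopen_sk); sock_put(fastopen_sk);`) repeats the same unlock/put pair, which a small helper could fold together, though staying byte-identical to the upstream commit is the better choice for a backport.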
diff --git a/series.conf b/series.conf
index b7877479e2..b95fde2d50 100644
--- a/series.conf
+++ b/series.conf
@@ -20895,8 +20895,10 @@
patches.fixes/tipc-fix-RDM-DGRAM-connect-regression.patch
patches.drivers/enic-fix-build-warning-without-CONFIG_CPUMASK_OFFSTA.patch
patches.fixes/0001-vxlan-Fix-GRO-cells-race-condition-between-receive-a.patch
+ patches.fixes/0001-tcp-handle-inet_csk_reqsk_queue_add-failures.patch
patches.fixes/bpf-fix-replace_map_fd_with_map_ptr-s-ldimm64-second.patch
patches.fixes/0001-vxlan-test-dev-flags-IFF_UP-before-calling-gro_cells.patch
+ patches.fixes/0001-gro_cells-make-sure-device-is-up-in-gro_cells_receiv.patch
patches.drivers/input-raspberrypi-ts-select-config_input_polldev.patch
patches.drivers/Input-elan_i2c-add-id-for-touchpad-found-in-Lenovo-s.patch
patches.drivers/Input-wacom_serial4-add-support-for-Wacom-ArtPad-II-.patch
@@ -20949,6 +20951,7 @@
patches.fixes/0001-net-mlx4_core-Fix-reset-flow-when-in-command-polling.patch
patches.fixes/0001-net-mlx4_core-Fix-locking-in-SRIOV-mode-when-switchi.patch
patches.fixes/0001-net-mlx4_core-Fix-qp-mtt-size-calculation.patch
+ patches.fixes/0001-l2tp-fix-infoleak-in-l2tp_ip6_recvmsg.patch
patches.fixes/0001-pptp-dst_release-sk_dst_cache-in-pptp_sock_destruct.patch
patches.fixes/ACPI-device_sysfs-Avoid-OF-modalias-creation-for-rem.patch
patches.drm/0001-drm-etnaviv-NULL-vs-IS_ERR-buf-in-etnaviv_core_dump.patch