malhuda/msm-4.14
1
0
Fork 0
mirror of https://github.com/rd-stuffs/msm-4.14.git synced 2025-02-20 11:45:48 +08:00
Code Issues Actions Packages Projects Releases Wiki Activity
718,340 Commits 5 Branches 0 Tags
Commit Graph

48662 Commits

Author SHA1 Message Date
Isaac J. Manjarres
92816ebe29 Merge remote-tracking branch 'remotes/origin/tmp-7e76ead' into msm-4.14 
* remotes/origin/tmp-7e76ead:
  Linux 4.14.34
  net/mlx4_core: Fix memory leak while delete slave's resources
  vhost_net: add missing lock nesting notation
  team: move dev_mc_sync after master_upper_dev_link in team_port_add
  route: check sysctl_fib_multipath_use_neigh earlier than hash
  vhost: validate log when IOTLB is enabled
  net/mlx5e: Fix traffic being dropped on VF representor
  net/mlx4_en: Fix mixed PFC and Global pause user control requests
  strparser: Fix sign of err codes
  net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
  net/sched: fix NULL dereference in the error path of tunnel_key_init()
  net/mlx5e: Sync netdev vxlan ports at open
  net/mlx5e: Don't override vport admin link state in switchdev mode
  ipv6: sr: fix seg6 encap performances with TSO enabled
  nfp: use full 40 bits of the NSP buffer address
  net/mlx5e: Fix memory usage issues in offloading TC flows
  net/mlx5e: Avoid using the ipv6 stub in the TC offload neigh update path
  vti6: better validate user provided tunnel names
  ip6_tunnel: better validate user provided tunnel names
  ip6_gre: better validate user provided tunnel names
  ipv6: sit: better validate user provided tunnel names
  ip_tunnel: better validate user provided tunnel names
  net: fool proof dev_valid_name()
  bonding: process the err returned by dev_set_allmulti properly in bond_enslave
  bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
  bonding: fix the err path for dev hwaddr sync in bond_enslave
  vrf: Fix use after free and double free in vrf_finish_output
  vlan: also check phy_driver ts_info for vlan's real device
  vhost: correctly remove wait queue during poll failure
  sky2: Increase D3 delay to sky2 stops working after suspend
  sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
  sctp: do not leak kernel memory to user space
  r8169: fix setting driver_data after register_netdev
  pptp: remove a buggy dst release in pptp_connect()
  net/sched: fix NULL dereference in the error path of tcf_bpf_init()
  net sched actions: fix dumping which requires several messages to user space
  netlink: make sure nladdr has correct size in netlink_connect()
  net/ipv6: Increment OUTxxx counters after netfilter hook
  net/ipv6: Fix route leaking between VRFs
  net: fix possible out-of-bound read in skb_network_protocol()
  lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
  ipv6: the entire IPv6 header chain must fit the first fragment
  arp: fix arp_filter on l3slave devices
  x86/microcode: Fix CPU synchronization routine
  x86/microcode: Attempt late loading only when new microcode is present
  x86/microcode: Synchronize late microcode loading
  x86/microcode: Request microcode on the BSP
  x86/microcode/intel: Look into the patch cache first
  x86/microcode: Do not upload microcode if CPUs are offline
  x86/microcode/intel: Writeback and invalidate caches before updating microcode
  x86/microcode/intel: Check microcode revision before updating sibling threads
  x86/microcode: Get rid of struct apply_microcode_ctx
  x86/CPU: Check CPU feature bits after microcode upgrade
  x86/CPU: Add a microcode loader callback
  x86/microcode: Propagate return value from updating functions
  crypto: arm64/aes-ce-cipher - move assembler code to .S file
  objtool: Add Clang support
  thermal: int3400_thermal: fix error handling in int3400_thermal_probe()
  tcmu: release blocks for partially setup cmds
  perf tools: Fix copyfile_offset update of output offset
  crypto: aes-generic - build with -Os on gcc-7+
  mtd: mtd_oobtest: Handle bitflips during reads
  Input: goodix - disable IRQs while suspended
  ibmvnic: Don't handle RX interrupts when not up.
  sdhci: Advertise 2.0v supply on SDIO host controller
  x86/gart: Exclude GART aperture from vmcore
  gpio: thunderx: fix error return code in thunderx_gpio_probe()
  RDMA/cma: Fix rdma_cm path querying for RoCE
  scsi: megaraid_sas: unload flag should be set after scsi_remove_host is called
  scsi: megaraid_sas: Error handling for invalid ldcount provided by firmware in RAID map
  cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages
  i40evf: don't rely on netif_running() outside rtnl_lock()
  uio_hv_generic: check that host supports monitor page
  EDAC, mv64x60: Fix an error handling path
  block, bfq: put async queues for root bfq groups too
  tty: n_gsm: Allow ADM response in addition to UA for control dlci
  blk-mq: fix kernel oops in blk_mq_tag_idle()
  scsi: libsas: initialize sas_phy status according to response of DISCOVER
  scsi: libsas: fix error when getting phy events
  scsi: libsas: fix memory leak in sas_smp_get_phy_events()
  bcache: segregate flash only volume write streams
  bcache: stop writeback thread after detaching
  bcache: ret IOERR when read meets metadata error
  net: hns3: fix for changing MTU
  net: hns3: Fix an error macro definition of HNS3_TQP_STAT
  net: hns3: Fix a loop index error of tqp statistics query
  net: hns3: Fix an error of total drop packet statistics
  net/mlx5: Fix race for multiple RoCE enable
  wl1251: check return from call to wl1251_acx_arp_ip_filter
  rt2x00: do not pause queue unconditionally on error path
  power: supply: axp288_charger: Properly stop work on probe-error / remove
  ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()'
  staging: lustre: disable preempt while sampling processor id.
  perf report: Fix a no annotate browser displayed issue
  tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented
  nvme_fcloop: fix abort race condition
  nvme_fcloop: disassocate local port structs
  pinctrl: baytrail: Enable glitch filter for GPIOs used as interrupts
  backlight: tdo24m: Fix the SPI CS between transfers
  blk-mq: fix race between updating nr_hw_queues and switching io sched
  blk-mq: avoid to map CPU into stale hw queue
  IB/rdmavt: Allocate CQ memory on the correct node
  powernv-cpufreq: Add helper to extract pstate from PMSR
  gpio: label descriptors using the device name
  vfb: fix video mode and line_length being set when loaded
  mac80211: Fix setting TX power on monitor interfaces
  ACPI: EC: Fix debugfs_create_*() usage
  irqchip/gic-v3: Fix the driver probe() fail due to disabled GICC entry
  scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag.
  scsi: libiscsi: Allow sd_shutdown on bad transport
  spi: sh-msiof: Fix timeout failures for TX-only DMA transfers
  ASoC: Intel: cht_bsw_rt5645: Analog Mic support
  ASoC: Intel: Skylake: Disable clock gating during firmware and library download
  media: videobuf2-core: don't go out of the buffer range
  clk: sunxi-ng: a83t: Add M divider to TCON1 clock
  hwmon: (ina2xx) Make calibration register value fixed
  RDMA/cma: Mark end of CMA ID messages
  selftests/net: fix bugs in address and port initialization
  PM / devfreq: Fix potential NULL pointer dereference in governor_store
  clk: divider: fix incorrect usage of container_of
  watchdog: dw_wdt: add stop watchdog operation
  VFS: close race between getcwd() and d_move()
  net/mlx4_en: Change default QoS settings
  ACPI / video: Default lcd_only to true on Win8-ready and newer machines
  rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
  l2tp: fix missing print session offset info
  net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg
  net: hns3: free the ring_data structrue when change tqps
  perf evsel: Enable ignore_missing_thread for pid option
  perf probe: Add warning message if there is unexpected event name
  perf probe: Find versioned symbols from map
  thermal: power_allocator: fix one race condition issue for thermal_instances list
  ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
  Bluetooth: Add a new 04ca:3015 QCA_ROME device
  ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node
  clk: meson: mpll: use 64-bit maths in params_from_rate
  i40iw: Validate correct IRD/ORD connection parameters
  i40iw: Correct Q1/XF object count equation
  i40iw: Fix sequence number for the first partial FPDU
  Revert "ANDROID: sched/tune: Initialize raw_spin_lock in boosted_groups"

Conflicts:
	arch/arm64/crypto/Makefile
	drivers/clk/qcom/clk-regmap-divider.c

Change-Id: I7d83113e6d6d943804051a983d73067184b9fb39
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
 2018-04-12 12:24:33 -07:00
Isaac J. Manjarres
b0166e2f2f Merge remote-tracking branch 'remotes/origin/tmp-27e69ad' into msm-4.14 
* remotes/origin/tmp-27e69ad:
  Linux 4.14.33
  Revert "ip6_vti: adjust vti mtu according to mtu of lower device"
  Revert "cpufreq: Fix governor module removal race"
  Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"
  Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"
  Fix slab name "biovec-(1<<(21-12))"
  net: hns: Fix ethtool private flags
  ARM: dts: DRA76-EVM: Set powerhold property for tps65917
  vt: change SGR 21 to follow the standards
  Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad
  Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list
  Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370
  Revert "base: arch_topology: fix section mismatch build warnings"
  staging: comedi: ni_mio_common: ack ai fifo error interrupts.
  Btrfs: fix unexpected cow in run_delalloc_nocow
  crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one
  crypto: arm,arm64 - Fix random regeneration of S_shipped
  crypto: ccp - return an actual key size from RSA max_size callback
  crypto: caam - Fix null dereference at error path
  crypto: ahash - Fix early termination in hash walk
  crypto: testmgr - Fix incorrect values in PKCS#1 test vector
  crypto: inside-secure - fix clock management
  crypto: lrw - Free rctx->ext with kzfree
  parport_pc: Add support for WCH CH382L PCI-E single parallel port card.
  media: usbtv: prevent double free in error case
  /dev/mem: Avoid overwriting "err" in read_mem()
  mei: remove dev_err message on an unsupported ioctl
  serial: 8250: Add Nuvoton NPCM UART
  USB: serial: cp210x: add ELDAT Easywave RX09 id
  USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator
  USB: serial: ftdi_sio: add RT Systems VX-8 cable
  bitmap: fix memset optimization on big-endian systems
  usb: dwc2: Improve gadget state disconnection handling
  Bluetooth: Fix missing encryption refresh on Security Request
  phy: qcom-ufs: add MODULE_LICENSE tag
  netfilter: x_tables: add and use xt_check_proc_name
  netfilter: drop template ct when conntrack is skipped.
  l2tp: fix races with ipv4-mapped ipv6 addresses
  netfilter: bridge: ebt_among: add more missing match size checks
  netfilter: x_tables: make allocation less aggressive
  percpu: add __GFP_NORETRY semantics to the percpu balancing path
  xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
  net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
  RDMA/ucma: Introduce safer rdma_addr_size() variants
  RDMA/ucma: Check that device exists prior to accessing it
  RDMA/ucma: Check that device is connected prior to access it
  RDMA/rdma_cm: Fix use after free race with process_one_req
  RDMA/ucma: Ensure that CM_ID exists prior to access it
  RDMA/ucma: Fix use-after-free access in ucma_close
  RDMA/ucma: Check AF family prior resolving address
  xfrm_user: uncoditionally validate esn replay attribute struct
  partitions/msdos: Unable to mount UFS 44bsd partitions
  powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs
  powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened
  i2c: i2c-stm32f7: fix no check on returned setup
  ipc/shm.c: add split function to shm_vm_ops
  ceph: only dirty ITER_IOVEC pages for direct read
  perf/hwbp: Simplify the perf-hwbp code, fix documentation
  x86/platform/uv/BAU: Add APIC idt entry
  ALSA: pcm: potential uninitialized return values
  ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
  ALSA: usb-audio: Add native DSD support for TEAC UD-301
  mtd: nand: atmel: Fix get_sectorsize() function
  mtd: jedec_probe: Fix crash in jedec_read_mfr()
  ARM: dts: sun6i: a31s: bpi-m2: add missing regulators
  ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties
  ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[]
  ARM: OMAP: Fix SRAM W+X mapping
  ANDROID: fuse: Add null terminator to path in canonical path to avoid issue
  ANDROID: sdcardfs: Fix sdcardfs to stop creating cases-sensitive duplicate entries.

Conflicts:
	drivers/phy/qualcomm/phy-qcom-ufs.c

Change-Id: Iab5cb23d596cebf19e0eb63a71828507dfb47054
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
 2018-04-12 09:39:59 -07:00
Greg Kroah-Hartman
7e76ead2d2 This is the 4.14.34 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlrPNhoACgkQONu9yGCS
 aT6BgRAAlQVoTa9PEk/vyJACP/IDnzW/UUhUatTTBcsj8hAOzeF5tpFPvvqG+Aoj
 TfjujeFN8YgqepBKEWdAvUknJtO9Ka+1Q7elBg1A9ygwPXn4XCVV1Cu+Q7w9gmci
 OJd/3ubevqGV0enA9wzxsczhG8ua/8EZiBM5pz8NDXy4nZ7rtxCUs+8npCj23/dJ
 klN70Gv58ClSaI4CUTXejBxm9/EGIrY0+SoS3+M1rj8vV8kgr8uzqDuk/Kv12YL8
 /XVbB6QHPauvJAw9QFaP9xi2M7hZ03YJlo0hHMoPUXyLK2CJ5w/NJmJcKOu+eKx0
 GGn/qQ0C8uAXGFfJjwHNj3MHDgPVayIvE7SMVKRIY8EcSYv9AsL+YDo6KK9WRmuE
 3VLxOFO8Z2vVaVATU3U/m/+lK+kyDqStwwp7IFTbYSb3GpSD8JeruBWcbM2ywPCX
 J+n3DWrvwcvIsS1+URJogiaamo7J6u4upyz9ilym7XovMub5RfjmhIAKBsd3DqEL
 PZ+MLM+TMUq6smSlSFdrSuU+aquhbaKaD/LdXmVlsIjMQOOkQCU8d6mHYfW7jBEP
 6oE/VjXSewMdsrux3C4rKW/TnnXRWNHPY47SqObkqEx1uf2uFPSi5jIKRCBZtNfT
 2nMEfDnW/FBuQVoWvBx01eiSeupNRl0ULbdtdrMS7YMFY8gaVOY=
 =+4X0
 -----END PGP SIGNATURE-----

Merge 4.14.34 into android-4.14

Changes in 4.14.34
	i40iw: Fix sequence number for the first partial FPDU
	i40iw: Correct Q1/XF object count equation
	i40iw: Validate correct IRD/ORD connection parameters
	clk: meson: mpll: use 64-bit maths in params_from_rate
	ARM: dts: ls1021a: add "fsl,ls1021a-esdhc" compatible string to esdhc node
	Bluetooth: Add a new 04ca:3015 QCA_ROME device
	ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
	thermal: power_allocator: fix one race condition issue for thermal_instances list
	perf probe: Find versioned symbols from map
	perf probe: Add warning message if there is unexpected event name
	perf evsel: Enable ignore_missing_thread for pid option
	net: hns3: free the ring_data structrue when change tqps
	net: hns3: fix for getting auto-negotiation state in hclge_get_autoneg
	l2tp: fix missing print session offset info
	rds; Reset rs->rs_bound_addr in rds_add_bound() failure path
	ACPI / video: Default lcd_only to true on Win8-ready and newer machines
	net/mlx4_en: Change default QoS settings
	VFS: close race between getcwd() and d_move()
	watchdog: dw_wdt: add stop watchdog operation
	clk: divider: fix incorrect usage of container_of
	PM / devfreq: Fix potential NULL pointer dereference in governor_store
	selftests/net: fix bugs in address and port initialization
	RDMA/cma: Mark end of CMA ID messages
	hwmon: (ina2xx) Make calibration register value fixed
	clk: sunxi-ng: a83t: Add M divider to TCON1 clock
	media: videobuf2-core: don't go out of the buffer range
	ASoC: Intel: Skylake: Disable clock gating during firmware and library download
	ASoC: Intel: cht_bsw_rt5645: Analog Mic support
	spi: sh-msiof: Fix timeout failures for TX-only DMA transfers
	scsi: libiscsi: Allow sd_shutdown on bad transport
	scsi: mpt3sas: Proper handling of set/clear of "ATA command pending" flag.
	irqchip/gic-v3: Fix the driver probe() fail due to disabled GICC entry
	ACPI: EC: Fix debugfs_create_*() usage
	mac80211: Fix setting TX power on monitor interfaces
	vfb: fix video mode and line_length being set when loaded
	gpio: label descriptors using the device name
	powernv-cpufreq: Add helper to extract pstate from PMSR
	IB/rdmavt: Allocate CQ memory on the correct node
	blk-mq: avoid to map CPU into stale hw queue
	blk-mq: fix race between updating nr_hw_queues and switching io sched
	backlight: tdo24m: Fix the SPI CS between transfers
	pinctrl: baytrail: Enable glitch filter for GPIOs used as interrupts
	nvme_fcloop: disassocate local port structs
	nvme_fcloop: fix abort race condition
	tpm: return a TPM_RC_COMMAND_CODE response if command is not implemented
	perf report: Fix a no annotate browser displayed issue
	staging: lustre: disable preempt while sampling processor id.
	ASoC: Intel: sst: Fix the return value of 'sst_send_byte_stream_mrfld()'
	power: supply: axp288_charger: Properly stop work on probe-error / remove
	rt2x00: do not pause queue unconditionally on error path
	wl1251: check return from call to wl1251_acx_arp_ip_filter
	net/mlx5: Fix race for multiple RoCE enable
	net: hns3: Fix an error of total drop packet statistics
	net: hns3: Fix a loop index error of tqp statistics query
	net: hns3: Fix an error macro definition of HNS3_TQP_STAT
	net: hns3: fix for changing MTU
	bcache: ret IOERR when read meets metadata error
	bcache: stop writeback thread after detaching
	bcache: segregate flash only volume write streams
	scsi: libsas: fix memory leak in sas_smp_get_phy_events()
	scsi: libsas: fix error when getting phy events
	scsi: libsas: initialize sas_phy status according to response of DISCOVER
	blk-mq: fix kernel oops in blk_mq_tag_idle()
	tty: n_gsm: Allow ADM response in addition to UA for control dlci
	block, bfq: put async queues for root bfq groups too
	EDAC, mv64x60: Fix an error handling path
	uio_hv_generic: check that host supports monitor page
	i40evf: don't rely on netif_running() outside rtnl_lock()
	cxgb4vf: Fix SGE FL buffer initialization logic for 64K pages
	scsi: megaraid_sas: Error handling for invalid ldcount provided by firmware in RAID map
	scsi: megaraid_sas: unload flag should be set after scsi_remove_host is called
	RDMA/cma: Fix rdma_cm path querying for RoCE
	gpio: thunderx: fix error return code in thunderx_gpio_probe()
	x86/gart: Exclude GART aperture from vmcore
	sdhci: Advertise 2.0v supply on SDIO host controller
	ibmvnic: Don't handle RX interrupts when not up.
	Input: goodix - disable IRQs while suspended
	mtd: mtd_oobtest: Handle bitflips during reads
	crypto: aes-generic - build with -Os on gcc-7+
	perf tools: Fix copyfile_offset update of output offset
	tcmu: release blocks for partially setup cmds
	thermal: int3400_thermal: fix error handling in int3400_thermal_probe()
	objtool: Add Clang support
	crypto: arm64/aes-ce-cipher - move assembler code to .S file
	x86/microcode: Propagate return value from updating functions
	x86/CPU: Add a microcode loader callback
	x86/CPU: Check CPU feature bits after microcode upgrade
	x86/microcode: Get rid of struct apply_microcode_ctx
	x86/microcode/intel: Check microcode revision before updating sibling threads
	x86/microcode/intel: Writeback and invalidate caches before updating microcode
	x86/microcode: Do not upload microcode if CPUs are offline
	x86/microcode/intel: Look into the patch cache first
	x86/microcode: Request microcode on the BSP
	x86/microcode: Synchronize late microcode loading
	x86/microcode: Attempt late loading only when new microcode is present
	x86/microcode: Fix CPU synchronization routine
	arp: fix arp_filter on l3slave devices
	ipv6: the entire IPv6 header chain must fit the first fragment
	lan78xx: Crash in lan78xx_writ_reg (Workqueue: events lan78xx_deferred_multicast_write)
	net: fix possible out-of-bound read in skb_network_protocol()
	net/ipv6: Fix route leaking between VRFs
	net/ipv6: Increment OUTxxx counters after netfilter hook
	netlink: make sure nladdr has correct size in netlink_connect()
	net sched actions: fix dumping which requires several messages to user space
	net/sched: fix NULL dereference in the error path of tcf_bpf_init()
	pptp: remove a buggy dst release in pptp_connect()
	r8169: fix setting driver_data after register_netdev
	sctp: do not leak kernel memory to user space
	sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6
	sky2: Increase D3 delay to sky2 stops working after suspend
	vhost: correctly remove wait queue during poll failure
	vlan: also check phy_driver ts_info for vlan's real device
	vrf: Fix use after free and double free in vrf_finish_output
	bonding: fix the err path for dev hwaddr sync in bond_enslave
	bonding: move dev_mc_sync after master_upper_dev_link in bond_enslave
	bonding: process the err returned by dev_set_allmulti properly in bond_enslave
	net: fool proof dev_valid_name()
	ip_tunnel: better validate user provided tunnel names
	ipv6: sit: better validate user provided tunnel names
	ip6_gre: better validate user provided tunnel names
	ip6_tunnel: better validate user provided tunnel names
	vti6: better validate user provided tunnel names
	net/mlx5e: Avoid using the ipv6 stub in the TC offload neigh update path
	net/mlx5e: Fix memory usage issues in offloading TC flows
	nfp: use full 40 bits of the NSP buffer address
	ipv6: sr: fix seg6 encap performances with TSO enabled
	net/mlx5e: Don't override vport admin link state in switchdev mode
	net/mlx5e: Sync netdev vxlan ports at open
	net/sched: fix NULL dereference in the error path of tunnel_key_init()
	net/sched: fix NULL dereference on the error path of tcf_skbmod_init()
	strparser: Fix sign of err codes
	net/mlx4_en: Fix mixed PFC and Global pause user control requests
	net/mlx5e: Fix traffic being dropped on VF representor
	vhost: validate log when IOTLB is enabled
	route: check sysctl_fib_multipath_use_neigh earlier than hash
	team: move dev_mc_sync after master_upper_dev_link in team_port_add
	vhost_net: add missing lock nesting notation
	net/mlx4_core: Fix memory leak while delete slave's resources
	Linux 4.14.34

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2018-04-12 14:51:09 +02:00
Xin Long
233ba28e18 route: check sysctl_fib_multipath_use_neigh earlier than hash 
[ Upstream commit 6174a30df1b902e1fedbd728f5343937e83e64e6 ]

Prior to this patch, when one packet is hashed into path [1]
(hash <= nh_upper_bound) and it's neigh is dead, it will try
path [2]. However, if path [2]'s neigh is alive but it's
hash > nh_upper_bound, it will not return this alive path.
This packet will never be sent even if path [2] is alive.

 3.3.3.1/24:
  nexthop via 1.1.1.254 dev eth1 weight 1 <--[1] (dead neigh)
  nexthop via 2.2.2.254 dev eth2 weight 1 <--[2]

With sysctl_fib_multipath_use_neigh set is supposed to find an
available path respecting to the l3/l4 hash. But if there is
no available route with this hash, it should at least return
an alive route even with other hash.

This patch is to fix it by processing fib_multipath_use_neigh
earlier than the hash check, so that it will at least return
an alive route if there is when fib_multipath_use_neigh is
enabled. It's also compatible with before when there are alive
routes with the l3/l4 hash.

Fixes: a6db4494d218 ("net: ipv4: Consider failed nexthops in multipath routes")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:27 +02:00
Dave Watson
477c73abf2 strparser: Fix sign of err codes 
[ Upstream commit cd00edc179863848abab5cc5683de5b7b5f70954 ]

strp_parser_err is called with a negative code everywhere, which then
calls abort_parser with a negative code.  strp_msg_timeout calls
abort_parser directly with a positive code.  Negate ETIMEDOUT
to match signed-ness of other calls.

The default abort_parser callback, strp_abort_strp, sets
sk->sk_err to err.  Also negate the error here so sk_err always
holds a positive value, as the rest of the net code expects.  Currently
a negative sk_err can result in endless loops, or user code that
thinks it actually sent/received err bytes.

Found while testing net/tls_sw recv path.

Fixes: 43a0c6751a322847 ("strparser: Stream parser for messages")
Signed-off-by: Dave Watson <davejwatson@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:26 +02:00
Davide Caratti
1c71bfe84d net/sched: fix NULL dereference on the error path of tcf_skbmod_init() 
[ Upstream commit 2d433610176d6569e8b3a28f67bc72235bf69efc ]

when the following command

 # tc action replace action skbmod swap mac index 100

is run for the first time, and tcf_skbmod_init() fails to allocate struct
tcf_skbmod_params, tcf_skbmod_cleanup() calls kfree_rcu(NULL), thus
causing the following error:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000008
 IP: __call_rcu+0x23/0x2b0
 PGD 8000000034057067 P4D 8000000034057067 PUD 74937067 PMD 0
 Oops: 0002 [#1] SMP PTI
 Modules linked in: act_skbmod(E) psample ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 snd_hda_codec_generic snd_hda_intel snd_hda_codec crct10dif_pclmul mbcache jbd2 crc32_pclmul snd_hda_core ghash_clmulni_intel snd_hwdep pcbc snd_seq snd_seq_device snd_pcm aesni_intel snd_timer crypto_simd glue_helper snd cryptd virtio_balloon joydev soundcore pcspkr i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm virtio_console virtio_net virtio_blk ata_piix libata crc32c_intel virtio_pci serio_raw virtio_ring virtio i2c_core floppy dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_skbmod]
 CPU: 3 PID: 3144 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:__call_rcu+0x23/0x2b0
 RSP: 0018:ffffbd2e403e7798 EFLAGS: 00010246
 RAX: ffffffffc0872080 RBX: ffff981d34bff780 RCX: 00000000ffffffff
 RDX: ffffffff922a5f00 RSI: 0000000000000000 RDI: 0000000000000000
 RBP: 0000000000000000 R08: 0000000000000001 R09: 000000000000021f
 R10: 000000003d003000 R11: 0000000000aaaaaa R12: 0000000000000000
 R13: ffffffff922a5f00 R14: 0000000000000001 R15: ffff981d3b698c2c
 FS:  00007f3678292740(0000) GS:ffff981d3fd80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000008 CR3: 000000007c57a006 CR4: 00000000001606e0
 Call Trace:
  __tcf_idr_release+0x79/0xf0
  tcf_skbmod_init+0x1d1/0x210 [act_skbmod]
  tcf_action_init_1+0x2cc/0x430
  tcf_action_init+0xd3/0x1b0
  tc_ctl_action+0x18b/0x240
  rtnetlink_rcv_msg+0x29c/0x310
  ? _cond_resched+0x15/0x30
  ? __kmalloc_node_track_caller+0x1b9/0x270
  ? rtnl_calcit.isra.28+0x100/0x100
  netlink_rcv_skb+0xd2/0x110
  netlink_unicast+0x17c/0x230
  netlink_sendmsg+0x2cd/0x3c0
  sock_sendmsg+0x30/0x40
  ___sys_sendmsg+0x27a/0x290
  ? filemap_map_pages+0x34a/0x3a0
  ? __handle_mm_fault+0xbfd/0xe20
  __sys_sendmsg+0x51/0x90
  do_syscall_64+0x6e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7f36776a3ba0
 RSP: 002b:00007fff4703b618 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007fff4703b740 RCX: 00007f36776a3ba0
 RDX: 0000000000000000 RSI: 00007fff4703b690 RDI: 0000000000000003
 RBP: 000000005aaaba36 R08: 0000000000000002 R09: 0000000000000000
 R10: 00007fff4703b0a0 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007fff4703b754 R14: 0000000000000001 R15: 0000000000669f60
 Code: 5d e9 42 da ff ff 66 90 0f 1f 44 00 00 41 57 41 56 41 55 49 89 d5 41 54 55 48 89 fd 53 48 83 ec 08 40 f6 c7 07 0f 85 19 02 00 00 <48> 89 75 08 48 c7 45 00 00 00 00 00 9c 58 0f 1f 44 00 00 49 89
 RIP: __call_rcu+0x23/0x2b0 RSP: ffffbd2e403e7798
 CR2: 0000000000000008

Fix it in tcf_skbmod_cleanup(), ensuring that kfree_rcu(p, ...) is called
only when p is not NULL.

Fixes: 86da71b57383 ("net_sched: Introduce skbmod action")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:26 +02:00
Davide Caratti
a19024a3f3 net/sched: fix NULL dereference in the error path of tunnel_key_init() 
[ Upstream commit abdadd3cfd3e7ea3da61ac774f84777d1f702058 ]

when the following command

 # tc action add action tunnel_key unset index 100

is run for the first time, and tunnel_key_init() fails to allocate struct
tcf_tunnel_key_params, tunnel_key_release() dereferences NULL pointers.
This causes the following error:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
 IP: tunnel_key_release+0xd/0x40 [act_tunnel_key]
 PGD 8000000033787067 P4D 8000000033787067 PUD 74646067 PMD 0
 Oops: 0000 [#1] SMP PTI
 Modules linked in: act_tunnel_key(E) act_csum ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul snd_hda_codec_generic ghash_clmulni_intel snd_hda_intel pcbc snd_hda_codec snd_hda_core snd_hwdep snd_seq aesni_intel snd_seq_device crypto_simd glue_helper snd_pcm cryptd joydev snd_timer pcspkr virtio_balloon snd i2c_piix4 soundcore nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_net virtio_blk drm virtio_console crc32c_intel ata_piix serio_raw i2c_core virtio_pci libata virtio_ring virtio floppy dm_mirror dm_region_hash dm_log dm_mod
 CPU: 2 PID: 3101 Comm: tc Tainted: G            E    4.16.0-rc4.act_vlan.orig+ #403
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:tunnel_key_release+0xd/0x40 [act_tunnel_key]
 RSP: 0018:ffffba46803b7768 EFLAGS: 00010286
 RAX: ffffffffc09010a0 RBX: 0000000000000000 RCX: 0000000000000024
 RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff99ee336d7480
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
 R10: 0000000000000220 R11: ffff99ee79d73131 R12: 0000000000000000
 R13: ffff99ee32d67610 R14: ffff99ee7671dc38 R15: 00000000fffffff4
 FS:  00007febcb2cd740(0000) GS:ffff99ee7fd00000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000010 CR3: 000000007c8e4005 CR4: 00000000001606e0
 Call Trace:
  __tcf_idr_release+0x79/0xf0
  tunnel_key_init+0xd9/0x460 [act_tunnel_key]
  tcf_action_init_1+0x2cc/0x430
  tcf_action_init+0xd3/0x1b0
  tc_ctl_action+0x18b/0x240
  rtnetlink_rcv_msg+0x29c/0x310
  ? _cond_resched+0x15/0x30
  ? __kmalloc_node_track_caller+0x1b9/0x270
  ? rtnl_calcit.isra.28+0x100/0x100
  netlink_rcv_skb+0xd2/0x110
  netlink_unicast+0x17c/0x230
  netlink_sendmsg+0x2cd/0x3c0
  sock_sendmsg+0x30/0x40
  ___sys_sendmsg+0x27a/0x290
  __sys_sendmsg+0x51/0x90
  do_syscall_64+0x6e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7febca6deba0
 RSP: 002b:00007ffe7b0dd128 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007ffe7b0dd250 RCX: 00007febca6deba0
 RDX: 0000000000000000 RSI: 00007ffe7b0dd1a0 RDI: 0000000000000003
 RBP: 000000005aaa90cb R08: 0000000000000002 R09: 0000000000000000
 R10: 00007ffe7b0dcba0 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007ffe7b0dd264 R14: 0000000000000001 R15: 0000000000669f60
 Code: 44 00 00 8b 0d b5 23 00 00 48 8b 87 48 10 00 00 48 8b 3c c8 e9 a5 e5 d8 c3 0f 1f 44 00 00 0f 1f 44 00 00 53 48 8b 9f b0 00 00 00 <83> 7b 10 01 74 0b 48 89 df 31 f6 5b e9 f2 fa 7f c3 48 8b 7b 18
 RIP: tunnel_key_release+0xd/0x40 [act_tunnel_key] RSP: ffffba46803b7768
 CR2: 0000000000000010

Fix this in tunnel_key_release(), ensuring 'param' is not NULL before
dereferencing it.

Fixes: d0f6dd8a914f ("net/sched: Introduce act_tunnel_key")
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Acked-by: Jiri Pirko <jiri@mellanox.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:26 +02:00
David Lebrun
1ec7966ab7 ipv6: sr: fix seg6 encap performances with TSO enabled 
[ Upstream commit 5807b22c9164a21cd1077a9bc587f0bba361f72d ]

Enabling TSO can lead to abysmal performances when using seg6 in
encap mode, such as with the ixgbe driver. This patch adds a call to
iptunnel_handle_offloads() to remove the encapsulation bit if needed.

Before:
root@comp4-seg6bpf:~# iperf3 -c fc00::55
Connecting to host fc00::55, port 5201
[  4] local fc45::4 port 36592 connected to fc00::55 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec   196 KBytes  1.60 Mbits/sec   47   6.66 KBytes
[  4]   1.00-2.00   sec   304 KBytes  2.49 Mbits/sec  100   5.33 KBytes
[  4]   2.00-3.00   sec   284 KBytes  2.32 Mbits/sec   92   5.33 KBytes

After:
root@comp4-seg6bpf:~# iperf3 -c fc00::55
Connecting to host fc00::55, port 5201
[  4] local fc45::4 port 43062 connected to fc00::55 port 5201
[ ID] Interval           Transfer     Bandwidth       Retr  Cwnd
[  4]   0.00-1.00   sec  1.03 GBytes  8.89 Gbits/sec    0    743 KBytes
[  4]   1.00-2.00   sec  1.03 GBytes  8.87 Gbits/sec    0    743 KBytes
[  4]   2.00-3.00   sec  1.03 GBytes  8.87 Gbits/sec    0    743 KBytes

Reported-by: Tom Herbert <tom@quantonium.net>
Fixes: 6c8702c60b88 ("ipv6: sr: add support for SRH encapsulation and injection with lwtunnels")
Signed-off-by: David Lebrun <dlebrun@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:26 +02:00
Eric Dumazet
b9c6ddda38 vti6: better validate user provided tunnel names 
[ Upstream commit 537b361fbcbcc3cd6fe2bb47069fd292b9256d16 ]

Use valid_name() to make sure user does not provide illegal
device name.

Fixes: ed1efb2aefbb ("ipv6: Add support for IPsec virtual tunnel interfaces")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:25 +02:00
Eric Dumazet
109dce20c6 ip6_tunnel: better validate user provided tunnel names 
[ Upstream commit db7a65e3ab78e5b1c4b17c0870ebee35a4ee3257 ]

Use valid_name() to make sure user does not provide illegal
device name.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:25 +02:00
Eric Dumazet
72363c63b0 ip6_gre: better validate user provided tunnel names 
[ Upstream commit 5f42df013b8bc1b6511af7a04bf93b014884ae2a ]

Use dev_valid_name() to make sure user does not provide illegal
device name.

syzbot caught the following bug :

BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
Write of size 20 at addr ffff8801afb9f7b8 by task syzkaller851048/4466

CPU: 1 PID: 4466 Comm: syzkaller851048 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 ip6gre_tunnel_locate+0x334/0x860 net/ipv6/ip6_gre.c:339
 ip6gre_tunnel_ioctl+0x69d/0x12e0 net/ipv6/ip6_gre.c:1195
 dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
 dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
 sock_ioctl+0x47e/0x680 net/socket.c:1015
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 SYSC_ioctl fs/ioctl.c:708 [inline]
 SyS_ioctl+0x24/0x30 fs/ioctl.c:706
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: c12b395a4664 ("gre: Support GRE over IPv6")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:25 +02:00
Eric Dumazet
a7309cad9c ipv6: sit: better validate user provided tunnel names 
[ Upstream commit b95211e066fc3494b7c115060b2297b4ba21f025 ]

Use dev_valid_name() to make sure user does not provide illegal
device name.

syzbot caught the following bug :

BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
Write of size 33 at addr ffff8801b64076d8 by task syzkaller932654/4453

CPU: 0 PID: 4453 Comm: syzkaller932654 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 ipip6_tunnel_locate+0x63b/0xaa0 net/ipv6/sit.c:254
 ipip6_tunnel_ioctl+0xe71/0x241b net/ipv6/sit.c:1221
 dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
 dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
 sock_ioctl+0x47e/0x680 net/socket.c:1015
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 SYSC_ioctl fs/ioctl.c:708 [inline]
 SyS_ioctl+0x24/0x30 fs/ioctl.c:706
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:25 +02:00
Eric Dumazet
6816295fe9 ip_tunnel: better validate user provided tunnel names 
[ Upstream commit 9cb726a212a82c88c98aa9f0037fd04777cd8fe5 ]

Use dev_valid_name() to make sure user does not provide illegal
device name.

syzbot caught the following bug :

BUG: KASAN: stack-out-of-bounds in strlcpy include/linux/string.h:300 [inline]
BUG: KASAN: stack-out-of-bounds in __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
Write of size 20 at addr ffff8801ac79f810 by task syzkaller268107/4482

CPU: 0 PID: 4482 Comm: syzkaller268107 Not tainted 4.16.0+ #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x1b9/0x29f lib/dump_stack.c:53
 print_address_description+0x6c/0x20b mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report.cold.7+0xac/0x2f5 mm/kasan/report.c:412
 check_memory_region_inline mm/kasan/kasan.c:260 [inline]
 check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
 memcpy+0x37/0x50 mm/kasan/kasan.c:303
 strlcpy include/linux/string.h:300 [inline]
 __ip_tunnel_create+0xca/0x6b0 net/ipv4/ip_tunnel.c:257
 ip_tunnel_create net/ipv4/ip_tunnel.c:352 [inline]
 ip_tunnel_ioctl+0x818/0xd40 net/ipv4/ip_tunnel.c:861
 ipip_tunnel_ioctl+0x1c5/0x420 net/ipv4/ipip.c:350
 dev_ifsioc+0x43e/0xb90 net/core/dev_ioctl.c:334
 dev_ioctl+0x69a/0xcc0 net/core/dev_ioctl.c:525
 sock_ioctl+0x47e/0x680 net/socket.c:1015
 vfs_ioctl fs/ioctl.c:46 [inline]
 file_ioctl fs/ioctl.c:500 [inline]
 do_vfs_ioctl+0x1cf/0x1650 fs/ioctl.c:684
 ksys_ioctl+0xa9/0xd0 fs/ioctl.c:701
 SYSC_ioctl fs/ioctl.c:708 [inline]
 SyS_ioctl+0x24/0x30 fs/ioctl.c:706
 do_syscall_64+0x29e/0x9d0 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: c54419321455 ("GRE: Refactor GRE tunneling code.")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:25 +02:00
Eric Dumazet
048a64fbc2 net: fool proof dev_valid_name() 
[ Upstream commit a9d48205d0aedda021fc3728972a9e9934c2b9de ]

We want to use dev_valid_name() to validate tunnel names,
so better use strnlen(name, IFNAMSIZ) than strlen(name) to make
sure to not upset KASAN.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:25 +02:00
Hangbin Liu
09cb8267ad vlan: also check phy_driver ts_info for vlan's real device 
[ Upstream commit ec1d8ccb07deaf30fd0508af6755364ac47dc08d ]

Just like function ethtool_get_ts_info(), we should also consider the
phy_driver ts_info call back. For example, driver dp83640.

Fixes: 37dd9255b2f6 ("vlan: Pass ethtool get_ts_info queries to real device.")
Acked-by: Richard Cochran <richardcochran@gmail.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:24 +02:00
Eric Dumazet
3fdd43709d sctp: sctp_sockaddr_af must check minimal addr length for AF_INET6 
[ Upstream commit 81e98370293afcb58340ce8bd71af7b97f925c26 ]

Check must happen before call to ipv6_addr_v4mapped()

syzbot report was :

BUG: KMSAN: uninit-value in sctp_sockaddr_af net/sctp/socket.c:359 [inline]
BUG: KMSAN: uninit-value in sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
CPU: 0 PID: 3576 Comm: syzkaller968804 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:676
 sctp_sockaddr_af net/sctp/socket.c:359 [inline]
 sctp_do_bind+0x60f/0xdc0 net/sctp/socket.c:384
 sctp_bind+0x149/0x190 net/sctp/socket.c:332
 inet6_bind+0x1fd/0x1820 net/ipv6/af_inet6.c:293
 SYSC_bind+0x3f2/0x4b0 net/socket.c:1474
 SyS_bind+0x54/0x80 net/socket.c:1460
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x43fd49
RSP: 002b:00007ffe99df3d28 EFLAGS: 00000213 ORIG_RAX: 0000000000000031
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fd49
RDX: 0000000000000010 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 00000000004002c8 R11: 0000000000000213 R12: 0000000000401670
R13: 0000000000401700 R14: 0000000000000000 R15: 0000000000000000

Local variable description: ----address@SYSC_bind
Variable was created at:
 SYSC_bind+0x6f/0x4b0 net/socket.c:1461
 SyS_bind+0x54/0x80 net/socket.c:1460

Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Vlad Yasevich <vyasevich@gmail.com>
Cc: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:24 +02:00
Eric Dumazet
3f80d01bbd sctp: do not leak kernel memory to user space 
[ Upstream commit 6780db244d6b1537d139dea0ec8aad10cf9e4adb ]

syzbot produced a nice report [1]

Issue here is that a recvmmsg() managed to leak 8 bytes of kernel memory
to user space, because sin_zero (padding field) was not properly cleared.

[1]
BUG: KMSAN: uninit-value in copy_to_user include/linux/uaccess.h:184 [inline]
BUG: KMSAN: uninit-value in move_addr_to_user+0x32e/0x530 net/socket.c:227
CPU: 1 PID: 3586 Comm: syzkaller481044 Not tainted 4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
 kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copy_to_user include/linux/uaccess.h:184 [inline]
 move_addr_to_user+0x32e/0x530 net/socket.c:227
 ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
 SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
 SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2
RIP: 0033:0x4401c9
RSP: 002b:00007ffc56f73098 EFLAGS: 00000217 ORIG_RAX: 000000000000012b
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004401c9
RDX: 0000000000000001 RSI: 0000000020003ac0 RDI: 0000000000000003
RBP: 00000000006ca018 R08: 0000000020003bc0 R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000217 R12: 0000000000401af0
R13: 0000000000401b80 R14: 0000000000000000 R15: 0000000000000000

Local variable description: ----addr@___sys_recvmsg
Variable was created at:
 ___sys_recvmsg+0xd5/0x810 net/socket.c:2172
 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313

Bytes 8-15 of 16 are uninitialized

==================================================================
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 3586 Comm: syzkaller481044 Tainted: G    B            4.16.0+ #82
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x185/0x1d0 lib/dump_stack.c:53
 panic+0x39d/0x940 kernel/panic.c:183
 kmsan_report+0x238/0x240 mm/kmsan/kmsan.c:1083
 kmsan_internal_check_memory+0x164/0x1d0 mm/kmsan/kmsan.c:1176
 kmsan_copy_to_user+0x69/0x160 mm/kmsan/kmsan.c:1199
 copy_to_user include/linux/uaccess.h:184 [inline]
 move_addr_to_user+0x32e/0x530 net/socket.c:227
 ___sys_recvmsg+0x4e2/0x810 net/socket.c:2211
 __sys_recvmmsg+0x54e/0xdb0 net/socket.c:2313
 SYSC_recvmmsg+0x29b/0x3e0 net/socket.c:2394
 SyS_recvmmsg+0x76/0xa0 net/socket.c:2378
 do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x3d/0xa2

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc:	Vlad Yasevich <vyasevich@gmail.com>
Cc:	Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:24 +02:00
Davide Caratti
21563c4df3 net/sched: fix NULL dereference in the error path of tcf_bpf_init() 
[ Upstream commit 3239534a79ee6f20cffd974173a1e62e0730e8ac ]

when tcf_bpf_init_from_ops() fails (e.g. because of program having invalid
number of instructions), tcf_bpf_cfg_cleanup() calls bpf_prog_put(NULL) or
bpf_prog_destroy(NULL). Unless CONFIG_BPF_SYSCALL is unset, this causes
the following error:

 BUG: unable to handle kernel NULL pointer dereference at 0000000000000020
 PGD 800000007345a067 P4D 800000007345a067 PUD 340e1067 PMD 0
 Oops: 0000 [#1] SMP PTI
 Modules linked in: act_bpf(E) ip6table_filter ip6_tables iptable_filter binfmt_misc ext4 mbcache jbd2 crct10dif_pclmul crc32_pclmul ghash_clmulni_intel snd_hda_codec_generic pcbc snd_hda_intel snd_hda_codec snd_hda_core snd_hwdep snd_seq snd_seq_device snd_pcm aesni_intel crypto_simd glue_helper cryptd joydev snd_timer snd virtio_balloon pcspkr soundcore i2c_piix4 nfsd auth_rpcgss nfs_acl lockd grace sunrpc ip_tables xfs libcrc32c ata_generic pata_acpi qxl drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm virtio_blk drm virtio_net virtio_console i2c_core crc32c_intel serio_raw virtio_pci ata_piix libata virtio_ring floppy virtio dm_mirror dm_region_hash dm_log dm_mod [last unloaded: act_bpf]
 CPU: 3 PID: 5654 Comm: tc Tainted: G            E    4.16.0.bpf_test+ #408
 Hardware name: Red Hat KVM, BIOS 0.5.1 01/01/2011
 RIP: 0010:__bpf_prog_put+0xc/0xc0
 RSP: 0018:ffff9594003ef728 EFLAGS: 00010202
 RAX: 0000000000000000 RBX: ffff9594003ef758 RCX: 0000000000000024
 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000000
 RBP: 0000000000000000 R08: 0000000000000001 R09: 0000000000000044
 R10: 0000000000000220 R11: ffff8a7ab9f17131 R12: 0000000000000000
 R13: ffff8a7ab7c3c8e0 R14: 0000000000000001 R15: ffff8a7ab88f1054
 FS:  00007fcb2f17c740(0000) GS:ffff8a7abfd80000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000020 CR3: 000000007c888006 CR4: 00000000001606e0
 Call Trace:
  tcf_bpf_cfg_cleanup+0x2f/0x40 [act_bpf]
  tcf_bpf_cleanup+0x4c/0x70 [act_bpf]
  __tcf_idr_release+0x79/0x140
  tcf_bpf_init+0x125/0x330 [act_bpf]
  tcf_action_init_1+0x2cc/0x430
  ? get_page_from_freelist+0x3f0/0x11b0
  tcf_action_init+0xd3/0x1b0
  tc_ctl_action+0x18b/0x240
  rtnetlink_rcv_msg+0x29c/0x310
  ? _cond_resched+0x15/0x30
  ? __kmalloc_node_track_caller+0x1b9/0x270
  ? rtnl_calcit.isra.29+0x100/0x100
  netlink_rcv_skb+0xd2/0x110
  netlink_unicast+0x17c/0x230
  netlink_sendmsg+0x2cd/0x3c0
  sock_sendmsg+0x30/0x40
  ___sys_sendmsg+0x27a/0x290
  ? mem_cgroup_commit_charge+0x80/0x130
  ? page_add_new_anon_rmap+0x73/0xc0
  ? do_anonymous_page+0x2a2/0x560
  ? __handle_mm_fault+0xc75/0xe20
  __sys_sendmsg+0x58/0xa0
  do_syscall_64+0x6e/0x1a0
  entry_SYSCALL_64_after_hwframe+0x3d/0xa2
 RIP: 0033:0x7fcb2e58eba0
 RSP: 002b:00007ffc93c496c8 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
 RAX: ffffffffffffffda RBX: 00007ffc93c497f0 RCX: 00007fcb2e58eba0
 RDX: 0000000000000000 RSI: 00007ffc93c49740 RDI: 0000000000000003
 RBP: 000000005ac6a646 R08: 0000000000000002 R09: 0000000000000000
 R10: 00007ffc93c49120 R11: 0000000000000246 R12: 0000000000000000
 R13: 00007ffc93c49804 R14: 0000000000000001 R15: 000000000066afa0
 Code: 5f 00 48 8b 43 20 48 c7 c7 70 2f 7c b8 c7 40 10 00 00 00 00 5b e9 a5 8b 61 00 0f 1f 44 00 00 0f 1f 44 00 00 41 54 55 48 89 fd 53 <48> 8b 47 20 f0 ff 08 74 05 5b 5d 41 5c c3 41 89 f4 0f 1f 44 00
 RIP: __bpf_prog_put+0xc/0xc0 RSP: ffff9594003ef728
 CR2: 0000000000000020

Fix it in tcf_bpf_cfg_cleanup(), ensuring that bpf_prog_{put,destroy}(f)
is called only when f is not NULL.

Fixes: bbc09e7842a5 ("net/sched: fix idr leak on the error path of tcf_bpf_init()")
Reported-by: Lucas Bates <lucasb@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:23 +02:00
Craig Dillabaugh
cd19a9b12a net sched actions: fix dumping which requires several messages to user space 
[ Upstream commit 734549eb550c0c720bc89e50501f1b1e98cdd841 ]

Fixes a bug in the tcf_dump_walker function that can cause some actions
to not be reported when dumping a large number of actions. This issue
became more aggrevated when cookies feature was added. In particular
this issue is manifest when large cookie values are assigned to the
actions and when enough actions are created that the resulting table
must be dumped in multiple batches.

The number of actions returned in each batch is limited by the total
number of actions and the memory buffer size.  With small cookies
the numeric limit is reached before the buffer size limit, which avoids
the code path triggering this bug. When large cookies are used buffer
fills before the numeric limit, and the erroneous code path is hit.

For example after creating 32 csum actions with the cookie
aaaabbbbccccdddd

$ tc actions ls action csum
total acts 26

    action order 0: csum (tcp) action continue
    index 1 ref 1 bind 0
    cookie aaaabbbbccccdddd

    .....

    action order 25: csum (tcp) action continue
    index 26 ref 1 bind 0
    cookie aaaabbbbccccdddd
total acts 6

    action order 0: csum (tcp) action continue
    index 28 ref 1 bind 0
    cookie aaaabbbbccccdddd

    ......

    action order 5: csum (tcp) action continue
    index 32 ref 1 bind 0
    cookie aaaabbbbccccdddd

Note that the action with index 27 is omitted from the report.

Fixes: 4b3550ef530c ("[NET_SCHED]: Use nla_nest_start/nla_nest_end")"
Signed-off-by: Craig Dillabaugh <cdillaba@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:23 +02:00
Alexander Potapenko
787b940625 netlink: make sure nladdr has correct size in netlink_connect() 
[ Upstream commit 7880287981b60a6808f39f297bb66936e8bdf57a ]

KMSAN reports use of uninitialized memory in the case when |alen| is
smaller than sizeof(struct sockaddr_nl), and therefore |nladdr| isn't
fully copied from the userspace.

Signed-off-by: Alexander Potapenko <glider@google.com>
Fixes: 1da177e4c3f41524 ("Linux-2.6.12-rc2")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:23 +02:00
Jeff Barnhill
7948bc9279 net/ipv6: Increment OUTxxx counters after netfilter hook 
[ Upstream commit 71a1c915238c970cd9bdd5bf158b1279d6b6d55b ]

At the end of ip6_forward(), IPSTATS_MIB_OUTFORWDATAGRAMS and
IPSTATS_MIB_OUTOCTETS are incremented immediately before the NF_HOOK call
for NFPROTO_IPV6 / NF_INET_FORWARD.  As a result, these counters get
incremented regardless of whether or not the netfilter hook allows the
packet to continue being processed.  This change increments the counters
in ip6_forward_finish() so that it will not happen if the netfilter hook
chooses to terminate the packet, which is similar to how IPv4 works.

Signed-off-by: Jeff Barnhill <0xeffeff@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:23 +02:00
David Ahern
d1b820bd98 net/ipv6: Fix route leaking between VRFs 
[ Upstream commit b6cdbc85234b072340b8923e69f49ec293f905dc ]

Donald reported that IPv6 route leaking between VRFs is not working.
The root cause is the strict argument in the call to rt6_lookup when
validating the nexthop spec.

ip6_route_check_nh validates the gateway and device (if given) of a
route spec. It in turn could call rt6_lookup (e.g., lookup in a given
table did not succeed so it falls back to a full lookup) and if so
sets the strict argument to 1. That means if the egress device is given,
the route lookup needs to return a result with the same device. This
strict requirement does not work with VRFs (IPv4 or IPv6) because the
oif in the flow struct is overridden with the index of the VRF device
to trigger a match on the l3mdev rule and force the lookup to its table.

The right long term solution is to add an l3mdev index to the flow
struct such that the oif is not overridden. That solution will not
backport well, so this patch aims for a simpler solution to relax the
strict argument if the route spec device is an l3mdev slave. As done
in other places, use the FLOWI_FLAG_SKIP_NH_OIF to know that the
RT6_LOOKUP_F_IFACE flag needs to be removed.

Fixes: ca254490c8df ("net: Add VRF support to IPv6 stack")
Reported-by: Donald Sharp <sharpd@cumulusnetworks.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:23 +02:00
Eric Dumazet
589a3f3051 net: fix possible out-of-bound read in skb_network_protocol() 
[ Upstream commit 1dfe82ebd7d8fd43dba9948fdfb31f145014baa0 ]

skb mac header is not necessarily set at the time skb_network_protocol()
is called. Use skb->data instead.

BUG: KASAN: slab-out-of-bounds in skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
Read of size 2 at addr ffff8801b3097a0b by task syz-executor5/14242

CPU: 1 PID: 14242 Comm: syz-executor5 Not tainted 4.16.0-rc6+ #280
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23c/0x360 mm/kasan/report.c:412
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/report.c:443
 skb_network_protocol+0x46b/0x4b0 net/core/dev.c:2739
 harmonize_features net/core/dev.c:2924 [inline]
 netif_skb_features+0x509/0x9b0 net/core/dev.c:3011
 validate_xmit_skb+0x81/0xb00 net/core/dev.c:3084
 validate_xmit_skb_list+0xbf/0x120 net/core/dev.c:3142
 packet_direct_xmit+0x117/0x790 net/packet/af_packet.c:256
 packet_snd net/packet/af_packet.c:2944 [inline]
 packet_sendmsg+0x3aed/0x60b0 net/packet/af_packet.c:2969
 sock_sendmsg_nosec net/socket.c:629 [inline]
 sock_sendmsg+0xca/0x110 net/socket.c:639
 ___sys_sendmsg+0x767/0x8b0 net/socket.c:2047
 __sys_sendmsg+0xe5/0x210 net/socket.c:2081

Fixes: 19acc327258a ("gso: Handle Trans-Ether-Bridging protocol in skb_network_protocol()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Pravin B Shelar <pshelar@ovn.org>
Reported-by: Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:23 +02:00
Paolo Abeni
52f0a5ff60 ipv6: the entire IPv6 header chain must fit the first fragment 
[ Upstream commit 10b8a3de603df7b96004179b1b33b1708c76d144 ]

While building ipv6 datagram we currently allow arbitrary large
extheaders, even beyond pmtu size. The syzbot has found a way
to exploit the above to trigger the following splat:

kernel BUG at ./include/linux/skbuff.h:2073!
invalid opcode: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
    (ftrace buffer empty)
Modules linked in:
CPU: 1 PID: 4230 Comm: syzkaller672661 Not tainted 4.16.0-rc2+ #326
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
RIP: 0010:__skb_pull include/linux/skbuff.h:2073 [inline]
RIP: 0010:__ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636
RSP: 0018:ffff8801bc18f0f0 EFLAGS: 00010293
RAX: ffff8801b17400c0 RBX: 0000000000000738 RCX: ffffffff84f01828
RDX: 0000000000000000 RSI: 0000000000000001 RDI: ffff8801b415ac18
RBP: ffff8801bc18f360 R08: ffff8801b4576844 R09: 0000000000000000
R10: ffff8801bc18f380 R11: ffffed00367aee4e R12: 00000000000000d6
R13: ffff8801b415a740 R14: dffffc0000000000 R15: ffff8801b45767c0
FS:  0000000001535880(0000) GS:ffff8801db300000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000002000b000 CR3: 00000001b4123001 CR4: 00000000001606e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
  ip6_finish_skb include/net/ipv6.h:969 [inline]
  udp_v6_push_pending_frames+0x269/0x3b0 net/ipv6/udp.c:1073
  udpv6_sendmsg+0x2a96/0x3400 net/ipv6/udp.c:1343
  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:764
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  ___sys_sendmsg+0x320/0x8b0 net/socket.c:2046
  __sys_sendmmsg+0x1ee/0x620 net/socket.c:2136
  SYSC_sendmmsg net/socket.c:2167 [inline]
  SyS_sendmmsg+0x35/0x60 net/socket.c:2162
  do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x4404c9
RSP: 002b:00007ffdce35f948 EFLAGS: 00000217 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 00000000004404c9
RDX: 0000000000000003 RSI: 0000000020001f00 RDI: 0000000000000003
RBP: 00000000006cb018 R08: 00000000004002c8 R09: 00000000004002c8
R10: 0000000020000080 R11: 0000000000000217 R12: 0000000000401df0
R13: 0000000000401e80 R14: 0000000000000000 R15: 0000000000000000
Code: ff e8 1d 5e b9 fc e9 15 e9 ff ff e8 13 5e b9 fc e9 44 e8 ff ff e8 29
5e b9 fc e9 c0 e6 ff ff e8 3f f3 80 fc 0f 0b e8 38 f3 80 fc <0f> 0b 49 8d
87 80 00 00 00 4d 8d 87 84 00 00 00 48 89 85 20 fe
RIP: __skb_pull include/linux/skbuff.h:2073 [inline] RSP: ffff8801bc18f0f0
RIP: __ip6_make_skb+0x1ac8/0x2190 net/ipv6/ip6_output.c:1636 RSP:
ffff8801bc18f0f0

As stated by RFC 7112 section 5:

   When a host fragments an IPv6 datagram, it MUST include the entire
   IPv6 Header Chain in the First Fragment.

So this patch addresses the issue dropping datagrams with excessive
extheader length. It also updates the error path to report to the
calling socket nonnegative pmtu values.

The issue apparently predates git history.

v1 -> v2: cleanup error path, as per Eric's suggestion

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot+91e6f9932ff122fa4410@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:23 +02:00
Miguel Fadon Perlines
cdd74d6ac8 arp: fix arp_filter on l3slave devices 
[ Upstream commit 58b35f27689b5eb514fc293c332966c226b1b6e4 ]

arp_filter performs an ip_route_output search for arp source address and
checks if output device is the same where the arp request was received,
if it is not, the arp request is not answered.

This route lookup is always done on main route table so l3slave devices
never find the proper route and arp is not answered.

Passing l3mdev_master_ifindex_rcu(dev) return value as oif fixes the
lookup for l3slave devices while maintaining same behavior for non
l3slave devices as this function returns 0 in that case.

Fixes: 613d09b30f8b ("net: Use VRF device index for lookups on TX")
Signed-off-by: Miguel Fadon Perlines <mfadon@teldat.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:22 +02:00
Peter Große
bb23fbd8fb mac80211: Fix setting TX power on monitor interfaces 
[ Upstream commit 3a3713ec360138f806c6fc368d1de570f692b347 ]

Instead of calling ieee80211_recalc_txpower on monitor interfaces
directly, call it using the virtual monitor interface, if one exists.

In case of a single monitor interface given, reject setting TX power,
if no virtual monitor interface exists.

That being checked, don't warn in ieee80211_bss_info_change_notify,
after setting TX power on a monitor interface.

Fixes warning:
------------[ cut here ]------------
 WARNING: CPU: 0 PID: 2193 at net/mac80211/driver-ops.h:167
 ieee80211_bss_info_change_notify+0x111/0x190 Modules linked in: uvcvideo
 videobuf2_vmalloc videobuf2_memops videobuf2_v4l2 videobuf2_core
rndis_host cdc_ether usbnet mii tp_smapi(O) thinkpad_ec(O) ohci_hcd vboxpci(O)
 vboxnetadp(O) vboxnetflt(O) v boxdrv(O) x86_pkg_temp_thermal kvm_intel kvm
 irqbypass iwldvm iwlwifi ehci_pci ehci_hcd tpm_tis tpm_tis_core tpm CPU: 0
 PID: 2193 Comm: iw Tainted: G           O    4.12.12-gentoo #2 task:
 ffff880186fd5cc0 task.stack: ffffc90001b54000 RIP:
 0010:ieee80211_bss_info_change_notify+0x111/0x190 RSP: 0018:ffffc90001b57a10
 EFLAGS: 00010246 RAX: 0000000000000006 RBX: ffff8801052ce840 RCX:
 0000000000000064 RDX: 00000000fffffffc RSI: 0000000000040000 RDI:
 ffff8801052ce840 RBP: ffffc90001b57a38 R08: 0000000000000062 R09:
 0000000000000000 R10: ffff8802144b5000 R11: ffff880049dc4614 R12:
 0000000000040000 R13: 0000000000000064 R14: ffff8802105f0760 R15:
 ffffc90001b57b48 FS:  00007f92644b4580(0000) GS:ffff88021e200000(0000)
 knlGS:0000000000000000 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00007f9263c109f0 CR3: 00000001df850000 CR4: 00000000000406f0
 Call Trace:
  ieee80211_recalc_txpower+0x33/0x40
  ieee80211_set_tx_power+0x40/0x180
  nl80211_set_wiphy+0x32e/0x950

Reported-by: Peter Große <pegro@friiks.de>
Signed-off-by: Peter Große <pegro@friiks.de>

Signed-off-by: Johannes Berg <johannes.berg@intel.com>

Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:15 +02:00
Sowmini Varadhan
ea620e414b rds; Reset rs->rs_bound_addr in rds_add_bound() failure path 
[ Upstream commit 7ae0c649c47f1c5d2db8cee6dd75855970af1669 ]

If the rds_sock is not added to the bind_hash_table, we must
reset rs_bound_addr so that rds_remove_bound will not trip on
this rds_sock.

rds_add_bound() does a rds_sock_put() in this failure path, so
failing to reset rs_bound_addr will result in a socket refcount
bug, and will trigger a WARN_ON with the stack shown below when
the application subsequently tries to close the PF_RDS socket.

     WARNING: CPU: 20 PID: 19499 at net/rds/af_rds.c:496 \
		rds_sock_destruct+0x15/0x30 [rds]
       :
     __sk_destruct+0x21/0x190
     rds_remove_bound.part.13+0xb6/0x140 [rds]
     rds_release+0x71/0x120 [rds]
     sock_release+0x1a/0x70
     sock_close+0xe/0x20
     __fput+0xd5/0x210
     task_work_run+0x82/0xa0
     do_exit+0x2ce/0xb30
     ? syscall_trace_enter+0x1cc/0x2b0
     do_group_exit+0x39/0xa0
     SyS_exit_group+0x10/0x10
     do_syscall_64+0x61/0x1a0

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:12 +02:00
Hangbin Liu
ab4ac0fc47 l2tp: fix missing print session offset info 
[ Upstream commit 820da5357572715c6235ba3b3daa2d5b43a1198f ]

Report offset parameter in L2TP_CMD_SESSION_GET command if
it has been configured by userspace

Fixes: 309795f4bec ("l2tp: Add netlink control API for L2TP")
Reported-by: Jianlin Shi <jishi@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:12 +02:00
Tobias Brunner
fd78be4b37 ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT 
[ Upstream commit 09ee9dba9611cd382fd360a99ad1c2fa23bfdca8 ]

If SNAT modifies the source address the resulting packet might match
an IPsec policy, reinject the packet if that's the case.

The exact same thing is already done for IPv4.

Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Acked-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-12 12:32:11 +02:00
Greg Kroah-Hartman
27e69ad2ae This is the 4.14.33 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlrKCn4ACgkQONu9yGCS
 aT5N9Q//fD3Bsaf4GuQxBLR0Jd6tNpunTMyc98TxQ1SUqN72YHiVhhZ88F5syRXd
 OsdOUIbmlnGPGfiV4sFf9HPmji4OCmTwBdWOjeja75TjApJ98H1gMUlULbiFYgdc
 TMitrwfNmxjUsdbCUGO2E3+9xKXjWcqmDfqeE4zano9iejPLiDwulIiG52QTVIlY
 FGm0nxYPq2A4AlF4u2B7sHaf1PEeopcmx/wNaAAZQf3pzXo8SukThQaeQihYMUv2
 4iU6EDmorTFy2V+r6N58AU4BEVj1fsiWLVObNRjfRkQ6NiljhzHgoSxrqXF+lOFu
 ZGOOLJ7oiVJMXBBFKkDCA9qKvLcVRmwEz8gwdvylhWuOoUIvRxfPBdbPenz7YXYS
 0ySXA0zU6KT31O+70ryE2UQonQ27fF71hohBRm1a5Z88uy24eCbFR1b5+8ldVKeF
 2SFruhtoaI9iG6aaIFW8bNLVU3d5wyhp+NrL57y4STeR/fDC5ed3jnaOaXKpM4Dl
 DnteX/UtTvlVTwhBNgSEaCxB53gHWM9/ueEJaijfSiQVaIyrXL0atz8ZhZPlXwVG
 n13Dl4nWbXO6/TckK+VqhCTJ/54vEZzKfvR6u9+QiusA5AcS5rFz/4nQx6fVpt1z
 XgmUPtaC63TPc7E3iY/SvX2FtOWpdjqR/Tv32xbIjwSfDdnOl2M=
 =kd9N
 -----END PGP SIGNATURE-----

Merge 4.14.33 into android-4.14

Changes in 4.14.33
	ARM: OMAP: Fix SRAM W+X mapping
	ARM: 8746/1: vfp: Go back to clearing vfp_current_hw_state[]
	ARM: dts: sun6i: a31s: bpi-m2: improve pmic properties
	ARM: dts: sun6i: a31s: bpi-m2: add missing regulators
	mtd: jedec_probe: Fix crash in jedec_read_mfr()
	mtd: nand: atmel: Fix get_sectorsize() function
	ALSA: usb-audio: Add native DSD support for TEAC UD-301
	ALSA: pcm: Use dma_bytes as size parameter in dma_mmap_coherent()
	ALSA: pcm: potential uninitialized return values
	x86/platform/uv/BAU: Add APIC idt entry
	perf/hwbp: Simplify the perf-hwbp code, fix documentation
	ceph: only dirty ITER_IOVEC pages for direct read
	ipc/shm.c: add split function to shm_vm_ops
	i2c: i2c-stm32f7: fix no check on returned setup
	powerpc/64s: Fix lost pending interrupt due to race causing lost update to irq_happened
	powerpc/64s: Fix i-side SLB miss bad address handler saving nonvolatile GPRs
	partitions/msdos: Unable to mount UFS 44bsd partitions
	xfrm_user: uncoditionally validate esn replay attribute struct
	RDMA/ucma: Check AF family prior resolving address
	RDMA/ucma: Fix use-after-free access in ucma_close
	RDMA/ucma: Ensure that CM_ID exists prior to access it
	RDMA/rdma_cm: Fix use after free race with process_one_req
	RDMA/ucma: Check that device is connected prior to access it
	RDMA/ucma: Check that device exists prior to accessing it
	RDMA/ucma: Introduce safer rdma_addr_size() variants
	net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms()
	xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems
	percpu: add __GFP_NORETRY semantics to the percpu balancing path
	netfilter: x_tables: make allocation less aggressive
	netfilter: bridge: ebt_among: add more missing match size checks
	l2tp: fix races with ipv4-mapped ipv6 addresses
	netfilter: drop template ct when conntrack is skipped.
	netfilter: x_tables: add and use xt_check_proc_name
	phy: qcom-ufs: add MODULE_LICENSE tag
	Bluetooth: Fix missing encryption refresh on Security Request
	usb: dwc2: Improve gadget state disconnection handling
	bitmap: fix memset optimization on big-endian systems
	USB: serial: ftdi_sio: add RT Systems VX-8 cable
	USB: serial: ftdi_sio: add support for Harman FirmwareHubEmulator
	USB: serial: cp210x: add ELDAT Easywave RX09 id
	serial: 8250: Add Nuvoton NPCM UART
	mei: remove dev_err message on an unsupported ioctl
	/dev/mem: Avoid overwriting "err" in read_mem()
	media: usbtv: prevent double free in error case
	parport_pc: Add support for WCH CH382L PCI-E single parallel port card.
	crypto: lrw - Free rctx->ext with kzfree
	crypto: inside-secure - fix clock management
	crypto: testmgr - Fix incorrect values in PKCS#1 test vector
	crypto: ahash - Fix early termination in hash walk
	crypto: caam - Fix null dereference at error path
	crypto: ccp - return an actual key size from RSA max_size callback
	crypto: arm,arm64 - Fix random regeneration of S_shipped
	crypto: x86/cast5-avx - fix ECB encryption when long sg follows short one
	Btrfs: fix unexpected cow in run_delalloc_nocow
	staging: comedi: ni_mio_common: ack ai fifo error interrupts.
	Revert "base: arch_topology: fix section mismatch build warnings"
	Input: ALPS - fix TrackStick detection on Thinkpad L570 and Latitude 7370
	Input: i8042 - add Lenovo ThinkPad L460 to i8042 reset list
	Input: i8042 - enable MUX on Sony VAIO VGN-CS series to fix touchpad
	vt: change SGR 21 to follow the standards
	ARM: dts: DRA76-EVM: Set powerhold property for tps65917
	net: hns: Fix ethtool private flags
	Fix slab name "biovec-(1<<(21-12))"
	Revert "ARM: dts: am335x-pepper: Fix the audio CODEC's reset pin"
	Revert "ARM: dts: omap3-n900: Fix the audio CODEC's reset pin"
	Revert "cpufreq: Fix governor module removal race"
	Revert "ip6_vti: adjust vti mtu according to mtu of lower device"
	Linux 4.14.33

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2018-04-08 16:39:12 +02:00
Greg Kroah-Hartman
6bc3a54e06 Revert "ip6_vti: adjust vti mtu according to mtu of lower device" 
This reverts commit e6cfc525163ea3375113a9dcc234c2cdd8dbf643 which is
commit 53c81e95df1793933f87748d36070a721f6cb287 upstream.

Ben writes that there are a number of follow-on patches needed to fix
this up, but they get complex to backport, and some custom fixes are
needed, so let's just revert this and wait for a "real" set of patches
to resolve this to be submitted if it is really needed.

Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Cc: Petr Vorel <pvorel@suse.cz>
Cc: Alexey Kodanev <alexey.kodanev@oracle.com>
Cc: David S. Miller <davem@davemloft.net>
Cc: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:34 +02:00
Szymon Janc
87a97ab15e Bluetooth: Fix missing encryption refresh on Security Request 
commit 64e759f58f128730b97a3c3a26d283c075ad7c86 upstream.

If Security Request is received on connection that is already encrypted
with sufficient security master should perform encryption key refresh
procedure instead of just ignoring Slave Security Request
(Core Spec 5.0 Vol 3 Part H 2.4.6).

> ACL Data RX: Handle 3585 flags 0x02 dlen 6
      SMP: Security Request (0x0b) len 1
        Authentication requirement: Bonding, No MITM, SC, No Keypresses (0x09)
< HCI Command: LE Start Encryption (0x08|0x0019) plen 28
        Handle: 3585
        Random number: 0x0000000000000000
        Encrypted diversifier: 0x0000
        Long term key: 44264272a5c426a9e868f034cf0e69f3
> HCI Event: Command Status (0x0f) plen 4
      LE Start Encryption (0x08|0x0019) ncmd 1
        Status: Success (0x00)
> HCI Event: Encryption Key Refresh Complete (0x30) plen 3
        Status: Success (0x00)
        Handle: 3585

Signed-off-by: Szymon Janc <szymon.janc@codecoup.pl>
Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:30 +02:00
Florian Westphal
839a4c3b4a netfilter: x_tables: add and use xt_check_proc_name 
commit b1d0a5d0cba4597c0394997b2d5fced3e3841b4e upstream.

recent and hashlimit both create /proc files, but only check that
name is 0 terminated.

This can trigger WARN() from procfs when name is "" or "/".
Add helper for this and then use it for both.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: <syzbot+0502b00edac2a0680b61@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:29 +02:00
Paolo Abeni
2a55ad7440 netfilter: drop template ct when conntrack is skipped. 
commit aebfa52a925d701114afd6af0def35bab16d4f47 upstream.

The ipv4 nf_ct code currently skips the nf_conntrak_in() call
for fragmented packets. As a results later matches/target can end
up manipulating template ct entry instead of 'real' ones.

Exploiting the above, syzbot found a way to trigger the following
splat:

WARNING: CPU: 1 PID: 4242 at net/netfilter/xt_cluster.c:55
xt_cluster_mt+0x6c1/0x840 net/netfilter/xt_cluster.c:127
Kernel panic - not syncing: panic_on_warn set ...

CPU: 1 PID: 4242 Comm: syzkaller027971 Not tainted 4.16.0-rc2+ #243
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  panic+0x1e4/0x41c kernel/panic.c:183
  __warn+0x1dc/0x200 kernel/panic.c:547
  report_bug+0x211/0x2d0 lib/bug.c:184
  fixup_bug.part.11+0x37/0x80 arch/x86/kernel/traps.c:178
  fixup_bug arch/x86/kernel/traps.c:247 [inline]
  do_error_trap+0x2d7/0x3e0 arch/x86/kernel/traps.c:296
  do_invalid_op+0x1b/0x20 arch/x86/kernel/traps.c:315
  invalid_op+0x58/0x80 arch/x86/entry/entry_64.S:957
RIP: 0010:xt_cluster_hash net/netfilter/xt_cluster.c:55 [inline]
RIP: 0010:xt_cluster_mt+0x6c1/0x840 net/netfilter/xt_cluster.c:127
RSP: 0018:ffff8801d2f6f2d0 EFLAGS: 00010293
RAX: ffff8801af700540 RBX: 0000000000000000 RCX: ffffffff84a2d1e1
RDX: 0000000000000000 RSI: ffff8801d2f6f478 RDI: ffff8801cafd336a
RBP: ffff8801d2f6f2e8 R08: 0000000000000000 R09: 0000000000000001
R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801b03b3d18
R13: ffff8801cafd3300 R14: dffffc0000000000 R15: ffff8801d2f6f478
  ipt_do_table+0xa91/0x19b0 net/ipv4/netfilter/ip_tables.c:296
  iptable_filter_hook+0x65/0x80 net/ipv4/netfilter/iptable_filter.c:41
  nf_hook_entry_hookfn include/linux/netfilter.h:120 [inline]
  nf_hook_slow+0xba/0x1a0 net/netfilter/core.c:483
  nf_hook include/linux/netfilter.h:243 [inline]
  NF_HOOK include/linux/netfilter.h:286 [inline]
  raw_send_hdrinc.isra.17+0xf39/0x1880 net/ipv4/raw.c:432
  raw_sendmsg+0x14cd/0x26b0 net/ipv4/raw.c:669
  inet_sendmsg+0x11f/0x5e0 net/ipv4/af_inet.c:763
  sock_sendmsg_nosec net/socket.c:629 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:639
  SYSC_sendto+0x361/0x5c0 net/socket.c:1748
  SyS_sendto+0x40/0x50 net/socket.c:1716
  do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x441b49
RSP: 002b:00007ffff5ca8b18 EFLAGS: 00000216 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000441b49
RDX: 0000000000000030 RSI: 0000000020ff7000 RDI: 0000000000000003
RBP: 00000000006cc018 R08: 000000002066354c R09: 0000000000000010
R10: 0000000000000000 R11: 0000000000000216 R12: 0000000000403470
R13: 0000000000403500 R14: 0000000000000000 R15: 0000000000000000
Dumping ftrace buffer:
    (ftrace buffer empty)
Kernel Offset: disabled
Rebooting in 86400 seconds..

Instead of adding checks for template ct on every target/match
manipulating skb->_nfct, simply drop the template ct when skipping
nf_conntrack_in().

Fixes: 7b4fdf77a450ec ("netfilter: don't track fragmented packets")
Reported-and-tested-by: syzbot+0346441ae0545cfcea3a@syzkaller.appspotmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:29 +02:00
Paolo Abeni
b0850604cc l2tp: fix races with ipv4-mapped ipv6 addresses 
commit b954f94023dcc61388c8384f0f14eb8e42c863c5 upstream.

The l2tp_tunnel_create() function checks for v4mapped ipv6
sockets and cache that flag, so that l2tp core code can
reusing it at xmit time.

If the socket is provided by the userspace, the connection
status of the tunnel sockets can change between the tunnel
creation and the xmit call, so that syzbot is able to
trigger the following splat:

BUG: KASAN: use-after-free in ip6_dst_idev include/net/ip6_fib.h:192
[inline]
BUG: KASAN: use-after-free in ip6_xmit+0x1f76/0x2260
net/ipv6/ip6_output.c:264
Read of size 8 at addr ffff8801bd949318 by task syz-executor4/23448

CPU: 0 PID: 23448 Comm: syz-executor4 Not tainted 4.16.0-rc4+ #65
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:17 [inline]
  dump_stack+0x194/0x24d lib/dump_stack.c:53
  print_address_description+0x73/0x250 mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report+0x23c/0x360 mm/kasan/report.c:412
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
  ip6_dst_idev include/net/ip6_fib.h:192 [inline]
  ip6_xmit+0x1f76/0x2260 net/ipv6/ip6_output.c:264
  inet6_csk_xmit+0x2fc/0x580 net/ipv6/inet6_connection_sock.c:139
  l2tp_xmit_core net/l2tp/l2tp_core.c:1053 [inline]
  l2tp_xmit_skb+0x105f/0x1410 net/l2tp/l2tp_core.c:1148
  pppol2tp_sendmsg+0x470/0x670 net/l2tp/l2tp_ppp.c:341
  sock_sendmsg_nosec net/socket.c:630 [inline]
  sock_sendmsg+0xca/0x110 net/socket.c:640
  ___sys_sendmsg+0x767/0x8b0 net/socket.c:2046
  __sys_sendmsg+0xe5/0x210 net/socket.c:2080
  SYSC_sendmsg net/socket.c:2091 [inline]
  SyS_sendmsg+0x2d/0x50 net/socket.c:2087
  do_syscall_64+0x281/0x940 arch/x86/entry/common.c:287
  entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x453e69
RSP: 002b:00007f819593cc68 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00007f819593d6d4 RCX: 0000000000453e69
RDX: 0000000000000081 RSI: 000000002037ffc8 RDI: 0000000000000004
RBP: 000000000072bea0 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
R13: 00000000000004c3 R14: 00000000006f72e8 R15: 0000000000000000

This change addresses the issues:
* explicitly checking for TCP_ESTABLISHED for user space provided sockets
* dropping the v4mapped flag usage - it can become outdated - and
  explicitly invoking ipv6_addr_v4mapped() instead

The issue is apparently there since ancient times.

v1 -> v2: (many thanks to Guillaume)
 - with csum issue introduced in v1
 - replace pr_err with pr_debug
 - fix build issue with IPV6 disabled
 - move l2tp_sk_is_v4mapped in l2tp_core.c

v2 -> v3:
 - don't update inet_daddr for v4mapped address, unneeded
 - drop rendundant check at creation time

Reported-and-tested-by: syzbot+92fa328176eb07e4ac1a@syzkaller.appspotmail.com
Fixes: 3557baabf280 ("[L2TP]: PPP over L2TP driver core")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:29 +02:00
Florian Westphal
bbfbc396f0 netfilter: bridge: ebt_among: add more missing match size checks 
commit c8d70a700a5b486bfa8e5a7d33d805389f6e59f9 upstream.

ebt_among is special, it has a dynamic match size and is exempt
from the central size checks.

commit c4585a2823edf ("bridge: ebt_among: add missing match size checks")
added validation for pool size, but missed fact that the macros
ebt_among_wh_src/dst can already return out-of-bound result because
they do not check value of wh_src/dst_ofs (an offset) vs. the size
of the match that userspace gave to us.

v2:
check that offset has correct alignment.
Paolo Abeni points out that we should also check that src/dst
wormhash arrays do not overlap, and src + length lines up with
start of dst (or vice versa).
v3: compact wormhash_sizes_valid() part

NB: Fixes tag is intentionally wrong, this bug exists from day
one when match was added for 2.6 kernel. Tag is there so stable
maintainers will notice this one too.

Tested with same rules from the earlier patch.

Fixes: c4585a2823edf ("bridge: ebt_among: add missing match size checks")
Reported-by: <syzbot+bdabab6f1983a03fc009@syzkaller.appspotmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:29 +02:00
Michal Hocko
546ade704a netfilter: x_tables: make allocation less aggressive 
commit 0537250fdc6c876ed4cbbe874c739aebef493ee2 upstream.

syzbot has noticed that xt_alloc_table_info can allocate a lot of memory.
This is an admin only interface but an admin in a namespace is sufficient
as well.  eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in
xt_alloc_table_info()") has changed the opencoded kmalloc->vmalloc
fallback into kvmalloc.  It has dropped __GFP_NORETRY on the way because
vmalloc has simply never fully supported __GFP_NORETRY semantic.  This is
still the case because e.g.  page tables backing the vmalloc area are
hardcoded GFP_KERNEL.

Revert back to __GFP_NORETRY as a poors man defence against excessively
large allocation request here.  We will not rule out the OOM killer
completely but __GFP_NORETRY should at least stop the large request in
most cases.

[akpm@linux-foundation.org: coding-style fixes]
Fixes: eacd86ca3b03 ("net/netfilter/x_tables.c: use kvmalloc() in xt_alloc_tableLink: http://lkml.kernel.org/r/20180130140104.GE21609@dhcp22.suse.cz
Signed-off-by: Michal Hocko <mhocko@suse.com>
Acked-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Cc: David S. Miller <davem@davemloft.net>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:29 +02:00
Steffen Klassert
dffe655ddb xfrm: Refuse to insert 32 bit userspace socket policies on 64 bit systems 
commit 19d7df69fdb2636856dc8919de72fc1bf8f79598 upstream.

We don't have a compat layer for xfrm, so userspace and kernel
structures have different sizes in this case. This results in
a broken configuration, so refuse to configure socket policies
when trying to insert from 32 bit userspace as we do it already
with policies inserted via netlink.

Reported-and-tested-by: syzbot+e1a1577ca8bcb47b769a@syzkaller.appspotmail.com
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:29 +02:00
Greg Hackmann
a6232ffa2a net: xfrm: use preempt-safe this_cpu_read() in ipcomp_alloc_tfms() 
commit 0dcd7876029b58770f769cbb7b484e88e4a305e5 upstream.

f7c83bcbfaf5 ("net: xfrm: use __this_cpu_read per-cpu helper") added a
__this_cpu_read() call inside ipcomp_alloc_tfms().

At the time, __this_cpu_read() required the caller to either not care
about races or to handle preemption/interrupt issues.  3.15 tightened
the rules around some per-cpu operations, and now __this_cpu_read()
should never be used in a preemptible context.  On 3.15 and later, we
need to use this_cpu_read() instead.

syzkaller reported this leading to the following kernel BUG while
fuzzing sendmsg:

BUG: using __this_cpu_read() in preemptible [00000000] code: repro/3101
caller is ipcomp_init_state+0x185/0x990
CPU: 3 PID: 3101 Comm: repro Not tainted 4.16.0-rc4-00123-g86f84779d8e9 #154
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1 04/01/2014
Call Trace:
 dump_stack+0xb9/0x115
 check_preemption_disabled+0x1cb/0x1f0
 ipcomp_init_state+0x185/0x990
 ? __xfrm_init_state+0x876/0xc20
 ? lock_downgrade+0x5e0/0x5e0
 ipcomp4_init_state+0xaa/0x7c0
 __xfrm_init_state+0x3eb/0xc20
 xfrm_init_state+0x19/0x60
 pfkey_add+0x20df/0x36f0
 ? pfkey_broadcast+0x3dd/0x600
 ? pfkey_sock_destruct+0x340/0x340
 ? pfkey_seq_stop+0x80/0x80
 ? __skb_clone+0x236/0x750
 ? kmem_cache_alloc+0x1f6/0x260
 ? pfkey_sock_destruct+0x340/0x340
 ? pfkey_process+0x62a/0x6f0
 pfkey_process+0x62a/0x6f0
 ? pfkey_send_new_mapping+0x11c0/0x11c0
 ? mutex_lock_io_nested+0x1390/0x1390
 pfkey_sendmsg+0x383/0x750
 ? dump_sp+0x430/0x430
 sock_sendmsg+0xc0/0x100
 ___sys_sendmsg+0x6c8/0x8b0
 ? copy_msghdr_from_user+0x3b0/0x3b0
 ? pagevec_lru_move_fn+0x144/0x1f0
 ? find_held_lock+0x32/0x1c0
 ? do_huge_pmd_anonymous_page+0xc43/0x11e0
 ? lock_downgrade+0x5e0/0x5e0
 ? get_kernel_page+0xb0/0xb0
 ? _raw_spin_unlock+0x29/0x40
 ? do_huge_pmd_anonymous_page+0x400/0x11e0
 ? __handle_mm_fault+0x553/0x2460
 ? __fget_light+0x163/0x1f0
 ? __sys_sendmsg+0xc7/0x170
 __sys_sendmsg+0xc7/0x170
 ? SyS_shutdown+0x1a0/0x1a0
 ? __do_page_fault+0x5a0/0xca0
 ? lock_downgrade+0x5e0/0x5e0
 SyS_sendmsg+0x27/0x40
 ? __sys_sendmsg+0x170/0x170
 do_syscall_64+0x19f/0x640
 entry_SYSCALL_64_after_hwframe+0x42/0xb7
RIP: 0033:0x7f0ee73dfb79
RSP: 002b:00007ffe14fc15a8 EFLAGS: 00000207 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f0ee73dfb79
RDX: 0000000000000000 RSI: 00000000208befc8 RDI: 0000000000000004
RBP: 00007ffe14fc15b0 R08: 00007ffe14fc15c0 R09: 00007ffe14fc15c0
R10: 0000000000000000 R11: 0000000000000207 R12: 0000000000400440
R13: 00007ffe14fc16b0 R14: 0000000000000000 R15: 0000000000000000

Signed-off-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:29 +02:00
Florian Westphal
25fd02ea40 xfrm_user: uncoditionally validate esn replay attribute struct 
commit d97ca5d714a5334aecadadf696875da40f1fbf3e upstream.

The sanity test added in ecd7918745234 can be bypassed, validation
only occurs if XFRM_STATE_ESN flag is set, but rest of code doesn't care
and just checks if the attribute itself is present.

So always validate.  Alternative is to reject if we have the attribute
without the flag but that would change abi.

Reported-by: syzbot+0ab777c27d2bb7588f73@syzkaller.appspotmail.com
Cc: Mathias Krause <minipli@googlemail.com>
Fixes: ecd7918745234 ("xfrm_user: ensure user supplied esn replay window is valid")
Fixes: d8647b79c3b7e ("xfrm: Add user interface for esn and big anti-replay windows")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-04-08 14:26:28 +02:00
Tyler Wear
2e82ba6591 qtaguid: Fix return error 
Reference net device correctly.

CRs-fixed: 2218668
Change-Id: I86657f8e0a5cab3e96863ab7befccdd8040a71ea
Signed-off-by: Tyler Wear <twear@codeaurora.org>
 2018-04-06 13:46:17 -07:00
Isaac J. Manjarres
7ed7e2acf0 Merge remote-tracking branch 'remotes/origin/tmp-51e322a' into msm-4.14 
* remotes/origin/tmp-51e322a:
  Linux 4.14.32
  s390/qeth: on channel error, reject further cmd requests
  s390/qeth: lock read device while queueing next buffer
  s390/qeth: when thread completes, wake up all waiters
  s390/qeth: free netdevice when removing a card
  dpaa_eth: remove duplicate increment of the tx_errors counter
  dpaa_eth: increment the RX dropped counter when needed
  dpaa_eth: remove duplicate initialization
  dpaa_eth: fix error in dpaa_remove()
  soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
  team: Fix double free in error path
  skbuff: Fix not waking applications when errors are enqueued
  qede: Fix qedr link update
  net: systemport: Rewrite __bcm_sysport_tx_reclaim()
  net: Only honor ifindex in IP_PKTINFO if non-0
  netlink: avoid a double skb free in genlmsg_mcast()
  net/iucv: Free memory obtained by kzalloc
  net: fec: Fix unbalanced PM runtime calls
  net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
  net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
  l2tp: do not accept arbitrary sockets
  ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
  dccp: check sk for closed state in dccp_sendmsg()
  net: Fix hlist corruptions in inet_evict_bucket()
  net: use skb_to_full_sk() in skb_update_prio()
  ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
  sch_netem: fix skb leak in netem_enqueue()
  kcm: lock lower socket in kcm_attach
  rhashtable: Fix rhlist duplicates insertion
  ppp: avoid loop in xmit recursion detection code
  net sched actions: return explicit error when tunnel_key mode is not specified
  net: phy: Tell caller result of phy_change()
  mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic
  ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state
  ipv6: sr: fix NULL pointer dereference when setting encap source address
  ipv6: old_dport should be a __be16 in __ip6_datagram_connect()
  net: ipv6: keep sk status consistent after datagram connect failure
  macvlan: filter out unsupported feature flags
  devlink: Remove redundant free on error path
  net: phy: relax error checking when creating sysfs link netdev->phydev
  sysfs: symlink: export sysfs_create_link_nowarn()
  qed: Fix non TCP packets should be dropped on iWARP ll2 connection
  tcp: purge write queue upon aborting the connection
  tcp: reset sk_send_head in tcp_write_queue_purge

Change-Id: Ief39b9585daef847f0456cfe8fa70ba0178ea127
Signed-off-by: Isaac J. Manjarres <isaacm@codeaurora.org>
 2018-04-02 13:49:25 -07:00
Greg Kroah-Hartman
51e322a7f1 This is the 4.14.32 stable release 
-----BEGIN PGP SIGNATURE-----
 
 iQIzBAABCAAdFiEEZH8oZUiU471FcZm+ONu9yGCSaT4FAlq/swYACgkQONu9yGCS
 aT4nzRAAvGd/yvI4f4KdSWrhAWDkpS6n40BMXHAsfRh4z6lBFs310nuYtm6UJqYc
 9PTg6jMHFO01oRwDGUFr1uZnD64Ov9YhWwrLt6tQ4wZsA34O1vna9rBB6YEPtaxZ
 jt9c8bzLFjqLzBdeEf4B31jsDKspUzIgopUx5rDeFrVZDhg4Ie2RLIWRIHztQgON
 OKMoGL3MOWp9v6MB99Ya4GZyzP1BYQaED630SK2pQtBcMWT4ObA4nxIwY6biLmQw
 03SFNwjCCk9o5vpIkBb+B5CogrhSOoSKmE4wNjav7MRTdz6wJCFbS3TI596OT8v7
 jTOKo29Z+sqkVIwrox8u0tclblLQ3yKY4Jikt5vwgA0COzuctVnbe8G+2flcUKY4
 +XxO/RYNNC8s4GWYCEWlaPbHMsctg8l7LfaPVkfUvf6EpgQl6PU6ioqsObd/kt6F
 v7ztiDMvZOHxFM/5aX3ICdSkfDlauiKDUu2N9spfNWJQCcKFYkpEeZ+lVAE4jyiP
 wvtnp/LMtqQJZ/gucH4RIjzvWJAj5oJ9yuQB46jV3P+OvhfhIJ4MhPbfmGAH/HNY
 zw3BlHcWa5bU5lmwlavaBzCYeKKx6OOeTVJwSf7QGTnDMQFaCmTgozkSYx1BqZHj
 Y2pjHWQBGpHc3JBGhvkJSlTsF3Dcy1xzQqx+mNNgOCOaRqWiOgg=
 =nvns
 -----END PGP SIGNATURE-----

Merge 4.14.32 into android-4.14

Changes in 4.14.32
	tcp: reset sk_send_head in tcp_write_queue_purge
	tcp: purge write queue upon aborting the connection
	qed: Fix non TCP packets should be dropped on iWARP ll2 connection
	sysfs: symlink: export sysfs_create_link_nowarn()
	net: phy: relax error checking when creating sysfs link netdev->phydev
	devlink: Remove redundant free on error path
	macvlan: filter out unsupported feature flags
	net: ipv6: keep sk status consistent after datagram connect failure
	ipv6: old_dport should be a __be16 in __ip6_datagram_connect()
	ipv6: sr: fix NULL pointer dereference when setting encap source address
	ipv6: sr: fix scheduling in RCU when creating seg6 lwtunnel state
	mlxsw: spectrum_buffers: Set a minimum quota for CPU port traffic
	net: phy: Tell caller result of phy_change()
	net sched actions: return explicit error when tunnel_key mode is not specified
	ppp: avoid loop in xmit recursion detection code
	rhashtable: Fix rhlist duplicates insertion
	kcm: lock lower socket in kcm_attach
	sch_netem: fix skb leak in netem_enqueue()
	ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
	net: use skb_to_full_sk() in skb_update_prio()
	net: Fix hlist corruptions in inet_evict_bucket()
	dccp: check sk for closed state in dccp_sendmsg()
	ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
	l2tp: do not accept arbitrary sockets
	net: ethernet: arc: Fix a potential memory leak if an optional regulator is deferred
	net: ethernet: ti: cpsw: add check for in-band mode setting with RGMII PHY interface
	net: fec: Fix unbalanced PM runtime calls
	net/iucv: Free memory obtained by kzalloc
	netlink: avoid a double skb free in genlmsg_mcast()
	net: Only honor ifindex in IP_PKTINFO if non-0
	net: systemport: Rewrite __bcm_sysport_tx_reclaim()
	qede: Fix qedr link update
	skbuff: Fix not waking applications when errors are enqueued
	team: Fix double free in error path
	soc/fsl/qbman: fix issue in qman_delete_cgr_safe()
	dpaa_eth: fix error in dpaa_remove()
	dpaa_eth: remove duplicate initialization
	dpaa_eth: increment the RX dropped counter when needed
	dpaa_eth: remove duplicate increment of the tx_errors counter
	s390/qeth: free netdevice when removing a card
	s390/qeth: when thread completes, wake up all waiters
	s390/qeth: lock read device while queueing next buffer
	s390/qeth: on channel error, reject further cmd requests
	Linux 4.14.32

Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
 2018-04-01 10:23:42 +02:00
Vinicius Costa Gomes
329f4710f8 skbuff: Fix not waking applications when errors are enqueued 
[ Upstream commit 6e5d58fdc9bedd0255a8781b258f10bbdc63e975 ]

When errors are enqueued to the error queue via sock_queue_err_skb()
function, it is possible that the waiting application is not notified.

Calling 'sk->sk_data_ready()' would not notify applications that
selected only POLLERR events in poll() (for example).

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: Randy E. Witt <randy.e.witt@intel.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-03-31 18:10:42 +02:00
David Ahern
474aa51497 net: Only honor ifindex in IP_PKTINFO if non-0 
[ Upstream commit 2cbb4ea7de167b02ffa63e9cdfdb07a7e7094615 ]

Only allow ifindex from IP_PKTINFO to override SO_BINDTODEVICE settings
if the index is actually set in the message.

Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-03-31 18:10:41 +02:00
Nicolas Dichtel
06d3f43d52 netlink: avoid a double skb free in genlmsg_mcast() 
[ Upstream commit 02a2385f37a7c6594c9d89b64c4a1451276f08eb ]

nlmsg_multicast() consumes always the skb, thus the original skb must be
freed only when this function is called with a clone.

Fixes: cb9f7a9a5c96 ("netlink: ensure to loop over all netns in genlmsg_multicast_allns()")
Reported-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
Signed-off-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-03-31 18:10:41 +02:00
Arvind Yadav
2980f37b61 net/iucv: Free memory obtained by kzalloc 
[ Upstream commit fa6a91e9b907231d2e38ea5ed89c537b3525df3d ]

Free memory by calling put_device(), if afiucv_iucv_init is not
successful.

Signed-off-by: Arvind Yadav <arvind.yadav.cs@gmail.com>
Reviewed-by: Cornelia Huck <cohuck@redhat.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: Julian Wiedmann <jwi@linux.vnet.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-03-31 18:10:41 +02:00
Eric Dumazet
2d5b0ed04c l2tp: do not accept arbitrary sockets 
[ Upstream commit 17cfe79a65f98abe535261856c5aef14f306dff7 ]

syzkaller found an issue caused by lack of sufficient checks
in l2tp_tunnel_create()

RAW sockets can not be considered as UDP ones for instance.

In another patch, we shall replace all pr_err() by less intrusive
pr_debug() so that syzkaller can find other bugs faster.
Acked-by: Guillaume Nault <g.nault@alphalink.fr>
Acked-by: James Chapman <jchapman@katalix.com>

==================================================================
BUG: KASAN: slab-out-of-bounds in setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
dst_release: dst:00000000d53d0d0f refcnt:-1
Write of size 1 at addr ffff8801d013b798 by task syz-executor3/6242

CPU: 1 PID: 6242 Comm: syz-executor3 Not tainted 4.16.0-rc2+ #253
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:17 [inline]
 dump_stack+0x194/0x24d lib/dump_stack.c:53
 print_address_description+0x73/0x250 mm/kasan/report.c:256
 kasan_report_error mm/kasan/report.c:354 [inline]
 kasan_report+0x23b/0x360 mm/kasan/report.c:412
 __asan_report_store1_noabort+0x17/0x20 mm/kasan/report.c:435
 setup_udp_tunnel_sock+0x3ee/0x5f0 net/ipv4/udp_tunnel.c:69
 l2tp_tunnel_create+0x1354/0x17f0 net/l2tp/l2tp_core.c:1596
 pppol2tp_connect+0x14b1/0x1dd0 net/l2tp/l2tp_ppp.c:707
 SYSC_connect+0x213/0x4a0 net/socket.c:1640
 SyS_connect+0x24/0x30 net/socket.c:1621
 do_syscall_64+0x280/0x940 arch/x86/entry/common.c:287
 entry_SYSCALL_64_after_hwframe+0x42/0xb7

Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-03-31 18:10:41 +02:00
Lorenzo Bianconi
18c647456a ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option() 
[ Upstream commit 9f62c15f28b0d1d746734666d88a79f08ba1e43e ]

Fix the following slab-out-of-bounds kasan report in
ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not
linear and the accessed data are not in the linear data region of orig_skb.

[ 1503.122508] ==================================================================
[ 1503.122832] BUG: KASAN: slab-out-of-bounds in ndisc_send_redirect+0x94e/0x990
[ 1503.123036] Read of size 1184 at addr ffff8800298ab6b0 by task netperf/1932

[ 1503.123220] CPU: 0 PID: 1932 Comm: netperf Not tainted 4.16.0-rc2+ #124
[ 1503.123347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-2.fc27 04/01/2014
[ 1503.123527] Call Trace:
[ 1503.123579]  <IRQ>
[ 1503.123638]  print_address_description+0x6e/0x280
[ 1503.123849]  kasan_report+0x233/0x350
[ 1503.123946]  memcpy+0x1f/0x50
[ 1503.124037]  ndisc_send_redirect+0x94e/0x990
[ 1503.125150]  ip6_forward+0x1242/0x13b0
[...]
[ 1503.153890] Allocated by task 1932:
[ 1503.153982]  kasan_kmalloc+0x9f/0xd0
[ 1503.154074]  __kmalloc_track_caller+0xb5/0x160
[ 1503.154198]  __kmalloc_reserve.isra.41+0x24/0x70
[ 1503.154324]  __alloc_skb+0x130/0x3e0
[ 1503.154415]  sctp_packet_transmit+0x21a/0x1810
[ 1503.154533]  sctp_outq_flush+0xc14/0x1db0
[ 1503.154624]  sctp_do_sm+0x34e/0x2740
[ 1503.154715]  sctp_primitive_SEND+0x57/0x70
[ 1503.154807]  sctp_sendmsg+0xaa6/0x1b10
[ 1503.154897]  sock_sendmsg+0x68/0x80
[ 1503.154987]  ___sys_sendmsg+0x431/0x4b0
[ 1503.155078]  __sys_sendmsg+0xa4/0x130
[ 1503.155168]  do_syscall_64+0x171/0x3f0
[ 1503.155259]  entry_SYSCALL_64_after_hwframe+0x42/0xb7

[ 1503.155436] Freed by task 1932:
[ 1503.155527]  __kasan_slab_free+0x134/0x180
[ 1503.155618]  kfree+0xbc/0x180
[ 1503.155709]  skb_release_data+0x27f/0x2c0
[ 1503.155800]  consume_skb+0x94/0xe0
[ 1503.155889]  sctp_chunk_put+0x1aa/0x1f0
[ 1503.155979]  sctp_inq_pop+0x2f8/0x6e0
[ 1503.156070]  sctp_assoc_bh_rcv+0x6a/0x230
[ 1503.156164]  sctp_inq_push+0x117/0x150
[ 1503.156255]  sctp_backlog_rcv+0xdf/0x4a0
[ 1503.156346]  __release_sock+0x142/0x250
[ 1503.156436]  release_sock+0x80/0x180
[ 1503.156526]  sctp_sendmsg+0xbb0/0x1b10
[ 1503.156617]  sock_sendmsg+0x68/0x80
[ 1503.156708]  ___sys_sendmsg+0x431/0x4b0
[ 1503.156799]  __sys_sendmsg+0xa4/0x130
[ 1503.156889]  do_syscall_64+0x171/0x3f0
[ 1503.156980]  entry_SYSCALL_64_after_hwframe+0x42/0xb7

[ 1503.157158] The buggy address belongs to the object at ffff8800298ab600
                which belongs to the cache kmalloc-1024 of size 1024
[ 1503.157444] The buggy address is located 176 bytes inside of
                1024-byte region [ffff8800298ab600, ffff8800298aba00)
[ 1503.157702] The buggy address belongs to the page:
[ 1503.157820] page:ffffea0000a62a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[ 1503.158053] flags: 0x4000000000008100(slab|head)
[ 1503.158171] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e
[ 1503.158350] raw: dead000000000100 dead000000000200 ffff880036002600 0000000000000000
[ 1503.158523] page dumped because: kasan: bad access detected

[ 1503.158698] Memory state around the buggy address:
[ 1503.158816]  ffff8800298ab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1503.158988]  ffff8800298ab980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1503.159165] >ffff8800298aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1503.159338]                    ^
[ 1503.159436]  ffff8800298aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1503.159610]  ffff8800298abb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1503.159785] ==================================================================
[ 1503.159964] Disabling lock debugging due to kernel taint

The test scenario to trigger the issue consists of 4 devices:
- H0: data sender, connected to LAN0
- H1: data receiver, connected to LAN1
- GW0 and GW1: routers between LAN0 and LAN1. Both of them have an
  ethernet connection on LAN0 and LAN1
On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for
data from LAN0 to LAN1.
Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent
data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send
buffer size is set to 16K). While data streams are active flush the route
cache on HA multiple times.
I have not been able to identify a given commit that introduced the issue
since, using the reproducer described above, the kasan report has been
triggered from 4.14 and I have not gone back further.

Reported-by: Jianlin Shi <jishi@redhat.com>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-03-31 18:10:41 +02:00
Alexey Kodanev
91d27e0c30 dccp: check sk for closed state in dccp_sendmsg() 
[ Upstream commit 67f93df79aeefc3add4e4b31a752600f834236e2 ]

dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().

This crash and the reproducer was reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.

Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 2018-03-31 18:10:40 +02:00