18 Mar, 2019

1 commit


12 Feb, 2019

3 commits

  • The commit ae97fd867aa3 ("MLK-19091 cfg80211: make phy index match
    after wiphy dev is released") manage wiphy_counter matching between
    creating and freeing wiphy device. Then for one wifi instance, the index
    of attached phy is not changed during loadable test. But it ignores
    multiple wifi cards loadable test case, that introduces the phy index
    confliction. So the patch revert the commit.

    Reviewed-by: Richard Zhu
    Signed-off-by: Fugang Duan

    Andy Duan
     
  • During insmod/rmmod test, the phy index increases that cause troube
    for test case. To make global variable wiphy_counter match between
    creat and free wiphy device, it needs to decrease the atomic counter
    when wiphy device is freed.

    Reviewed-by: Richard Zhu
    Signed-off-by: Fugang Duan

    Andy Duan
     
  • [Patch] Pulling the following commits and some general changes
    from custom v3.10 kernel for supporting qcacld2.0 on kernel v4.9.11.
    1. cfg80211: Using new wiphy flag WIPHY_FLAG_DFS_OFFLOAD
    When flag WIPHY_FLAG_DFS_OFFLOAD is defined, the driver would handle
    all the DFS related operations. Therefore the kernel needs to ignore
    the DFS state that it uses to block the userspace calls to the driver
    through cfg80211 APIs. Also it should treat the userspace calls to
    start radar detection as a no-op.

    Please note that changes in util.c is not picked up explicitly.
    Kernel v4.9.11 uses wrapper cfg80211_get_chans_dfs_required which takes
    care of this change.

    Change-Id: I9dd2076945581ca67e54dfc96dd3dbc526c6f0a2
    IRs-Fixed: 202686

    2. New db.txt from git/sforshee/wireless-regdb.git
    CONFIG_CFG80211_INTERNAL_REGDB is enabled in build. This causes
    kernel warn messages as db.txt is empty. A new db.txt is added
    from:
    git://git.kernel.org/pub/scm/linux/kernel/git/sforshee/wireless-regdb.git

    IRs-Fixed: 202686

    3. Picked up the declaration and definition of the function
    cfg80211_is_gratuitous_arp_unsolicited_na

    Change-Id: I1e4083a2327c121073226aa6b75bb6b5b97cec00
    CRs-fixed: 1079453

    Signed-off-by: Nakul Kachhwaha
    Signed-off-by: Fugang Duan

    Nakul Kachhwaha
     

07 Feb, 2019

11 commits

  • [ Upstream commit 4522a70db7aa5e77526a4079628578599821b193 ]

    Use pskb_may_pull() to make sure the optional fields are in skb linear
    parts, so we can safely read them later.

    It's easy to reproduce the issue with a net driver that supports paged
    skb data. Just create a L2TPv3 over IP tunnel and then generates some
    network traffic.
    Once reproduced, rx err in /sys/kernel/debug/l2tp/tunnels will increase.

    Changes in v4:
    1. s/l2tp_v3_pull_opt/l2tp_v3_ensure_opt_in_linear/
    2. s/tunnel->version != L2TP_HDR_VER_2/tunnel->version == L2TP_HDR_VER_3/
    3. Add 'Fixes' in commit messages.

    Changes in v3:
    1. To keep consistency, move the code out of l2tp_recv_common.
    2. Use "net" instead of "net-next", since this is a bug fix.

    Changes in v2:
    1. Only fix L2TPv3 to make code simple.
    To fix both L2TPv3 and L2TPv2, we'd better refactor l2tp_recv_common.
    It's complicated to do so.
    2. Reloading pointers after pskb_may_pull

    Fixes: f7faffa3ff8e ("l2tp: Add L2TPv3 protocol support")
    Fixes: 0d76751fad77 ("l2tp: Add L2TPv3 IP encapsulation (no UDP) support")
    Fixes: a32e0eec7042 ("l2tp: introduce L2TPv3 IP encapsulation support for IPv6")
    Signed-off-by: Jacob Wen
    Acked-by: Guillaume Nault
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Jacob Wen
     
  • commit 62e7b6a57c7b9bf3c6fd99418eeec05b08a85c38 upstream.

    Remove l2specific_len dependency while building l2tpv3 header or
    parsing the received frame since default L2-Specific Sublayer is
    always four bytes long and we don't need to rely on a user supplied
    value.
    Moreover in l2tp netlink code there are no sanity checks to
    enforce the relation between l2specific_len and l2specific_type,
    so sending a malformed netlink message is possible to set
    l2specific_type to L2TP_L2SPECTYPE_DEFAULT (or even
    L2TP_L2SPECTYPE_NONE) and set l2specific_len to a value greater than
    4 leaking memory on the wire and sending corrupted frames.

    Reviewed-by: Guillaume Nault
    Tested-by: Guillaume Nault
    Signed-off-by: Lorenzo Bianconi
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Lorenzo Bianconi
     
  • [ Upstream commit 2e6dc4d95110becfe0ff4c3d4749c33ea166e9e7 ]

    This patch is to improve sctp stream reset events in 4 places:

    1. In sctp_process_strreset_outreq(), the flag should always be set with
    SCTP_STREAM_RESET_INCOMING_SSN instead of OUTGOING, as receiver's in
    stream is reset here.
    2. In sctp_process_strreset_outreq(), move up SCTP_STRRESET_ERR_WRONG_SSN
    check, as the reset has to succeed after reconf_timer stops for the
    in stream reset request retransmission.
    3. In sctp_process_strreset_inreq(), no event should be sent, as no in
    or out stream is reset here.
    4. In sctp_process_strreset_resp(), SCTP_STREAM_RESET_INCOMING_SSN or
    OUTGOING event should always be sent for stream reset requests, no
    matter it fails or succeeds to process the request.

    Fixes: 810544764536 ("sctp: implement receiver-side procedures for the Outgoing SSN Reset Request Parameter")
    Fixes: 16e1a91965b0 ("sctp: implement receiver-side procedures for the Incoming SSN Reset Request Parameter")
    Fixes: 11ae76e67a17 ("sctp: implement receiver-side procedures for the Reconf Response Parameter")
    Reported-by: Ying Xu
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Xin Long
     
  • [ Upstream commit 8220c870cb0f4eaa4e335c9645dbd9a1c461c1dd ]

    This patch is to improve sctp stream adding events in 2 places:

    1. In sctp_process_strreset_addstrm_out(), move up SCTP_MAX_STREAM
    and in stream allocation failure checks, as the adding has to
    succeed after reconf_timer stops for the in stream adding
    request retransmission.

    3. In sctp_process_strreset_addstrm_in(), no event should be sent,
    as no in or out stream is added here.

    Fixes: 50a41591f110 ("sctp: implement receiver-side procedures for the Add Outgoing Streams Request Parameter")
    Fixes: c5c4ebb3ab87 ("sctp: implement receiver-side procedures for the Add Incoming Streams Request Parameter")
    Reported-by: Ying Xu
    Signed-off-by: Xin Long
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Xin Long
     
  • [ Upstream commit 35edfdc77f683c8fd27d7732af06cf6489af60a5 ]

    Assign a default net namespace to netdevs created by init_dummy_netdev().
    Fixes a NULL pointer dereference caused by busy-polling a socket bound to
    an iwlwifi wireless device, which bumps the per-net BUSYPOLLRXPACKETS stat
    if napi_poll() received packets:

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000190
    IP: napi_busy_loop+0xd6/0x200
    Call Trace:
    sock_poll+0x5e/0x80
    do_sys_poll+0x324/0x5a0
    SyS_poll+0x6c/0xf0
    do_syscall_64+0x6b/0x1f0
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2

    Fixes: 7db6b048da3b ("net: Commonize busy polling code to focus on napi_id instead of socket")
    Signed-off-by: Josh Elsasser
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Josh Elsasser
     
  • [ Upstream commit b0cf029234f9b18e10703ba5147f0389c382bccc ]

    When an internally generated frame is handled by rose_xmit(),
    rose_route_frame() is called:

    if (!rose_route_frame(skb, NULL)) {
    dev_kfree_skb(skb);
    stats->tx_errors++;
    return NETDEV_TX_OK;
    }

    We have the same code sequence in Net/Rom where an internally generated
    frame is handled by nr_xmit() calling nr_route_frame(skb, NULL).
    However, in this function NULL argument is tested while it is not in
    rose_route_frame().
    Then kernel panic occurs later on when calling ax25cmp() with a NULL
    ax25_cb argument as reported many times and recently with syzbot.

    We need to test if ax25 is NULL before using it.

    Testing:
    Built kernel with CONFIG_ROSE=y.

    Signed-off-by: Bernard Pidoux
    Acked-by: Dmitry Vyukov
    Reported-by: syzbot+1a2c456a1ea08fa5b5f7@syzkaller.appspotmail.com
    Cc: "David S. Miller"
    Cc: Ralf Baechle
    Cc: Bernard Pidoux
    Cc: linux-hams@vger.kernel.org
    Cc: netdev@vger.kernel.org
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Bernard Pidoux
     
  • [ Upstream commit 63346650c1a94a92be61a57416ac88c0a47c4327 ]

    sk_reset_timer() and sk_stop_timer() properly handle
    sock refcnt for timer function. Switching to them
    could fix a refcounting bug reported by syzbot.

    Reported-and-tested-by: syzbot+defa700d16f1bd1b9a05@syzkaller.appspotmail.com
    Cc: Ralf Baechle
    Cc: linux-hams@vger.kernel.org
    Signed-off-by: Cong Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Cong Wang
     
  • [ Upstream commit 91c524708de6207f59dd3512518d8a1c7b434ee3 ]

    The size of L2TPv2 header with all optional fields is 14 bytes.
    l2tp_udp_recv_core only moves 10 bytes to the linear part of a
    skb. This may lead to l2tp_recv_common read data outside of a skb.

    This patch make sure that there is at least 14 bytes in the linear
    part of a skb to meet the maximum need of l2tp_udp_recv_core and
    l2tp_recv_common. The minimum size of both PPP HDLC-like frame and
    Ethernet frame is larger than 14 bytes, so we are safe to do so.

    Also remove L2TP_HDR_SIZE_NOSEQ, it is unused now.

    Fixes: fd558d186df2 ("l2tp: Split pppol2tp patch into separate l2tp and ppp parts")
    Suggested-by: Guillaume Nault
    Signed-off-by: Jacob Wen
    Acked-by: Guillaume Nault
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Jacob Wen
     
  • [ Upstream commit ef489749aae508e6f17886775c075f12ff919fb1 ]

    skb->cb may contain data from previous layers (in an observed case
    IPv4 with L3 Master Device). In the observed scenario, the data in
    IPCB(skb)->frags was misinterpreted as IP6CB(skb)->frag_max_size,
    eventually caused an unexpected IPv6 fragmentation in ip6_fragment()
    through ip6_finish_output().

    This patch clears IP6CB(skb), which potentially contains garbage data,
    on the SRH ip4ip6 encapsulation.

    Fixes: 32d99d0b6702 ("ipv6: sr: add support for ip4ip6 encapsulation")
    Signed-off-by: Yohei Kanemaru
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Yohei Kanemaru
     
  • [ Upstream commit c5ee066333ebc322a24a00a743ed941a0c68617e ]

    IPv6 does not consider if the socket is bound to a device when binding
    to an address. The result is that a socket can be bound to eth0 and then
    bound to the address of eth1. If the device is a VRF, the result is that
    a socket can only be bound to an address in the default VRF.

    Resolve by considering the device if sk_bound_dev_if is set.

    This problem exists from the beginning of git history.

    Signed-off-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    David Ahern
     
  • ade446403bfb ("net: ipv4: do not handle duplicate fragments as
    overlapping") was backported to many stable trees, but it had a problem
    that was "accidentally" fixed by the upstream commit 0ff89efb5246 ("ip:
    fail fast on IP defrag errors")

    This is the fixup for that problem as we do not want the larger patch in
    the older stable trees.

    Fixes: ade446403bfb ("net: ipv4: do not handle duplicate fragments as overlapping")
    Reported-by: Ivan Babrou
    Reported-by: Eric Dumazet
    Signed-off-by: Greg Kroah-Hartman

    Greg Kroah-Hartman
     

31 Jan, 2019

8 commits

  • commit 93171ba6f1deffd82f381d36cb13177872d023f6 upstream.

    Kyungtae Kim detected a potential integer overflow in bcm_[rx|tx]_setup()
    when the conversion into ktime multiplies the given value with NSEC_PER_USEC
    (1000).

    Reference: https://marc.info/?l=linux-can&m=154732118819828&w=2

    Add a check for the given tv_usec, so that the value stays below one second.
    Additionally limit the tv_sec value to a reasonable value for CAN related
    use-cases of 400 days and ensure all values to be positive.

    Reported-by: Kyungtae Kim
    Tested-by: Oliver Hartkopp
    Signed-off-by: Oliver Hartkopp
    Cc: linux-stable # >= 2.6.26
    Tested-by: Kyungtae Kim
    Acked-by: Andre Naujoks
    Signed-off-by: Marc Kleine-Budde
    Signed-off-by: Greg Kroah-Hartman

    Oliver Hartkopp
     
  • [ Upstream commit f6f2a4a2eb92bc73671204198bb2f8ab53ff59fb ]

    Setting the low threshold to 0 has no effect on frags allocation,
    we need to clear high_thresh instead.

    The code was pre-existent to commit 648700f76b03 ("inet: frags:
    use rhashtables for reassembly units"), but before the above,
    such assignment had a different role: prevent concurrent eviction
    from the worker and the netns cleanup helper.

    Fixes: 648700f76b03 ("inet: frags: use rhashtables for reassembly units")
    Signed-off-by: Paolo Abeni
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin
    Signed-off-by: Greg Kroah-Hartman

    Paolo Abeni
     
  • [ Upstream commit 13d7f46386e060df31b727c9975e38306fa51e7a ]

    TCP transmission with MSG_ZEROCOPY fails if the peer closes its end of
    the connection and so transitions this socket to CLOSE_WAIT state.

    Transmission in close wait state is acceptable. Other similar tests in
    the stack (e.g., in FastOpen) accept both states. Relax this test, too.

    Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg276886.html
    Link: https://www.mail-archive.com/netdev@vger.kernel.org/msg227390.html
    Fixes: f214f915e7db ("tcp: enable MSG_ZEROCOPY")
    Reported-by: Marek Majkowski
    Signed-off-by: Willem de Bruijn
    CC: Yuchung Cheng
    CC: Neal Cardwell
    CC: Soheil Hassas Yeganeh
    CC: Alexey Kodanev
    Acked-by: Soheil Hassas Yeganeh
    Reviewed-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Willem de Bruijn
     
  • [ Upstream commit f97f4dd8b3bb9d0993d2491e0f22024c68109184 ]

    IPv4 routing tables are flushed in two cases:

    1. In response to events in the netdev and inetaddr notification chains
    2. When a network namespace is being dismantled

    In both cases only routes associated with a dead nexthop group are
    flushed. However, a nexthop group will only be marked as dead in case it
    is populated with actual nexthops using a nexthop device. This is not
    the case when the route in question is an error route (e.g.,
    'blackhole', 'unreachable').

    Therefore, when a network namespace is being dismantled such routes are
    not flushed and leaked [1].

    To reproduce:
    # ip netns add blue
    # ip -n blue route add unreachable 192.0.2.0/24
    # ip netns del blue

    Fix this by not skipping error routes that are not marked with
    RTNH_F_DEAD when flushing the routing tables.

    To prevent the flushing of such routes in case #1, add a parameter to
    fib_table_flush() that indicates if the table is flushed as part of
    namespace dismantle or not.

    Note that this problem does not exist in IPv6 since error routes are
    associated with the loopback device.

    [1]
    unreferenced object 0xffff888066650338 (size 56):
    comm "ip", pid 1206, jiffies 4294786063 (age 26.235s)
    hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 b0 1c 62 61 80 88 ff ff ..........ba....
    e8 8b a1 64 80 88 ff ff 00 07 00 08 fe 00 00 00 ...d............
    backtrace:
    [] inet_rtm_newroute+0x129/0x220
    [] rtnetlink_rcv_msg+0x397/0xa20
    [] netlink_rcv_skb+0x132/0x380
    [] netlink_unicast+0x4c0/0x690
    [] netlink_sendmsg+0x929/0xe10
    [] sock_sendmsg+0xc8/0x110
    [] ___sys_sendmsg+0x77a/0x8f0
    [] __sys_sendmsg+0xf7/0x250
    [] do_syscall_64+0x14d/0x610
    [] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [] 0xffffffffffffffff
    unreferenced object 0xffff888061621c88 (size 48):
    comm "ip", pid 1206, jiffies 4294786063 (age 26.235s)
    hex dump (first 32 bytes):
    6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b kkkkkkkkkkkkkkkk
    6b 6b 6b 6b 6b 6b 6b 6b d8 8e 26 5f 80 88 ff ff kkkkkkkk..&_....
    backtrace:
    [] fib_table_insert+0x978/0x1500
    [] inet_rtm_newroute+0x129/0x220
    [] rtnetlink_rcv_msg+0x397/0xa20
    [] netlink_rcv_skb+0x132/0x380
    [] netlink_unicast+0x4c0/0x690
    [] netlink_sendmsg+0x929/0xe10
    [] sock_sendmsg+0xc8/0x110
    [] ___sys_sendmsg+0x77a/0x8f0
    [] __sys_sendmsg+0xf7/0x250
    [] do_syscall_64+0x14d/0x610
    [] entry_SYSCALL_64_after_hwframe+0x49/0xbe
    [] 0xffffffffffffffff

    Fixes: 8cced9eff1d4 ("[NETNS]: Enable routing configuration in non-initial namespace.")
    Signed-off-by: Ido Schimmel
    Reviewed-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ido Schimmel
     
  • [ Upstream commit 04a4af334b971814eedf4e4a413343ad3287d9a9 ]

    For nested and variable attributes, the expected length of an attribute
    is not known and marked by a negative number. This results in an OOB
    read when the expected length is later used to check if the attribute is
    all zeros. Fix this by using the actual length of the attribute rather
    than the expected length.

    Signed-off-by: Ross Lagerwall
    Acked-by: Pravin B Shelar
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ross Lagerwall
     
  • [ Upstream commit cd0c4e70fc0ccfa705cdf55efb27519ce9337a26 ]

    Martin reported a set of filters don't work after changing
    from reclassify to continue. Looking into the code, it
    looks like skb protocol is not always fetched for each
    iteration of the filters. But, as demonstrated by Martin,
    TC actions could modify skb->protocol, for example act_vlan,
    this means we have to refetch skb protocol in each iteration,
    rather than using the one we fetch in the beginning of the loop.

    This bug is _not_ introduced by commit 3b3ae880266d
    ("net: sched: consolidate tc_classify{,_compat}"), technically,
    if act_vlan is the only action that modifies skb protocol, then
    it is commit c7e2b9689ef8 ("sched: introduce vlan action") which
    introduced this bug.

    Reported-by: Martin Olsson
    Cc: Jamal Hadi Salim
    Cc: Jiri Pirko
    Signed-off-by: Cong Wang
    Acked-by: Jamal Hadi Salim
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Cong Wang
     
  • [ Upstream commit 6c57f0458022298e4da1729c67bd33ce41c14e7a ]

    In certain cases, pskb_trim_rcsum() may change skb pointers.
    Reinitialize header pointers afterwards to avoid potential
    use-after-frees. Add a note in the documentation of
    pskb_trim_rcsum(). Found by KASAN.

    Signed-off-by: Ross Lagerwall
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ross Lagerwall
     
  • [ Upstream commit 28c1382fa28f2e2d9d0d6f25ae879b5af2ecbd03 ]

    The skb header should be set to ethernet header before using
    is_skb_forwardable. Because the ethernet header length has been
    considered in is_skb_forwardable(including dev->hard_header_len
    length).

    To reproduce the issue:
    1, add 2 ports on linux bridge br using following commands:
    $ brctl addbr br
    $ brctl addif br eth0
    $ brctl addif br eth1
    2, the MTU of eth0 and eth1 is 1500
    3, send a packet(Data 1480, UDP 8, IP 20, Ethernet 14, VLAN 4)
    from eth0 to eth1

    So the expect result is packet larger than 1500 cannot pass through
    eth0 and eth1. But currently, the packet passes through success, it
    means eth1's MTU limit doesn't take effect.

    Fixes: f6367b4660dd ("bridge: use is_skb_forwardable in forward path")
    Cc: bridge@lists.linux-foundation.org
    Cc: Nkolay Aleksandrov
    Cc: Roopa Prabhu
    Cc: Stephen Hemminger
    Signed-off-by: Yunjian Wang
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Yunjian Wang
     

26 Jan, 2019

5 commits

  • [ Upstream commit 06aa151ad1fc74a49b45336672515774a678d78d ]

    If same destination IP address config is already existing, that config is
    just used. MAC address also should be same.
    However, there is no MAC address checking routine.
    So that MAC address checking routine is added.

    test commands:
    %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
    -j CLUSTERIP --new --hashmode sourceip \
    --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
    %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
    -j CLUSTERIP --new --hashmode sourceip \
    --clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1

    After this patch, above commands are disallowed.

    Signed-off-by: Taehee Yoo
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Sasha Levin

    Taehee Yoo
     
  • [ Upstream commit 0fbe82e628c817e292ff588cd5847fc935e025f2 ]

    after set SO_DONTROUTE to 1, the IP layer should not route packets if
    the dest IP address is not in link scope. But if the socket has cached
    the dst_entry, such packets would be routed until the sk_dst_cache
    expires. So we should clean the sk_dst_cache when a user set
    SO_DONTROUTE option. Below are server/client python scripts which
    could reprodue this issue:

    server side code:

    ==========================================================================
    import socket
    import struct
    import time

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(('0.0.0.0', 9000))
    s.listen(1)
    sock, addr = s.accept()
    sock.setsockopt(socket.SOL_SOCKET, socket.SO_DONTROUTE, struct.pack('i', 1))
    while True:
    sock.send(b'foo')
    time.sleep(1)
    ==========================================================================

    client side code:
    ==========================================================================
    import socket
    import time

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect(('server_address', 9000))
    while True:
    data = s.recv(1024)
    print(data)
    ==========================================================================

    Signed-off-by: yupeng
    Signed-off-by: David S. Miller
    Signed-off-by: Sasha Levin

    yupeng
     
  • [ Upstream commit d4a7e9bb74b5aaf07b89f6531c080b1130bdf019 ]

    I realized the last patch calls dev_get_by_index_rcu in a branch not
    holding the rcu lock. Add the calls to rcu_read_lock and rcu_read_unlock.

    Fixes: ec90ad334986 ("ipv6: Consider sk_bound_dev_if when binding a socket to a v4 mapped address")
    Signed-off-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    David Ahern
     
  • [ Upstream commit f8c468e8537925e0c4607263f498a1b7c0c8982e ]

    Commit dcda9b04713c ("mm, tree wide: replace __GFP_REPEAT by
    __GFP_RETRY_MAYFAIL with more useful semantic") replaced __GFP_REPEAT in
    alloc_skb_with_frags() with __GFP_RETRY_MAYFAIL when the allocation may
    directly reclaim.

    The previous behavior would require reclaim up to 1 << order pages for
    skb aligned header_len of order > PAGE_ALLOC_COSTLY_ORDER before failing,
    otherwise the allocations in alloc_skb() would loop in the page allocator
    looking for memory. __GFP_RETRY_MAYFAIL makes both allocations failable
    under memory pressure, including for the HEAD allocation.

    This can cause, among many other things, write() to fail with ENOTCONN
    during RPC when under memory pressure.

    These allocations should succeed as they did previous to dcda9b04713c
    even if it requires calling the oom killer and additional looping in the
    page allocator to find memory. There is no way to specify the previous
    behavior of __GFP_REPEAT, but it's unlikely to be necessary since the
    previous behavior only guaranteed that 1 << order pages would be reclaimed
    before failing for order > PAGE_ALLOC_COSTLY_ORDER. That reclaim is not
    guaranteed to be contiguous memory, so repeating for such large orders is
    usually not beneficial.

    Removing the setting of __GFP_RETRY_MAYFAIL to restore the previous
    behavior, specifically not allowing alloc_skb() to fail for small orders
    and oom kill if necessary rather than allowing RPCs to fail.

    Fixes: dcda9b04713c ("mm, tree wide: replace __GFP_REPEAT by __GFP_RETRY_MAYFAIL with more useful semantic")
    Signed-off-by: David Rientjes
    Reviewed-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    David Rientjes
     
  • [ Upstream commit ec90ad334986fa5856d11dd272f7f22fa86c55c4 ]

    Similar to c5ee066333eb ("ipv6: Consider sk_bound_dev_if when binding a
    socket to an address"), binding a socket to v4 mapped addresses needs to
    consider if the socket is bound to a device.

    This problem also exists from the beginning of git history.

    Signed-off-by: David Ahern
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    David Ahern
     

23 Jan, 2019

12 commits

  • commit 2753ca5d9009c180dbfd4c802c80983b4b6108d1 upstream.

    BUG: KMSAN: uninit-value in tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
    CPU: 0 PID: 4514 Comm: syz-executor485 Not tainted 4.16.0+ #87
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:17 [inline]
    dump_stack+0x185/0x1d0 lib/dump_stack.c:53
    kmsan_report+0x142/0x240 mm/kmsan/kmsan.c:1067
    __msan_warning_32+0x6c/0xb0 mm/kmsan/kmsan_instr.c:683
    tipc_nl_compat_doit+0x404/0xa10 net/tipc/netlink_compat.c:335
    tipc_nl_compat_recv+0x164b/0x2700 net/tipc/netlink_compat.c:1153
    genl_family_rcv_msg net/netlink/genetlink.c:599 [inline]
    genl_rcv_msg+0x1686/0x1810 net/netlink/genetlink.c:624
    netlink_rcv_skb+0x378/0x600 net/netlink/af_netlink.c:2447
    genl_rcv+0x63/0x80 net/netlink/genetlink.c:635
    netlink_unicast_kernel net/netlink/af_netlink.c:1311 [inline]
    netlink_unicast+0x166b/0x1740 net/netlink/af_netlink.c:1337
    netlink_sendmsg+0x1048/0x1310 net/netlink/af_netlink.c:1900
    sock_sendmsg_nosec net/socket.c:630 [inline]
    sock_sendmsg net/socket.c:640 [inline]
    ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
    __sys_sendmsg net/socket.c:2080 [inline]
    SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
    SyS_sendmsg+0x54/0x80 net/socket.c:2087
    do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2
    RIP: 0033:0x43fda9
    RSP: 002b:00007ffd0c184ba8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 000000000043fda9
    RDX: 0000000000000000 RSI: 0000000020023000 RDI: 0000000000000003
    RBP: 00000000006ca018 R08: 00000000004002c8 R09: 00000000004002c8
    R10: 00000000004002c8 R11: 0000000000000213 R12: 00000000004016d0
    R13: 0000000000401760 R14: 0000000000000000 R15: 0000000000000000

    Uninit was created at:
    kmsan_save_stack_with_flags mm/kmsan/kmsan.c:278 [inline]
    kmsan_internal_poison_shadow+0xb8/0x1b0 mm/kmsan/kmsan.c:188
    kmsan_kmalloc+0x94/0x100 mm/kmsan/kmsan.c:314
    kmsan_slab_alloc+0x11/0x20 mm/kmsan/kmsan.c:321
    slab_post_alloc_hook mm/slab.h:445 [inline]
    slab_alloc_node mm/slub.c:2737 [inline]
    __kmalloc_node_track_caller+0xaed/0x11c0 mm/slub.c:4369
    __kmalloc_reserve net/core/skbuff.c:138 [inline]
    __alloc_skb+0x2cf/0x9f0 net/core/skbuff.c:206
    alloc_skb include/linux/skbuff.h:984 [inline]
    netlink_alloc_large_skb net/netlink/af_netlink.c:1183 [inline]
    netlink_sendmsg+0x9a6/0x1310 net/netlink/af_netlink.c:1875
    sock_sendmsg_nosec net/socket.c:630 [inline]
    sock_sendmsg net/socket.c:640 [inline]
    ___sys_sendmsg+0xec0/0x1310 net/socket.c:2046
    __sys_sendmsg net/socket.c:2080 [inline]
    SYSC_sendmsg+0x2a3/0x3d0 net/socket.c:2091
    SyS_sendmsg+0x54/0x80 net/socket.c:2087
    do_syscall_64+0x309/0x430 arch/x86/entry/common.c:287
    entry_SYSCALL_64_after_hwframe+0x3d/0xa2

    In tipc_nl_compat_recv(), when the len variable returned by
    nlmsg_attrlen() is 0, the message is still treated as a valid one,
    which is obviously unresonable. When len is zero, it means the
    message not only doesn't contain any valid TLV payload, but also
    TLV header is not included. Under this stituation, tlv_type field
    in TLV header is still accessed in tipc_nl_compat_dumpit() or
    tipc_nl_compat_doit(), but the field space is obviously illegal.
    Of course, it is not initialized.

    Reported-by: syzbot+bca0dc46634781f08b38@syzkaller.appspotmail.com
    Reported-by: syzbot+6bdb590321a7ae40c1a6@syzkaller.appspotmail.com
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ying Xue
     
  • commit 974cb0e3e7c963ced06c4e32c5b2884173fa5e01 upstream.

    syzbot reported:

    BUG: KMSAN: uninit-value in __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
    BUG: KMSAN: uninit-value in __fswab32 include/uapi/linux/swab.h:59 [inline]
    BUG: KMSAN: uninit-value in tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
    CPU: 0 PID: 6290 Comm: syz-executor848 Not tainted 4.19.0-rc8+ #70
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x306/0x460 lib/dump_stack.c:113
    kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
    __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
    __arch_swab32 arch/x86/include/uapi/asm/swab.h:10 [inline]
    __fswab32 include/uapi/linux/swab.h:59 [inline]
    tipc_nl_compat_name_table_dump+0x4a8/0xba0 net/tipc/netlink_compat.c:826
    __tipc_nl_compat_dumpit+0x59e/0xdb0 net/tipc/netlink_compat.c:205
    tipc_nl_compat_dumpit+0x63a/0x820 net/tipc/netlink_compat.c:270
    tipc_nl_compat_handle net/tipc/netlink_compat.c:1151 [inline]
    tipc_nl_compat_recv+0x1402/0x2760 net/tipc/netlink_compat.c:1210
    genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
    genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
    netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
    genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
    netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
    netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
    netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
    sock_sendmsg_nosec net/socket.c:621 [inline]
    sock_sendmsg net/socket.c:631 [inline]
    ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
    __sys_sendmsg net/socket.c:2154 [inline]
    __do_sys_sendmsg net/socket.c:2163 [inline]
    __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
    __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
    do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7
    RIP: 0033:0x440179
    Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007ffecec49318 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
    RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
    RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
    R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
    R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000

    Uninit was created at:
    kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
    kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
    kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
    kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
    slab_post_alloc_hook mm/slab.h:446 [inline]
    slab_alloc_node mm/slub.c:2727 [inline]
    __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
    __kmalloc_reserve net/core/skbuff.c:138 [inline]
    __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
    alloc_skb include/linux/skbuff.h:996 [inline]
    netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
    netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
    sock_sendmsg_nosec net/socket.c:621 [inline]
    sock_sendmsg net/socket.c:631 [inline]
    ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
    __sys_sendmsg net/socket.c:2154 [inline]
    __do_sys_sendmsg net/socket.c:2163 [inline]
    __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
    __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
    do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7

    We cannot take for granted the thing that the length of data contained
    in TLV is longer than the size of struct tipc_name_table_query in
    tipc_nl_compat_name_table_dump().

    Reported-by: syzbot+06e771a754829716a327@syzkaller.appspotmail.com
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ying Xue
     
  • commit edf5ff04a45750ac8ce2435974f001dc9cfbf055 upstream.

    syzbot reports following splat:

    BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
    CPU: 1 PID: 9306 Comm: syz-executor172 Not tainted 4.20.0-rc7+ #2
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
    Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x173/0x1d0 lib/dump_stack.c:113
    kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
    __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:313
    strlen+0x3b/0xa0 lib/string.c:486
    nla_put_string include/net/netlink.h:1154 [inline]
    __tipc_nl_compat_link_set net/tipc/netlink_compat.c:708 [inline]
    tipc_nl_compat_link_set+0x929/0x1220 net/tipc/netlink_compat.c:744
    __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
    tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
    tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
    tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
    genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
    genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
    netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
    genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
    netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
    netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
    netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
    sock_sendmsg_nosec net/socket.c:621 [inline]
    sock_sendmsg net/socket.c:631 [inline]
    ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
    __sys_sendmsg net/socket.c:2154 [inline]
    __do_sys_sendmsg net/socket.c:2163 [inline]
    __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
    __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
    do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7

    The uninitialised access happened in
    nla_put_string(skb, TIPC_NLA_LINK_NAME, lc->name)

    This is because lc->name string is not validated before it's used.

    Reported-by: syzbot+d78b8a29241a195aefb8@syzkaller.appspotmail.com
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ying Xue
     
  • commit 0762216c0ad2a2fccd63890648eca491f2c83d9a upstream.

    syzbot reported:

    BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:484
    CPU: 1 PID: 6371 Comm: syz-executor652 Not tainted 4.19.0-rc8+ #70
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x306/0x460 lib/dump_stack.c:113
    kmsan_report+0x1a2/0x2e0 mm/kmsan/kmsan.c:917
    __msan_warning+0x7c/0xe0 mm/kmsan/kmsan_instr.c:500
    strlen+0x3b/0xa0 lib/string.c:484
    nla_put_string include/net/netlink.h:1011 [inline]
    tipc_nl_compat_bearer_enable+0x238/0x7b0 net/tipc/netlink_compat.c:389
    __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
    tipc_nl_compat_doit+0x39f/0xae0 net/tipc/netlink_compat.c:344
    tipc_nl_compat_recv+0x147c/0x2760 net/tipc/netlink_compat.c:1107
    genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
    genl_rcv_msg+0x185c/0x1a20 net/netlink/genetlink.c:626
    netlink_rcv_skb+0x394/0x640 net/netlink/af_netlink.c:2454
    genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
    netlink_unicast_kernel net/netlink/af_netlink.c:1317 [inline]
    netlink_unicast+0x166d/0x1720 net/netlink/af_netlink.c:1343
    netlink_sendmsg+0x1391/0x1420 net/netlink/af_netlink.c:1908
    sock_sendmsg_nosec net/socket.c:621 [inline]
    sock_sendmsg net/socket.c:631 [inline]
    ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
    __sys_sendmsg net/socket.c:2154 [inline]
    __do_sys_sendmsg net/socket.c:2163 [inline]
    __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
    __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
    do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7
    RIP: 0033:0x440179
    Code: 18 89 d0 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 0f 83 fb 13 fc ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007fffef7beee8 EFLAGS: 00000213 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 00000000004002c8 RCX: 0000000000440179
    RDX: 0000000000000000 RSI: 0000000020000100 RDI: 0000000000000003
    RBP: 00000000006ca018 R08: 0000000000000000 R09: 00000000004002c8
    R10: 0000000000000000 R11: 0000000000000213 R12: 0000000000401a00
    R13: 0000000000401a90 R14: 0000000000000000 R15: 0000000000000000

    Uninit was created at:
    kmsan_save_stack_with_flags mm/kmsan/kmsan.c:255 [inline]
    kmsan_internal_poison_shadow+0xc8/0x1d0 mm/kmsan/kmsan.c:180
    kmsan_kmalloc+0xa4/0x120 mm/kmsan/kmsan_hooks.c:104
    kmsan_slab_alloc+0x10/0x20 mm/kmsan/kmsan_hooks.c:113
    slab_post_alloc_hook mm/slab.h:446 [inline]
    slab_alloc_node mm/slub.c:2727 [inline]
    __kmalloc_node_track_caller+0xb43/0x1400 mm/slub.c:4360
    __kmalloc_reserve net/core/skbuff.c:138 [inline]
    __alloc_skb+0x422/0xe90 net/core/skbuff.c:206
    alloc_skb include/linux/skbuff.h:996 [inline]
    netlink_alloc_large_skb net/netlink/af_netlink.c:1189 [inline]
    netlink_sendmsg+0xcaf/0x1420 net/netlink/af_netlink.c:1883
    sock_sendmsg_nosec net/socket.c:621 [inline]
    sock_sendmsg net/socket.c:631 [inline]
    ___sys_sendmsg+0xe47/0x1200 net/socket.c:2116
    __sys_sendmsg net/socket.c:2154 [inline]
    __do_sys_sendmsg net/socket.c:2163 [inline]
    __se_sys_sendmsg+0x307/0x460 net/socket.c:2161
    __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
    do_syscall_64+0xbe/0x100 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7

    The root cause is that we don't validate whether bear name is a valid
    string in tipc_nl_compat_bearer_enable().

    Meanwhile, we also fix the same issue in the following functions:
    tipc_nl_compat_bearer_disable()
    tipc_nl_compat_link_stat_dump()
    tipc_nl_compat_media_set()
    tipc_nl_compat_bearer_set()

    Reported-by: syzbot+b33d5cae0efd35dbfe77@syzkaller.appspotmail.com
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ying Xue
     
  • commit 8b66fee7f8ee18f9c51260e7a43ab37db5177a05 upstream.

    syzbot reports following splat:

    BUG: KMSAN: uninit-value in strlen+0x3b/0xa0 lib/string.c:486
    CPU: 1 PID: 11057 Comm: syz-executor0 Not tainted 4.20.0-rc7+ #2
    Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
    Call Trace:
    __dump_stack lib/dump_stack.c:77 [inline]
    dump_stack+0x173/0x1d0 lib/dump_stack.c:113
    kmsan_report+0x12e/0x2a0 mm/kmsan/kmsan.c:613
    __msan_warning+0x82/0xf0 mm/kmsan/kmsan_instr.c:295
    strlen+0x3b/0xa0 lib/string.c:486
    nla_put_string include/net/netlink.h:1154 [inline]
    tipc_nl_compat_link_reset_stats+0x1f0/0x360 net/tipc/netlink_compat.c:760
    __tipc_nl_compat_doit net/tipc/netlink_compat.c:311 [inline]
    tipc_nl_compat_doit+0x3aa/0xaf0 net/tipc/netlink_compat.c:344
    tipc_nl_compat_handle net/tipc/netlink_compat.c:1107 [inline]
    tipc_nl_compat_recv+0x14d7/0x2760 net/tipc/netlink_compat.c:1210
    genl_family_rcv_msg net/netlink/genetlink.c:601 [inline]
    genl_rcv_msg+0x185f/0x1a60 net/netlink/genetlink.c:626
    netlink_rcv_skb+0x444/0x640 net/netlink/af_netlink.c:2477
    genl_rcv+0x63/0x80 net/netlink/genetlink.c:637
    netlink_unicast_kernel net/netlink/af_netlink.c:1310 [inline]
    netlink_unicast+0xf40/0x1020 net/netlink/af_netlink.c:1336
    netlink_sendmsg+0x127f/0x1300 net/netlink/af_netlink.c:1917
    sock_sendmsg_nosec net/socket.c:621 [inline]
    sock_sendmsg net/socket.c:631 [inline]
    ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
    __sys_sendmsg net/socket.c:2154 [inline]
    __do_sys_sendmsg net/socket.c:2163 [inline]
    __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
    __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
    do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7
    RIP: 0033:0x457ec9
    Code: 6d b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 3d 01 f0 ff ff 0f 83 3b b7 fb ff c3 66 2e 0f 1f 84 00 00 00 00
    RSP: 002b:00007f2557338c78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
    RAX: ffffffffffffffda RBX: 0000000000000003 RCX: 0000000000457ec9
    RDX: 0000000000000000 RSI: 00000000200001c0 RDI: 0000000000000003
    RBP: 000000000073bf00 R08: 0000000000000000 R09: 0000000000000000
    R10: 0000000000000000 R11: 0000000000000246 R12: 00007f25573396d4
    R13: 00000000004cb478 R14: 00000000004d86c8 R15: 00000000ffffffff

    Uninit was created at:
    kmsan_save_stack_with_flags mm/kmsan/kmsan.c:204 [inline]
    kmsan_internal_poison_shadow+0x92/0x150 mm/kmsan/kmsan.c:158
    kmsan_kmalloc+0xa6/0x130 mm/kmsan/kmsan_hooks.c:176
    kmsan_slab_alloc+0xe/0x10 mm/kmsan/kmsan_hooks.c:185
    slab_post_alloc_hook mm/slab.h:446 [inline]
    slab_alloc_node mm/slub.c:2759 [inline]
    __kmalloc_node_track_caller+0xe18/0x1030 mm/slub.c:4383
    __kmalloc_reserve net/core/skbuff.c:137 [inline]
    __alloc_skb+0x309/0xa20 net/core/skbuff.c:205
    alloc_skb include/linux/skbuff.h:998 [inline]
    netlink_alloc_large_skb net/netlink/af_netlink.c:1182 [inline]
    netlink_sendmsg+0xb82/0x1300 net/netlink/af_netlink.c:1892
    sock_sendmsg_nosec net/socket.c:621 [inline]
    sock_sendmsg net/socket.c:631 [inline]
    ___sys_sendmsg+0xdb9/0x11b0 net/socket.c:2116
    __sys_sendmsg net/socket.c:2154 [inline]
    __do_sys_sendmsg net/socket.c:2163 [inline]
    __se_sys_sendmsg+0x305/0x460 net/socket.c:2161
    __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2161
    do_syscall_64+0xbc/0xf0 arch/x86/entry/common.c:291
    entry_SYSCALL_64_after_hwframe+0x63/0xe7

    The uninitialised access happened in tipc_nl_compat_link_reset_stats:
    nla_put_string(skb, TIPC_NLA_LINK_NAME, name)

    This is because name string is not validated before it's used.

    Reported-by: syzbot+e01d94b5a4c266be6e4c@syzkaller.appspotmail.com
    Signed-off-by: Ying Xue
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Ying Xue
     
  • commit 400b8b9a2a17918f8ce00786f596f530e7f30d50 upstream.

    The similar issue as fixed in Commit 4a2eb0c37b47 ("sctp: initialize
    sin6_flowinfo for ipv6 addrs in sctp_inet6addr_event") also exists
    in sctp_inetaddr_event, as Alexander noticed.

    To fix it, allocate sctp_sockaddr_entry with kzalloc for both sctp
    ipv4 and ipv6 addresses, as does in sctp_v4/6_copy_addrlist().

    Reported-by: Alexander Potapenko
    Signed-off-by: Xin Long
    Reported-by: syzbot+ae0c70c0c2d40c51bb92@syzkaller.appspotmail.com
    Acked-by: Marcelo Ricardo Leitner
    Acked-by: Neil Horman
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Xin Long
     
  • commit e2c8d550a973bb34fc28bc8d0ec996f84562fb8a upstream.

    The [ip,ip6,arp]_tables use x_tables_info internally and the underlying
    memory is already accounted to kmemcg. Do the same for ebtables. The
    syzbot, by using setsockopt(EBT_SO_SET_ENTRIES), was able to OOM the
    whole system from a restricted memcg, a potential DoS.

    By accounting the ebt_table_info, the memory used for ebt_table_info can
    be contained within the memcg of the allocating process. However the
    lifetime of ebt_table_info is independent of the allocating process and
    is tied to the network namespace. So, the oom-killer will not be able to
    relieve the memory pressure due to ebt_table_info memory. The memory for
    ebt_table_info is allocated through vmalloc. Currently vmalloc does not
    handle the oom-killed allocating process correctly and one large
    allocation can bypass memcg limit enforcement. So, with this patch,
    at least the small allocations will be contained. For large allocations,
    we need to fix vmalloc.

    Reported-by: syzbot+7713f3aa67be76b1552c@syzkaller.appspotmail.com
    Signed-off-by: Shakeel Butt
    Reviewed-by: Kirill Tkhai
    Signed-off-by: Pablo Neira Ayuso
    Signed-off-by: Greg Kroah-Hartman

    Shakeel Butt
     
  • commit 81c88b18de1f11f70c97f28ced8d642c00bb3955 upstream.

    If we ignore the error we'll hit a null dereference a little later.

    Reported-by: syzbot+4b98281f2401ab849f4b@syzkaller.appspotmail.com
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Anna Schumaker
    Signed-off-by: Greg Kroah-Hartman

    J. Bruce Fields
     
  • commit e7c87bd6cc4ec7b0ac1ed0a88a58f8206c577488 upstream.

    Syzkaller was able to construct a packet of negative length by
    redirecting from bpf_prog_test_run_skb with BPF_PROG_TYPE_LWT_XMIT:

    BUG: KASAN: slab-out-of-bounds in memcpy include/linux/string.h:345 [inline]
    BUG: KASAN: slab-out-of-bounds in skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
    BUG: KASAN: slab-out-of-bounds in __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
    Read of size 4294967282 at addr ffff8801d798009c by task syz-executor2/12942

    kasan_report.cold.9+0x242/0x309 mm/kasan/report.c:412
    check_memory_region_inline mm/kasan/kasan.c:260 [inline]
    check_memory_region+0x13e/0x1b0 mm/kasan/kasan.c:267
    memcpy+0x23/0x50 mm/kasan/kasan.c:302
    memcpy include/linux/string.h:345 [inline]
    skb_copy_from_linear_data include/linux/skbuff.h:3421 [inline]
    __pskb_copy_fclone+0x2dd/0xeb0 net/core/skbuff.c:1395
    __pskb_copy include/linux/skbuff.h:1053 [inline]
    pskb_copy include/linux/skbuff.h:2904 [inline]
    skb_realloc_headroom+0xe7/0x120 net/core/skbuff.c:1539
    ipip6_tunnel_xmit net/ipv6/sit.c:965 [inline]
    sit_tunnel_xmit+0xe1b/0x30d0 net/ipv6/sit.c:1029
    __netdev_start_xmit include/linux/netdevice.h:4325 [inline]
    netdev_start_xmit include/linux/netdevice.h:4334 [inline]
    xmit_one net/core/dev.c:3219 [inline]
    dev_hard_start_xmit+0x295/0xc90 net/core/dev.c:3235
    __dev_queue_xmit+0x2f0d/0x3950 net/core/dev.c:3805
    dev_queue_xmit+0x17/0x20 net/core/dev.c:3838
    __bpf_tx_skb net/core/filter.c:2016 [inline]
    __bpf_redirect_common net/core/filter.c:2054 [inline]
    __bpf_redirect+0x5cf/0xb20 net/core/filter.c:2061
    ____bpf_clone_redirect net/core/filter.c:2094 [inline]
    bpf_clone_redirect+0x2f6/0x490 net/core/filter.c:2066
    bpf_prog_41f2bcae09cd4ac3+0xb25/0x1000

    The generated test constructs a packet with mac header, network
    header, skb->data pointing to network header and skb->len 0.

    Redirecting to a sit0 through __bpf_redirect_no_mac pulls the
    mac length, even though skb->data already is at skb->network_header.
    bpf_prog_test_run_skb has already pulled it as LWT_XMIT !is_l2.

    Update the offset calculation to pull only if skb->data differs
    from skb->network_header, which is not true in this case.

    The test itself can be run only from commit 1cf1cae963c2 ("bpf:
    introduce BPF_PROG_TEST_RUN command"), but the same type of packets
    with skb at network header could already be built from lwt xmit hooks,
    so this fix is more relevant to that commit.

    Also set the mac header on redirect from LWT_XMIT, as even after this
    change to __bpf_redirect_no_mac that field is expected to be set, but
    is not yet in ip_finish_output2.

    Fixes: 3a0af8fd61f9 ("bpf: BPF for lightweight tunnel infrastructure")
    Reported-by: syzbot
    Signed-off-by: Willem de Bruijn
    Acked-by: Martin KaFai Lau
    Signed-off-by: Daniel Borkmann
    Signed-off-by: Greg Kroah-Hartman

    Willem de Bruijn
     
  • [ Upstream commit 4a06fa67c4da20148803525151845276cdb995c1 ]

    Commit 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call
    pskb_may_pull") avoided a read beyond the end of the skb linear
    segment by calling pskb_may_pull.

    That function can trigger a BUG_ON in pskb_expand_head if the skb is
    shared, which it is when when peeking. It can also return ENOMEM.

    Avoid both by switching to safer skb_header_pointer.

    Fixes: 2efd4fca703a ("ip: in cmsg IP(V6)_ORIGDSTADDR call pskb_may_pull")
    Reported-by: syzbot
    Suggested-by: Eric Dumazet
    Signed-off-by: Willem de Bruijn
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Willem de Bruijn
     
  • [ Upstream commit d972f3dce8d161e2142da0ab1ef25df00e2f21a9 ]

    'dev' is non NULL when the addr_len check triggers so it must goto a label
    that does the dev_put otherwise dev will have a leaked refcount.

    This bug causes the ib_ipoib module to become unloadable when using
    systemd-network as it triggers this check on InfiniBand links.

    Fixes: 99137b7888f4 ("packet: validate address length")
    Reported-by: Leon Romanovsky
    Signed-off-by: Jason Gunthorpe
    Acked-by: Willem de Bruijn
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    Jason Gunthorpe
     
  • [ Upstream commit 4c84edc11b76590859b1e45dd676074c59602dc4 ]

    When handling DNAT'ed packets on a bridge device, the neighbour cache entry
    from lookup was used without checking its state. It means that a cache entry
    in the NUD_STALE state will be used directly instead of entering the NUD_DELAY
    state to confirm the reachability of the neighbor.

    This problem becomes worse after commit 2724680bceee ("neigh: Keep neighbour
    cache entries if number of them is small enough."), since all neighbour cache
    entries in the NUD_STALE state will be kept in the neighbour table as long as
    the number of cache entries does not exceed the value specified in gc_thresh1.

    This commit validates the state of a neighbour cache entry before using
    the entry.

    Signed-off-by: JianJhen Chen
    Reviewed-by: JinLin Chen
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

    JianJhen Chen