This is a note to let you know that I've just added the patch titled
ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
Date: Thu, 8 Mar 2018 17:00:02 +0100
Subject: ipv6: fix access to non-linear packet in ndisc_fill_redirect_hdr_option()
From: Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
[ Upstream commit 9f62c15f28b0d1d746734666d88a79f08ba1e43e ]
Fix the following slab-out-of-bounds kasan report in
ndisc_fill_redirect_hdr_option when the incoming ipv6 packet is not
linear and the accessed data are not in the linear data region of orig_skb.
[ 1503.122508] ==================================================================
[ 1503.122832] BUG: KASAN: slab-out-of-bounds in ndisc_send_redirect+0x94e/0x990
[ 1503.123036] Read of size 1184 at addr ffff8800298ab6b0 by task netperf/1932
[ 1503.123220] CPU: 0 PID: 1932 Comm: netperf Not tainted 4.16.0-rc2+ #124
[ 1503.123347] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.10.2-2.fc27 04/01/2014
[ 1503.123527] Call Trace:
[ 1503.123579] <IRQ>
[ 1503.123638] print_address_description+0x6e/0x280
[ 1503.123849] kasan_report+0x233/0x350
[ 1503.123946] memcpy+0x1f/0x50
[ 1503.124037] ndisc_send_redirect+0x94e/0x990
[ 1503.125150] ip6_forward+0x1242/0x13b0
[...]
[ 1503.153890] Allocated by task 1932:
[ 1503.153982] kasan_kmalloc+0x9f/0xd0
[ 1503.154074] __kmalloc_track_caller+0xb5/0x160
[ 1503.154198] __kmalloc_reserve.isra.41+0x24/0x70
[ 1503.154324] __alloc_skb+0x130/0x3e0
[ 1503.154415] sctp_packet_transmit+0x21a/0x1810
[ 1503.154533] sctp_outq_flush+0xc14/0x1db0
[ 1503.154624] sctp_do_sm+0x34e/0x2740
[ 1503.154715] sctp_primitive_SEND+0x57/0x70
[ 1503.154807] sctp_sendmsg+0xaa6/0x1b10
[ 1503.154897] sock_sendmsg+0x68/0x80
[ 1503.154987] ___sys_sendmsg+0x431/0x4b0
[ 1503.155078] __sys_sendmsg+0xa4/0x130
[ 1503.155168] do_syscall_64+0x171/0x3f0
[ 1503.155259] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1503.155436] Freed by task 1932:
[ 1503.155527] __kasan_slab_free+0x134/0x180
[ 1503.155618] kfree+0xbc/0x180
[ 1503.155709] skb_release_data+0x27f/0x2c0
[ 1503.155800] consume_skb+0x94/0xe0
[ 1503.155889] sctp_chunk_put+0x1aa/0x1f0
[ 1503.155979] sctp_inq_pop+0x2f8/0x6e0
[ 1503.156070] sctp_assoc_bh_rcv+0x6a/0x230
[ 1503.156164] sctp_inq_push+0x117/0x150
[ 1503.156255] sctp_backlog_rcv+0xdf/0x4a0
[ 1503.156346] __release_sock+0x142/0x250
[ 1503.156436] release_sock+0x80/0x180
[ 1503.156526] sctp_sendmsg+0xbb0/0x1b10
[ 1503.156617] sock_sendmsg+0x68/0x80
[ 1503.156708] ___sys_sendmsg+0x431/0x4b0
[ 1503.156799] __sys_sendmsg+0xa4/0x130
[ 1503.156889] do_syscall_64+0x171/0x3f0
[ 1503.156980] entry_SYSCALL_64_after_hwframe+0x42/0xb7
[ 1503.157158] The buggy address belongs to the object at ffff8800298ab600
which belongs to the cache kmalloc-1024 of size 1024
[ 1503.157444] The buggy address is located 176 bytes inside of
1024-byte region [ffff8800298ab600, ffff8800298aba00)
[ 1503.157702] The buggy address belongs to the page:
[ 1503.157820] page:ffffea0000a62a00 count:1 mapcount:0 mapping:0000000000000000 index:0x0 compound_mapcount: 0
[ 1503.158053] flags: 0x4000000000008100(slab|head)
[ 1503.158171] raw: 4000000000008100 0000000000000000 0000000000000000 00000001800e000e
[ 1503.158350] raw: dead000000000100 dead000000000200 ffff880036002600 0000000000000000
[ 1503.158523] page dumped because: kasan: bad access detected
[ 1503.158698] Memory state around the buggy address:
[ 1503.158816] ffff8800298ab900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1503.158988] ffff8800298ab980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 1503.159165] >ffff8800298aba00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 1503.159338] ^
[ 1503.159436] ffff8800298aba80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1503.159610] ffff8800298abb00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1503.159785] ==================================================================
[ 1503.159964] Disabling lock debugging due to kernel taint
The test scenario to trigger the issue consists of 4 devices:
- H0: data sender, connected to LAN0
- H1: data receiver, connected to LAN1
- GW0 and GW1: routers between LAN0 and LAN1. Both of them have an
ethernet connection on LAN0 and LAN1
On H{0,1} set GW0 as default gateway while on GW0 set GW1 as next hop for
data from LAN0 to LAN1.
Moreover create an ip6ip6 tunnel between H0 and H1 and send 3 concurrent
data streams (TCP/UDP/SCTP) from H0 to H1 through ip6ip6 tunnel (send
buffer size is set to 16K). While data streams are active flush the route
cache on HA multiple times.
I have not been able to identify a given commit that introduced the issue
since, using the reproducer described above, the kasan report has been
triggered from 4.14 and I have not gone back further.
Reported-by: Jianlin Shi <jishi(a)redhat.com>
Reviewed-by: Stefano Brivio <sbrivio(a)redhat.com>
Reviewed-by: Eric Dumazet <edumazet(a)google.com>
Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi(a)redhat.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
net/ipv6/ndisc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/net/ipv6/ndisc.c
+++ b/net/ipv6/ndisc.c
@@ -1554,7 +1554,8 @@ static void ndisc_fill_redirect_hdr_opti
*(opt++) = (rd_len >> 3);
opt += 6;
- memcpy(opt, ipv6_hdr(orig_skb), rd_len - 8);
+ skb_copy_bits(orig_skb, skb_network_offset(orig_skb), opt,
+ rd_len - 8);
}
void ndisc_send_redirect(struct sk_buff *skb, const struct in6_addr *target)
Patches currently in stable-queue which might be from lorenzo.bianconi(a)redhat.com are
queue-4.15/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
This is a note to let you know that I've just added the patch titled
ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Eric Dumazet <edumazet(a)google.com>
Date: Mon, 5 Mar 2018 08:51:03 -0800
Subject: ieee802154: 6lowpan: fix possible NULL deref in lowpan_device_event()
From: Eric Dumazet <edumazet(a)google.com>
[ Upstream commit ca0edb131bdf1e6beaeb2b8289fd6b374b74147d ]
A tun device type can trivially be set to arbitrary value using
TUNSETLINK ioctl().
Therefore, lowpan_device_event() must really check that ieee802154_ptr
is not NULL.
Fixes: 2c88b5283f60d ("ieee802154: 6lowpan: remove check on null")
Signed-off-by: Eric Dumazet <edumazet(a)google.com>
Cc: Alexander Aring <alex.aring(a)gmail.com>
Cc: Stefan Schmidt <stefan(a)osg.samsung.com>
Reported-by: syzbot <syzkaller(a)googlegroups.com>
Acked-by: Stefan Schmidt <stefan(a)osg.samsung.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
net/ieee802154/6lowpan/core.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
--- a/net/ieee802154/6lowpan/core.c
+++ b/net/ieee802154/6lowpan/core.c
@@ -206,9 +206,13 @@ static inline void lowpan_netlink_fini(v
static int lowpan_device_event(struct notifier_block *unused,
unsigned long event, void *ptr)
{
- struct net_device *wdev = netdev_notifier_info_to_dev(ptr);
+ struct net_device *ndev = netdev_notifier_info_to_dev(ptr);
+ struct wpan_dev *wpan_dev;
- if (wdev->type != ARPHRD_IEEE802154)
+ if (ndev->type != ARPHRD_IEEE802154)
+ return NOTIFY_DONE;
+ wpan_dev = ndev->ieee802154_ptr;
+ if (!wpan_dev)
return NOTIFY_DONE;
switch (event) {
@@ -217,8 +221,8 @@ static int lowpan_device_event(struct no
* also delete possible lowpan interfaces which belongs
* to the wpan interface.
*/
- if (wdev->ieee802154_ptr->lowpan_dev)
- lowpan_dellink(wdev->ieee802154_ptr->lowpan_dev, NULL);
+ if (wpan_dev->lowpan_dev)
+ lowpan_dellink(wpan_dev->lowpan_dev, NULL);
break;
default:
return NOTIFY_DONE;
Patches currently in stable-queue which might be from edumazet(a)google.com are
queue-4.15/ipv6-fix-access-to-non-linear-packet-in-ndisc_fill_redirect_hdr_option.patch
queue-4.15/skbuff-fix-not-waking-applications-when-errors-are-enqueued.patch
queue-4.15/l2tp-do-not-accept-arbitrary-sockets.patch
queue-4.15/tcp-purge-write-queue-upon-aborting-the-connection.patch
queue-4.15/net-use-skb_to_full_sk-in-skb_update_prio.patch
queue-4.15/ieee802154-6lowpan-fix-possible-null-deref-in-lowpan_device_event.patch
This is a note to let you know that I've just added the patch titled
dpaa_eth: remove duplicate increment of the tx_errors counter
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
dpaa_eth-remove-duplicate-increment-of-the-tx_errors-counter.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Camelia Groza <camelia.groza(a)nxp.com>
Date: Wed, 14 Mar 2018 08:37:32 -0500
Subject: dpaa_eth: remove duplicate increment of the tx_errors counter
From: Camelia Groza <camelia.groza(a)nxp.com>
[ Upstream commit 82d141cd19d088ee41feafde4a6f86eeb40d93c5 ]
The tx_errors counter is incremented by the dpaa_xmit caller.
Signed-off-by: Camelia Groza <camelia.groza(a)nxp.com>
Signed-off-by: Madalin Bucur <madalin.bucur(a)nxp.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -2008,7 +2008,6 @@ static inline int dpaa_xmit(struct dpaa_
}
if (unlikely(err < 0)) {
- percpu_stats->tx_errors++;
percpu_stats->tx_fifo_errors++;
return err;
}
Patches currently in stable-queue which might be from camelia.groza(a)nxp.com are
queue-4.15/dpaa_eth-remove-duplicate-increment-of-the-tx_errors-counter.patch
queue-4.15/dpaa_eth-remove-duplicate-initialization.patch
queue-4.15/dpaa_eth-increment-the-rx-dropped-counter-when-needed.patch
This is a note to let you know that I've just added the patch titled
dpaa_eth: remove duplicate initialization
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
dpaa_eth-remove-duplicate-initialization.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Camelia Groza <camelia.groza(a)nxp.com>
Date: Wed, 14 Mar 2018 08:37:30 -0500
Subject: dpaa_eth: remove duplicate initialization
From: Camelia Groza <camelia.groza(a)nxp.com>
[ Upstream commit 565186362b73226a288830abe595f05f0cec0bbc ]
The fd_format has already been initialized at this point.
Signed-off-by: Camelia Groza <camelia.groza(a)nxp.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -2278,7 +2278,6 @@ static enum qman_cb_dqrr_result rx_defau
vaddr = phys_to_virt(addr);
prefetch(vaddr + qm_fd_get_offset(fd));
- fd_format = qm_fd_get_format(fd);
/* The only FD types that we may receive are contig and S/G */
WARN_ON((fd_format != qm_fd_contig) && (fd_format != qm_fd_sg));
Patches currently in stable-queue which might be from camelia.groza(a)nxp.com are
queue-4.15/dpaa_eth-remove-duplicate-increment-of-the-tx_errors-counter.patch
queue-4.15/dpaa_eth-remove-duplicate-initialization.patch
queue-4.15/dpaa_eth-increment-the-rx-dropped-counter-when-needed.patch
This is a note to let you know that I've just added the patch titled
dpaa_eth: fix error in dpaa_remove()
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
dpaa_eth-fix-error-in-dpaa_remove.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Madalin Bucur <madalin.bucur(a)nxp.com>
Date: Wed, 14 Mar 2018 08:37:29 -0500
Subject: dpaa_eth: fix error in dpaa_remove()
From: Madalin Bucur <madalin.bucur(a)nxp.com>
[ Upstream commit 88075256ee817041d68c2387f29065b5cb2b342a ]
The recent changes that make the driver probing compatible with DSA
were not propagated in the dpa_remove() function, breaking the
module unload function. Using the proper device to address the issue.
Signed-off-by: Madalin Bucur <madalin.bucur(a)nxp.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -2860,7 +2860,7 @@ static int dpaa_remove(struct platform_d
struct device *dev;
int err;
- dev = &pdev->dev;
+ dev = pdev->dev.parent;
net_dev = dev_get_drvdata(dev);
priv = netdev_priv(net_dev);
Patches currently in stable-queue which might be from madalin.bucur(a)nxp.com are
queue-4.15/dpaa_eth-remove-duplicate-increment-of-the-tx_errors-counter.patch
queue-4.15/soc-fsl-qbman-fix-issue-in-qman_delete_cgr_safe.patch
queue-4.15/dpaa_eth-fix-error-in-dpaa_remove.patch
This is a note to let you know that I've just added the patch titled
dpaa_eth: increment the RX dropped counter when needed
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
dpaa_eth-increment-the-rx-dropped-counter-when-needed.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Camelia Groza <camelia.groza(a)nxp.com>
Date: Wed, 14 Mar 2018 08:37:31 -0500
Subject: dpaa_eth: increment the RX dropped counter when needed
From: Camelia Groza <camelia.groza(a)nxp.com>
[ Upstream commit e4d1b37c17d000a3da9368a3e260fb9ea4927c25 ]
Signed-off-by: Camelia Groza <camelia.groza(a)nxp.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/net/ethernet/freescale/dpaa/dpaa_eth.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
+++ b/drivers/net/ethernet/freescale/dpaa/dpaa_eth.c
@@ -2310,8 +2310,10 @@ static enum qman_cb_dqrr_result rx_defau
skb_len = skb->len;
- if (unlikely(netif_receive_skb(skb) == NET_RX_DROP))
+ if (unlikely(netif_receive_skb(skb) == NET_RX_DROP)) {
+ percpu_stats->rx_dropped++;
return qman_cb_dqrr_consume;
+ }
percpu_stats->rx_packets++;
percpu_stats->rx_bytes += skb_len;
Patches currently in stable-queue which might be from camelia.groza(a)nxp.com are
queue-4.15/dpaa_eth-remove-duplicate-increment-of-the-tx_errors-counter.patch
queue-4.15/dpaa_eth-remove-duplicate-initialization.patch
queue-4.15/dpaa_eth-increment-the-rx-dropped-counter-when-needed.patch
This is a note to let you know that I've just added the patch titled
devlink: Remove redundant free on error path
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
devlink-remove-redundant-free-on-error-path.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Arkadi Sharshevsky <arkadis(a)mellanox.com>
Date: Sun, 18 Mar 2018 17:37:22 +0200
Subject: devlink: Remove redundant free on error path
From: Arkadi Sharshevsky <arkadis(a)mellanox.com>
[ Upstream commit 7fe4d6dcbcb43fe0282d4213fc52be178bb30e91 ]
The current code performs unneeded free. Remove the redundant skb freeing
during the error path.
Fixes: 1555d204e743 ("devlink: Support for pipeline debug (dpipe)")
Signed-off-by: Arkadi Sharshevsky <arkadis(a)mellanox.com>
Acked-by: Jiri Pirko <jiri(a)mellanox.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
net/core/devlink.c | 16 ++++------------
1 file changed, 4 insertions(+), 12 deletions(-)
--- a/net/core/devlink.c
+++ b/net/core/devlink.c
@@ -1776,7 +1776,7 @@ send_done:
if (!nlh) {
err = devlink_dpipe_send_and_alloc_skb(&skb, info);
if (err)
- goto err_skb_send_alloc;
+ return err;
goto send_done;
}
@@ -1785,7 +1785,6 @@ send_done:
nla_put_failure:
err = -EMSGSIZE;
err_table_put:
-err_skb_send_alloc:
genlmsg_cancel(skb, hdr);
nlmsg_free(skb);
return err;
@@ -2051,7 +2050,7 @@ static int devlink_dpipe_entries_fill(st
table->counters_enabled,
&dump_ctx);
if (err)
- goto err_entries_dump;
+ return err;
send_done:
nlh = nlmsg_put(dump_ctx.skb, info->snd_portid, info->snd_seq,
@@ -2059,16 +2058,10 @@ send_done:
if (!nlh) {
err = devlink_dpipe_send_and_alloc_skb(&dump_ctx.skb, info);
if (err)
- goto err_skb_send_alloc;
+ return err;
goto send_done;
}
return genlmsg_reply(dump_ctx.skb, info);
-
-err_entries_dump:
-err_skb_send_alloc:
- genlmsg_cancel(dump_ctx.skb, dump_ctx.hdr);
- nlmsg_free(dump_ctx.skb);
- return err;
}
static int devlink_nl_cmd_dpipe_entries_get(struct sk_buff *skb,
@@ -2207,7 +2200,7 @@ send_done:
if (!nlh) {
err = devlink_dpipe_send_and_alloc_skb(&skb, info);
if (err)
- goto err_skb_send_alloc;
+ return err;
goto send_done;
}
return genlmsg_reply(skb, info);
@@ -2215,7 +2208,6 @@ send_done:
nla_put_failure:
err = -EMSGSIZE;
err_table_put:
-err_skb_send_alloc:
genlmsg_cancel(skb, hdr);
nlmsg_free(skb);
return err;
Patches currently in stable-queue which might be from arkadis(a)mellanox.com are
queue-4.15/devlink-remove-redundant-free-on-error-path.patch
queue-4.15/team-fix-double-free-in-error-path.patch
This is a note to let you know that I've just added the patch titled
dccp: check sk for closed state in dccp_sendmsg()
to the 4.15-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
and it can be found in the queue-4.15 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:37:51 CEST 2018
From: Alexey Kodanev <alexey.kodanev(a)oracle.com>
Date: Tue, 6 Mar 2018 22:57:01 +0300
Subject: dccp: check sk for closed state in dccp_sendmsg()
From: Alexey Kodanev <alexey.kodanev(a)oracle.com>
[ Upstream commit 67f93df79aeefc3add4e4b31a752600f834236e2 ]
dccp_disconnect() sets 'dp->dccps_hc_tx_ccid' tx handler to NULL,
therefore if DCCP socket is disconnected and dccp_sendmsg() is
called after it, it will cause a NULL pointer dereference in
dccp_write_xmit().
This crash and the reproducer was reported by syzbot. Looks like
it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
use-after-free in DCCP code") is applied.
Reported-by: syzbot+f99ab3887ab65d70f816(a)syzkaller.appspotmail.com
Signed-off-by: Alexey Kodanev <alexey.kodanev(a)oracle.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
net/dccp/proto.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/net/dccp/proto.c
+++ b/net/dccp/proto.c
@@ -789,6 +789,11 @@ int dccp_sendmsg(struct sock *sk, struct
if (skb == NULL)
goto out_release;
+ if (sk->sk_state == DCCP_CLOSED) {
+ rc = -ENOTCONN;
+ goto out_discard;
+ }
+
skb_reserve(skb, sk->sk_prot->max_header);
rc = memcpy_from_msg(skb_put(skb, len), msg, len);
if (rc != 0)
Patches currently in stable-queue which might be from alexey.kodanev(a)oracle.com are
queue-4.15/sch_netem-fix-skb-leak-in-netem_enqueue.patch
queue-4.15/macvlan-filter-out-unsupported-feature-flags.patch
queue-4.15/dccp-check-sk-for-closed-state-in-dccp_sendmsg.patch
This is a note to let you know that I've just added the patch titled
team: Fix double free in error path
to the 4.14-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=sum…
The filename of the patch is:
team-fix-double-free-in-error-path.patch
and it can be found in the queue-4.14 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable(a)vger.kernel.org> know about it.
>From foo@baz Wed Mar 28 18:38:30 CEST 2018
From: Arkadi Sharshevsky <arkadis(a)mellanox.com>
Date: Thu, 8 Mar 2018 12:42:10 +0200
Subject: team: Fix double free in error path
From: Arkadi Sharshevsky <arkadis(a)mellanox.com>
[ Upstream commit cbcc607e18422555db569b593608aec26111cb0b ]
The __send_and_alloc_skb() receives a skb ptr as a parameter but in
case it fails the skb is not valid:
- Send failed and released the skb internally.
- Allocation failed.
The current code tries to release the skb in case of failure which
causes redundant freeing.
Fixes: 9b00cf2d1024 ("team: implement multipart netlink messages for options transfers")
Signed-off-by: Arkadi Sharshevsky <arkadis(a)mellanox.com>
Acked-by: Jiri Pirko <jiri(a)mellanox.com>
Signed-off-by: David S. Miller <davem(a)davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh(a)linuxfoundation.org>
---
drivers/net/team/team.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -2394,7 +2394,7 @@ send_done:
if (!nlh) {
err = __send_and_alloc_skb(&skb, team, portid, send_func);
if (err)
- goto errout;
+ return err;
goto send_done;
}
@@ -2680,7 +2680,7 @@ send_done:
if (!nlh) {
err = __send_and_alloc_skb(&skb, team, portid, send_func);
if (err)
- goto errout;
+ return err;
goto send_done;
}
Patches currently in stable-queue which might be from arkadis(a)mellanox.com are
queue-4.14/devlink-remove-redundant-free-on-error-path.patch
queue-4.14/team-fix-double-free-in-error-path.patch