<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv4, branch v3.16.80</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>inet: stop leaking jiffies on the wire</title>
<updated>2019-12-19T15:58:53+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-11-01T17:32:19+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c1fb8e44ba97f8589b7fc5137e4b45561a27dcc5'/>
<id>c1fb8e44ba97f8589b7fc5137e4b45561a27dcc5</id>
<content type='text'>
commit a904a0693c189691eeee64f6c6b188bd7dc244e9 upstream.

Historically linux tried to stick to RFC 791, 1122, 2003
for IPv4 ID field generation.

RFC 6864 made clear that no matter how hard we try,
we can not ensure unicity of IP ID within maximum
lifetime for all datagrams with a given source
address/destination address/protocol tuple.

Linux uses a per socket inet generator (inet_id), initialized
at connection startup with a XOR of 'jiffies' and other
fields that appear clear on the wire.

Thiemo Nagel pointed that this strategy is a privacy
concern as this provides 16 bits of entropy to fingerprint
devices.

Let's switch to a random starting point, this is just as
good as far as RFC 6864 is concerned and does not leak
anything critical.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Thiemo Nagel &lt;tnagel@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: drop changes in chelsio]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit a904a0693c189691eeee64f6c6b188bd7dc244e9 upstream.

Historically linux tried to stick to RFC 791, 1122, 2003
for IPv4 ID field generation.

RFC 6864 made clear that no matter how hard we try,
we can not ensure unicity of IP ID within maximum
lifetime for all datagrams with a given source
address/destination address/protocol tuple.

Linux uses a per socket inet generator (inet_id), initialized
at connection startup with a XOR of 'jiffies' and other
fields that appear clear on the wire.

Thiemo Nagel pointed that this strategy is a privacy
concern as this provides 16 bits of entropy to fingerprint
devices.

Let's switch to a random starting point, this is just as
good as far as RFC 6864 is concerned and does not leak
anything critical.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Thiemo Nagel &lt;tnagel@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: drop changes in chelsio]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: ipv4: avoid mixed n_redirects and rate_tokens usage</title>
<updated>2019-12-19T15:58:12+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2019-10-04T13:11:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cce25545927688855dd10a7b61c64f350b1af818'/>
<id>cce25545927688855dd10a7b61c64f350b1af818</id>
<content type='text'>
commit b406472b5ad79ede8d10077f0c8f05505ace8b6d upstream.

Since commit c09551c6ff7f ("net: ipv4: use a dedicated counter
for icmp_v4 redirect packets") we use 'n_redirects' to account
for redirect packets, but we still use 'rate_tokens' to compute
the redirect packets exponential backoff.

If the device sent to the relevant peer any ICMP error packet
after sending a redirect, it will also update 'rate_token' according
to the leaking bucket schema; typically 'rate_token' will raise
above BITS_PER_LONG and the redirect packets backoff algorithm
will produce undefined behavior.

Fix the issue using 'n_redirects' to compute the exponential backoff
in ip_rt_send_redirect().

Note that we still clear rate_tokens after a redirect silence period,
to avoid changing an established behaviour.

The root cause predates git history; before the mentioned commit in
the critical scenario, the kernel stopped sending redirects, after
the mentioned commit the behavior more randomic.

Reported-by: Xiumei Mu &lt;xmu@redhat.com&gt;
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets")
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Acked-by: Lorenzo Bianconi &lt;lorenzo.bianconi@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b406472b5ad79ede8d10077f0c8f05505ace8b6d upstream.

Since commit c09551c6ff7f ("net: ipv4: use a dedicated counter
for icmp_v4 redirect packets") we use 'n_redirects' to account
for redirect packets, but we still use 'rate_tokens' to compute
the redirect packets exponential backoff.

If the device sent to the relevant peer any ICMP error packet
after sending a redirect, it will also update 'rate_token' according
to the leaking bucket schema; typically 'rate_token' will raise
above BITS_PER_LONG and the redirect packets backoff algorithm
will produce undefined behavior.

Fix the issue using 'n_redirects' to compute the exponential backoff
in ip_rt_send_redirect().

Note that we still clear rate_tokens after a redirect silence period,
to avoid changing an established behaviour.

The root cause predates git history; before the mentioned commit in
the critical scenario, the kernel stopped sending redirects, after
the mentioned commit the behavior more randomic.

Reported-by: Xiumei Mu &lt;xmu@redhat.com&gt;
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Fixes: c09551c6ff7f ("net: ipv4: use a dedicated counter for icmp_v4 redirect packets")
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Acked-by: Lorenzo Bianconi &lt;lorenzo.bianconi@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: ipv4: use a dedicated counter for icmp_v4 redirect packets</title>
<updated>2019-12-19T15:58:11+00:00</updated>
<author>
<name>Lorenzo Bianconi</name>
<email>lorenzo.bianconi@redhat.com</email>
</author>
<published>2019-02-06T18:18:04+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d4df303d9f271ac3bb45bea6e913aff32f8f9239'/>
<id>d4df303d9f271ac3bb45bea6e913aff32f8f9239</id>
<content type='text'>
commit c09551c6ff7fe16a79a42133bcecba5fc2fc3291 upstream.

According to the algorithm described in the comment block at the
beginning of ip_rt_send_redirect, the host should try to send
'ip_rt_redirect_number' ICMP redirect packets with an exponential
backoff and then stop sending them at all assuming that the destination
ignores redirects.
If the device has previously sent some ICMP error packets that are
rate-limited (e.g TTL expired) and continues to receive traffic,
the redirect packets will never be transmitted. This happens since
peer-&gt;rate_tokens will be typically greater than 'ip_rt_redirect_number'
and so it will never be reset even if the redirect silence timeout
(ip_rt_redirect_silence) has elapsed without receiving any packet
requiring redirects.

Fix it by using a dedicated counter for the number of ICMP redirect
packets that has been sent by the host

I have not been able to identify a given commit that introduced the
issue since ip_rt_send_redirect implements the same rate-limiting
algorithm from commit 1da177e4c3f4 ("Linux-2.6.12-rc2")

Signed-off-by: Lorenzo Bianconi &lt;lorenzo.bianconi@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c09551c6ff7fe16a79a42133bcecba5fc2fc3291 upstream.

According to the algorithm described in the comment block at the
beginning of ip_rt_send_redirect, the host should try to send
'ip_rt_redirect_number' ICMP redirect packets with an exponential
backoff and then stop sending them at all assuming that the destination
ignores redirects.
If the device has previously sent some ICMP error packets that are
rate-limited (e.g TTL expired) and continues to receive traffic,
the redirect packets will never be transmitted. This happens since
peer-&gt;rate_tokens will be typically greater than 'ip_rt_redirect_number'
and so it will never be reset even if the redirect silence timeout
(ip_rt_redirect_silence) has elapsed without receiving any packet
requiring redirects.

Fix it by using a dedicated counter for the number of ICMP redirect
packets that has been sent by the host

I have not been able to identify a given commit that introduced the
issue since ip_rt_send_redirect implements the same rate-limiting
algorithm from commit 1da177e4c3f4 ("Linux-2.6.12-rc2")

Signed-off-by: Lorenzo Bianconi &lt;lorenzo.bianconi@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context, indentation]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tcp: fix tcp_ecn_withdraw_cwr() to clear TCP_ECN_QUEUE_CWR</title>
<updated>2019-11-22T15:57:28+00:00</updated>
<author>
<name>Neal Cardwell</name>
<email>ncardwell@google.com</email>
</author>
<published>2019-09-09T20:56:02+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b82e198c5c252b12b8b0878494aee6c8535da98f'/>
<id>b82e198c5c252b12b8b0878494aee6c8535da98f</id>
<content type='text'>
commit af38d07ed391b21f7405fa1f936ca9686787d6d2 upstream.

Fix tcp_ecn_withdraw_cwr() to clear the correct bit:
TCP_ECN_QUEUE_CWR.

Rationale: basically, TCP_ECN_DEMAND_CWR is a bit that is purely about
the behavior of data receivers, and deciding whether to reflect
incoming IP ECN CE marks as outgoing TCP th-&gt;ece marks. The
TCP_ECN_QUEUE_CWR bit is purely about the behavior of data senders,
and deciding whether to send CWR. The tcp_ecn_withdraw_cwr() function
is only called from tcp_undo_cwnd_reduction() by data senders during
an undo, so it should zero the sender-side state,
TCP_ECN_QUEUE_CWR. It does not make sense to stop the reflection of
incoming CE bits on incoming data packets just because outgoing
packets were spuriously retransmitted.

The bug has been reproduced with packetdrill to manifest in a scenario
with RFC3168 ECN, with an incoming data packet with CE bit set and
carrying a TCP timestamp value that causes cwnd undo. Before this fix,
the IP CE bit was ignored and not reflected in the TCP ECE header bit,
and sender sent a TCP CWR ('W') bit on the next outgoing data packet,
even though the cwnd reduction had been undone.  After this fix, the
sender properly reflects the CE bit and does not set the W bit.

Note: the bug actually predates 2005 git history; this Fixes footer is
chosen to be the oldest SHA1 I have tested (from Sep 2007) for which
the patch applies cleanly (since before this commit the code was in a
.h file).

Fixes: bdf1ee5d3bd3 ("[TCP]: Move code from tcp_ecn.h to tcp*.c and tcp.h &amp; remove it")
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Acked-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Acked-by: Soheil Hassas Yeganeh &lt;soheil@google.com&gt;
Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit af38d07ed391b21f7405fa1f936ca9686787d6d2 upstream.

Fix tcp_ecn_withdraw_cwr() to clear the correct bit:
TCP_ECN_QUEUE_CWR.

Rationale: basically, TCP_ECN_DEMAND_CWR is a bit that is purely about
the behavior of data receivers, and deciding whether to reflect
incoming IP ECN CE marks as outgoing TCP th-&gt;ece marks. The
TCP_ECN_QUEUE_CWR bit is purely about the behavior of data senders,
and deciding whether to send CWR. The tcp_ecn_withdraw_cwr() function
is only called from tcp_undo_cwnd_reduction() by data senders during
an undo, so it should zero the sender-side state,
TCP_ECN_QUEUE_CWR. It does not make sense to stop the reflection of
incoming CE bits on incoming data packets just because outgoing
packets were spuriously retransmitted.

The bug has been reproduced with packetdrill to manifest in a scenario
with RFC3168 ECN, with an incoming data packet with CE bit set and
carrying a TCP timestamp value that causes cwnd undo. Before this fix,
the IP CE bit was ignored and not reflected in the TCP ECE header bit,
and sender sent a TCP CWR ('W') bit on the next outgoing data packet,
even though the cwnd reduction had been undone.  After this fix, the
sender properly reflects the CE bit and does not set the W bit.

Note: the bug actually predates 2005 git history; this Fixes footer is
chosen to be the oldest SHA1 I have tested (from Sep 2007) for which
the patch applies cleanly (since before this commit the code was in a
.h file).

Fixes: bdf1ee5d3bd3 ("[TCP]: Move code from tcp_ecn.h to tcp*.c and tcp.h &amp; remove it")
Signed-off-by: Neal Cardwell &lt;ncardwell@google.com&gt;
Acked-by: Yuchung Cheng &lt;ycheng@google.com&gt;
Acked-by: Soheil Hassas Yeganeh &lt;soheil@google.com&gt;
Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>igmp: fix memory leak in igmpv3_del_delrec()</title>
<updated>2019-10-31T22:15:00+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-06-27T08:27:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a19230f4a8340452f62daae11fd8f12b19a8c00c'/>
<id>a19230f4a8340452f62daae11fd8f12b19a8c00c</id>
<content type='text'>
commit e5b1c6c6277d5a283290a8c033c72544746f9b5b upstream.

im-&gt;tomb and/or im-&gt;sources might not be NULL, but we
currently overwrite their values blindly.

Using swap() will make sure the following call to kfree_pmc(pmc)
will properly free the psf structures.

Tested with the C repro provided by syzbot, which basically does :

 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
 setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0
 setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0
 exit_group(0)                    = ?

BUG: memory leak
unreferenced object 0xffff88811450f140 (size 64):
  comm "softirq", pid 0, jiffies 4294942448 (age 32.070s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  ................
    00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;00000000c7bad083&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [&lt;00000000c7bad083&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;00000000c7bad083&gt;] slab_alloc mm/slab.c:3326 [inline]
    [&lt;00000000c7bad083&gt;] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [&lt;000000009acc4151&gt;] kmalloc include/linux/slab.h:547 [inline]
    [&lt;000000009acc4151&gt;] kzalloc include/linux/slab.h:742 [inline]
    [&lt;000000009acc4151&gt;] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline]
    [&lt;000000009acc4151&gt;] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100
    [&lt;000000004ac14566&gt;] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484
    [&lt;0000000052d8f995&gt;] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959
    [&lt;000000004ee1e21f&gt;] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248
    [&lt;0000000066cdfe74&gt;] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618
    [&lt;000000009383a786&gt;] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126
    [&lt;00000000d8ac0c94&gt;] __sys_setsockopt+0x98/0x120 net/socket.c:2072
    [&lt;000000001b1e9666&gt;] __do_sys_setsockopt net/socket.c:2083 [inline]
    [&lt;000000001b1e9666&gt;] __se_sys_setsockopt net/socket.c:2080 [inline]
    [&lt;000000001b1e9666&gt;] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
    [&lt;00000000420d395e&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;000000007fd83a4b&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit e5b1c6c6277d5a283290a8c033c72544746f9b5b upstream.

im-&gt;tomb and/or im-&gt;sources might not be NULL, but we
currently overwrite their values blindly.

Using swap() will make sure the following call to kfree_pmc(pmc)
will properly free the psf structures.

Tested with the C repro provided by syzbot, which basically does :

 socket(PF_INET, SOCK_DGRAM, IPPROTO_IP) = 3
 setsockopt(3, SOL_IP, IP_ADD_MEMBERSHIP, "\340\0\0\2\177\0\0\1\0\0\0\0", 12) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=0}) = 0
 setsockopt(3, SOL_IP, IP_MSFILTER, "\340\0\0\2\177\0\0\1\1\0\0\0\1\0\0\0\377\377\377\377", 20) = 0
 ioctl(3, SIOCSIFFLAGS, {ifr_name="lo", ifr_flags=IFF_UP}) = 0
 exit_group(0)                    = ?

BUG: memory leak
unreferenced object 0xffff88811450f140 (size 64):
  comm "softirq", pid 0, jiffies 4294942448 (age 32.070s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 ff ff ff ff 00 00 00 00  ................
    00 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;00000000c7bad083&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [&lt;00000000c7bad083&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;00000000c7bad083&gt;] slab_alloc mm/slab.c:3326 [inline]
    [&lt;00000000c7bad083&gt;] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [&lt;000000009acc4151&gt;] kmalloc include/linux/slab.h:547 [inline]
    [&lt;000000009acc4151&gt;] kzalloc include/linux/slab.h:742 [inline]
    [&lt;000000009acc4151&gt;] ip_mc_add1_src net/ipv4/igmp.c:1976 [inline]
    [&lt;000000009acc4151&gt;] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2100
    [&lt;000000004ac14566&gt;] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2484
    [&lt;0000000052d8f995&gt;] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:959
    [&lt;000000004ee1e21f&gt;] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1248
    [&lt;0000000066cdfe74&gt;] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2618
    [&lt;000000009383a786&gt;] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3126
    [&lt;00000000d8ac0c94&gt;] __sys_setsockopt+0x98/0x120 net/socket.c:2072
    [&lt;000000001b1e9666&gt;] __do_sys_setsockopt net/socket.c:2083 [inline]
    [&lt;000000001b1e9666&gt;] __se_sys_setsockopt net/socket.c:2080 [inline]
    [&lt;000000001b1e9666&gt;] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2080
    [&lt;00000000420d395e&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;000000007fd83a4b&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 24803f38a5c0 ("igmp: do not remove igmp souce list info when set link down")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Reported-by: syzbot+6ca1abd0db68b5173a4f@syzkaller.appspotmail.com
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4/igmp: fix build error if !CONFIG_IP_MULTICAST</title>
<updated>2019-10-05T15:19:44+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-05-23T01:35:16+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4fd933e50b9278fe4ff061658aff987b5e90792f'/>
<id>4fd933e50b9278fe4ff061658aff987b5e90792f</id>
<content type='text'>
commit 903869bd10e6719b9df6718e785be7ec725df59f upstream.

ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST

Fixes: 3580d04aa674 ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: kbuild test robot &lt;lkp@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 903869bd10e6719b9df6718e785be7ec725df59f upstream.

ip_sf_list_clear_all() needs to be defined even if !CONFIG_IP_MULTICAST

Fixes: 3580d04aa674 ("ipv4/igmp: fix another memory leak in igmpv3_del_delrec()")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: kbuild test robot &lt;lkp@intel.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4/igmp: fix another memory leak in igmpv3_del_delrec()</title>
<updated>2019-10-05T15:19:43+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-05-22T23:51:22+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b03e7435b937fc6916d252fc962c2508ff2f2ac9'/>
<id>b03e7435b937fc6916d252fc962c2508ff2f2ac9</id>
<content type='text'>
commit 3580d04aa674383c42de7b635d28e52a1e5bc72c upstream.

syzbot reported memory leaks [1] that I have back tracked to
a missing cleanup from igmpv3_del_delrec() when
(im-&gt;sfmode != MCAST_INCLUDE)

Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely
handle the cleanups before freeing.

[1]

BUG: memory leak
unreferenced object 0xffff888123e32b00 (size 64):
  comm "softirq", pid 0, jiffies 4294942968 (age 8.010s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000006105011b&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [&lt;000000006105011b&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;000000006105011b&gt;] slab_alloc mm/slab.c:3326 [inline]
    [&lt;000000006105011b&gt;] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [&lt;000000004bba8073&gt;] kmalloc include/linux/slab.h:547 [inline]
    [&lt;000000004bba8073&gt;] kzalloc include/linux/slab.h:742 [inline]
    [&lt;000000004bba8073&gt;] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline]
    [&lt;000000004bba8073&gt;] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085
    [&lt;00000000a46a65a0&gt;] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475
    [&lt;000000005956ca89&gt;] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957
    [&lt;00000000848e2d2f&gt;] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246
    [&lt;00000000b9db185c&gt;] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
    [&lt;000000003028e438&gt;] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
    [&lt;0000000015b65589&gt;] __sys_setsockopt+0x98/0x120 net/socket.c:2078
    [&lt;00000000ac198ef0&gt;] __do_sys_setsockopt net/socket.c:2089 [inline]
    [&lt;00000000ac198ef0&gt;] __se_sys_setsockopt net/socket.c:2086 [inline]
    [&lt;00000000ac198ef0&gt;] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
    [&lt;000000000a770437&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;00000000d3adb93b&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 3580d04aa674383c42de7b635d28e52a1e5bc72c upstream.

syzbot reported memory leaks [1] that I have back tracked to
a missing cleanup from igmpv3_del_delrec() when
(im-&gt;sfmode != MCAST_INCLUDE)

Add ip_sf_list_clear_all() and kfree_pmc() helpers to explicitely
handle the cleanups before freeing.

[1]

BUG: memory leak
unreferenced object 0xffff888123e32b00 (size 64):
  comm "softirq", pid 0, jiffies 4294942968 (age 8.010s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 e0 00 00 01 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000006105011b&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [&lt;000000006105011b&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;000000006105011b&gt;] slab_alloc mm/slab.c:3326 [inline]
    [&lt;000000006105011b&gt;] kmem_cache_alloc_trace+0x13d/0x280 mm/slab.c:3553
    [&lt;000000004bba8073&gt;] kmalloc include/linux/slab.h:547 [inline]
    [&lt;000000004bba8073&gt;] kzalloc include/linux/slab.h:742 [inline]
    [&lt;000000004bba8073&gt;] ip_mc_add1_src net/ipv4/igmp.c:1961 [inline]
    [&lt;000000004bba8073&gt;] ip_mc_add_src+0x36b/0x400 net/ipv4/igmp.c:2085
    [&lt;00000000a46a65a0&gt;] ip_mc_msfilter+0x22d/0x310 net/ipv4/igmp.c:2475
    [&lt;000000005956ca89&gt;] do_ip_setsockopt.isra.0+0x1795/0x1930 net/ipv4/ip_sockglue.c:957
    [&lt;00000000848e2d2f&gt;] ip_setsockopt+0x3b/0xb0 net/ipv4/ip_sockglue.c:1246
    [&lt;00000000b9db185c&gt;] udp_setsockopt+0x4e/0x90 net/ipv4/udp.c:2616
    [&lt;000000003028e438&gt;] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3130
    [&lt;0000000015b65589&gt;] __sys_setsockopt+0x98/0x120 net/socket.c:2078
    [&lt;00000000ac198ef0&gt;] __do_sys_setsockopt net/socket.c:2089 [inline]
    [&lt;00000000ac198ef0&gt;] __se_sys_setsockopt net/socket.c:2086 [inline]
    [&lt;00000000ac198ef0&gt;] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2086
    [&lt;000000000a770437&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;00000000d3adb93b&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Hangbin Liu &lt;liuhangbin@gmail.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>igmp: add a missing spin_lock_init()</title>
<updated>2019-10-05T15:19:43+00:00</updated>
<author>
<name>WANG Cong</name>
<email>xiyou.wangcong@gmail.com</email>
</author>
<published>2017-06-20T17:46:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6e26abbc3621699bd17fb4559a2a2249e32c2421'/>
<id>6e26abbc3621699bd17fb4559a2a2249e32c2421</id>
<content type='text'>
commit b4846fc3c8559649277e3e4e6b5cec5348a8d208 upstream.

Andrey reported a lockdep warning on non-initialized
spinlock:

 INFO: trying to register non-static key.
 the code is fine but needs lockdep annotation.
 turning off the locking correctness validator.
 CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 Call Trace:
  __dump_stack lib/dump_stack.c:16
  dump_stack+0x292/0x395 lib/dump_stack.c:52
  register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755
  ? 0xffffffffa0000000
  __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255
  lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
  __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
  _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175
  spin_lock_bh ./include/linux/spinlock.h:304
  ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076
  igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194
  ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736

We miss a spin_lock_init() in igmpv3_add_delrec(), probably
because previously we never use it on this code path. Since
we already unlink it from the global mc_tomb list, it is
probably safe not to acquire this spinlock here. It does not
harm to have it although, to avoid conditional locking.

Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()")
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b4846fc3c8559649277e3e4e6b5cec5348a8d208 upstream.

Andrey reported a lockdep warning on non-initialized
spinlock:

 INFO: trying to register non-static key.
 the code is fine but needs lockdep annotation.
 turning off the locking correctness validator.
 CPU: 1 PID: 4099 Comm: a.out Not tainted 4.12.0-rc6+ #9
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 Call Trace:
  __dump_stack lib/dump_stack.c:16
  dump_stack+0x292/0x395 lib/dump_stack.c:52
  register_lock_class+0x717/0x1aa0 kernel/locking/lockdep.c:755
  ? 0xffffffffa0000000
  __lock_acquire+0x269/0x3690 kernel/locking/lockdep.c:3255
  lock_acquire+0x22d/0x560 kernel/locking/lockdep.c:3855
  __raw_spin_lock_bh ./include/linux/spinlock_api_smp.h:135
  _raw_spin_lock_bh+0x36/0x50 kernel/locking/spinlock.c:175
  spin_lock_bh ./include/linux/spinlock.h:304
  ip_mc_clear_src+0x27/0x1e0 net/ipv4/igmp.c:2076
  igmpv3_clear_delrec+0xee/0x4f0 net/ipv4/igmp.c:1194
  ip_mc_destroy_dev+0x4e/0x190 net/ipv4/igmp.c:1736

We miss a spin_lock_init() in igmpv3_add_delrec(), probably
because previously we never use it on this code path. Since
we already unlink it from the global mc_tomb list, it is
probably safe not to acquire this spinlock here. It does not
harm to have it although, to avoid conditional locking.

Fixes: c38b7d327aaf ("igmp: acquire pmc lock for ip_mc_clear_src()")
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>igmp: acquire pmc lock for ip_mc_clear_src()</title>
<updated>2019-10-05T15:19:43+00:00</updated>
<author>
<name>WANG Cong</name>
<email>xiyou.wangcong@gmail.com</email>
</author>
<published>2017-06-12T16:52:26+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ba9d3bec402bd9d937aecd0ff2142e4ab5e96e33'/>
<id>ba9d3bec402bd9d937aecd0ff2142e4ab5e96e33</id>
<content type='text'>
commit c38b7d327aafd1e3ad7ff53eefac990673b65667 upstream.

Andrey reported a use-after-free in add_grec():

        for (psf = *psf_list; psf; psf = psf_next) {
		...
                psf_next = psf-&gt;sf_next;

where the struct ip_sf_list's were already freed by:

 kfree+0xe8/0x2b0 mm/slub.c:3882
 ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078
 ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618
 ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609
 inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411
 sock_release+0x8d/0x1e0 net/socket.c:597
 sock_close+0x16/0x20 net/socket.c:1072

This happens because we don't hold pmc-&gt;lock in ip_mc_clear_src()
and a parallel mr_ifc_timer timer could jump in and access them.

The RCU lock is there but it is merely for pmc itself, this
spinlock could actually ensure we don't access them in parallel.

Thanks to Eric and Long for discussion on this bug.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Reviewed-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit c38b7d327aafd1e3ad7ff53eefac990673b65667 upstream.

Andrey reported a use-after-free in add_grec():

        for (psf = *psf_list; psf; psf = psf_next) {
		...
                psf_next = psf-&gt;sf_next;

where the struct ip_sf_list's were already freed by:

 kfree+0xe8/0x2b0 mm/slub.c:3882
 ip_mc_clear_src+0x69/0x1c0 net/ipv4/igmp.c:2078
 ip_mc_dec_group+0x19a/0x470 net/ipv4/igmp.c:1618
 ip_mc_drop_socket+0x145/0x230 net/ipv4/igmp.c:2609
 inet_release+0x4e/0x1c0 net/ipv4/af_inet.c:411
 sock_release+0x8d/0x1e0 net/socket.c:597
 sock_close+0x16/0x20 net/socket.c:1072

This happens because we don't hold pmc-&gt;lock in ip_mc_clear_src()
and a parallel mr_ifc_timer timer could jump in and access them.

The RCU lock is there but it is merely for pmc itself, this
spinlock could actually ensure we don't access them in parallel.

Thanks to Eric and Long for discussion on this bug.

Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Cc: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: Cong Wang &lt;xiyou.wangcong@gmail.com&gt;
Reviewed-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: Use return value of inet_iif() for __raw_v4_lookup in the while loop</title>
<updated>2019-09-23T20:12:01+00:00</updated>
<author>
<name>Stephen Suryaputra</name>
<email>ssuryaextr@gmail.com</email>
</author>
<published>2019-06-25T00:14:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=0c0c20a940b19138e42b57a68c2b1aafbb9846de'/>
<id>0c0c20a940b19138e42b57a68c2b1aafbb9846de</id>
<content type='text'>
commit 38c73529de13e1e10914de7030b659a2f8b01c3b upstream.

In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local
traffic"), the dif argument to __raw_v4_lookup() is coming from the
returned value of inet_iif() but the change was done only for the first
lookup. Subsequent lookups in the while loop still use skb-&gt;dev-&gt;ifIndex.

Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic")
Signed-off-by: Stephen Suryaputra &lt;ssuryaextr@gmail.com&gt;
Reviewed-by: David Ahern &lt;dsahern@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 38c73529de13e1e10914de7030b659a2f8b01c3b upstream.

In commit 19e4e768064a8 ("ipv4: Fix raw socket lookup for local
traffic"), the dif argument to __raw_v4_lookup() is coming from the
returned value of inet_iif() but the change was done only for the first
lookup. Subsequent lookups in the while loop still use skb-&gt;dev-&gt;ifIndex.

Fixes: 19e4e768064a8 ("ipv4: Fix raw socket lookup for local traffic")
Signed-off-by: Stephen Suryaputra &lt;ssuryaextr@gmail.com&gt;
Reviewed-by: David Ahern &lt;dsahern@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 3.16: adjust context]
Signed-off-by: Ben Hutchings &lt;ben@decadent.org.uk&gt;
</pre>
</div>
</content>
</entry>
</feed>
