<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/ipv6, branch v4.9.207</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>Revert "net: sit: fix memory leak in sit_init_net()"</title>
<updated>2019-10-29T08:15:26+00:00</updated>
<author>
<name>Ajay Kaher</name>
<email>akaher@vmware.com</email>
</author>
<published>2019-10-16T09:03:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=45156a8303266fe29375e677713522cb1ab99fa5'/>
<id>45156a8303266fe29375e677713522cb1ab99fa5</id>
<content type='text'>
This reverts commit 375d6d454a95ebacb9c6eb0b715da05a4458ffef which is
commit 07f12b26e21ab359261bf75cfcb424fdc7daeb6d upstream.

Unnecessarily calling free_netdev() from sit_init_net().
ipip6_dev_free() of 4.9.y called free_netdev(), so no need
to call again after ipip6_dev_free().

Cc: Mao Wenan &lt;maowenan@huawei.com&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ajay Kaher &lt;akaher@vmware.com&gt;
Reviewed-by: Mao Wenan &lt;maowenan@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This reverts commit 375d6d454a95ebacb9c6eb0b715da05a4458ffef which is
commit 07f12b26e21ab359261bf75cfcb424fdc7daeb6d upstream.

Unnecessarily calling free_netdev() from sit_init_net().
ipip6_dev_free() of 4.9.y called free_netdev(), so no need
to call again after ipip6_dev_free().

Cc: Mao Wenan &lt;maowenan@huawei.com&gt;
Cc: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Ajay Kaher &lt;akaher@vmware.com&gt;
Reviewed-by: Mao Wenan &lt;maowenan@huawei.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: Handle missing host route in __ipv6_ifa_notify</title>
<updated>2019-10-07T16:53:24+00:00</updated>
<author>
<name>David Ahern</name>
<email>dsahern@gmail.com</email>
</author>
<published>2019-10-04T15:03:09+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4d3ab6e95c319bba6ce8547c8b8d9126f9f8fc5c'/>
<id>4d3ab6e95c319bba6ce8547c8b8d9126f9f8fc5c</id>
<content type='text'>
[ Upstream commit 2d819d250a1393a3e725715425ab70a0e0772a71 ]

Rajendra reported a kernel panic when a link was taken down:

    [ 6870.263084] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
    [ 6870.271856] IP: [&lt;ffffffff8efc5764&gt;] __ipv6_ifa_notify+0x154/0x290

    &lt;snip&gt;

    [ 6870.570501] Call Trace:
    [ 6870.573238] [&lt;ffffffff8efc58c6&gt;] ? ipv6_ifa_notify+0x26/0x40
    [ 6870.579665] [&lt;ffffffff8efc98ec&gt;] ? addrconf_dad_completed+0x4c/0x2c0
    [ 6870.586869] [&lt;ffffffff8efe70c6&gt;] ? ipv6_dev_mc_inc+0x196/0x260
    [ 6870.593491] [&lt;ffffffff8efc9c6a&gt;] ? addrconf_dad_work+0x10a/0x430
    [ 6870.600305] [&lt;ffffffff8f01ade4&gt;] ? __switch_to_asm+0x34/0x70
    [ 6870.606732] [&lt;ffffffff8ea93a7a&gt;] ? process_one_work+0x18a/0x430
    [ 6870.613449] [&lt;ffffffff8ea93d6d&gt;] ? worker_thread+0x4d/0x490
    [ 6870.619778] [&lt;ffffffff8ea93d20&gt;] ? process_one_work+0x430/0x430
    [ 6870.626495] [&lt;ffffffff8ea99dd9&gt;] ? kthread+0xd9/0xf0
    [ 6870.632145] [&lt;ffffffff8f01ade4&gt;] ? __switch_to_asm+0x34/0x70
    [ 6870.638573] [&lt;ffffffff8ea99d00&gt;] ? kthread_park+0x60/0x60
    [ 6870.644707] [&lt;ffffffff8f01ae77&gt;] ? ret_from_fork+0x57/0x70
    [ 6870.650936] Code: 31 c0 31 d2 41 b9 20 00 08 02 b9 09 00 00 0

addrconf_dad_work is kicked to be scheduled when a device is brought
up. There is a race between addrcond_dad_work getting scheduled and
taking the rtnl lock and a process taking the link down (under rtnl).
The latter removes the host route from the inet6_addr as part of
addrconf_ifdown which is run for NETDEV_DOWN. The former attempts
to use the host route in __ipv6_ifa_notify. If the down event removes
the host route due to the race to the rtnl, then the BUG listed above
occurs.

Since the DAD sequence can not be aborted, add a check for the missing
host route in __ipv6_ifa_notify. The only way this should happen is due
to the previously mentioned race. The host route is created when the
address is added to an interface; it is only removed on a down event
where the address is kept. Add a warning if the host route is missing
AND the device is up; this is a situation that should never happen.

Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional")
Reported-by: Rajendra Dendukuri &lt;rajendra.dendukuri@broadcom.com&gt;
Signed-off-by: David Ahern &lt;dsahern@gmail.com&gt;
Reviewed-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 2d819d250a1393a3e725715425ab70a0e0772a71 ]

Rajendra reported a kernel panic when a link was taken down:

    [ 6870.263084] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8
    [ 6870.271856] IP: [&lt;ffffffff8efc5764&gt;] __ipv6_ifa_notify+0x154/0x290

    &lt;snip&gt;

    [ 6870.570501] Call Trace:
    [ 6870.573238] [&lt;ffffffff8efc58c6&gt;] ? ipv6_ifa_notify+0x26/0x40
    [ 6870.579665] [&lt;ffffffff8efc98ec&gt;] ? addrconf_dad_completed+0x4c/0x2c0
    [ 6870.586869] [&lt;ffffffff8efe70c6&gt;] ? ipv6_dev_mc_inc+0x196/0x260
    [ 6870.593491] [&lt;ffffffff8efc9c6a&gt;] ? addrconf_dad_work+0x10a/0x430
    [ 6870.600305] [&lt;ffffffff8f01ade4&gt;] ? __switch_to_asm+0x34/0x70
    [ 6870.606732] [&lt;ffffffff8ea93a7a&gt;] ? process_one_work+0x18a/0x430
    [ 6870.613449] [&lt;ffffffff8ea93d6d&gt;] ? worker_thread+0x4d/0x490
    [ 6870.619778] [&lt;ffffffff8ea93d20&gt;] ? process_one_work+0x430/0x430
    [ 6870.626495] [&lt;ffffffff8ea99dd9&gt;] ? kthread+0xd9/0xf0
    [ 6870.632145] [&lt;ffffffff8f01ade4&gt;] ? __switch_to_asm+0x34/0x70
    [ 6870.638573] [&lt;ffffffff8ea99d00&gt;] ? kthread_park+0x60/0x60
    [ 6870.644707] [&lt;ffffffff8f01ae77&gt;] ? ret_from_fork+0x57/0x70
    [ 6870.650936] Code: 31 c0 31 d2 41 b9 20 00 08 02 b9 09 00 00 0

addrconf_dad_work is kicked to be scheduled when a device is brought
up. There is a race between addrcond_dad_work getting scheduled and
taking the rtnl lock and a process taking the link down (under rtnl).
The latter removes the host route from the inet6_addr as part of
addrconf_ifdown which is run for NETDEV_DOWN. The former attempts
to use the host route in __ipv6_ifa_notify. If the down event removes
the host route due to the race to the rtnl, then the BUG listed above
occurs.

Since the DAD sequence can not be aborted, add a check for the missing
host route in __ipv6_ifa_notify. The only way this should happen is due
to the previously mentioned race. The host route is created when the
address is added to an interface; it is only removed on a down event
where the address is kept. Add a warning if the host route is missing
AND the device is up; this is a situation that should never happen.

Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional")
Reported-by: Rajendra Dendukuri &lt;rajendra.dendukuri@broadcom.com&gt;
Signed-off-by: David Ahern &lt;dsahern@gmail.com&gt;
Reviewed-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: drop incoming packets having a v4mapped source address</title>
<updated>2019-10-07T16:53:20+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-10-02T16:38:55+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c784a010ca2d6721ffe23f99a2b14abe6f63a4eb'/>
<id>c784a010ca2d6721ffe23f99a2b14abe6f63a4eb</id>
<content type='text'>
[ Upstream commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3 ]

This began with a syzbot report. syzkaller was injecting
IPv6 TCP SYN packets having a v4mapped source address.

After an unsuccessful 4-tuple lookup, TCP creates a request
socket (SYN_RECV) and calls reqsk_queue_hash_req()

reqsk_queue_hash_req() calls sk_ehashfn(sk)

At this point we have AF_INET6 sockets, and the heuristic
used by sk_ehashfn() to either hash the IPv4 or IPv6 addresses
is to use ipv6_addr_v4mapped(&amp;sk-&gt;sk_v6_daddr)

For the particular spoofed packet, we end up hashing V4 addresses
which were not initialized by the TCP IPv6 stack, so KMSAN fired
a warning.

I first fixed sk_ehashfn() to test both source and destination addresses,
but then faced various problems, including user-space programs
like packetdrill that had similar assumptions.

Instead of trying to fix the whole ecosystem, it is better
to admit that we have a dual stack behavior, and that we
can not build linux kernels without V4 stack anyway.

The dual stack API automatically forces the traffic to be IPv4
if v4mapped addresses are used at bind() or connect(), so it makes
no sense to allow IPv6 traffic to use the same v4mapped class.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Florian Westphal &lt;fw@strlen.de&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3 ]

This began with a syzbot report. syzkaller was injecting
IPv6 TCP SYN packets having a v4mapped source address.

After an unsuccessful 4-tuple lookup, TCP creates a request
socket (SYN_RECV) and calls reqsk_queue_hash_req()

reqsk_queue_hash_req() calls sk_ehashfn(sk)

At this point we have AF_INET6 sockets, and the heuristic
used by sk_ehashfn() to either hash the IPv4 or IPv6 addresses
is to use ipv6_addr_v4mapped(&amp;sk-&gt;sk_v6_daddr)

For the particular spoofed packet, we end up hashing V4 addresses
which were not initialized by the TCP IPv6 stack, so KMSAN fired
a warning.

I first fixed sk_ehashfn() to test both source and destination addresses,
but then faced various problems, including user-space programs
like packetdrill that had similar assumptions.

Instead of trying to fix the whole ecosystem, it is better
to admit that we have a dual stack behavior, and that we
can not build linux kernels without V4 stack anyway.

The dual stack API automatically forces the traffic to be IPv4
if v4mapped addresses are used at bind() or connect(), so it makes
no sense to allow IPv6 traffic to use the same v4mapped class.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Florian Westphal &lt;fw@strlen.de&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: Fix the link time qualifier of 'ping_v6_proc_exit_net()'</title>
<updated>2019-09-21T05:14:01+00:00</updated>
<author>
<name>Christophe JAILLET</name>
<email>christophe.jaillet@wanadoo.fr</email>
</author>
<published>2019-09-10T11:29:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d2807ced8536d55d296b1d862e5141c7484c191b'/>
<id>d2807ced8536d55d296b1d862e5141c7484c191b</id>
<content type='text'>
[ Upstream commit d23dbc479a8e813db4161a695d67da0e36557846 ]

The '.exit' functions from 'pernet_operations' structure should be marked
as __net_exit, not __net_init.

Fixes: d862e5461423 ("net: ipv6: Implement /proc/net/icmp6.")
Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d23dbc479a8e813db4161a695d67da0e36557846 ]

The '.exit' functions from 'pernet_operations' structure should be marked
as __net_exit, not __net_init.

Fixes: d862e5461423 ("net: ipv6: Implement /proc/net/icmp6.")
Signed-off-by: Christophe JAILLET &lt;christophe.jaillet@wanadoo.fr&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>mld: fix memory leak in mld_del_delrec()</title>
<updated>2019-09-10T09:31:04+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-08-27T10:33:12+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=362da40c50a1b6127f763e52286328b790928014'/>
<id>362da40c50a1b6127f763e52286328b790928014</id>
<content type='text'>
[ Upstream commit a84d016479896b5526a2cc54784e6ffc41c9d6f6 ]

Similar to the fix done for IPv4 in commit e5b1c6c6277d
("igmp: fix memory leak in igmpv3_del_delrec()"), we need to
make sure mca_tomb and mca_sources are not blindly overwritten.

Using swap() then a call to ip6_mc_clear_src() will take care
of the missing free.

BUG: memory leak
unreferenced object 0xffff888117d9db00 (size 64):
  comm "syz-executor247", pid 6918, jiffies 4294943989 (age 25.350s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 fe 88 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000005b463030&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [&lt;000000005b463030&gt;] slab_post_alloc_hook mm/slab.h:522 [inline]
    [&lt;000000005b463030&gt;] slab_alloc mm/slab.c:3319 [inline]
    [&lt;000000005b463030&gt;] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
    [&lt;00000000939cbf94&gt;] kmalloc include/linux/slab.h:552 [inline]
    [&lt;00000000939cbf94&gt;] kzalloc include/linux/slab.h:748 [inline]
    [&lt;00000000939cbf94&gt;] ip6_mc_add1_src net/ipv6/mcast.c:2236 [inline]
    [&lt;00000000939cbf94&gt;] ip6_mc_add_src+0x31f/0x420 net/ipv6/mcast.c:2356
    [&lt;00000000d8972221&gt;] ip6_mc_source+0x4a8/0x600 net/ipv6/mcast.c:449
    [&lt;000000002b203d0d&gt;] do_ipv6_setsockopt.isra.0+0x1b92/0x1dd0 net/ipv6/ipv6_sockglue.c:748
    [&lt;000000001f1e2d54&gt;] ipv6_setsockopt+0x89/0xd0 net/ipv6/ipv6_sockglue.c:944
    [&lt;00000000c8f7bdf9&gt;] udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1558
    [&lt;000000005a9a0c5e&gt;] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3139
    [&lt;00000000910b37b2&gt;] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
    [&lt;00000000e9108023&gt;] __do_sys_setsockopt net/socket.c:2100 [inline]
    [&lt;00000000e9108023&gt;] __se_sys_setsockopt net/socket.c:2097 [inline]
    [&lt;00000000e9108023&gt;] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2097
    [&lt;00000000f4818160&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
    [&lt;000000008d367e8f&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a84d016479896b5526a2cc54784e6ffc41c9d6f6 ]

Similar to the fix done for IPv4 in commit e5b1c6c6277d
("igmp: fix memory leak in igmpv3_del_delrec()"), we need to
make sure mca_tomb and mca_sources are not blindly overwritten.

Using swap() then a call to ip6_mc_clear_src() will take care
of the missing free.

BUG: memory leak
unreferenced object 0xffff888117d9db00 (size 64):
  comm "syz-executor247", pid 6918, jiffies 4294943989 (age 25.350s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 fe 88 00 00 00 00 00 00  ................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
  backtrace:
    [&lt;000000005b463030&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:43 [inline]
    [&lt;000000005b463030&gt;] slab_post_alloc_hook mm/slab.h:522 [inline]
    [&lt;000000005b463030&gt;] slab_alloc mm/slab.c:3319 [inline]
    [&lt;000000005b463030&gt;] kmem_cache_alloc_trace+0x145/0x2c0 mm/slab.c:3548
    [&lt;00000000939cbf94&gt;] kmalloc include/linux/slab.h:552 [inline]
    [&lt;00000000939cbf94&gt;] kzalloc include/linux/slab.h:748 [inline]
    [&lt;00000000939cbf94&gt;] ip6_mc_add1_src net/ipv6/mcast.c:2236 [inline]
    [&lt;00000000939cbf94&gt;] ip6_mc_add_src+0x31f/0x420 net/ipv6/mcast.c:2356
    [&lt;00000000d8972221&gt;] ip6_mc_source+0x4a8/0x600 net/ipv6/mcast.c:449
    [&lt;000000002b203d0d&gt;] do_ipv6_setsockopt.isra.0+0x1b92/0x1dd0 net/ipv6/ipv6_sockglue.c:748
    [&lt;000000001f1e2d54&gt;] ipv6_setsockopt+0x89/0xd0 net/ipv6/ipv6_sockglue.c:944
    [&lt;00000000c8f7bdf9&gt;] udpv6_setsockopt+0x4e/0x90 net/ipv6/udp.c:1558
    [&lt;000000005a9a0c5e&gt;] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3139
    [&lt;00000000910b37b2&gt;] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
    [&lt;00000000e9108023&gt;] __do_sys_setsockopt net/socket.c:2100 [inline]
    [&lt;00000000e9108023&gt;] __se_sys_setsockopt net/socket.c:2097 [inline]
    [&lt;00000000e9108023&gt;] __x64_sys_setsockopt+0x26/0x30 net/socket.c:2097
    [&lt;00000000f4818160&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:296
    [&lt;000000008d367e8f&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1666d49e1d41 ("mld: do not remove mld souce list info when set link down")
Fixes: 9c8bb163ae78 ("igmp, mld: Fix memory leak in igmpv3/mld_del_delrec()")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>inet: switch IP ID generator to siphash</title>
<updated>2019-08-25T08:51:42+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-08-16T23:01:27+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=b97a2f3d58f439d11ececb2faa21dac775d63c5c'/>
<id>b97a2f3d58f439d11ececb2faa21dac775d63c5c</id>
<content type='text'>
commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream.

According to Amit Klein and Benny Pinkas, IP ID generation is too weak
and might be used by attackers.

Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
having 64bit key and Jenkins hash is risky.

It is time to switch to siphash and its 128bit keys.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Amit Klein &lt;aksecurity@gmail.com&gt;
Reported-by: Benny Pinkas &lt;benny@pinkas.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 4.9: adjust context]
Signed-off-by: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit df453700e8d81b1bdafdf684365ee2b9431fb702 upstream.

According to Amit Klein and Benny Pinkas, IP ID generation is too weak
and might be used by attackers.

Even with recent net_hash_mix() fix (netns: provide pure entropy for net_hash_mix())
having 64bit key and Jenkins hash is risky.

It is time to switch to siphash and its 128bit keys.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Amit Klein &lt;aksecurity@gmail.com&gt;
Reported-by: Benny Pinkas &lt;benny@pinkas.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 4.9: adjust context]
Signed-off-by: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ip6_tunnel: fix possible use-after-free on xmit</title>
<updated>2019-08-11T10:22:17+00:00</updated>
<author>
<name>Haishuang Yan</name>
<email>yanhaishuang@cmss.chinamobile.com</email>
</author>
<published>2019-07-25T16:40:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dfb98836f9a3feb4be8128521d1f4809814b092c'/>
<id>dfb98836f9a3feb4be8128521d1f4809814b092c</id>
<content type='text'>
[ Upstream commit 01f5bffad555f8e22a61f4b1261fe09cf1b96994 ]

ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which
can cause a possible use-after-free accessing iph/ipv6h pointer
since the packet will be 'uncloned' running pskb_expand_head if
it is a cloned gso skb.

Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
Signed-off-by: Haishuang Yan &lt;yanhaishuang@cmss.chinamobile.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 01f5bffad555f8e22a61f4b1261fe09cf1b96994 ]

ip4ip6/ip6ip6 tunnels run iptunnel_handle_offloads on xmit which
can cause a possible use-after-free accessing iph/ipv6h pointer
since the packet will be 'uncloned' running pskb_expand_head if
it is a cloned gso skb.

Fixes: 0e9a709560db ("ip6_tunnel, ip6_gre: fix setting of DSCP on encapsulated packets")
Signed-off-by: Haishuang Yan &lt;yanhaishuang@cmss.chinamobile.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: check sk sk_type and protocol early in ip_mroute_set/getsockopt</title>
<updated>2019-08-04T07:33:43+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2017-02-24T08:29:06+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1e531ad4316cb47c6c2b42f3257d1841a6e837e7'/>
<id>1e531ad4316cb47c6c2b42f3257d1841a6e837e7</id>
<content type='text'>
[ Upstream commit 99253eb750fda6a644d5188fb26c43bad8d5a745 ]

Commit 5e1859fbcc3c ("ipv4: ipmr: various fixes and cleanups") fixed
the issue for ipv4 ipmr:

  ip_mroute_setsockopt() &amp; ip_mroute_getsockopt() should not
  access/set raw_sk(sk)-&gt;ipmr_table before making sure the socket
  is a raw socket, and protocol is IGMP

The same fix should be done for ipv6 ipmr as well.

This patch can fix the panic caused by overwriting the same offset
as ipmr_table as in raw_sk(sk) when accessing other type's socket
by ip_mroute_setsockopt().

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 99253eb750fda6a644d5188fb26c43bad8d5a745 ]

Commit 5e1859fbcc3c ("ipv4: ipmr: various fixes and cleanups") fixed
the issue for ipv4 ipmr:

  ip_mroute_setsockopt() &amp; ip_mroute_getsockopt() should not
  access/set raw_sk(sk)-&gt;ipmr_table before making sure the socket
  is a raw socket, and protocol is IGMP

The same fix should be done for ipv6 ipmr as well.

This patch can fix the panic caused by overwriting the same offset
as ipmr_table as in raw_sk(sk) when accessing other type's socket
by ip_mroute_setsockopt().

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: ipv6: nf_defrag: accept duplicate fragments again</title>
<updated>2019-07-21T07:05:53+00:00</updated>
<author>
<name>Guillaume Nault</name>
<email>gnault@redhat.com</email>
</author>
<published>2019-06-06T16:04:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ac1cd6c960bf60799a72ac23644ff5fd95b4021f'/>
<id>ac1cd6c960bf60799a72ac23644ff5fd95b4021f</id>
<content type='text'>
[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]

When fixing the skb leak introduced by the conversion to rbtree, I
forgot about the special case of duplicate fragments. The condition
under the 'insert_error' label isn't effective anymore as
nf_ct_frg6_gather() doesn't override the returned value anymore. So
duplicate fragments now get NF_DROP verdict.

To accept duplicate fragments again, handle them specially as soon as
inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
translate to NF_STOLEN verdict, like any accepted fragment. However,
such packets don't carry any new information and aren't queued, so we
just drop them immediately.

Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
Signed-off-by: Guillaume Nault &lt;gnault@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8a3dca632538c550930ce8bafa8c906b130d35cf ]

When fixing the skb leak introduced by the conversion to rbtree, I
forgot about the special case of duplicate fragments. The condition
under the 'insert_error' label isn't effective anymore as
nf_ct_frg6_gather() doesn't override the returned value anymore. So
duplicate fragments now get NF_DROP verdict.

To accept duplicate fragments again, handle them specially as soon as
inet_frag_queue_insert() reports them. Return -EINPROGRESS which will
translate to NF_STOLEN verdict, like any accepted fragment. However,
such packets don't carry any new information and aren't queued, so we
just drop them immediately.

Fixes: a0d56cb911ca ("netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments")
Signed-off-by: Guillaume Nault &lt;gnault@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>netfilter: ipv6: nf_defrag: fix leakage of unqueued fragments</title>
<updated>2019-07-21T07:05:52+00:00</updated>
<author>
<name>Guillaume Nault</name>
<email>gnault@redhat.com</email>
</author>
<published>2019-06-02T13:13:47+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=87a3cb06055668cde432d6d0350ebfc3384b5077'/>
<id>87a3cb06055668cde432d6d0350ebfc3384b5077</id>
<content type='text'>
[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]

With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
after the skb has been added to the fragment queue and
nf_ct_frag6_gather() was adapted to handle this case.

But nf_ct_frag6_queue() can still fail before the fragment has been
queued. nf_ct_frag6_gather() can't handle this case anymore, because it
has no way to know if nf_ct_frag6_queue() queued the fragment before
failing. If it didn't, the skb is lost as the error code is overwritten
with -EINPROGRESS.

Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
that nf_ct_frag6_gather() can propagate the error as is.

Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
Signed-off-by: Guillaume Nault &lt;gnault@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a0d56cb911ca301de81735f1d73c2aab424654ba ]

With commit 997dd9647164 ("net: IP6 defrag: use rbtrees in
nf_conntrack_reasm.c"), nf_ct_frag6_reasm() is now called from
nf_ct_frag6_queue(). With this change, nf_ct_frag6_queue() can fail
after the skb has been added to the fragment queue and
nf_ct_frag6_gather() was adapted to handle this case.

But nf_ct_frag6_queue() can still fail before the fragment has been
queued. nf_ct_frag6_gather() can't handle this case anymore, because it
has no way to know if nf_ct_frag6_queue() queued the fragment before
failing. If it didn't, the skb is lost as the error code is overwritten
with -EINPROGRESS.

Fix this by setting -EINPROGRESS directly in nf_ct_frag6_queue(), so
that nf_ct_frag6_gather() can propagate the error as is.

Fixes: 997dd9647164 ("net: IP6 defrag: use rbtrees in nf_conntrack_reasm.c")
Signed-off-by: Guillaume Nault &lt;gnault@redhat.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;sashal@kernel.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
