<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v3.12.69</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>net: ping: check minimum size on ICMP header length</title>
<updated>2016-12-13T15:57:24+00:00</updated>
<author>
<name>Kees Cook</name>
<email>keescook@chromium.org</email>
</author>
<published>2016-12-05T18:34:38+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3b395fd11b5bc1933e5ffcb83ad92e4a33977ee7'/>
<id>3b395fd11b5bc1933e5ffcb83ad92e4a33977ee7</id>
<content type='text'>
[ Upstream commit 0eab121ef8750a5c8637d51534d5e9143fb0633f ]

Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
was no check that the iovec contained enough bytes for an ICMP header,
and the read loop would walk across neighboring stack contents. Since the
iov_iter conversion, bad arguments are noticed, but the returned error is
EFAULT. Returning EINVAL is a clearer error and also solves the problem
prior to v3.19.

This was found using trinity with KASAN on v3.18:

BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[&lt;ffffffc000209c98&gt;] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[&lt;ffffffc000209e54&gt;] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[&lt;     inline     &gt;] __dump_stack lib/dump_stack.c:15
[&lt;ffffffc000f18dc4&gt;] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[&lt;     inline     &gt;] print_address_description mm/kasan/report.c:147
[&lt;     inline     &gt;] kasan_report_error mm/kasan/report.c:236
[&lt;ffffffc000373dcc&gt;] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[&lt;     inline     &gt;] check_memory_region mm/kasan/kasan.c:264
[&lt;ffffffc00037352c&gt;] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[&lt;ffffffc0005b9624&gt;] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[&lt;     inline     &gt;] memcpy_from_msg include/linux/skbuff.h:2667
[&lt;ffffffc000ddeba0&gt;] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[&lt;ffffffc000dded30&gt;] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[&lt;ffffffc000dc91dc&gt;] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[&lt;     inline     &gt;] __sock_sendmsg_nosec net/socket.c:624
[&lt;     inline     &gt;] __sock_sendmsg net/socket.c:632
[&lt;ffffffc000cab61c&gt;] sock_sendmsg+0x124/0x164 net/socket.c:643
[&lt;     inline     &gt;] SYSC_sendto net/socket.c:1797
[&lt;ffffffc000cad270&gt;] SyS_sendto+0x178/0x1d8 net/socket.c:1761

CVE-2016-8399

Reported-by: Qidan He &lt;i@flanker017.me&gt;
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 0eab121ef8750a5c8637d51534d5e9143fb0633f ]

Prior to commit c0371da6047a ("put iov_iter into msghdr") in v3.19, there
was no check that the iovec contained enough bytes for an ICMP header,
and the read loop would walk across neighboring stack contents. Since the
iov_iter conversion, bad arguments are noticed, but the returned error is
EFAULT. Returning EINVAL is a clearer error and also solves the problem
prior to v3.19.

This was found using trinity with KASAN on v3.18:

BUG: KASAN: stack-out-of-bounds in memcpy_fromiovec+0x60/0x114 at addr ffffffc071077da0
Read of size 8 by task trinity-c2/9623
page:ffffffbe034b9a08 count:0 mapcount:0 mapping:          (null) index:0x0
flags: 0x0()
page dumped because: kasan: bad access detected
CPU: 0 PID: 9623 Comm: trinity-c2 Tainted: G    BU         3.18.0-dirty #15
Hardware name: Google Tegra210 Smaug Rev 1,3+ (DT)
Call trace:
[&lt;ffffffc000209c98&gt;] dump_backtrace+0x0/0x1ac arch/arm64/kernel/traps.c:90
[&lt;ffffffc000209e54&gt;] show_stack+0x10/0x1c arch/arm64/kernel/traps.c:171
[&lt;     inline     &gt;] __dump_stack lib/dump_stack.c:15
[&lt;ffffffc000f18dc4&gt;] dump_stack+0x7c/0xd0 lib/dump_stack.c:50
[&lt;     inline     &gt;] print_address_description mm/kasan/report.c:147
[&lt;     inline     &gt;] kasan_report_error mm/kasan/report.c:236
[&lt;ffffffc000373dcc&gt;] kasan_report+0x380/0x4b8 mm/kasan/report.c:259
[&lt;     inline     &gt;] check_memory_region mm/kasan/kasan.c:264
[&lt;ffffffc00037352c&gt;] __asan_load8+0x20/0x70 mm/kasan/kasan.c:507
[&lt;ffffffc0005b9624&gt;] memcpy_fromiovec+0x5c/0x114 lib/iovec.c:15
[&lt;     inline     &gt;] memcpy_from_msg include/linux/skbuff.h:2667
[&lt;ffffffc000ddeba0&gt;] ping_common_sendmsg+0x50/0x108 net/ipv4/ping.c:674
[&lt;ffffffc000dded30&gt;] ping_v4_sendmsg+0xd8/0x698 net/ipv4/ping.c:714
[&lt;ffffffc000dc91dc&gt;] inet_sendmsg+0xe0/0x12c net/ipv4/af_inet.c:749
[&lt;     inline     &gt;] __sock_sendmsg_nosec net/socket.c:624
[&lt;     inline     &gt;] __sock_sendmsg net/socket.c:632
[&lt;ffffffc000cab61c&gt;] sock_sendmsg+0x124/0x164 net/socket.c:643
[&lt;     inline     &gt;] SYSC_sendto net/socket.c:1797
[&lt;ffffffc000cad270&gt;] SyS_sendto+0x178/0x1d8 net/socket.c:1761

CVE-2016-8399

Reported-by: Qidan He &lt;i@flanker017.me&gt;
Fixes: c319b4d76b9e ("net: ipv4: add IPPROTO_ICMP socket kind")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook &lt;keescook@chromium.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: avoid signed overflows for SO_{SND|RCV}BUFFORCE</title>
<updated>2016-12-13T15:57:21+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-12-02T17:44:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=40c753f1714416931dc093b960aa3fcac4a545c5'/>
<id>40c753f1714416931dc093b960aa3fcac4a545c5</id>
<content type='text'>
[ Upstream commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 ]

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b98b0bc8c431e3ceb4b26b0dfc8db509518fb290 ]

CAP_NET_ADMIN users should not be allowed to set negative
sk_sndbuf or sk_rcvbuf values, as it can lead to various memory
corruptions, crashes, OOM...

Note that before commit 82981930125a ("net: cleanups in
sock_setsockopt()"), the bug was even more serious, since SO_SNDBUF
and SO_RCVBUF were vulnerable.

This needs to be backported to all known linux kernels.

Again, many thanks to syzkaller team for discovering this gem.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>packet: fix race condition in packet_set_ring</title>
<updated>2016-12-13T15:57:17+00:00</updated>
<author>
<name>Philip Pettersson</name>
<email>philip.pettersson@gmail.com</email>
</author>
<published>2016-11-30T22:55:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c80480c4ad5208431a7fb003472bd576bbe6ebb7'/>
<id>c80480c4ad5208431a7fb003472bd576bbe6ebb7</id>
<content type='text'>
[ Upstream commit 84ac7260236a49c79eede91617700174c2c19b0c ]

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson &lt;philip.pettersson@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 84ac7260236a49c79eede91617700174c2c19b0c ]

When packet_set_ring creates a ring buffer it will initialize a
struct timer_list if the packet version is TPACKET_V3. This value
can then be raced by a different thread calling setsockopt to
set the version to TPACKET_V1 before packet_set_ring has finished.

This leads to a use-after-free on a function pointer in the
struct timer_list when the socket is closed as the previously
initialized timer will not be deleted.

The bug is fixed by taking lock_sock(sk) in packet_setsockopt when
changing the packet version while also taking the lock at the start
of packet_set_ring.

Fixes: f6fb8f100b80 ("af-packet: TPACKET_V3 flexible buffer implementation.")
Signed-off-by: Philip Pettersson &lt;philip.pettersson@gmail.com&gt;
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net/dccp: fix use-after-free in dccp_invalid_packet</title>
<updated>2016-12-13T15:57:14+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-11-28T14:26:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7d4c3e3e3d69e854333e664a3e6071a8da65e879'/>
<id>7d4c3e3e3d69e854333e664a3e6071a8da65e879</id>
<content type='text'>
[ Upstream commit 648f0c28df282636c0c8a7a19ca3ce5fc80a39c3 ]

pskb_may_pull() can reallocate skb-&gt;head, we need to reload dh pointer
in dccp_invalid_packet() or risk use after free.

Bug found by Andrey Konovalov using syzkaller.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 648f0c28df282636c0c8a7a19ca3ce5fc80a39c3 ]

pskb_may_pull() can reallocate skb-&gt;head, we need to reload dh pointer
in dccp_invalid_packet() or risk use after free.

Bug found by Andrey Konovalov using syzkaller.

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net/sched: pedit: make sure that offset is valid</title>
<updated>2016-12-13T15:57:11+00:00</updated>
<author>
<name>Amir Vadai</name>
<email>amir@vadai.me</email>
</author>
<published>2016-11-28T10:56:40+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f277a1310514bff1c5f05c93b33bd7caf2e119fb'/>
<id>f277a1310514bff1c5f05c93b33bd7caf2e119fb</id>
<content type='text'>
[ Upstream commit 95c2027bfeda21a28eb245121e6a249f38d0788e ]

Add a validation function to make sure offset is valid:
1. Not below skb head (could happen when offset is negative).
2. Validate both 'offset' and 'at'.

Signed-off-by: Amir Vadai &lt;amir@vadai.me&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 95c2027bfeda21a28eb245121e6a249f38d0788e ]

Add a validation function to make sure offset is valid:
1. Not below skb head (could happen when offset is negative).
2. Validate both 'offset' and 'at'.

Signed-off-by: Amir Vadai &lt;amir@vadai.me&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>l2tp: fix racy SOCK_ZAPPED flag check in l2tp_ip{,6}_bind()</title>
<updated>2016-12-13T15:57:06+00:00</updated>
<author>
<name>Guillaume Nault</name>
<email>g.nault@alphalink.fr</email>
</author>
<published>2016-11-18T21:13:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c20932ae0d412f1aabf3514891cdd6ae6a08ae01'/>
<id>c20932ae0d412f1aabf3514891cdd6ae6a08ae01</id>
<content type='text'>
[ Upstream commit 32c231164b762dddefa13af5a0101032c70b50ef ]

Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
 ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
 ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
 [&lt;ffffffff829f835b&gt;] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [&lt;ffffffff8174d3cc&gt;] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [&lt;     inline     &gt;] print_address_description mm/kasan/report.c:194
 [&lt;ffffffff8174d666&gt;] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [&lt;     inline     &gt;] kasan_report mm/kasan/report.c:303
 [&lt;ffffffff8174db7e&gt;] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [&lt;     inline     &gt;] __write_once_size ./include/linux/compiler.h:249
 [&lt;     inline     &gt;] __hlist_del ./include/linux/list.h:622
 [&lt;     inline     &gt;] hlist_del_init ./include/linux/list.h:637
 [&lt;ffffffff8579047e&gt;] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
 [&lt;ffffffff850b2dfd&gt;] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [&lt;ffffffff851dc5a0&gt;] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [&lt;ffffffff84c4581d&gt;] sock_release+0x8d/0x1d0 net/socket.c:570
 [&lt;ffffffff84c45976&gt;] sock_close+0x16/0x20 net/socket.c:1017
 [&lt;ffffffff817a108c&gt;] __fput+0x28c/0x780 fs/file_table.c:208
 [&lt;ffffffff817a1605&gt;] ____fput+0x15/0x20 fs/file_table.c:244
 [&lt;ffffffff813774f9&gt;] task_work_run+0xf9/0x170
 [&lt;ffffffff81324aae&gt;] do_exit+0x85e/0x2a00
 [&lt;ffffffff81326dc8&gt;] do_group_exit+0x108/0x330
 [&lt;ffffffff81348cf7&gt;] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [&lt;ffffffff811b49af&gt;] do_signal+0x7f/0x18f0
 [&lt;ffffffff810039bf&gt;] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [&lt;     inline     &gt;] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [&lt;ffffffff81006060&gt;] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [&lt;ffffffff85e4d726&gt;] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
 [ 1116.897025] [&lt;ffffffff811ddcb6&gt;] save_stack_trace+0x16/0x20
 [ 1116.897025] [&lt;ffffffff8174c736&gt;] save_stack+0x46/0xd0
 [ 1116.897025] [&lt;ffffffff8174c9ad&gt;] kasan_kmalloc+0xad/0xe0
 [ 1116.897025] [&lt;ffffffff8174cee2&gt;] kasan_slab_alloc+0x12/0x20
 [ 1116.897025] [&lt;     inline     &gt;] slab_post_alloc_hook mm/slab.h:417
 [ 1116.897025] [&lt;     inline     &gt;] slab_alloc_node mm/slub.c:2708
 [ 1116.897025] [&lt;     inline     &gt;] slab_alloc mm/slub.c:2716
 [ 1116.897025] [&lt;ffffffff817476a8&gt;] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [ 1116.897025] [&lt;ffffffff84c4f6a9&gt;] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [ 1116.897025] [&lt;ffffffff84c58ac8&gt;] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [ 1116.897025] [&lt;ffffffff851ddf67&gt;] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
 [ 1116.897025] [&lt;ffffffff84c4af7b&gt;] __sock_create+0x37b/0x640 net/socket.c:1153
 [ 1116.897025] [&lt;     inline     &gt;] sock_create net/socket.c:1193
 [ 1116.897025] [&lt;     inline     &gt;] SYSC_socket net/socket.c:1223
 [ 1116.897025] [&lt;ffffffff84c4b46f&gt;] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [ 1116.897025] [&lt;ffffffff85e4d685&gt;] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
 [ 1116.897025] [&lt;ffffffff811ddcb6&gt;] save_stack_trace+0x16/0x20
 [ 1116.897025] [&lt;ffffffff8174c736&gt;] save_stack+0x46/0xd0
 [ 1116.897025] [&lt;ffffffff8174cf61&gt;] kasan_slab_free+0x71/0xb0
 [ 1116.897025] [&lt;     inline     &gt;] slab_free_hook mm/slub.c:1352
 [ 1116.897025] [&lt;     inline     &gt;] slab_free_freelist_hook mm/slub.c:1374
 [ 1116.897025] [&lt;     inline     &gt;] slab_free mm/slub.c:2951
 [ 1116.897025] [&lt;ffffffff81748b28&gt;] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [ 1116.897025] [&lt;     inline     &gt;] sk_prot_free net/core/sock.c:1369
 [ 1116.897025] [&lt;ffffffff84c541eb&gt;] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
 [ 1116.897025] [&lt;ffffffff84c5aca4&gt;] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [ 1116.897025] [&lt;ffffffff84c5ad33&gt;] __sk_free+0x53/0x220 net/core/sock.c:1460
 [ 1116.897025] [&lt;ffffffff84c5af23&gt;] sk_free+0x23/0x30 net/core/sock.c:1471
 [ 1116.897025] [&lt;ffffffff84c5cb6c&gt;] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
 [ 1116.897025] [&lt;ffffffff8579044e&gt;] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
 [ 1116.897025] [&lt;ffffffff850b2dfd&gt;] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [ 1116.897025] [&lt;ffffffff851dc5a0&gt;] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [ 1116.897025] [&lt;ffffffff84c4581d&gt;] sock_release+0x8d/0x1d0 net/socket.c:570
 [ 1116.897025] [&lt;ffffffff84c45976&gt;] sock_close+0x16/0x20 net/socket.c:1017
 [ 1116.897025] [&lt;ffffffff817a108c&gt;] __fput+0x28c/0x780 fs/file_table.c:208
 [ 1116.897025] [&lt;ffffffff817a1605&gt;] ____fput+0x15/0x20 fs/file_table.c:244
 [ 1116.897025] [&lt;ffffffff813774f9&gt;] task_work_run+0xf9/0x170
 [ 1116.897025] [&lt;ffffffff81324aae&gt;] do_exit+0x85e/0x2a00
 [ 1116.897025] [&lt;ffffffff81326dc8&gt;] do_group_exit+0x108/0x330
 [ 1116.897025] [&lt;ffffffff81348cf7&gt;] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [ 1116.897025] [&lt;ffffffff811b49af&gt;] do_signal+0x7f/0x18f0
 [ 1116.897025] [&lt;ffffffff810039bf&gt;] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [ 1116.897025] [&lt;     inline     &gt;] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [ 1116.897025] [&lt;ffffffff81006060&gt;] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [ 1116.897025] [&lt;ffffffff85e4d726&gt;] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
&gt;ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding &lt;sploving1@gmail.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Baozeng Ding &lt;sploving1@gmail.com&gt;
Signed-off-by: Guillaume Nault &lt;g.nault@alphalink.fr&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 32c231164b762dddefa13af5a0101032c70b50ef ]

Lock socket before checking the SOCK_ZAPPED flag in l2tp_ip6_bind().
Without lock, a concurrent call could modify the socket flags between
the sock_flag(sk, SOCK_ZAPPED) test and the lock_sock() call. This way,
a socket could be inserted twice in l2tp_ip6_bind_table. Releasing it
would then leave a stale pointer there, generating use-after-free
errors when walking through the list or modifying adjacent entries.

BUG: KASAN: use-after-free in l2tp_ip6_close+0x22e/0x290 at addr ffff8800081b0ed8
Write of size 8 by task syz-executor/10987
CPU: 0 PID: 10987 Comm: syz-executor Not tainted 4.8.0+ #39
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.8.2-0-g33fbe13 by qemu-project.org 04/01/2014
 ffff880031d97838 ffffffff829f835b ffff88001b5a1640 ffff8800081b0ec0
 ffff8800081b15a0 ffff8800081b6d20 ffff880031d97860 ffffffff8174d3cc
 ffff880031d978f0 ffff8800081b0e80 ffff88001b5a1640 ffff880031d978e0
Call Trace:
 [&lt;ffffffff829f835b&gt;] dump_stack+0xb3/0x118 lib/dump_stack.c:15
 [&lt;ffffffff8174d3cc&gt;] kasan_object_err+0x1c/0x70 mm/kasan/report.c:156
 [&lt;     inline     &gt;] print_address_description mm/kasan/report.c:194
 [&lt;ffffffff8174d666&gt;] kasan_report_error+0x1f6/0x4d0 mm/kasan/report.c:283
 [&lt;     inline     &gt;] kasan_report mm/kasan/report.c:303
 [&lt;ffffffff8174db7e&gt;] __asan_report_store8_noabort+0x3e/0x40 mm/kasan/report.c:329
 [&lt;     inline     &gt;] __write_once_size ./include/linux/compiler.h:249
 [&lt;     inline     &gt;] __hlist_del ./include/linux/list.h:622
 [&lt;     inline     &gt;] hlist_del_init ./include/linux/list.h:637
 [&lt;ffffffff8579047e&gt;] l2tp_ip6_close+0x22e/0x290 net/l2tp/l2tp_ip6.c:239
 [&lt;ffffffff850b2dfd&gt;] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [&lt;ffffffff851dc5a0&gt;] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [&lt;ffffffff84c4581d&gt;] sock_release+0x8d/0x1d0 net/socket.c:570
 [&lt;ffffffff84c45976&gt;] sock_close+0x16/0x20 net/socket.c:1017
 [&lt;ffffffff817a108c&gt;] __fput+0x28c/0x780 fs/file_table.c:208
 [&lt;ffffffff817a1605&gt;] ____fput+0x15/0x20 fs/file_table.c:244
 [&lt;ffffffff813774f9&gt;] task_work_run+0xf9/0x170
 [&lt;ffffffff81324aae&gt;] do_exit+0x85e/0x2a00
 [&lt;ffffffff81326dc8&gt;] do_group_exit+0x108/0x330
 [&lt;ffffffff81348cf7&gt;] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [&lt;ffffffff811b49af&gt;] do_signal+0x7f/0x18f0
 [&lt;ffffffff810039bf&gt;] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [&lt;     inline     &gt;] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [&lt;ffffffff81006060&gt;] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [&lt;ffffffff85e4d726&gt;] entry_SYSCALL_64_fastpath+0xc4/0xc6
Object at ffff8800081b0ec0, in cache L2TP/IPv6 size: 1448
Allocated:
PID = 10987
 [ 1116.897025] [&lt;ffffffff811ddcb6&gt;] save_stack_trace+0x16/0x20
 [ 1116.897025] [&lt;ffffffff8174c736&gt;] save_stack+0x46/0xd0
 [ 1116.897025] [&lt;ffffffff8174c9ad&gt;] kasan_kmalloc+0xad/0xe0
 [ 1116.897025] [&lt;ffffffff8174cee2&gt;] kasan_slab_alloc+0x12/0x20
 [ 1116.897025] [&lt;     inline     &gt;] slab_post_alloc_hook mm/slab.h:417
 [ 1116.897025] [&lt;     inline     &gt;] slab_alloc_node mm/slub.c:2708
 [ 1116.897025] [&lt;     inline     &gt;] slab_alloc mm/slub.c:2716
 [ 1116.897025] [&lt;ffffffff817476a8&gt;] kmem_cache_alloc+0xc8/0x2b0 mm/slub.c:2721
 [ 1116.897025] [&lt;ffffffff84c4f6a9&gt;] sk_prot_alloc+0x69/0x2b0 net/core/sock.c:1326
 [ 1116.897025] [&lt;ffffffff84c58ac8&gt;] sk_alloc+0x38/0xae0 net/core/sock.c:1388
 [ 1116.897025] [&lt;ffffffff851ddf67&gt;] inet6_create+0x2d7/0x1000 net/ipv6/af_inet6.c:182
 [ 1116.897025] [&lt;ffffffff84c4af7b&gt;] __sock_create+0x37b/0x640 net/socket.c:1153
 [ 1116.897025] [&lt;     inline     &gt;] sock_create net/socket.c:1193
 [ 1116.897025] [&lt;     inline     &gt;] SYSC_socket net/socket.c:1223
 [ 1116.897025] [&lt;ffffffff84c4b46f&gt;] SyS_socket+0xef/0x1b0 net/socket.c:1203
 [ 1116.897025] [&lt;ffffffff85e4d685&gt;] entry_SYSCALL_64_fastpath+0x23/0xc6
Freed:
PID = 10987
 [ 1116.897025] [&lt;ffffffff811ddcb6&gt;] save_stack_trace+0x16/0x20
 [ 1116.897025] [&lt;ffffffff8174c736&gt;] save_stack+0x46/0xd0
 [ 1116.897025] [&lt;ffffffff8174cf61&gt;] kasan_slab_free+0x71/0xb0
 [ 1116.897025] [&lt;     inline     &gt;] slab_free_hook mm/slub.c:1352
 [ 1116.897025] [&lt;     inline     &gt;] slab_free_freelist_hook mm/slub.c:1374
 [ 1116.897025] [&lt;     inline     &gt;] slab_free mm/slub.c:2951
 [ 1116.897025] [&lt;ffffffff81748b28&gt;] kmem_cache_free+0xc8/0x330 mm/slub.c:2973
 [ 1116.897025] [&lt;     inline     &gt;] sk_prot_free net/core/sock.c:1369
 [ 1116.897025] [&lt;ffffffff84c541eb&gt;] __sk_destruct+0x32b/0x4f0 net/core/sock.c:1444
 [ 1116.897025] [&lt;ffffffff84c5aca4&gt;] sk_destruct+0x44/0x80 net/core/sock.c:1452
 [ 1116.897025] [&lt;ffffffff84c5ad33&gt;] __sk_free+0x53/0x220 net/core/sock.c:1460
 [ 1116.897025] [&lt;ffffffff84c5af23&gt;] sk_free+0x23/0x30 net/core/sock.c:1471
 [ 1116.897025] [&lt;ffffffff84c5cb6c&gt;] sk_common_release+0x28c/0x3e0 ./include/net/sock.h:1589
 [ 1116.897025] [&lt;ffffffff8579044e&gt;] l2tp_ip6_close+0x1fe/0x290 net/l2tp/l2tp_ip6.c:243
 [ 1116.897025] [&lt;ffffffff850b2dfd&gt;] inet_release+0xed/0x1c0 net/ipv4/af_inet.c:415
 [ 1116.897025] [&lt;ffffffff851dc5a0&gt;] inet6_release+0x50/0x70 net/ipv6/af_inet6.c:422
 [ 1116.897025] [&lt;ffffffff84c4581d&gt;] sock_release+0x8d/0x1d0 net/socket.c:570
 [ 1116.897025] [&lt;ffffffff84c45976&gt;] sock_close+0x16/0x20 net/socket.c:1017
 [ 1116.897025] [&lt;ffffffff817a108c&gt;] __fput+0x28c/0x780 fs/file_table.c:208
 [ 1116.897025] [&lt;ffffffff817a1605&gt;] ____fput+0x15/0x20 fs/file_table.c:244
 [ 1116.897025] [&lt;ffffffff813774f9&gt;] task_work_run+0xf9/0x170
 [ 1116.897025] [&lt;ffffffff81324aae&gt;] do_exit+0x85e/0x2a00
 [ 1116.897025] [&lt;ffffffff81326dc8&gt;] do_group_exit+0x108/0x330
 [ 1116.897025] [&lt;ffffffff81348cf7&gt;] get_signal+0x617/0x17a0 kernel/signal.c:2307
 [ 1116.897025] [&lt;ffffffff811b49af&gt;] do_signal+0x7f/0x18f0
 [ 1116.897025] [&lt;ffffffff810039bf&gt;] exit_to_usermode_loop+0xbf/0x150 arch/x86/entry/common.c:156
 [ 1116.897025] [&lt;     inline     &gt;] prepare_exit_to_usermode arch/x86/entry/common.c:190
 [ 1116.897025] [&lt;ffffffff81006060&gt;] syscall_return_slowpath+0x1a0/0x1e0 arch/x86/entry/common.c:259
 [ 1116.897025] [&lt;ffffffff85e4d726&gt;] entry_SYSCALL_64_fastpath+0xc4/0xc6
Memory state around the buggy address:
 ffff8800081b0d80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
 ffff8800081b0e00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
&gt;ffff8800081b0e80: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
                                                    ^
 ffff8800081b0f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8800081b0f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

==================================================================

The same issue exists with l2tp_ip_bind() and l2tp_ip_bind_table.

Fixes: c51ce49735c1 ("l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case")
Reported-by: Baozeng Ding &lt;sploving1@gmail.com&gt;
Reported-by: Andrey Konovalov &lt;andreyknvl@google.com&gt;
Tested-by: Baozeng Ding &lt;sploving1@gmail.com&gt;
Signed-off-by: Guillaume Nault &lt;g.nault@alphalink.fr&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ip6_tunnel: disable caching when the traffic class is inherited</title>
<updated>2016-12-13T15:56:51+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2016-11-16T15:26:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1c38b671960b2abe6116b506986836a7d07503e5'/>
<id>1c38b671960b2abe6116b506986836a7d07503e5</id>
<content type='text'>
[ Upstream commit b5c2d49544e5930c96e2632a7eece3f4325a1888 ]

If an ip6 tunnel is configured to inherit the traffic class from
the inner header, the dst_cache must be disabled or it will foul
the policy routing.

The issue is apprently there since at leat Linux-2.6.12-rc2.

Reported-by: Liam McBirnie &lt;liam.mcbirnie@boeing.com&gt;
Cc: Liam McBirnie &lt;liam.mcbirnie@boeing.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b5c2d49544e5930c96e2632a7eece3f4325a1888 ]

If an ip6 tunnel is configured to inherit the traffic class from
the inner header, the dst_cache must be disabled or it will foul
the policy routing.

The issue is apprently there since at leat Linux-2.6.12-rc2.

Reported-by: Liam McBirnie &lt;liam.mcbirnie@boeing.com&gt;
Cc: Liam McBirnie &lt;liam.mcbirnie@boeing.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv4: Set skb-&gt;protocol properly for local output</title>
<updated>2016-12-12T15:12:12+00:00</updated>
<author>
<name>Eli Cooper</name>
<email>elicooper@gmx.com</email>
</author>
<published>2016-12-01T02:05:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a9c4561ef479f2cb522504276bce86c8dbeaa31d'/>
<id>a9c4561ef479f2cb522504276bce86c8dbeaa31d</id>
<content type='text'>
commit f4180439109aa720774baafdd798b3234ab1a0d2 upstream.

When xfrm is applied to TSO/GSO packets, it follows this path:

    xfrm_output() -&gt; xfrm_output_gso() -&gt; skb_gso_segment()

where skb_gso_segment() relies on skb-&gt;protocol to function properly.

This patch sets skb-&gt;protocol to ETH_P_IP before dst_output() is called,
fixing a bug where GSO packets sent through a sit tunnel are dropped
when xfrm is involved.

Signed-off-by: Eli Cooper &lt;elicooper@gmx.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f4180439109aa720774baafdd798b3234ab1a0d2 upstream.

When xfrm is applied to TSO/GSO packets, it follows this path:

    xfrm_output() -&gt; xfrm_output_gso() -&gt; skb_gso_segment()

where skb_gso_segment() relies on skb-&gt;protocol to function properly.

This patch sets skb-&gt;protocol to ETH_P_IP before dst_output() is called,
fixing a bug where GSO packets sent through a sit tunnel are dropped
when xfrm is involved.

Signed-off-by: Eli Cooper &lt;elicooper@gmx.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: Set skb-&gt;protocol properly for local output</title>
<updated>2016-12-12T15:12:12+00:00</updated>
<author>
<name>Eli Cooper</name>
<email>elicooper@gmx.com</email>
</author>
<published>2016-12-01T02:05:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bd03e19dda9fc28bf8060626fe15730108904195'/>
<id>bd03e19dda9fc28bf8060626fe15730108904195</id>
<content type='text'>
commit b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 upstream.

When xfrm is applied to TSO/GSO packets, it follows this path:

    xfrm_output() -&gt; xfrm_output_gso() -&gt; skb_gso_segment()

where skb_gso_segment() relies on skb-&gt;protocol to function properly.

This patch sets skb-&gt;protocol to ETH_P_IPV6 before dst_output() is called,
fixing a bug where GSO packets sent through an ipip6 tunnel are dropped
when xfrm is involved.

Signed-off-by: Eli Cooper &lt;elicooper@gmx.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit b4e479a96fc398ccf83bb1cffb4ffef8631beaf1 upstream.

When xfrm is applied to TSO/GSO packets, it follows this path:

    xfrm_output() -&gt; xfrm_output_gso() -&gt; skb_gso_segment()

where skb_gso_segment() relies on skb-&gt;protocol to function properly.

This patch sets skb-&gt;protocol to ETH_P_IPV6 before dst_output() is called,
fixing a bug where GSO packets sent through an ipip6 tunnel are dropped
when xfrm is involved.

Signed-off-by: Eli Cooper &lt;elicooper@gmx.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: limit scan results cache size</title>
<updated>2016-12-12T12:55:52+00:00</updated>
<author>
<name>Johannes Berg</name>
<email>johannes.berg@intel.com</email>
</author>
<published>2016-11-15T11:05:11+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e525af57bbeb5c040463cd7afa658a33df52e828'/>
<id>e525af57bbeb5c040463cd7afa658a33df52e828</id>
<content type='text'>
commit 9853a55ef1bb66d7411136046060bbfb69c714fa upstream.

It's possible to make scanning consume almost arbitrary amounts
of memory, e.g. by sending beacon frames with random BSSIDs at
high rates while somebody is scanning.

Limit the number of BSS table entries we're willing to cache to
1000, limiting maximum memory usage to maybe 4-5MB, but lower
in practice - that would be the case for having both full-sized
beacon and probe response frames for each entry; this seems not
possible in practice, so a limit of 1000 entries will likely be
closer to 0.5 MB.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 9853a55ef1bb66d7411136046060bbfb69c714fa upstream.

It's possible to make scanning consume almost arbitrary amounts
of memory, e.g. by sending beacon frames with random BSSIDs at
high rates while somebody is scanning.

Limit the number of BSS table entries we're willing to cache to
1000, limiting maximum memory usage to maybe 4-5MB, but lower
in practice - that would be the case for having both full-sized
beacon and probe response frames for each entry; this seems not
possible in practice, so a limit of 1000 entries will likely be
closer to 0.5 MB.

Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Jiri Slaby &lt;jslaby@suse.cz&gt;

</pre>
</div>
</content>
</entry>
</feed>
