<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v4.1.43</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ipvs: SNAT packet replies only for NATed connections</title>
<updated>2017-07-31T17:37:56+00:00</updated>
<author>
<name>Sasha Levin</name>
<email>alexander.levin@verizon.com</email>
</author>
<published>2017-07-31T13:23:23+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=28d8e1bc09f6f81ba353fac534c93256c998384a'/>
<id>28d8e1bc09f6f81ba353fac534c93256c998384a</id>
<content type='text'>
[ Upstream commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b ]

We do not check if packet from real server is for NAT
connection before performing SNAT. This causes problems
for setups that use DR/TUN and allow local clients to
access the real server directly, for example:

- local client in director creates IPVS-DR/TUN connection
CIP-&gt;VIP and the request packets are routed to RIP.
Talks are finished but IPVS connection is not expired yet.

- second local client creates non-IPVS connection CIP-&gt;RIP
with same reply tuple RIP-&gt;CIP and when replies are received
on LOCAL_IN we wrongly assign them for the first client
connection because RIP-&gt;CIP matches the reply direction.
As result, IPVS SNATs replies for non-IPVS connections.

The problem is more visible to local UDP clients but in rare
cases it can happen also for TCP or remote clients when the
real server sends the reply traffic via the director.

So, better to be more precise for the reply traffic.
As replies are not expected for DR/TUN connections, better
to not touch them.

Reported-by: Nick Moriarty &lt;nick.moriarty@york.ac.uk&gt;
Tested-by: Nick Moriarty &lt;nick.moriarty@york.ac.uk&gt;
Signed-off-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 3c5ab3f395d66a9e4e937fcfdf6ebc63894f028b ]

We do not check if packet from real server is for NAT
connection before performing SNAT. This causes problems
for setups that use DR/TUN and allow local clients to
access the real server directly, for example:

- local client in director creates IPVS-DR/TUN connection
CIP-&gt;VIP and the request packets are routed to RIP.
Talks are finished but IPVS connection is not expired yet.

- second local client creates non-IPVS connection CIP-&gt;RIP
with same reply tuple RIP-&gt;CIP and when replies are received
on LOCAL_IN we wrongly assign them for the first client
connection because RIP-&gt;CIP matches the reply direction.
As result, IPVS SNATs replies for non-IPVS connections.

The problem is more visible to local UDP clients but in rare
cases it can happen also for TCP or remote clients when the
real server sends the reply traffic via the director.

So, better to be more precise for the reply traffic.
As replies are not expected for DR/TUN connections, better
to not touch them.

Reported-by: Nick Moriarty &lt;nick.moriarty@york.ac.uk&gt;
Tested-by: Nick Moriarty &lt;nick.moriarty@york.ac.uk&gt;
Signed-off-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Signed-off-by: Simon Horman &lt;horms@verge.net.au&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: Check if PMKID attribute is of expected size</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Srinivas Dasari</name>
<email>dasaris@qti.qualcomm.com</email>
</author>
<published>2017-07-06T22:43:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=371d2b7115822448a16e2dc83463cf9da5a4e1f0'/>
<id>371d2b7115822448a16e2dc83463cf9da5a4e1f0</id>
<content type='text'>
[ Upstream commit 9361df14d1cbf966409d5d6f48bb334384fbe138 ]

nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.

Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with
NL80211_ATTR_PMKID.

Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 9361df14d1cbf966409d5d6f48bb334384fbe138 ]

nla policy checks for only maximum length of the attribute data
when the attribute type is NLA_BINARY. If userspace sends less
data than specified, the wireless drivers may access illegal
memory. When type is NLA_UNSPEC, nla policy check ensures that
userspace sends minimum specified length number of bytes.

Remove type assignment to NLA_BINARY from nla_policy of
NL80211_ATTR_PMKID to make this NLA_UNSPEC and to make sure minimum
WLAN_PMKID_LEN bytes are received from userspace with
NL80211_ATTR_PMKID.

Fixes: 67fbb16be69d ("nl80211: PMKSA caching support")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: Validate frequencies nested in NL80211_ATTR_SCAN_FREQUENCIES</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Srinivas Dasari</name>
<email>dasaris@qti.qualcomm.com</email>
</author>
<published>2017-07-06T22:43:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7189535967e9928349200f1922ca8e82e309eb6f'/>
<id>7189535967e9928349200f1922ca8e82e309eb6f</id>
<content type='text'>
[ Upstream commit d7f13f7450369281a5d0ea463cc69890a15923ae ]

validate_scan_freqs() retrieves frequencies from attributes
nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
nla_get_u32(), which reads 4 bytes from each attribute
without validating the size of data received. Attributes
nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.

Validate size of each attribute before parsing to avoid potential buffer
overread.

Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d7f13f7450369281a5d0ea463cc69890a15923ae ]

validate_scan_freqs() retrieves frequencies from attributes
nested in the attribute NL80211_ATTR_SCAN_FREQUENCIES with
nla_get_u32(), which reads 4 bytes from each attribute
without validating the size of data received. Attributes
nested in NL80211_ATTR_SCAN_FREQUENCIES don't have an nla policy.

Validate size of each attribute before parsing to avoid potential buffer
overread.

Fixes: 2a519311926 ("cfg80211/nl80211: scanning (and mac80211 update to use it)")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>cfg80211: Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Srinivas Dasari</name>
<email>dasaris@qti.qualcomm.com</email>
</author>
<published>2017-07-06T22:43:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e61d75e0d800c7f4469d391e3598b890be11d95c'/>
<id>e61d75e0d800c7f4469d391e3598b890be11d95c</id>
<content type='text'>
[ Upstream commit 8feb69c7bd89513be80eb19198d48f154b254021 ]

Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.

Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8feb69c7bd89513be80eb19198d48f154b254021 ]

Buffer overread may happen as nl80211_set_station() reads 4 bytes
from the attribute NL80211_ATTR_LOCAL_MESH_POWER_MODE without
validating the size of data received when userspace sends less
than 4 bytes of data with NL80211_ATTR_LOCAL_MESH_POWER_MODE.
Define nla_policy for NL80211_ATTR_LOCAL_MESH_POWER_MODE to avoid
the buffer overread.

Fixes: 3b1c5a5307f ("{cfg,nl}80211: mesh power mode primitives and userspace access")
Cc: stable@vger.kernel.org
Signed-off-by: Srinivas Dasari &lt;dasaris@qti.qualcomm.com&gt;
Signed-off-by: Jouni Malinen &lt;jouni@qca.qualcomm.com&gt;
Signed-off-by: Johannes Berg &lt;johannes.berg@intel.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ipv6: dad: don't remove dynamic addresses if link is down</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Sabrina Dubroca</name>
<email>sd@queasysnail.net</email>
</author>
<published>2017-06-29T14:56:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5f1b07b42274a2e54bcb20a416a0183e014b08d7'/>
<id>5f1b07b42274a2e54bcb20a416a0183e014b08d7</id>
<content type='text'>
[ Upstream commit ec8add2a4c9df723c94a863b8fcd6d93c472deed ]

Currently, when the link for $DEV is down, this command succeeds but the
address is removed immediately by DAD (1):

    ip addr add 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800

In the same situation, this will succeed and not remove the address (2):

    ip addr add 1111::12/64 dev $DEV
    ip addr change 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800

The comment in addrconf_dad_begin() when !IF_READY makes it look like
this is the intended behavior, but doesn't explain why:

     * If the device is not ready:
     * - keep it tentative if it is a permanent address.
     * - otherwise, kill it.

We clearly cannot prevent userspace from doing (2), but we can make (1)
work consistently with (2).

addrconf_dad_stop() is only called in two cases: if DAD failed, or to
skip DAD when the link is down. In that second case, the fix is to avoid
deleting the address, like we already do for permanent addresses.

Fixes: 3c21edbd1137 ("[IPV6]: Defer IPv6 device initialization until the link becomes ready.")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit ec8add2a4c9df723c94a863b8fcd6d93c472deed ]

Currently, when the link for $DEV is down, this command succeeds but the
address is removed immediately by DAD (1):

    ip addr add 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800

In the same situation, this will succeed and not remove the address (2):

    ip addr add 1111::12/64 dev $DEV
    ip addr change 1111::12/64 dev $DEV valid_lft 3600 preferred_lft 1800

The comment in addrconf_dad_begin() when !IF_READY makes it look like
this is the intended behavior, but doesn't explain why:

     * If the device is not ready:
     * - keep it tentative if it is a permanent address.
     * - otherwise, kill it.

We clearly cannot prevent userspace from doing (2), but we can make (1)
work consistently with (2).

addrconf_dad_stop() is only called in two cases: if DAD failed, or to
skip DAD when the link is down. In that second case, the fix is to avoid
deleting the address, like we already do for permanent addresses.

Fixes: 3c21edbd1137 ("[IPV6]: Defer IPv6 device initialization until the link becomes ready.")
Signed-off-by: Sabrina Dubroca &lt;sd@queasysnail.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: prevent sign extension in dev_get_stats()</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-06-27T14:02:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d899afc88c951600a91fbe7aa7958e0d147a4ffb'/>
<id>d899afc88c951600a91fbe7aa7958e0d147a4ffb</id>
<content type='text'>
[ Upstream commit 6f64ec74515925cced6df4571638b5a099a49aae ]

Similar to the fix provided by Dominik Heidler in commit
9b3dc0a17d73 ("l2tp: cast l2tp traffic counter to unsigned")
we need to take care of 32bit kernels in dev_get_stats().

When using atomic_long_read(), we add a 'long' to u64 and
might misinterpret high order bit, unless we cast to unsigned.

Fixes: caf586e5f23ce ("net: add a core netdev-&gt;rx_dropped counter")
Fixes: 015f0688f57ca ("net: net: add a core netdev-&gt;tx_dropped counter")
Fixes: 6e7333d315a76 ("net: add rx_nohandler stat counter")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Jarod Wilson &lt;jarod@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 6f64ec74515925cced6df4571638b5a099a49aae ]

Similar to the fix provided by Dominik Heidler in commit
9b3dc0a17d73 ("l2tp: cast l2tp traffic counter to unsigned")
we need to take care of 32bit kernels in dev_get_stats().

When using atomic_long_read(), we add a 'long' to u64 and
might misinterpret high order bit, unless we cast to unsigned.

Fixes: caf586e5f23ce ("net: add a core netdev-&gt;rx_dropped counter")
Fixes: 015f0688f57ca ("net: net: add a core netdev-&gt;tx_dropped counter")
Fixes: 6e7333d315a76 ("net: add rx_nohandler stat counter")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Jarod Wilson &lt;jarod@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sched: Fix one possible panic when no destroy callback</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Gao Feng</name>
<email>gfree.wind@vip.163.com</email>
</author>
<published>2017-06-28T04:53:54+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=95c75e16160da42e41177f354289b58e93bb8584'/>
<id>95c75e16160da42e41177f354289b58e93bb8584</id>
<content type='text'>
[ Upstream commit c1a4872ebfb83b1af7144f7b29ac8c4b344a12a8 ]

When qdisc fail to init, qdisc_create would invoke the destroy callback
to cleanup. But there is no check if the callback exists really. So it
would cause the panic if there is no real destroy callback like the qdisc
codel, fq, and so on.

Take codel as an example following:
When a malicious user constructs one invalid netlink msg, it would cause
codel_init-&gt;codel_change-&gt;nla_parse_nested failed.
Then kernel would invoke the destroy callback directly but qdisc codel
doesn't define one. It causes one panic as a result.

Now add one the check for destroy to avoid the possible panic.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Gao Feng &lt;gfree.wind@vip.163.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c1a4872ebfb83b1af7144f7b29ac8c4b344a12a8 ]

When qdisc fail to init, qdisc_create would invoke the destroy callback
to cleanup. But there is no check if the callback exists really. So it
would cause the panic if there is no real destroy callback like the qdisc
codel, fq, and so on.

Take codel as an example following:
When a malicious user constructs one invalid netlink msg, it would cause
codel_init-&gt;codel_change-&gt;nla_parse_nested failed.
Then kernel would invoke the destroy callback directly but qdisc codel
doesn't define one. It causes one panic as a result.

Now add one the check for destroy to avoid the possible panic.

Fixes: 87b60cfacf9f ("net_sched: fix error recovery at qdisc creation")
Signed-off-by: Gao Feng &lt;gfree.wind@vip.163.com&gt;
Acked-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net_sched: fix error recovery at qdisc creation</title>
<updated>2017-07-31T17:37:54+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2017-02-10T18:31:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a70c6f2d8a91d8c58a58d0fe3736101a2eef91ec'/>
<id>a70c6f2d8a91d8c58a58d0fe3736101a2eef91ec</id>
<content type='text'>
[ Upstream commit 87b60cfacf9f17cf71933c6e33b66e68160af71d ]

Dmitry reported uses after free in qdisc code [1]

The problem here is that ops-&gt;init() can return an error.

qdisc_create_dflt() then call ops-&gt;destroy(),
while qdisc_create() does _not_ call it.

Four qdisc chose to call their own ops-&gt;destroy(), assuming their caller
would not.

This patch makes sure qdisc_create() calls ops-&gt;destroy()
and fixes the four qdisc to avoid double free.

[1]
BUG: KASAN: use-after-free in mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 at addr ffff8801d415d440
Read of size 8 by task syz-executor2/5030
CPU: 0 PID: 5030 Comm: syz-executor2 Not tainted 4.3.5-smp-DEV #119
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000046 ffff8801b435b870 ffffffff81bbbed4 ffff8801db000400
 ffff8801d415d440 ffff8801d415dc40 ffff8801c4988510 ffff8801b435b898
 ffffffff816682b1 ffff8801b435b928 ffff8801d415d440 ffff8801c49880c0
Call Trace:
 [&lt;ffffffff81bbbed4&gt;] __dump_stack lib/dump_stack.c:15 [inline]
 [&lt;ffffffff81bbbed4&gt;] dump_stack+0x6c/0x98 lib/dump_stack.c:51
 [&lt;ffffffff816682b1&gt;] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [&lt;ffffffff81668524&gt;] print_address_description mm/kasan/report.c:196 [inline]
 [&lt;ffffffff81668524&gt;] kasan_report_error+0x1b4/0x4b0 mm/kasan/report.c:285
 [&lt;ffffffff81668953&gt;] kasan_report mm/kasan/report.c:305 [inline]
 [&lt;ffffffff81668953&gt;] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:326
 [&lt;ffffffff82527b02&gt;] mq_destroy+0x242/0x290 net/sched/sch_mq.c:33
 [&lt;ffffffff82524bdd&gt;] qdisc_destroy+0x12d/0x290 net/sched/sch_generic.c:953
 [&lt;ffffffff82524e30&gt;] qdisc_create_dflt+0xf0/0x120 net/sched/sch_generic.c:848
 [&lt;ffffffff8252550d&gt;] attach_default_qdiscs net/sched/sch_generic.c:1029 [inline]
 [&lt;ffffffff8252550d&gt;] dev_activate+0x6ad/0x880 net/sched/sch_generic.c:1064
 [&lt;ffffffff824b1db1&gt;] __dev_open+0x221/0x320 net/core/dev.c:1403
 [&lt;ffffffff824b24ce&gt;] __dev_change_flags+0x15e/0x3e0 net/core/dev.c:6858
 [&lt;ffffffff824b27de&gt;] dev_change_flags+0x8e/0x140 net/core/dev.c:6926
 [&lt;ffffffff824f5bf6&gt;] dev_ifsioc+0x446/0x890 net/core/dev_ioctl.c:260
 [&lt;ffffffff824f61fa&gt;] dev_ioctl+0x1ba/0xb80 net/core/dev_ioctl.c:546
 [&lt;ffffffff82430509&gt;] sock_do_ioctl+0x99/0xb0 net/socket.c:879
 [&lt;ffffffff82430d30&gt;] sock_ioctl+0x2a0/0x390 net/socket.c:958
 [&lt;ffffffff816f3b68&gt;] vfs_ioctl fs/ioctl.c:44 [inline]
 [&lt;ffffffff816f3b68&gt;] do_vfs_ioctl+0x8a8/0xe50 fs/ioctl.c:611
 [&lt;ffffffff816f41a4&gt;] SYSC_ioctl fs/ioctl.c:626 [inline]
 [&lt;ffffffff816f41a4&gt;] SyS_ioctl+0x94/0xc0 fs/ioctl.c:617
 [&lt;ffffffff8123e357&gt;] entry_SYSCALL_64_fastpath+0x12/0x17

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 87b60cfacf9f17cf71933c6e33b66e68160af71d ]

Dmitry reported uses after free in qdisc code [1]

The problem here is that ops-&gt;init() can return an error.

qdisc_create_dflt() then call ops-&gt;destroy(),
while qdisc_create() does _not_ call it.

Four qdisc chose to call their own ops-&gt;destroy(), assuming their caller
would not.

This patch makes sure qdisc_create() calls ops-&gt;destroy()
and fixes the four qdisc to avoid double free.

[1]
BUG: KASAN: use-after-free in mq_destroy+0x242/0x290 net/sched/sch_mq.c:33 at addr ffff8801d415d440
Read of size 8 by task syz-executor2/5030
CPU: 0 PID: 5030 Comm: syz-executor2 Not tainted 4.3.5-smp-DEV #119
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 0000000000000046 ffff8801b435b870 ffffffff81bbbed4 ffff8801db000400
 ffff8801d415d440 ffff8801d415dc40 ffff8801c4988510 ffff8801b435b898
 ffffffff816682b1 ffff8801b435b928 ffff8801d415d440 ffff8801c49880c0
Call Trace:
 [&lt;ffffffff81bbbed4&gt;] __dump_stack lib/dump_stack.c:15 [inline]
 [&lt;ffffffff81bbbed4&gt;] dump_stack+0x6c/0x98 lib/dump_stack.c:51
 [&lt;ffffffff816682b1&gt;] kasan_object_err+0x21/0x70 mm/kasan/report.c:158
 [&lt;ffffffff81668524&gt;] print_address_description mm/kasan/report.c:196 [inline]
 [&lt;ffffffff81668524&gt;] kasan_report_error+0x1b4/0x4b0 mm/kasan/report.c:285
 [&lt;ffffffff81668953&gt;] kasan_report mm/kasan/report.c:305 [inline]
 [&lt;ffffffff81668953&gt;] __asan_report_load8_noabort+0x43/0x50 mm/kasan/report.c:326
 [&lt;ffffffff82527b02&gt;] mq_destroy+0x242/0x290 net/sched/sch_mq.c:33
 [&lt;ffffffff82524bdd&gt;] qdisc_destroy+0x12d/0x290 net/sched/sch_generic.c:953
 [&lt;ffffffff82524e30&gt;] qdisc_create_dflt+0xf0/0x120 net/sched/sch_generic.c:848
 [&lt;ffffffff8252550d&gt;] attach_default_qdiscs net/sched/sch_generic.c:1029 [inline]
 [&lt;ffffffff8252550d&gt;] dev_activate+0x6ad/0x880 net/sched/sch_generic.c:1064
 [&lt;ffffffff824b1db1&gt;] __dev_open+0x221/0x320 net/core/dev.c:1403
 [&lt;ffffffff824b24ce&gt;] __dev_change_flags+0x15e/0x3e0 net/core/dev.c:6858
 [&lt;ffffffff824b27de&gt;] dev_change_flags+0x8e/0x140 net/core/dev.c:6926
 [&lt;ffffffff824f5bf6&gt;] dev_ifsioc+0x446/0x890 net/core/dev_ioctl.c:260
 [&lt;ffffffff824f61fa&gt;] dev_ioctl+0x1ba/0xb80 net/core/dev_ioctl.c:546
 [&lt;ffffffff82430509&gt;] sock_do_ioctl+0x99/0xb0 net/socket.c:879
 [&lt;ffffffff82430d30&gt;] sock_ioctl+0x2a0/0x390 net/socket.c:958
 [&lt;ffffffff816f3b68&gt;] vfs_ioctl fs/ioctl.c:44 [inline]
 [&lt;ffffffff816f3b68&gt;] do_vfs_ioctl+0x8a8/0xe50 fs/ioctl.c:611
 [&lt;ffffffff816f41a4&gt;] SYSC_ioctl fs/ioctl.c:626 [inline]
 [&lt;ffffffff816f41a4&gt;] SyS_ioctl+0x94/0xc0 fs/ioctl.c:617
 [&lt;ffffffff8123e357&gt;] entry_SYSCALL_64_fastpath+0x12/0x17

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: Dmitry Vyukov &lt;dvyukov@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm: Oops on error in pfkey_msg2xfrm_state()</title>
<updated>2017-07-31T17:37:52+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2017-06-14T10:34:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=ee99c95698470130a10d5145fec30d82b6369140'/>
<id>ee99c95698470130a10d5145fec30d82b6369140</id>
<content type='text'>
[ Upstream commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 ]

There are some missing error codes here so we accidentally return NULL
instead of an error pointer.  It results in a NULL pointer dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1e3d0c2c70cd3edb5deed186c5f5c75f2b84a633 ]

There are some missing error codes here so we accidentally return NULL
instead of an error pointer.  It results in a NULL pointer dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>xfrm: NULL dereference on allocation failure</title>
<updated>2017-07-31T17:37:51+00:00</updated>
<author>
<name>Dan Carpenter</name>
<email>dan.carpenter@oracle.com</email>
</author>
<published>2017-06-14T10:35:37+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1a6224f1a27f6e4946df3037530b0eb8c7e2ba7b'/>
<id>1a6224f1a27f6e4946df3037530b0eb8c7e2ba7b</id>
<content type='text'>
[ Upstream commit e747f64336fc15e1c823344942923195b800aa1e ]

The default error code in pfkey_msg2xfrm_state() is -ENOBUFS.  We
added a new call to security_xfrm_state_alloc() which sets "err" to zero
so there several places where we can return ERR_PTR(0) if kmalloc()
fails.  The caller is expecting error pointers so it leads to a NULL
dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit e747f64336fc15e1c823344942923195b800aa1e ]

The default error code in pfkey_msg2xfrm_state() is -ENOBUFS.  We
added a new call to security_xfrm_state_alloc() which sets "err" to zero
so there several places where we can return ERR_PTR(0) if kmalloc()
fails.  The caller is expecting error pointers so it leads to a NULL
dereference.

Fixes: df71837d5024 ("[LSM-IPSec]: Security association restriction.")
Signed-off-by: Dan Carpenter &lt;dan.carpenter@oracle.com&gt;
Signed-off-by: Steffen Klassert &lt;steffen.klassert@secunet.com&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
