<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net, branch v4.4.181</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>ethtool: check the return value of get_regs_len</title>
<updated>2019-06-11T10:24:13+00:00</updated>
<author>
<name>Yunsheng Lin</name>
<email>linyunsheng@huawei.com</email>
</author>
<published>2018-12-26T11:51:46+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f1d7eebd9d67f0710e225bcfd08f32a643f449d6'/>
<id>f1d7eebd9d67f0710e225bcfd08f32a643f449d6</id>
<content type='text'>
commit f9fc54d313fab2834f44f516459cdc8ac91d797f upstream.

The return type for get_regs_len in struct ethtool_ops is int,
the hns3 driver may return error when failing to get the regs
len by sending cmd to firmware.

Signed-off-by: Yunsheng Lin &lt;linyunsheng@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit f9fc54d313fab2834f44f516459cdc8ac91d797f upstream.

The return type for get_regs_len in struct ethtool_ops is int,
the hns3 driver may return error when failing to get the regs
len by sending cmd to firmware.

Signed-off-by: Yunsheng Lin &lt;linyunsheng@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Cc: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>pktgen: do not sleep with the thread lock held.</title>
<updated>2019-06-11T10:24:12+00:00</updated>
<author>
<name>Paolo Abeni</name>
<email>pabeni@redhat.com</email>
</author>
<published>2019-06-06T13:45:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=44657dbba7c4d176bf813998cd937e6987a3cac6'/>
<id>44657dbba7c4d176bf813998cd937e6987a3cac6</id>
<content type='text'>
[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ]

Currently, the process issuing a "start" command on the pktgen procfs
interface, acquires the pktgen thread lock and never release it, until
all pktgen threads are completed. The above can blocks indefinitely any
other pktgen command and any (even unrelated) netdevice removal - as
the pktgen netdev notifier acquires the same lock.

The issue is demonstrated by the following script, reported by Matteo:

ip -b - &lt;&lt;'EOF'
	link add type dummy
	link add type veth
	link set dummy0 up
EOF
modprobe pktgen
echo reset &gt;/proc/net/pktgen/pgctrl
{
	echo rem_device_all
	echo add_device dummy0
} &gt;/proc/net/pktgen/kpktgend_0
echo count 0 &gt;/proc/net/pktgen/dummy0
echo start &gt;/proc/net/pktgen/pgctrl &amp;
sleep 1
rmmod veth

Fix the above releasing the thread lock around the sleep call.

Additionally we must prevent racing with forcefull rmmod - as the
thread lock no more protects from them. Instead, acquire a self-reference
before waiting for any thread. As a side effect, running

rmmod pktgen

while some thread is running now fails with "module in use" error,
before this patch such command hanged indefinitely.

Note: the issue predates the commit reported in the fixes tag, but
this fix can't be applied before the mentioned commit.

v1 -&gt; v2:
 - no need to check for thread existence after flipping the lock,
   pktgen threads are freed only at net exit time
 -

Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.")
Reported-and-tested-by: Matteo Croce &lt;mcroce@redhat.com&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 720f1de4021f09898b8c8443f3b3e995991b6e3a ]

Currently, the process issuing a "start" command on the pktgen procfs
interface, acquires the pktgen thread lock and never release it, until
all pktgen threads are completed. The above can blocks indefinitely any
other pktgen command and any (even unrelated) netdevice removal - as
the pktgen netdev notifier acquires the same lock.

The issue is demonstrated by the following script, reported by Matteo:

ip -b - &lt;&lt;'EOF'
	link add type dummy
	link add type veth
	link set dummy0 up
EOF
modprobe pktgen
echo reset &gt;/proc/net/pktgen/pgctrl
{
	echo rem_device_all
	echo add_device dummy0
} &gt;/proc/net/pktgen/kpktgend_0
echo count 0 &gt;/proc/net/pktgen/dummy0
echo start &gt;/proc/net/pktgen/pgctrl &amp;
sleep 1
rmmod veth

Fix the above releasing the thread lock around the sleep call.

Additionally we must prevent racing with forcefull rmmod - as the
thread lock no more protects from them. Instead, acquire a self-reference
before waiting for any thread. As a side effect, running

rmmod pktgen

while some thread is running now fails with "module in use" error,
before this patch such command hanged indefinitely.

Note: the issue predates the commit reported in the fixes tag, but
this fix can't be applied before the mentioned commit.

v1 -&gt; v2:
 - no need to check for thread existence after flipping the lock,
   pktgen threads are freed only at net exit time
 -

Fixes: 6146e6a43b35 ("[PKTGEN]: Removes thread_{un,}lock() macros.")
Reported-and-tested-by: Matteo Croce &lt;mcroce@redhat.com&gt;
Signed-off-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: rds: fix memory leak in rds_ib_flush_mr_pool</title>
<updated>2019-06-11T10:24:12+00:00</updated>
<author>
<name>Zhu Yanjun</name>
<email>yanjun.zhu@oracle.com</email>
</author>
<published>2019-06-06T08:00:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=eded0b11c7a398c6f57e449f02f9d682964335fd'/>
<id>eded0b11c7a398c6f57e449f02f9d682964335fd</id>
<content type='text'>
[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ]

When the following tests last for several hours, the problem will occur.

Server:
    rds-stress -r 1.1.1.16 -D 1M
Client:
    rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30

The following will occur.

"
Starting up....
tsks   tx/s   rx/s  tx+rx K/s    mbi K/s    mbo K/s tx us/c   rtt us cpu
%
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
"
&gt;From vmcore, we can find that clean_list is NULL.

&gt;From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
Then rds_ib_mr_pool_flush_worker calls
"
 rds_ib_flush_mr_pool(pool, 0, NULL);
"
Then in function
"
int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
                         int free_all, struct rds_ib_mr **ibmr_ret)
"
ibmr_ret is NULL.

In the source code,
"
...
list_to_llist_nodes(pool, &amp;unmap_list, &amp;clean_nodes, &amp;clean_tail);
if (ibmr_ret)
        *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);

/* more than one entry in llist nodes */
if (clean_nodes-&gt;next)
        llist_add_batch(clean_nodes-&gt;next, clean_tail, &amp;pool-&gt;clean_list);
...
"
When ibmr_ret is NULL, llist_entry is not executed. clean_nodes-&gt;next
instead of clean_nodes is added in clean_list.
So clean_nodes is discarded. It can not be used again.
The workqueue is executed periodically. So more and more clean_nodes are
discarded. Finally the clean_list is NULL.
Then this problem will occur.

Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
Signed-off-by: Zhu Yanjun &lt;yanjun.zhu@oracle.com&gt;
Acked-by: Santosh Shilimkar &lt;santosh.shilimkar@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 85cb928787eab6a2f4ca9d2a798b6f3bed53ced1 ]

When the following tests last for several hours, the problem will occur.

Server:
    rds-stress -r 1.1.1.16 -D 1M
Client:
    rds-stress -r 1.1.1.14 -s 1.1.1.16 -D 1M -T 30

The following will occur.

"
Starting up....
tsks   tx/s   rx/s  tx+rx K/s    mbi K/s    mbo K/s tx us/c   rtt us cpu
%
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
  1      0      0       0.00       0.00       0.00    0.00 0.00 -1.00
"
&gt;From vmcore, we can find that clean_list is NULL.

&gt;From the source code, rds_mr_flushd calls rds_ib_mr_pool_flush_worker.
Then rds_ib_mr_pool_flush_worker calls
"
 rds_ib_flush_mr_pool(pool, 0, NULL);
"
Then in function
"
int rds_ib_flush_mr_pool(struct rds_ib_mr_pool *pool,
                         int free_all, struct rds_ib_mr **ibmr_ret)
"
ibmr_ret is NULL.

In the source code,
"
...
list_to_llist_nodes(pool, &amp;unmap_list, &amp;clean_nodes, &amp;clean_tail);
if (ibmr_ret)
        *ibmr_ret = llist_entry(clean_nodes, struct rds_ib_mr, llnode);

/* more than one entry in llist nodes */
if (clean_nodes-&gt;next)
        llist_add_batch(clean_nodes-&gt;next, clean_tail, &amp;pool-&gt;clean_list);
...
"
When ibmr_ret is NULL, llist_entry is not executed. clean_nodes-&gt;next
instead of clean_nodes is added in clean_list.
So clean_nodes is discarded. It can not be used again.
The workqueue is executed periodically. So more and more clean_nodes are
discarded. Finally the clean_list is NULL.
Then this problem will occur.

Fixes: 1bc144b62524 ("net, rds, Replace xlist in net/rds/xlist.h with llist")
Signed-off-by: Zhu Yanjun &lt;yanjun.zhu@oracle.com&gt;
Acked-by: Santosh Shilimkar &lt;santosh.shilimkar@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>neighbor: Call __ipv4_neigh_lookup_noref in neigh_xmit</title>
<updated>2019-06-11T10:24:12+00:00</updated>
<author>
<name>David Ahern</name>
<email>dsahern@gmail.com</email>
</author>
<published>2019-05-02T01:18:42+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cc475966e5f704f36ccc74575640e743fec248ad'/>
<id>cc475966e5f704f36ccc74575640e743fec248ad</id>
<content type='text'>
[ Upstream commit 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 ]

Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to
INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not
updated to use the altered key. The result is that every packet Tx does
a lookup on the gateway address which does not find an entry, a new one
is created only to find the existing one in the table right before the
insert since arp_constructor was updated to reset the primary key. This
is seen in the allocs and destroys counters:
    ip -s -4 ntable show | head -10 | grep alloc

which increase for each packet showing the unnecessary overhread.

Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE.

Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY")
Reported-by: Alan Maguire &lt;alan.maguire@oracle.com&gt;
Signed-off-by: David Ahern &lt;dsahern@gmail.com&gt;
Tested-by: Alan Maguire &lt;alan.maguire@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 4b2a2bfeb3f056461a90bd621e8bd7d03fa47f60 ]

Commit cd9ff4de0107 changed the key for IFF_POINTOPOINT devices to
INADDR_ANY but neigh_xmit which is used for MPLS encapsulations was not
updated to use the altered key. The result is that every packet Tx does
a lookup on the gateway address which does not find an entry, a new one
is created only to find the existing one in the table right before the
insert since arp_constructor was updated to reset the primary key. This
is seen in the allocs and destroys counters:
    ip -s -4 ntable show | head -10 | grep alloc

which increase for each packet showing the unnecessary overhread.

Fix by having neigh_xmit use __ipv4_neigh_lookup_noref for NEIGH_ARP_TABLE.

Fixes: cd9ff4de0107 ("ipv4: Make neigh lookup keys for loopback/point-to-point devices be INADDR_ANY")
Reported-by: Alan Maguire &lt;alan.maguire@oracle.com&gt;
Signed-off-by: David Ahern &lt;dsahern@gmail.com&gt;
Tested-by: Alan Maguire &lt;alan.maguire@oracle.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>ethtool: fix potential userspace buffer overflow</title>
<updated>2019-06-11T10:24:12+00:00</updated>
<author>
<name>Vivien Didelot</name>
<email>vivien.didelot@gmail.com</email>
</author>
<published>2019-06-03T20:57:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=e5c6de6694ed690ffa64f996b7488eb3776b12a6'/>
<id>e5c6de6694ed690ffa64f996b7488eb3776b12a6</id>
<content type='text'>
[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]

ethtool_get_regs() allocates a buffer of size ops-&gt;get_regs_len(),
and pass it to the kernel driver via ops-&gt;get_regs() for filling.

There is no restriction about what the kernel drivers can or cannot do
with the open ethtool_regs structure. They usually set regs-&gt;version
and ignore regs-&gt;len or set it to the same size as ops-&gt;get_regs_len().

But if userspace allocates a smaller buffer for the registers dump,
we would cause a userspace buffer overflow in the final copy_to_user()
call, which uses the regs.len value potentially reset by the driver.

To fix this, make this case obvious and store regs.len before calling
ops-&gt;get_regs(), to only copy as much data as requested by userspace,
up to the value returned by ops-&gt;get_regs_len().

While at it, remove the redundant check for non-null regbuf.

Signed-off-by: Vivien Didelot &lt;vivien.didelot@gmail.com&gt;
Reviewed-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 0ee4e76937d69128a6a66861ba393ebdc2ffc8a2 ]

ethtool_get_regs() allocates a buffer of size ops-&gt;get_regs_len(),
and pass it to the kernel driver via ops-&gt;get_regs() for filling.

There is no restriction about what the kernel drivers can or cannot do
with the open ethtool_regs structure. They usually set regs-&gt;version
and ignore regs-&gt;len or set it to the same size as ops-&gt;get_regs_len().

But if userspace allocates a smaller buffer for the registers dump,
we would cause a userspace buffer overflow in the final copy_to_user()
call, which uses the regs.len value potentially reset by the driver.

To fix this, make this case obvious and store regs.len before calling
ops-&gt;get_regs(), to only copy as much data as requested by userspace,
up to the value returned by ops-&gt;get_regs_len().

While at it, remove the redundant check for non-null regbuf.

Signed-off-by: Vivien Didelot &lt;vivien.didelot@gmail.com&gt;
Reviewed-by: Michal Kubecek &lt;mkubecek@suse.cz&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: create skb_gso_validate_mac_len()</title>
<updated>2019-06-11T10:24:10+00:00</updated>
<author>
<name>Daniel Axtens</name>
<email>dja@axtens.net</email>
</author>
<published>2018-01-31T03:15:33+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=a33b6d4c8bc7ba93f9d1dc77826724e4df8da662'/>
<id>a33b6d4c8bc7ba93f9d1dc77826724e4df8da662</id>
<content type='text'>
commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90 upstream.

If you take a GSO skb, and split it into packets, will the MAC
length (L2 + L3 + L4 headers + payload) of those packets be small
enough to fit within a given length?

Move skb_gso_mac_seglen() to skbuff.h with other related functions
like skb_gso_network_seglen() so we can use it, and then create
skb_gso_validate_mac_len to do the full calculation.

Signed-off-by: Daniel Axtens &lt;dja@axtens.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 4.4: There is no GSO_BY_FRAGS case to handle, so
 skb_gso_validate_mac_len() becomes a trivial comparison. Put it inline in
 &lt;linux/skbuff.h&gt;.]
Signed-off-by: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 2b16f048729bf35e6c28a40cbfad07239f9dcd90 upstream.

If you take a GSO skb, and split it into packets, will the MAC
length (L2 + L3 + L4 headers + payload) of those packets be small
enough to fit within a given length?

Move skb_gso_mac_seglen() to skbuff.h with other related functions
like skb_gso_network_seglen() so we can use it, and then create
skb_gso_validate_mac_len to do the full calculation.

Signed-off-by: Daniel Axtens &lt;dja@axtens.net&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
[bwh: Backported to 4.4: There is no GSO_BY_FRAGS case to handle, so
 skb_gso_validate_mac_len() becomes a trivial comparison. Put it inline in
 &lt;linux/skbuff.h&gt;.]
Signed-off-by: Ben Hutchings &lt;ben.hutchings@codethink.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>tipc: fix modprobe tipc failed after switch order of device registration -v2</title>
<updated>2019-06-11T10:24:07+00:00</updated>
<author>
<name>Junwei Hu</name>
<email>hujunwei4@huawei.com</email>
</author>
<published>2019-05-20T06:43:59+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5bce46edeb723f7e731aa57ca18a723f2adf63f5'/>
<id>5bce46edeb723f7e731aa57ca18a723f2adf63f5</id>
<content type='text'>
commit 526f5b851a96566803ee4bee60d0a34df56c77f8 upstream.

Error message printed:
modprobe: ERROR: could not insert 'tipc': Address family not
supported by protocol.
when modprobe tipc after the following patch: switch order of
device registration, commit 7e27e8d6130c
("tipc: switch order of device registration to fix a crash")

Because sock_create_kern(net, AF_TIPC, ...) called by
tipc_topsrv_create_listener() in the initialization process
of tipc_init_net(), so tipc_socket_init() must be execute before that.
Meanwhile, tipc_net_id need to be initialized when sock_create()
called, and tipc_socket_init() is no need to be called for each namespace.

I add a variable tipc_topsrv_net_ops, and split the
register_pernet_subsys() of tipc into two parts, and split
tipc_socket_init() with initialization of pernet params.

By the way, I fixed resources rollback error when tipc_bcast_init()
failed in tipc_init_net().

Fixes: 7e27e8d6130c ("tipc: switch order of device registration to fix a crash")
Signed-off-by: Junwei Hu &lt;hujunwei4@huawei.com&gt;
Reported-by: Wang Wang &lt;wangwang2@huawei.com&gt;
Reported-by: syzbot+1e8114b61079bfe9cbc5@syzkaller.appspotmail.com
Reviewed-by: Kang Zhou &lt;zhoukang7@huawei.com&gt;
Reviewed-by: Suanming Mou &lt;mousuanming@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 526f5b851a96566803ee4bee60d0a34df56c77f8 upstream.

Error message printed:
modprobe: ERROR: could not insert 'tipc': Address family not
supported by protocol.
when modprobe tipc after the following patch: switch order of
device registration, commit 7e27e8d6130c
("tipc: switch order of device registration to fix a crash")

Because sock_create_kern(net, AF_TIPC, ...) called by
tipc_topsrv_create_listener() in the initialization process
of tipc_init_net(), so tipc_socket_init() must be execute before that.
Meanwhile, tipc_net_id need to be initialized when sock_create()
called, and tipc_socket_init() is no need to be called for each namespace.

I add a variable tipc_topsrv_net_ops, and split the
register_pernet_subsys() of tipc into two parts, and split
tipc_socket_init() with initialization of pernet params.

By the way, I fixed resources rollback error when tipc_bcast_init()
failed in tipc_init_net().

Fixes: 7e27e8d6130c ("tipc: switch order of device registration to fix a crash")
Signed-off-by: Junwei Hu &lt;hujunwei4@huawei.com&gt;
Reported-by: Wang Wang &lt;wangwang2@huawei.com&gt;
Reported-by: syzbot+1e8114b61079bfe9cbc5@syzkaller.appspotmail.com
Reviewed-by: Kang Zhou &lt;zhoukang7@huawei.com&gt;
Reviewed-by: Suanming Mou &lt;mousuanming@huawei.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>Revert "tipc: fix modprobe tipc failed after switch order of device registration"</title>
<updated>2019-06-11T10:24:07+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2019-05-17T19:15:05+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=416d252ba926e6d4691d90402cd8cf5043236809'/>
<id>416d252ba926e6d4691d90402cd8cf5043236809</id>
<content type='text'>
commit 5593530e56943182ebb6d81eca8a3be6db6dbba4 upstream.

This reverts commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e.

More revisions coming up.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 5593530e56943182ebb6d81eca8a3be6db6dbba4 upstream.

This reverts commit 532b0f7ece4cb2ffd24dc723ddf55242d1188e5e.

More revisions coming up.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>net-gro: fix use-after-free read in napi_gro_frags()</title>
<updated>2019-06-11T10:24:06+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-05-29T22:36:10+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=4f9c73aa293051359ef1f2f6d816895ab50c9f3e'/>
<id>4f9c73aa293051359ef1f2f6d816895ab50c9f3e</id>
<content type='text'>
[ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ]

If a network driver provides to napi_gro_frags() an
skb with a page fragment of exactly 14 bytes, the call
to gro_pull_from_frag0() will 'consume' the fragment
by calling skb_frag_unref(skb, 0), and the page might
be freed and reused.

Reading eth-&gt;h_proto at the end of napi_frags_skb() might
read mangled data, or crash under specific debugging features.

BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
Read of size 2 at addr ffff88809366840c by task syz-executor599/8957

CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
 napi_frags_skb net/core/dev.c:5833 [inline]
 napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
 tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
 call_write_iter include/linux/fs.h:1872 [inline]
 do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
 do_iter_write fs/read_write.c:970 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:951
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
 do_writev+0x15b/0x330 fs/read_write.c:1058

Fixes: a50e233c50db ("net-gro: restore frag0 optimization")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a4270d6795b0580287453ea55974d948393e66ef ]

If a network driver provides to napi_gro_frags() an
skb with a page fragment of exactly 14 bytes, the call
to gro_pull_from_frag0() will 'consume' the fragment
by calling skb_frag_unref(skb, 0), and the page might
be freed and reused.

Reading eth-&gt;h_proto at the end of napi_frags_skb() might
read mangled data, or crash under specific debugging features.

BUG: KASAN: use-after-free in napi_frags_skb net/core/dev.c:5833 [inline]
BUG: KASAN: use-after-free in napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
Read of size 2 at addr ffff88809366840c by task syz-executor599/8957

CPU: 1 PID: 8957 Comm: syz-executor599 Not tainted 5.2.0-rc1+ #32
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
 __dump_stack lib/dump_stack.c:77 [inline]
 dump_stack+0x172/0x1f0 lib/dump_stack.c:113
 print_address_description.cold+0x7c/0x20d mm/kasan/report.c:188
 __kasan_report.cold+0x1b/0x40 mm/kasan/report.c:317
 kasan_report+0x12/0x20 mm/kasan/common.c:614
 __asan_report_load_n_noabort+0xf/0x20 mm/kasan/generic_report.c:142
 napi_frags_skb net/core/dev.c:5833 [inline]
 napi_gro_frags+0xc6f/0xd10 net/core/dev.c:5841
 tun_get_user+0x2f3c/0x3ff0 drivers/net/tun.c:1991
 tun_chr_write_iter+0xbd/0x156 drivers/net/tun.c:2037
 call_write_iter include/linux/fs.h:1872 [inline]
 do_iter_readv_writev+0x5f8/0x8f0 fs/read_write.c:693
 do_iter_write fs/read_write.c:970 [inline]
 do_iter_write+0x184/0x610 fs/read_write.c:951
 vfs_writev+0x1b3/0x2f0 fs/read_write.c:1015
 do_writev+0x15b/0x330 fs/read_write.c:1058

Fixes: a50e233c50db ("net-gro: restore frag0 optimization")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>llc: fix skb leak in llc_build_and_send_ui_pkt()</title>
<updated>2019-06-11T10:24:06+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2019-05-28T00:35:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5cbaa135a0e129aee7080f476fffbea9164d9188'/>
<id>5cbaa135a0e129aee7080f476fffbea9164d9188</id>
<content type='text'>
[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]

If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.

BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [&lt;00000000e25b5abe&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [&lt;00000000e25b5abe&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;00000000e25b5abe&gt;] slab_alloc mm/slab.c:3326 [inline]
    [&lt;00000000e25b5abe&gt;] __do_kmalloc mm/slab.c:3658 [inline]
    [&lt;00000000e25b5abe&gt;] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [&lt;00000000a1ae188a&gt;] kmalloc include/linux/slab.h:552 [inline]
    [&lt;00000000a1ae188a&gt;] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
    [&lt;00000000ded25bbe&gt;] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
    [&lt;000000002ecae075&gt;] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [&lt;00000000551f7c47&gt;] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
    [&lt;0000000029027f0e&gt;] __sock_create+0x164/0x250 net/socket.c:1430
    [&lt;000000008bdec225&gt;] sock_create net/socket.c:1481 [inline]
    [&lt;000000008bdec225&gt;] __sys_socket+0x69/0x110 net/socket.c:1523
    [&lt;00000000b6439228&gt;] __do_sys_socket net/socket.c:1532 [inline]
    [&lt;00000000b6439228&gt;] __se_sys_socket net/socket.c:1530 [inline]
    [&lt;00000000b6439228&gt;] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
    [&lt;00000000cec820c1&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;000000000c32554f&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
  backtrace:
    [&lt;0000000053026172&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [&lt;0000000053026172&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;0000000053026172&gt;] slab_alloc_node mm/slab.c:3269 [inline]
    [&lt;0000000053026172&gt;] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [&lt;00000000fa8f3c30&gt;] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
    [&lt;00000000d96fdafb&gt;] alloc_skb include/linux/skbuff.h:1058 [inline]
    [&lt;00000000d96fdafb&gt;] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
    [&lt;000000000a34a2e7&gt;] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
    [&lt;00000000ee39999b&gt;] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
    [&lt;00000000e034d810&gt;] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
    [&lt;00000000c0bc8445&gt;] sock_sendmsg_nosec net/socket.c:652 [inline]
    [&lt;00000000c0bc8445&gt;] sock_sendmsg+0x54/0x70 net/socket.c:671
    [&lt;000000003b687167&gt;] __sys_sendto+0x148/0x1f0 net/socket.c:1964
    [&lt;00000000922d78d9&gt;] __do_sys_sendto net/socket.c:1976 [inline]
    [&lt;00000000922d78d9&gt;] __se_sys_sendto net/socket.c:1972 [inline]
    [&lt;00000000922d78d9&gt;] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
    [&lt;00000000cec820c1&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;000000000c32554f&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8fb44d60d4142cd2a440620cd291d346e23c131e ]

If llc_mac_hdr_init() returns an error, we must drop the skb
since no llc_build_and_send_ui_pkt() caller will take care of this.

BUG: memory leak
unreferenced object 0xffff8881202b6800 (size 2048):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.590s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    1a 00 07 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
  backtrace:
    [&lt;00000000e25b5abe&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [&lt;00000000e25b5abe&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;00000000e25b5abe&gt;] slab_alloc mm/slab.c:3326 [inline]
    [&lt;00000000e25b5abe&gt;] __do_kmalloc mm/slab.c:3658 [inline]
    [&lt;00000000e25b5abe&gt;] __kmalloc+0x161/0x2c0 mm/slab.c:3669
    [&lt;00000000a1ae188a&gt;] kmalloc include/linux/slab.h:552 [inline]
    [&lt;00000000a1ae188a&gt;] sk_prot_alloc+0xd6/0x170 net/core/sock.c:1608
    [&lt;00000000ded25bbe&gt;] sk_alloc+0x35/0x2f0 net/core/sock.c:1662
    [&lt;000000002ecae075&gt;] llc_sk_alloc+0x35/0x170 net/llc/llc_conn.c:950
    [&lt;00000000551f7c47&gt;] llc_ui_create+0x7b/0x140 net/llc/af_llc.c:173
    [&lt;0000000029027f0e&gt;] __sock_create+0x164/0x250 net/socket.c:1430
    [&lt;000000008bdec225&gt;] sock_create net/socket.c:1481 [inline]
    [&lt;000000008bdec225&gt;] __sys_socket+0x69/0x110 net/socket.c:1523
    [&lt;00000000b6439228&gt;] __do_sys_socket net/socket.c:1532 [inline]
    [&lt;00000000b6439228&gt;] __se_sys_socket net/socket.c:1530 [inline]
    [&lt;00000000b6439228&gt;] __x64_sys_socket+0x1e/0x30 net/socket.c:1530
    [&lt;00000000cec820c1&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;000000000c32554f&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

BUG: memory leak
unreferenced object 0xffff88811d750d00 (size 224):
  comm "syz-executor907", pid 7074, jiffies 4294943781 (age 8.600s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    00 f0 0c 24 81 88 ff ff 00 68 2b 20 81 88 ff ff  ...$.....h+ ....
  backtrace:
    [&lt;0000000053026172&gt;] kmemleak_alloc_recursive include/linux/kmemleak.h:55 [inline]
    [&lt;0000000053026172&gt;] slab_post_alloc_hook mm/slab.h:439 [inline]
    [&lt;0000000053026172&gt;] slab_alloc_node mm/slab.c:3269 [inline]
    [&lt;0000000053026172&gt;] kmem_cache_alloc_node+0x153/0x2a0 mm/slab.c:3579
    [&lt;00000000fa8f3c30&gt;] __alloc_skb+0x6e/0x210 net/core/skbuff.c:198
    [&lt;00000000d96fdafb&gt;] alloc_skb include/linux/skbuff.h:1058 [inline]
    [&lt;00000000d96fdafb&gt;] alloc_skb_with_frags+0x5f/0x250 net/core/skbuff.c:5327
    [&lt;000000000a34a2e7&gt;] sock_alloc_send_pskb+0x269/0x2a0 net/core/sock.c:2225
    [&lt;00000000ee39999b&gt;] sock_alloc_send_skb+0x32/0x40 net/core/sock.c:2242
    [&lt;00000000e034d810&gt;] llc_ui_sendmsg+0x10a/0x540 net/llc/af_llc.c:933
    [&lt;00000000c0bc8445&gt;] sock_sendmsg_nosec net/socket.c:652 [inline]
    [&lt;00000000c0bc8445&gt;] sock_sendmsg+0x54/0x70 net/socket.c:671
    [&lt;000000003b687167&gt;] __sys_sendto+0x148/0x1f0 net/socket.c:1964
    [&lt;00000000922d78d9&gt;] __do_sys_sendto net/socket.c:1976 [inline]
    [&lt;00000000922d78d9&gt;] __se_sys_sendto net/socket.c:1972 [inline]
    [&lt;00000000922d78d9&gt;] __x64_sys_sendto+0x2a/0x30 net/socket.c:1972
    [&lt;00000000cec820c1&gt;] do_syscall_64+0x76/0x1a0 arch/x86/entry/common.c:301
    [&lt;000000000c32554f&gt;] entry_SYSCALL_64_after_hwframe+0x44/0xa9

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Reported-by: syzbot &lt;syzkaller@googlegroups.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
