author | Ben Hutchings <ben@decadent.org.uk> | 2019-06-20 18:13:35 +0100 |
---|---|---|
committer | Ben Hutchings <ben@decadent.org.uk> | 2019-06-20 18:13:35 +0100 |
commit | 8108ceed01aa5e6c5320662bab882a5ce5f2646f (patch) | |
tree | 01bdabbf2be8af1ec60b3c4d44f3157d0e821533 /queue-3.16 | |
parent | 5cb139a10c8ff8c3e3d2b003b97d30981e27612c (diff) | |
download | linux-stable-queue-8108ceed01aa5e6c5320662bab882a5ce5f2646f.tar.gz |
Release 3.16.69
Diffstat (limited to 'queue-3.16')
11 files changed, 0 insertions, 791 deletions
diff --git a/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch b/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch
deleted file mode 100644
index e1fb3792..00000000
--- a/queue-3.16/bluetooth-hidp-fix-buffer-overflow.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From: Young Xiao <YangX92@hotmail.com>
-Date: Fri, 12 Apr 2019 15:24:30 +0800
-Subject: Bluetooth: hidp: fix buffer overflow
-
-commit a1616a5ac99ede5d605047a9012481ce7ff18b16 upstream.
-
-Struct ca is copied from userspace. It is not checked whether the "name"
-field is NULL terminated, which allows local users to obtain potentially
-sensitive information from kernel stack memory, via a HIDPCONNADD command.
-
-This vulnerability is similar to CVE-2011-1079.
-
-Signed-off-by: Young Xiao <YangX92@hotmail.com>
-Signed-off-by: Marcel Holtmann <marcel@holtmann.org>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- net/bluetooth/hidp/sock.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/net/bluetooth/hidp/sock.c
-+++ b/net/bluetooth/hidp/sock.c
-@@ -76,6 +76,7 @@ static int hidp_sock_ioctl(struct socket
- sockfd_put(csock);
- return err;
- }
-+ ca.name[sizeof(ca.name)-1] = 0;
-
- err = hidp_connection_add(&ca, csock, isock);
- if (!err && copy_to_user(argp, &ca, sizeof(ca)))
diff --git a/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch b/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
deleted file mode 100644
index e844b6ea..00000000
--- a/queue-3.16/drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
+++ /dev/null
@@ -1,41 +0,0 @@ -From: Dan Carpenter <dan.carpenter@oracle.com> -Date: Tue, 14 May 2019 15:47:03 -0700 -Subject: drivers/virt/fsl_hypervisor.c: prevent integer overflow in ioctl - -commit 6a024330650e24556b8a18cc654ad00cfecf6c6c upstream. - -The "param.count" value is a u64 thatcomes from the user. The code -later in the function assumes that param.count is at least one and if -it's not then it leads to an Oops when we dereference the ZERO_SIZE_PTR. - -Also the addition can have an integer overflow which would lead us to -allocate a smaller "pages" array than required. I can't immediately -tell what the possible run times implications are, but it's safest to -prevent the overflow. - -Link: http://lkml.kernel.org/r/20181218082129.GE32567@kadam -Fixes: 6db7199407ca ("drivers/virt: introduce Freescale hypervisor management driver") -Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com> -Reviewed-by: Andrew Morton <akpm@linux-foundation.org> -Cc: Timur Tabi <timur@freescale.com> -Cc: Mihai Caraman <mihai.caraman@freescale.com> -Cc: Kumar Gala <galak@kernel.crashing.org> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - drivers/virt/fsl_hypervisor.c | 3 +++ - 1 file changed, 3 insertions(+) - ---- a/drivers/virt/fsl_hypervisor.c -+++ b/drivers/virt/fsl_hypervisor.c -@@ -215,6 +215,9 @@ static long ioctl_memcpy(struct fsl_hv_i - * hypervisor. - */ - lb_offset = param.local_vaddr & (PAGE_SIZE - 1); -+ if (param.count == 0 || -+ param.count > U64_MAX - lb_offset - PAGE_SIZE + 1) -+ return -EINVAL; - num_pages = (param.count + lb_offset + PAGE_SIZE - 1) >> PAGE_SHIFT; - - /* Allocate the buffers we need */ diff --git a/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch b/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch deleted file mode 100644 index 0c0e0cdd..00000000 
--- a/queue-3.16/ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
+++ /dev/null
@@ -1,77 +0,0 @@ -From: Sriram Rajagopalan <sriramr@arista.com> -Date: Fri, 10 May 2019 19:28:06 -0400 -Subject: ext4: zero out the unused memory region in the extent tree block - -commit 592acbf16821288ecdc4192c47e3774a4c48bb64 upstream. - -This commit zeroes out the unused memory region in the buffer_head -corresponding to the extent metablock after writing the extent header -and the corresponding extent node entries. - -This is done to prevent random uninitialized data from getting into -the filesystem when the extent block is synced. - -This fixes CVE-2019-11833. - -Signed-off-by: Sriram Rajagopalan <sriramr@arista.com> -Signed-off-by: Theodore Ts'o <tytso@mit.edu> -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - fs/ext4/extents.c | 17 +++++++++++++++-- - 1 file changed, 15 insertions(+), 2 deletions(-) - ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -1016,6 +1016,7 @@ static int ext4_ext_split(handle_t *hand - __le32 border; - ext4_fsblk_t *ablocks = NULL; /* array of allocated blocks */ - int err = 0; -+ size_t ext_size = 0; - - /* make decision: where to split? 
*/ - /* FIXME: now decision is simplest: at current extent */ -@@ -1107,6 +1108,10 @@ static int ext4_ext_split(handle_t *hand - le16_add_cpu(&neh->eh_entries, m); - } - -+ /* zero out unused area in the extent block */ -+ ext_size = sizeof(struct ext4_extent_header) + -+ sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries); -+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); - ext4_extent_block_csum_set(inode, neh); - set_buffer_uptodate(bh); - unlock_buffer(bh); -@@ -1186,6 +1191,11 @@ static int ext4_ext_split(handle_t *hand - sizeof(struct ext4_extent_idx) * m); - le16_add_cpu(&neh->eh_entries, m); - } -+ /* zero out unused area in the extent block */ -+ ext_size = sizeof(struct ext4_extent_header) + -+ (sizeof(struct ext4_extent) * le16_to_cpu(neh->eh_entries)); -+ memset(bh->b_data + ext_size, 0, -+ inode->i_sb->s_blocksize - ext_size); - ext4_extent_block_csum_set(inode, neh); - set_buffer_uptodate(bh); - unlock_buffer(bh); -@@ -1251,6 +1261,7 @@ static int ext4_ext_grow_indepth(handle_ - struct buffer_head *bh; - ext4_fsblk_t newblock; - int err = 0; -+ size_t ext_size = 0; - - newblock = ext4_ext_new_meta_block(handle, inode, NULL, - newext, &err, flags); -@@ -1268,9 +1279,11 @@ static int ext4_ext_grow_indepth(handle_ - goto out; - } - -+ ext_size = sizeof(EXT4_I(inode)->i_data); - /* move top-level index/leaf into new block */ -- memmove(bh->b_data, EXT4_I(inode)->i_data, -- sizeof(EXT4_I(inode)->i_data)); -+ memmove(bh->b_data, EXT4_I(inode)->i_data, ext_size); -+ /* zero out unused area in the extent block */ -+ memset(bh->b_data + ext_size, 0, inode->i_sb->s_blocksize - ext_size); - - /* set size of new block */ - neh = ext_block_hdr(bh); diff --git a/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch b/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch deleted file mode 100644 index 048a4b4f..00000000 --- a/queue-3.16/mm-introduce-vma_is_anonymous-vma-helper.patch +++ /dev/null 
@@ -1,74 +0,0 @@ -From: Oleg Nesterov <oleg@redhat.com> -Date: Tue, 8 Sep 2015 14:58:28 -0700 -Subject: mm: introduce vma_is_anonymous(vma) helper - -commit b5330628546616af14ff23075fbf8d4ad91f6e25 upstream. - -special_mapping_fault() is absolutely broken. It seems it was always -wrong, but this didn't matter until vdso/vvar started to use more than -one page. - -And after this change vma_is_anonymous() becomes really trivial, it -simply checks vm_ops == NULL. However, I do think the helper makes -sense. There are a lot of ->vm_ops != NULL checks, the helper makes the -caller's code more understandable (self-documented) and this is more -grep-friendly. - -This patch (of 3): - -Preparation. Add the new simple helper, vma_is_anonymous(vma), and change -handle_pte_fault() to use it. It will have more users. - -The name is not accurate, say a hpet_mmap()'ed vma is not anonymous. -Perhaps it should be named vma_has_fault() instead. But it matches the -logic in mmap.c/memory.c (see next changes). "True" just means that a -page fault will use do_anonymous_page(). - -Signed-off-by: Oleg Nesterov <oleg@redhat.com> -Acked-by: Kirill A. 
Shutemov <kirill.shutemov@linux.intel.com> -Cc: Andy Lutomirski <luto@kernel.org> -Cc: Hugh Dickins <hughd@google.com> -Cc: Pavel Emelyanov <xemul@parallels.com> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[bwh: Backported to 3.16 as dependency of "mm/mincore.c: make mincore() more - conservative"; adjusted context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/linux/mm.h | 5 +++++ - mm/memory.c | 8 ++++---- - 2 files changed, 9 insertions(+), 4 deletions(-) - ---- a/include/linux/mm.h -+++ b/include/linux/mm.h -@@ -1241,6 +1241,11 @@ int get_cmdline(struct task_struct *task - - int vma_is_stack_for_task(struct vm_area_struct *vma, struct task_struct *t); - -+static inline bool vma_is_anonymous(struct vm_area_struct *vma) -+{ -+ return !vma->vm_ops; -+} -+ - extern unsigned long move_page_tables(struct vm_area_struct *vma, - unsigned long old_addr, struct vm_area_struct *new_vma, - unsigned long new_addr, unsigned long len, ---- a/mm/memory.c -+++ b/mm/memory.c -@@ -3105,12 +3105,12 @@ static int handle_pte_fault(struct mm_st - entry = *pte; - if (!pte_present(entry)) { - if (pte_none(entry)) { -- if (vma->vm_ops) -+ if (vma_is_anonymous(vma)) -+ return do_anonymous_page(mm, vma, address, -+ pte, pmd, flags); -+ else - return do_fault(mm, vma, address, pte, - pmd, flags, entry); -- -- return do_anonymous_page(mm, vma, address, -- pte, pmd, flags); - } - return do_swap_page(mm, vma, address, - pte, pmd, flags, entry); diff --git a/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch b/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch deleted file mode 100644 index f82b85d8..00000000 --- a/queue-3.16/mm-mincore.c-make-mincore-more-conservative.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -From: Jiri Kosina <jkosina@suse.cz> -Date: Tue, 14 May 2019 15:41:38 -0700 -Subject: mm/mincore.c: make mincore() more conservative - -commit 134fca9063ad4851de767d1768180e5dede9a881 upstream. - -The semantics of what mincore() considers to be resident is not -completely clear, but Linux has always (since 2.3.52, which is when -mincore() was initially done) treated it as "page is available in page -cache". - -That's potentially a problem, as that [in]directly exposes -meta-information about pagecache / memory mapping state even about -memory not strictly belonging to the process executing the syscall, -opening possibilities for sidechannel attacks. - -Change the semantics of mincore() so that it only reveals pagecache -information for non-anonymous mappings that belog to files that the -calling process could (if it tried to) successfully open for writing; -otherwise we'd be including shared non-exclusive mappings, which - - - is the sidechannel - - - is not the usecase for mincore(), as that's primarily used for data, - not (shared) text - -[jkosina@suse.cz: v2] - Link: http://lkml.kernel.org/r/20190312141708.6652-2-vbabka@suse.cz -[mhocko@suse.com: restructure can_do_mincore() conditions] -Link: http://lkml.kernel.org/r/nycvar.YFH.7.76.1903062342020.19912@cbobk.fhfr.pm -Signed-off-by: Jiri Kosina <jkosina@suse.cz> -Signed-off-by: Vlastimil Babka <vbabka@suse.cz> -Acked-by: Josh Snyder <joshs@netflix.com> -Acked-by: Michal Hocko <mhocko@suse.com> -Originally-by: Linus Torvalds <torvalds@linux-foundation.org> -Originally-by: Dominique Martinet <asmadeus@codewreck.org> -Cc: Andy Lutomirski <luto@amacapital.net> -Cc: Dave Chinner <david@fromorbit.com> -Cc: Kevin Easton <kevin@guarana.org> -Cc: Matthew Wilcox <willy@infradead.org> -Cc: Cyril Hrubis <chrubis@suse.cz> -Cc: Tejun Heo <tj@kernel.org> -Cc: Kirill A. 
Shutemov <kirill@shutemov.name> -Cc: Daniel Gruss <daniel@gruss.cc> -Signed-off-by: Andrew Morton <akpm@linux-foundation.org> -Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/mm/mincore.c -+++ b/mm/mincore.c -@@ -212,6 +212,22 @@ static void mincore_page_range(struct vm - } while (pgd++, addr = next, addr != end); - } - -+static inline bool can_do_mincore(struct vm_area_struct *vma) -+{ -+ if (vma_is_anonymous(vma)) -+ return true; -+ if (!vma->vm_file) -+ return false; -+ /* -+ * Reveal pagecache information only for non-anonymous mappings that -+ * correspond to the files the calling process could (if tried) open -+ * for writing; otherwise we'd be including shared non-exclusive -+ * mappings, which opens a side channel. -+ */ -+ return inode_owner_or_capable(file_inode(vma->vm_file)) || -+ inode_permission(file_inode(vma->vm_file), MAY_WRITE) == 0; -+} -+ - /* - * Do a chunk of "sys_mincore()". We've already checked - * all the arguments, we hold the mmap semaphore: we should -@@ -227,6 +243,11 @@ static long do_mincore(unsigned long add - return -ENOMEM; - - end = min(vma->vm_end, addr + (pages << PAGE_SHIFT)); -+ if (!can_do_mincore(vma)) { -+ unsigned long pages = DIV_ROUND_UP(end - addr, PAGE_SIZE); -+ memset(vec, 1, pages); -+ return pages; -+ } - - if (is_vm_hugetlb_page(vma)) - mincore_hugetlb_page_range(vma, addr, end, vec); diff --git a/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch b/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch deleted file mode 100644 index bd5e0b24..00000000 --- a/queue-3.16/scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch +++ /dev/null 
@@ -1,73 +0,0 @@ -From: Jason Yan <yanaijie@huawei.com> -Date: Fri, 15 Feb 2019 19:50:27 +0800 -Subject: scsi: megaraid_sas: return error when create DMA pool failed - -commit bcf3b67d16a4c8ffae0aa79de5853435e683945c upstream. - -when create DMA pool for cmd frames failed, we should return -ENOMEM, -instead of 0. -In some case in: - - megasas_init_adapter_fusion() - - -->megasas_alloc_cmds() - -->megasas_create_frame_pool - create DMA pool failed, - --> megasas_free_cmds() [1] - - -->megasas_alloc_cmds_fusion() - failed, then goto fail_alloc_cmds. - -->megasas_free_cmds() [2] - -we will call megasas_free_cmds twice, [1] will kfree cmd_list, -[2] will use cmd_list.it will cause a problem: - -Unable to handle kernel NULL pointer dereference at virtual address -00000000 -pgd = ffffffc000f70000 -[00000000] *pgd=0000001fbf893003, *pud=0000001fbf893003, -*pmd=0000001fbf894003, *pte=006000006d000707 -Internal error: Oops: 96000005 [#1] SMP - Modules linked in: - CPU: 18 PID: 1 Comm: swapper/0 Not tainted - task: ffffffdfb9290000 ti: ffffffdfb923c000 task.ti: ffffffdfb923c000 - PC is at megasas_free_cmds+0x30/0x70 - LR is at megasas_free_cmds+0x24/0x70 - ... 
- Call trace:
- [<ffffffc0005b779c>] megasas_free_cmds+0x30/0x70
- [<ffffffc0005bca74>] megasas_init_adapter_fusion+0x2f4/0x4d8
- [<ffffffc0005b926c>] megasas_init_fw+0x2dc/0x760
- [<ffffffc0005b9ab0>] megasas_probe_one+0x3c0/0xcd8
- [<ffffffc0004a5abc>] local_pci_probe+0x4c/0xb4
- [<ffffffc0004a5c40>] pci_device_probe+0x11c/0x14c
- [<ffffffc00053a5e4>] driver_probe_device+0x1ec/0x430
- [<ffffffc00053a92c>] __driver_attach+0xa8/0xb0
- [<ffffffc000538178>] bus_for_each_dev+0x74/0xc8
- [<ffffffc000539e88>] driver_attach+0x28/0x34
- [<ffffffc000539a18>] bus_add_driver+0x16c/0x248
- [<ffffffc00053b234>] driver_register+0x6c/0x138
- [<ffffffc0004a5350>] __pci_register_driver+0x5c/0x6c
- [<ffffffc000ce3868>] megasas_init+0xc0/0x1a8
- [<ffffffc000082a58>] do_one_initcall+0xe8/0x1ec
- [<ffffffc000ca7be8>] kernel_init_freeable+0x1c8/0x284
- [<ffffffc0008d90b8>] kernel_init+0x1c/0xe4
-
-Signed-off-by: Jason Yan <yanaijie@huawei.com>
-Acked-by: Sumit Saxena <sumit.saxena@broadcom.com>
-Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- drivers/scsi/megaraid/megaraid_sas_base.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/drivers/scsi/megaraid/megaraid_sas_base.c
-+++ b/drivers/scsi/megaraid/megaraid_sas_base.c
-@@ -3489,6 +3489,7 @@ int megasas_alloc_cmds(struct megasas_in
- if (megasas_create_frame_pool(instance)) {
- printk(KERN_DEBUG "megasas: Error creating frame DMA pool\n");
- megasas_free_cmds(instance);
-+ return -ENOMEM;
- }
-
- return 0;
diff --git a/queue-3.16/series b/queue-3.16/series
deleted file mode 100644
index ad9b449a..00000000
--- a/queue-3.16/series
+++ /dev/null
@@ -1,10 +0,0 @@
-mm-introduce-vma_is_anonymous-vma-helper.patch
-mm-mincore.c-make-mincore-more-conservative.patch
-drivers-virt-fsl_hypervisor.c-prevent-integer-overflow-in-ioctl.patch
-scsi-megaraid_sas-return-error-when-create-dma-pool-failed.patch
-ext4-zero-out-the-unused-memory-region-in-the-extent-tree-block.patch
-bluetooth-hidp-fix-buffer-overflow.patch
-tcp-limit-payload-size-of-sacked-skbs.patch
-tcp-tcp_fragment-should-apply-sane-memory-limits.patch
-tcp-add-tcp_min_snd_mss-sysctl.patch
-tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch
diff --git a/queue-3.16/tcp-add-tcp_min_snd_mss-sysctl.patch b/queue-3.16/tcp-add-tcp_min_snd_mss-sysctl.patch
deleted file mode 100644
index d4d5f9b2..00000000
--- a/queue-3.16/tcp-add-tcp_min_snd_mss-sysctl.patch
+++ /dev/null
@@ -1,118 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Thu, 6 Jun 2019 09:15:31 -0700 -Subject: tcp: add tcp_min_snd_mss sysctl - -commit 5f3e2bf008c2221478101ee72f5cb4654b9fc363 upstream. - -Some TCP peers announce a very small MSS option in their SYN and/or -SYN/ACK messages. - -This forces the stack to send packets with a very high network/cpu -overhead. - -Linux has enforced a minimal value of 48. Since this value includes -the size of TCP options, and that the options can consume up to 40 -bytes, this means that each segment can include only 8 bytes of payload. - -In some cases, it can be useful to increase the minimal value -to a saner value. - -We still let the default to 48 (TCP_MIN_SND_MSS), for compatibility -reasons. - -Note that TCP_MAXSEG socket option enforces a minimal value -of (TCP_MIN_MSS). David Miller increased this minimal value -in commit c39508d6f118 ("tcp: Make TCP_MAXSEG minimum more correct.") -from 64 to 88. - -We might in the future merge TCP_MIN_SND_MSS and TCP_MIN_MSS. - -CVE-2019-11479 -- tcp mss hardcoded to 48 - -Signed-off-by: Eric Dumazet <edumazet@google.com> -Suggested-by: Jonathan Looney <jtl@netflix.com> -Acked-by: Neal Cardwell <ncardwell@google.com> -Cc: Yuchung Cheng <ycheng@google.com> -Cc: Tyler Hicks <tyhicks@canonical.com> -Cc: Bruce Curtis <brucec@netflix.com> -Cc: Jonathan Lemon <jonathan.lemon@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[Salvatore Bonaccorso: Backport for context changes in 4.9.168] -[bwh: Backported to 3.16: Make the sysctl global, consistent with - net.ipv4.tcp_base_mss] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- ---- a/Documentation/networking/ip-sysctl.txt -+++ b/Documentation/networking/ip-sysctl.txt -@@ -210,6 +210,14 @@ tcp_base_mss - INTEGER - Path MTU discovery (MTU probing). If MTU probing is enabled, - this is the initial MSS used by the connection. 
- -+tcp_min_snd_mss - INTEGER -+ TCP SYN and SYNACK messages usually advertise an ADVMSS option, -+ as described in RFC 1122 and RFC 6691. -+ If this ADVMSS option is smaller than tcp_min_snd_mss, -+ it is silently capped to tcp_min_snd_mss. -+ -+ Default : 48 (at least 8 bytes of payload per segment) -+ - tcp_congestion_control - STRING - Set the congestion control algorithm to be used for new - connections. The algorithm "reno" is always available, but ---- a/net/ipv4/sysctl_net_ipv4.c -+++ b/net/ipv4/sysctl_net_ipv4.c -@@ -34,6 +34,8 @@ static int tcp_retr1_max = 255; - static int ip_local_port_range_min[] = { 1, 1 }; - static int ip_local_port_range_max[] = { 65535, 65535 }; - static int tcp_adv_win_scale_min = -31; -+static int tcp_min_snd_mss_min = TCP_MIN_SND_MSS; -+static int tcp_min_snd_mss_max = 65535; - static int tcp_adv_win_scale_max = 31; - static int ip_ttl_min = 1; - static int ip_ttl_max = 255; -@@ -608,6 +610,15 @@ static struct ctl_table ipv4_table[] = { - .proc_handler = proc_dointvec, - }, - { -+ .procname = "tcp_min_snd_mss", -+ .data = &sysctl_tcp_min_snd_mss, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &tcp_min_snd_mss_min, -+ .extra2 = &tcp_min_snd_mss_max, -+ }, -+ { - .procname = "tcp_workaround_signed_windows", - .data = &sysctl_tcp_workaround_signed_windows, - .maxlen = sizeof(int), ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -61,6 +61,7 @@ int sysctl_tcp_tso_win_divisor __read_mo - - int sysctl_tcp_mtu_probing __read_mostly = 0; - int sysctl_tcp_base_mss __read_mostly = TCP_BASE_MSS; -+int sysctl_tcp_min_snd_mss __read_mostly = TCP_MIN_SND_MSS; - - /* By default, RFC2861 behavior. 
*/ - int sysctl_tcp_slow_start_after_idle __read_mostly = 1; -@@ -1259,8 +1260,7 @@ static inline int __tcp_mtu_to_mss(struc - mss_now -= icsk->icsk_ext_hdr_len; - - /* Then reserve room for full set of TCP options and 8 bytes of data */ -- if (mss_now < TCP_MIN_SND_MSS) -- mss_now = TCP_MIN_SND_MSS; -+ mss_now = max(mss_now, sysctl_tcp_min_snd_mss); - return mss_now; - } - ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -270,6 +270,7 @@ extern int sysctl_tcp_moderate_rcvbuf; - extern int sysctl_tcp_tso_win_divisor; - extern int sysctl_tcp_mtu_probing; - extern int sysctl_tcp_base_mss; -+extern int sysctl_tcp_min_snd_mss; - extern int sysctl_tcp_workaround_signed_windows; - extern int sysctl_tcp_slow_start_after_idle; - extern int sysctl_tcp_thin_linear_timeouts; diff --git a/queue-3.16/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch b/queue-3.16/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch deleted file mode 100644 index c37bfc74..00000000 --- a/queue-3.16/tcp-enforce-tcp_min_snd_mss-in-tcp_mtu_probing.patch +++ /dev/null 
@@ -1,39 +0,0 @@
-From: Eric Dumazet <edumazet@google.com>
-Date: Sat, 8 Jun 2019 10:22:49 -0700
-Subject: tcp: enforce tcp_min_snd_mss in tcp_mtu_probing()
-
-commit 967c05aee439e6e5d7d805e195b3a20ef5c433d6 upstream.
-
-If mtu probing is enabled tcp_mtu_probing() could very well end up
-with a too small MSS.
-
-Use the new sysctl tcp_min_snd_mss to make sure MSS search
-is performed in an acceptable range.
-
-CVE-2019-11479 -- tcp mss hardcoded to 48
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Jonathan Lemon <jonathan.lemon@gmail.com>
-Cc: Jonathan Looney <jtl@netflix.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Cc: Yuchung Cheng <ycheng@google.com>
-Cc: Tyler Hicks <tyhicks@canonical.com>
-Cc: Bruce Curtis <brucec@netflix.com>
-Signed-off-by: David S. Miller <davem@davemloft.net>
-[Salvatore Bonaccorso: Backport for context changes in 4.9.168]
-[bwh: Backported to 3.16: The sysctl is global]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- net/ipv4/tcp_timer.c | 1 +
- 1 file changed, 1 insertion(+)
-
---- a/net/ipv4/tcp_timer.c
-+++ b/net/ipv4/tcp_timer.c
-@@ -113,6 +113,7 @@ static void tcp_mtu_probing(struct inet_
- mss = tcp_mtu_to_mss(sk, icsk->icsk_mtup.search_low) >> 1;
- mss = min(sysctl_tcp_base_mss, mss);
- mss = max(mss, 68 - tp->tcp_header_len);
-+ mss = max(mss, sysctl_tcp_min_snd_mss);
- icsk->icsk_mtup.search_low = tcp_mss_to_mtu(sk, mss);
- tcp_sync_mss(sk, icsk->icsk_pmtu_cookie);
- }
diff --git a/queue-3.16/tcp-limit-payload-size-of-sacked-skbs.patch b/queue-3.16/tcp-limit-payload-size-of-sacked-skbs.patch
deleted file mode 100644
index 8cda90c7..00000000
--- a/queue-3.16/tcp-limit-payload-size-of-sacked-skbs.patch
+++ /dev/null
@@ -1,170 +0,0 @@ -From: Eric Dumazet <edumazet@google.com> -Date: Fri, 17 May 2019 17:17:22 -0700 -Subject: tcp: limit payload size of sacked skbs - -commit 3b4929f65b0d8249f19a50245cd88ed1a2f78cff upstream. - -Jonathan Looney reported that TCP can trigger the following crash -in tcp_shifted_skb() : - - BUG_ON(tcp_skb_pcount(skb) < pcount); - -This can happen if the remote peer has advertized the smallest -MSS that linux TCP accepts : 48 - -An skb can hold 17 fragments, and each fragment can hold 32KB -on x86, or 64KB on PowerPC. - -This means that the 16bit witdh of TCP_SKB_CB(skb)->tcp_gso_segs -can overflow. - -Note that tcp_sendmsg() builds skbs with less than 64KB -of payload, so this problem needs SACK to be enabled. -SACK blocks allow TCP to coalesce multiple skbs in the retransmit -queue, thus filling the 17 fragments to maximal capacity. - -CVE-2019-11477 -- u16 overflow of TCP_SKB_CB(skb)->tcp_gso_segs - -Backport notes, provided by Joao Martins <joao.m.martins@oracle.com> - -v4.15 or since commit 737ff314563 ("tcp: use sequence distance to -detect reordering") had switched from the packet-based FACK tracking and -switched to sequence-based. - -v4.14 and older still have the old logic and hence on -tcp_skb_shift_data() needs to retain its original logic and have -@fack_count in sync. In other words, we keep the increment of pcount with -tcp_skb_pcount(skb) to later used that to update fack_count. To make it -more explicit we track the new skb that gets incremented to pcount in -@next_pcount, and we get to avoid the constant invocation of -tcp_skb_pcount(skb) all together. 
- -Fixes: 832d11c5cd07 ("tcp: Try to restore large SKBs while SACK processing") -Signed-off-by: Eric Dumazet <edumazet@google.com> -Reported-by: Jonathan Looney <jtl@netflix.com> -Acked-by: Neal Cardwell <ncardwell@google.com> -Reviewed-by: Tyler Hicks <tyhicks@canonical.com> -Cc: Yuchung Cheng <ycheng@google.com> -Cc: Bruce Curtis <brucec@netflix.com> -Cc: Jonathan Lemon <jonathan.lemon@gmail.com> -Signed-off-by: David S. Miller <davem@davemloft.net> -[Salvatore Bonaccorso: Adjust for context changes to backport to -4.9.168] -[bwh: Backported to 3.16: adjust context] -Signed-off-by: Ben Hutchings <ben@decadent.org.uk> ---- - include/linux/tcp.h | 4 ++++ - include/net/tcp.h | 2 ++ - net/ipv4/tcp.c | 1 + - net/ipv4/tcp_input.c | 26 ++++++++++++++++++++------ - net/ipv4/tcp_output.c | 6 +++--- - 5 files changed, 30 insertions(+), 9 deletions(-) - ---- a/include/linux/tcp.h -+++ b/include/linux/tcp.h -@@ -394,4 +394,7 @@ static inline int fastopen_init_queue(st - return 0; - } - -+int tcp_skb_shift(struct sk_buff *to, struct sk_buff *from, int pcount, -+ int shiftlen); -+ - #endif /* _LINUX_TCP_H */ ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -55,6 +55,8 @@ void tcp_time_wait(struct sock *sk, int - - #define MAX_TCP_HEADER (128 + MAX_HEADER) - #define MAX_TCP_OPTION_SPACE 40 -+#define TCP_MIN_SND_MSS 48 -+#define TCP_MIN_GSO_SIZE (TCP_MIN_SND_MSS - MAX_TCP_OPTION_SPACE) - - /* - * Never offer a window over 32767 without using window scaling. 
Some ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -3169,6 +3169,7 @@ void __init tcp_init(void) - int max_rshare, max_wshare, cnt; - unsigned int i; - -+ BUILD_BUG_ON(TCP_MIN_SND_MSS <= MAX_TCP_OPTION_SPACE); - BUILD_BUG_ON(sizeof(struct tcp_skb_cb) > sizeof(skb->cb)); - - percpu_counter_init(&tcp_sockets_allocated, 0); ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -1296,7 +1296,7 @@ static bool tcp_shifted_skb(struct sock - TCP_SKB_CB(skb)->seq += shifted; - - skb_shinfo(prev)->gso_segs += pcount; -- BUG_ON(skb_shinfo(skb)->gso_segs < pcount); -+ WARN_ON_ONCE(tcp_skb_pcount(skb) < pcount); - skb_shinfo(skb)->gso_segs -= pcount; - - /* When we're adding to gso_segs == 1, gso_size will be zero, -@@ -1362,6 +1362,21 @@ static int skb_can_shift(const struct sk - return !skb_headlen(skb) && skb_is_nonlinear(skb); - } - -+int tcp_skb_shift(struct sk_buff *to, struct sk_buff *from, -+ int pcount, int shiftlen) -+{ -+ /* TCP min gso_size is 8 bytes (TCP_MIN_GSO_SIZE) -+ * Since TCP_SKB_CB(skb)->tcp_gso_segs is 16 bits, we need -+ * to make sure not storing more than 65535 * 8 bytes per skb, -+ * even if current MSS is bigger. -+ */ -+ if (unlikely(to->len + shiftlen >= 65535 * TCP_MIN_GSO_SIZE)) -+ return 0; -+ if (unlikely(tcp_skb_pcount(to) + pcount > 65535)) -+ return 0; -+ return skb_shift(to, from, shiftlen); -+} -+ - /* Try collapsing SACK blocks spanning across multiple skbs to a single - * skb. 
- */ -@@ -1373,6 +1388,7 @@ static struct sk_buff *tcp_shift_skb_dat - struct tcp_sock *tp = tcp_sk(sk); - struct sk_buff *prev; - int mss; -+ int next_pcount; - int pcount = 0; - int len; - int in_sack; -@@ -1467,7 +1483,7 @@ static struct sk_buff *tcp_shift_skb_dat - if (!after(TCP_SKB_CB(skb)->seq + len, tp->snd_una)) - goto fallback; - -- if (!skb_shift(prev, skb, len)) -+ if (!tcp_skb_shift(prev, skb, pcount, len)) - goto fallback; - if (!tcp_shifted_skb(sk, skb, state, pcount, len, mss, dup_sack)) - goto out; -@@ -1486,9 +1502,10 @@ static struct sk_buff *tcp_shift_skb_dat - goto out; - - len = skb->len; -- if (skb_shift(prev, skb, len)) { -- pcount += tcp_skb_pcount(skb); -- tcp_shifted_skb(sk, skb, state, tcp_skb_pcount(skb), len, mss, 0); -+ next_pcount = tcp_skb_pcount(skb); -+ if (tcp_skb_shift(prev, skb, next_pcount, len)) { -+ pcount += next_pcount; -+ tcp_shifted_skb(sk, skb, state, next_pcount, len, mss, 0); - } - - out: ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1254,8 +1254,8 @@ static inline int __tcp_mtu_to_mss(struc - mss_now -= icsk->icsk_ext_hdr_len; - - /* Then reserve room for full set of TCP options and 8 bytes of data */ -- if (mss_now < 48) -- mss_now = 48; -+ if (mss_now < TCP_MIN_SND_MSS) -+ mss_now = TCP_MIN_SND_MSS; - return mss_now; - } - diff --git a/queue-3.16/tcp-tcp_fragment-should-apply-sane-memory-limits.patch b/queue-3.16/tcp-tcp_fragment-should-apply-sane-memory-limits.patch deleted file mode 100644 index ac75fd49..00000000 --- a/queue-3.16/tcp-tcp_fragment-should-apply-sane-memory-limits.patch +++ /dev/null 
@@ -1,74 +0,0 @@
-From: Eric Dumazet <edumazet@google.com>
-Date: Sat, 18 May 2019 05:12:05 -0700
-Subject: tcp: tcp_fragment() should apply sane memory limits
-
-commit f070ef2ac66716357066b683fb0baf55f8191a2e upstream.
-
-Jonathan Looney reported that a malicious peer can force a sender
-to fragment its retransmit queue into tiny skbs, inflating memory
-usage and/or overflow 32bit counters.
-
-TCP allows an application to queue up to sk_sndbuf bytes,
-so we need to give some allowance for non malicious splitting
-of retransmit queue.
-
-A new SNMP counter is added to monitor how many times TCP
-did not allow to split an skb if the allowance was exceeded.
-
-Note that this counter might increase in the case applications
-use SO_SNDBUF socket option to lower sk_sndbuf.
-
-CVE-2019-11478 : tcp_fragment, prevent fragmenting a packet when the
- socket is already using more than half the allowed space
-
-Signed-off-by: Eric Dumazet <edumazet@google.com>
-Reported-by: Jonathan Looney <jtl@netflix.com>
-Acked-by: Neal Cardwell <ncardwell@google.com>
-Acked-by: Yuchung Cheng <ycheng@google.com>
-Reviewed-by: Tyler Hicks <tyhicks@canonical.com>
-Cc: Bruce Curtis <brucec@netflix.com>
-Cc: Jonathan Lemon <jonathan.lemon@gmail.com>
-Signed-off-by: David S. 
Miller <davem@davemloft.net>
-[Salvatore Bonaccorso: Adjust context for backport to 4.9.168]
-[bwh: Backported to 3.16: adjust context]
-Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
----
- include/uapi/linux/snmp.h | 1 +
- net/ipv4/proc.c | 1 +
- net/ipv4/tcp_output.c | 5 +++++
- 3 files changed, 7 insertions(+)
-
---- a/include/uapi/linux/snmp.h
-+++ b/include/uapi/linux/snmp.h
-@@ -265,6 +265,7 @@ enum
- LINUX_MIB_TCPWANTZEROWINDOWADV, /* TCPWantZeroWindowAdv */
- LINUX_MIB_TCPSYNRETRANS, /* TCPSynRetrans */
- LINUX_MIB_TCPORIGDATASENT, /* TCPOrigDataSent */
-+ LINUX_MIB_TCPWQUEUETOOBIG, /* TCPWqueueTooBig */
- __LINUX_MIB_MAX
- };
-
---- a/net/ipv4/proc.c
-+++ b/net/ipv4/proc.c
-@@ -286,6 +286,7 @@ static const struct snmp_mib snmp4_net_l
- SNMP_MIB_ITEM("TCPWantZeroWindowAdv", LINUX_MIB_TCPWANTZEROWINDOWADV),
- SNMP_MIB_ITEM("TCPSynRetrans", LINUX_MIB_TCPSYNRETRANS),
- SNMP_MIB_ITEM("TCPOrigDataSent", LINUX_MIB_TCPORIGDATASENT),
-+ SNMP_MIB_ITEM("TCPWqueueTooBig", LINUX_MIB_TCPWQUEUETOOBIG),
- SNMP_MIB_SENTINEL
- };
-
---- a/net/ipv4/tcp_output.c
-+++ b/net/ipv4/tcp_output.c
-@@ -1090,6 +1090,11 @@ int tcp_fragment(struct sock *sk, struct
- if (nsize < 0)
- nsize = 0;
-
-+ if (unlikely((sk->sk_wmem_queued >> 1) > sk->sk_sndbuf)) {
-+ NET_INC_STATS(sock_net(sk), LINUX_MIB_TCPWQUEUETOOBIG);
-+ return -ENOMEM;
-+ }
-+
- if (skb_unclone(skb, gfp))
- return -ENOMEM;
- |