diff options
author | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-24 22:00:25 -0400 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-10-24 22:00:25 -0400 |
commit | eae95d68602e05698003bb823237fb428a57f278 (patch) | |
tree | 3b2159c7aade3962f8ceac3c341de71416c85fb7 | |
parent | 10a6a38dcedbab393ed52621b2b3f2ecb6a1a0bd (diff) | |
download | queue-3.18-eae95d68602e05698003bb823237fb428a57f278.tar.gz |
network patches
-rw-r--r-- | net-avoid-potential-infinite-loop-in-tc_ctl_action.patch | 132 | ||||
-rw-r--r-- | sctp-change-sctp_prot-.no_autobind-with-true.patch | 71 | ||||
-rw-r--r-- | series | 2 |
3 files changed, 205 insertions, 0 deletions
diff --git a/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch b/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch new file mode 100644 index 0000000..229e28d --- /dev/null +++ b/net-avoid-potential-infinite-loop-in-tc_ctl_action.patch @@ -0,0 +1,132 @@ +From foo@baz Thu 24 Oct 2019 09:41:49 PM EDT +From: Eric Dumazet <edumazet@google.com> +Date: Mon, 14 Oct 2019 11:22:30 -0700 +Subject: net: avoid potential infinite loop in tc_ctl_action() + +From: Eric Dumazet <edumazet@google.com> + +[ Upstream commit 39f13ea2f61b439ebe0060393e9c39925c9ee28c ] + +tc_ctl_action() has the ability to loop forever if tcf_action_add() +returns -EAGAIN. + +This special case has been done in case a module needed to be loaded, +but it turns out that tcf_add_notify() could also return -EAGAIN +if the socket sk_rcvbuf limit is hit. + +We need to separate the two cases, and only loop for the module +loading case. + +While we are at it, add a limit of 10 attempts since unbounded +loops are always scary. + +syzbot repro was something like : + +socket(PF_NETLINK, SOCK_RAW|SOCK_NONBLOCK, NETLINK_ROUTE) = 3 +write(3, ..., 38) = 38 +setsockopt(3, SOL_SOCKET, SO_RCVBUF, [0], 4) = 0 +sendmsg(3, {msg_name(0)=NULL, msg_iov(1)=[{..., 388}], msg_controllen=0, msg_flags=0x10}, ...) + +NMI backtrace for cpu 0 +CPU: 0 PID: 1054 Comm: khungtaskd Not tainted 5.4.0-rc1+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +Call Trace: + __dump_stack lib/dump_stack.c:77 [inline] + dump_stack+0x172/0x1f0 lib/dump_stack.c:113 + nmi_cpu_backtrace.cold+0x70/0xb2 lib/nmi_backtrace.c:101 + nmi_trigger_cpumask_backtrace+0x23b/0x28b lib/nmi_backtrace.c:62 + arch_trigger_cpumask_backtrace+0x14/0x20 arch/x86/kernel/apic/hw_nmi.c:38 + trigger_all_cpu_backtrace include/linux/nmi.h:146 [inline] + check_hung_uninterruptible_tasks kernel/hung_task.c:205 [inline] + watchdog+0x9d0/0xef0 kernel/hung_task.c:289 + kthread+0x361/0x430 kernel/kthread.c:255 + ret_from_fork+0x24/0x30 arch/x86/entry/entry_64.S:352 +Sending NMI from CPU 0 to CPUs 1: +NMI backtrace for cpu 1 +CPU: 1 PID: 8859 Comm: syz-executor910 Not tainted 5.4.0-rc1+ #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:arch_local_save_flags arch/x86/include/asm/paravirt.h:751 [inline] +RIP: 0010:lockdep_hardirqs_off+0x1df/0x2e0 kernel/locking/lockdep.c:3453 +Code: 5c 08 00 00 5b 41 5c 41 5d 5d c3 48 c7 c0 58 1d f3 88 48 ba 00 00 00 00 00 fc ff df 48 c1 e8 03 80 3c 10 00 0f 85 d3 00 00 00 <48> 83 3d 21 9e 99 07 00 0f 84 b9 00 00 00 9c 58 0f 1f 44 00 00 f6 +RSP: 0018:ffff8880a6f3f1b8 EFLAGS: 00000046 +RAX: 1ffffffff11e63ab RBX: ffff88808c9c6080 RCX: 0000000000000000 +RDX: dffffc0000000000 RSI: 0000000000000000 RDI: ffff88808c9c6914 +RBP: ffff8880a6f3f1d0 R08: ffff88808c9c6080 R09: fffffbfff16be5d1 +R10: fffffbfff16be5d0 R11: 0000000000000003 R12: ffffffff8746591f +R13: ffff88808c9c6080 R14: ffffffff8746591f R15: 0000000000000003 +FS: 00000000011e4880(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: ffffffffff600400 CR3: 00000000a8920000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + trace_hardirqs_off+0x62/0x240 kernel/trace/trace_preemptirq.c:45 + __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline] + _raw_spin_lock_irqsave+0x6f/0xcd kernel/locking/spinlock.c:159 + __wake_up_common_lock+0xc8/0x150 kernel/sched/wait.c:122 + __wake_up+0xe/0x10 kernel/sched/wait.c:142 + netlink_unlock_table net/netlink/af_netlink.c:466 [inline] + netlink_unlock_table net/netlink/af_netlink.c:463 [inline] + netlink_broadcast_filtered+0x705/0xb80 net/netlink/af_netlink.c:1514 + netlink_broadcast+0x3a/0x50 net/netlink/af_netlink.c:1534 + rtnetlink_send+0xdd/0x110 net/core/rtnetlink.c:714 + tcf_add_notify net/sched/act_api.c:1343 [inline] + tcf_action_add+0x243/0x370 net/sched/act_api.c:1362 + tc_ctl_action+0x3b5/0x4bc net/sched/act_api.c:1410 + rtnetlink_rcv_msg+0x463/0xb00 net/core/rtnetlink.c:5386 + netlink_rcv_skb+0x177/0x450 net/netlink/af_netlink.c:2477 + rtnetlink_rcv+0x1d/0x30 net/core/rtnetlink.c:5404 + netlink_unicast_kernel net/netlink/af_netlink.c:1302 [inline] + netlink_unicast+0x531/0x710 net/netlink/af_netlink.c:1328 + netlink_sendmsg+0x8a5/0xd60 net/netlink/af_netlink.c:1917 + sock_sendmsg_nosec net/socket.c:637 [inline] + sock_sendmsg+0xd7/0x130 net/socket.c:657 + ___sys_sendmsg+0x803/0x920 net/socket.c:2311 + __sys_sendmsg+0x105/0x1d0 net/socket.c:2356 + __do_sys_sendmsg net/socket.c:2365 [inline] + __se_sys_sendmsg net/socket.c:2363 [inline] + __x64_sys_sendmsg+0x78/0xb0 net/socket.c:2363 + do_syscall_64+0xfa/0x760 arch/x86/entry/common.c:290 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x440939 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet <edumazet@google.com> +Reported-by: syzbot+cf0adbb9c28c8866c788@syzkaller.appspotmail.com +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/sched/act_api.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/net/sched/act_api.c ++++ b/net/sched/act_api.c +@@ -927,10 +927,15 @@ static int + tcf_action_add(struct net *net, struct nlattr *nla, struct nlmsghdr *n, + u32 portid, int ovr) + { +- int ret = 0; ++ int loop, ret; + LIST_HEAD(actions); + +- ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions); ++ for (loop = 0; loop < 10; loop++) { ++ ret = tcf_action_init(net, nla, NULL, NULL, ovr, 0, &actions); ++ if (ret != -EAGAIN) ++ break; ++ } ++ + if (ret) + goto done; + +@@ -973,10 +978,7 @@ static int tc_ctl_action(struct sk_buff + */ + if (n->nlmsg_flags & NLM_F_REPLACE) + ovr = 1; +-replay: + ret = tcf_action_add(net, tca[TCA_ACT_TAB], n, portid, ovr); +- if (ret == -EAGAIN) +- goto replay; + break; + case RTM_DELACTION: + ret = tca_action_gd(net, tca[TCA_ACT_TAB], n, diff --git a/sctp-change-sctp_prot-.no_autobind-with-true.patch b/sctp-change-sctp_prot-.no_autobind-with-true.patch new file mode 100644 index 0000000..2414332 --- /dev/null +++ b/sctp-change-sctp_prot-.no_autobind-with-true.patch @@ -0,0 +1,71 @@ +From foo@baz Thu 24 Oct 2019 09:55:34 PM EDT +From: Xin Long <lucien.xin@gmail.com> +Date: Tue, 15 Oct 2019 15:24:38 +0800 +Subject: sctp: change sctp_prot .no_autobind with true + +From: Xin Long <lucien.xin@gmail.com> + +[ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ] + +syzbot reported a memory leak: + + BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64): + backtrace: + + [...] slab_alloc mm/slab.c:3319 [inline] + [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483 + [...] sctp_bucket_create net/sctp/socket.c:8523 [inline] + [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270 + [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402 + [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497 + [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022 + [...] sctp_setsockopt net/sctp/socket.c:4641 [inline] + [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611 + [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147 + [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084 + [...] __do_sys_setsockopt net/socket.c:2100 [inline] + +It was caused by when sending msgs without binding a port, in the path: +inet_sendmsg() -> inet_send_prepare() -> inet_autobind() -> +.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is +not. Later when binding another port by sctp_setsockopt_bindx(), a new +bucket will be created as bp->port is not set. + +sctp's autobind is supposed to call sctp_autobind() where it does all +things including setting bp->port. Since sctp_autobind() is called in +sctp_sendmsg() if the sk is not yet bound, it should have skipped the +auto bind. + +THis patch is to avoid calling inet_autobind() in inet_send_prepare() +by changing sctp_prot .no_autobind with true, also remove the unused +.get_port. + +Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com +Signed-off-by: Xin Long <lucien.xin@gmail.com> +Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> +--- + net/sctp/socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -7453,7 +7453,7 @@ struct proto sctp_prot = { + .backlog_rcv = sctp_backlog_rcv, + .hash = sctp_hash, + .unhash = sctp_unhash, +- .get_port = sctp_get_port, ++ .no_autobind = true, + .obj_size = sizeof(struct sctp_sock), + .sysctl_mem = sysctl_sctp_mem, + .sysctl_rmem = sysctl_sctp_rmem, +@@ -7492,7 +7492,7 @@ struct proto sctpv6_prot = { + .backlog_rcv = sctp_backlog_rcv, + .hash = sctp_hash, + .unhash = sctp_unhash, +- .get_port = sctp_get_port, ++ .no_autobind = true, + .obj_size = sizeof(struct sctp6_sock), + .sysctl_mem = sysctl_sctp_mem, + .sysctl_rmem = sysctl_sctp_rmem, @@ -0,0 +1,2 @@ +sctp-change-sctp_prot-.no_autobind-with-true.patch +net-avoid-potential-infinite-loop-in-tc_ctl_action.patch |