From patchwork Thu Nov 1 14:29:33 2018
X-Patchwork-Submitter: Frank Heimes
X-Patchwork-Id: 991955
From: Frank Heimes
Date: Thu, 1 Nov 2018 15:29:33 +0100
Subject: [SRU][Cosmic][Bionic][Xenial][PATCH 1/2] net/af_iucv: drop inbound packets with invalid flags
To: kernel-team@lists.ubuntu.com

From: Julian Wiedmann

BugLink: http://bugs.launchpad.net/bugs/1800639

net/af_iucv: drop inbound packets with invalid flags

Inbound packets may have any combination of flag bits set in their iucv header. If we don't know how to handle a specific combination, drop the skb instead of leaking it.

To clarify what error is returned in this case, replace the hard-coded 0 with the corresponding macro.

Signed-off-by: Julian Wiedmann
Signed-off-by: David S. Miller
--- WARN_ONCE(1, "AF_IUCV too short skb, len=%d, min=%d", 
@@ -2254,7 +2254,7 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev, err = afiucv_hs_callback_rx(sk, skb); break; default: - ; + kfree_skb(skb); } return err; diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index a21d8ed..01000c1 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c 
@@ -2155,8 +2155,8 @@ static int afiucv_hs_rcv(struct sk_buff *skb, struct net_device *dev, struct sock *sk; struct iucv_sock *iucv; struct af_iucv_trans_hdr *trans_hdr; + int err = NET_RX_SUCCESS; char nullstring[8]; - int err = 0; if (skb->len < (ETH_HLEN + sizeof(struct af_iucv_trans_hdr))) { 

From patchwork Thu Nov 1 14:31:52 2018
X-Patchwork-Submitter: Frank Heimes
X-Patchwork-Id: 991956
From: Frank Heimes
Date: Thu, 1 Nov 2018 15:31:52 +0100
Subject: [SRU][Cosmic][Bionic][Xenial][PATCH 2/2] net/af_iucv: fix skb handling on HiperTransport xmit error
To: kernel-team@lists.ubuntu.com

From: Julian Wiedmann

BugLink: http://bugs.launchpad.net/bugs/1800639

net/af_iucv: fix skb handling on HiperTransport xmit error

When sending an skb, afiucv_hs_send() bails out on various error conditions. But currently the caller has no way of telling whether the skb was freed or not - resulting in potentially either
a) leaked skbs from iucv_send_ctrl(), or
b) double-free's from iucv_sock_sendmsg().

As dev_queue_xmit() will always consume the skb (even on error), be consistent and also free the skb from all other error paths. This way callers no longer need to care about managing the skb.

Signed-off-by: Julian Wiedmann
Reviewed-by: Ursula Braun
Signed-off-by: David S. Miller
--- err = dev_queue_xmit(skb); if (net_xmit_eval(err)) { @@ -375,6 +383,10 @@ static int afiucv_hs_send(struct iucv_message *imsg, struct sock *sock, WARN_ON(atomic_read(&iucv->msg_recv) < 0); } return net_xmit_eval(err); + +err_free: + kfree_skb(skb); + return err; } static struct sock *__iucv_get_sock_by_name(char *nm) @@ -1167,7 +1179,7 @@ static int iucv_sock_sendmsg(struct socket *sock, struct msghdr *msg, err = afiucv_hs_send(&txmsg, sk, skb, 0); if (err) { atomic_dec(&iucv->msg_sent); - goto fail; + goto out; } } else { /* Classic VM IUCV transport */ skb_queue_tail(&iucv->send_skb_q, skb); diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c index 01000c1..e2f16a0 100644 --- a/net/iucv/af_iucv.c +++ b/net/iucv/af_iucv.c 
@@ -351,20 +351,28 @@ static int afiucv_hs_send(struct iucv_message *imsg, struct sock *sock, memcpy(&phs_hdr->iucv_hdr, imsg, sizeof(struct iucv_message)); skb->dev = iucv->hs_dev; - if (!skb->dev) - return -ENODEV; - if (!(skb->dev->flags & IFF_UP) || !netif_carrier_ok(skb->dev)) - return -ENETDOWN; + if (!skb->dev) { + err = -ENODEV; + goto err_free; + } + if (!(skb->dev->flags & IFF_UP) || !netif_carrier_ok(skb->dev)) { + err = -ENETDOWN; + goto err_free; + } if (skb->len > skb->dev->mtu) { - if (sock->sk_type == SOCK_SEQPACKET) - return -EMSGSIZE; - else - skb_trim(skb, skb->dev->mtu); + if (sock->sk_type == SOCK_SEQPACKET) { + err = -EMSGSIZE; + goto err_free; + } + skb_trim(skb, skb->dev->mtu); } skb->protocol = cpu_to_be16(ETH_P_AF_IUCV); nskb = skb_clone(skb, GFP_ATOMIC); - if (!nskb) - return -ENOMEM; + if (!nskb) { + err = -ENOMEM; + goto err_free; + } + skb_queue_tail(&iucv->send_skb_q, nskb);
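
Review bot: In PATCH 1/2, the new `default:` branch of afiucv_hs_rcv() frees the skb but leaves `err` at its initial NET_RX_SUCCESS, so a packet dropped for an unknown flag combination is reported to the caller exactly like a delivered one. If that is intended, a one-line comment in the `default:` case saying so would help; otherwise set `err = NET_RX_DROP;` next to the `kfree_skb(skb);`. The drop is also silent in the visible lines; a rate-limited debug message or a drop counter there would make traffic with unexpected flags observable.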
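
Review bot: In PATCH 2/2, the `err_free:` label added at the end of afiucv_hs_send() changes the function's contract to "the skb is consumed on success and on every error path", but nothing in the visible lines records that. A comment above afiucv_hs_send() stating that callers must not touch or free the skb after the call would keep the leak and double-free described in the commit message from being reintroduced. The new path also returns the raw `err` while the normal exit returns `net_xmit_eval(err)`; that is fine for the negative errno values assigned before `goto err_free`, and a short remark at the label would make it obvious.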
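
Review bot: In PATCH 2/2, the `goto fail;` to `goto out;` change in iucv_sock_sendmsg() relies on afiucv_hs_send() having already freed the skb, and the call site gives no hint of that. Add a short comment at the `goto out;` (for example "skb already consumed by afiucv_hs_send()") so the jump is not later changed back to `fail`. The commit message also names iucv_send_ctrl() as a caller; the visible hunks do not touch it, so confirm it does no skb cleanup of its own on the error return.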