diff --git a/backport-libnetlink-Fix-memory-leak-in-__rtnl_talk_iov.patch b/backport-libnetlink-Fix-memory-leak-in-__rtnl_talk_iov.patch
new file mode 100644
index 0000000..9108f13
--- /dev/null
+++ b/backport-libnetlink-Fix-memory-leak-in-__rtnl_talk_iov.patch
@@ -0,0 +1,86 @@
+From 0faec4d050b607f7544b6cf9a4c2d57e191f981f Mon Sep 17 00:00:00 2001
+From: Lahav Schlesinger
+Date: Mon, 5 Dec 2022 10:47:41 +0200
+Subject: [PATCH] libnetlink: Fix memory leak in __rtnl_talk_iov()
+
+If `__rtnl_talk_iov` fails then callers are not expected to free `answer`.
+
+Currently if `NLMSG_ERROR` was received with an error then the netlink
+buffer was stored in `answer`, while still returning an error
+
+This leak can be observed by running this snippet over time.
+This triggers an `NLMSG_ERROR` because for each neighbour update, `ip`
+will try to query for the name of interface 9999 in the wrong netns.
+(which in itself is a separate bug)
+
+ set -e
+
+ ip netns del test-a || true
+ ip netns add test-a
+ ip netns del test-b || true
+ ip netns add test-b
+
+ ip -n test-a netns set test-b auto
+ ip -n test-a link add veth_a index 9999 type veth \
+ peer name veth_b netns test-b
+ ip -n test-b link set veth_b up
+
+ ip -n test-a monitor link address prefix neigh nsid label all-nsid \
+ > /dev/null &
+ monitor_pid=$!
+ clean() {
+ kill $monitor_pid
+ ip netns del test-a
+ ip netns del test-b
+ }
+ trap clean EXIT
+
+ while true; do
+ ip -n test-b neigh add dev veth_b 1.2.3.4 lladdr AA:AA:AA:AA:AA:AA
+ ip -n test-b neigh del dev veth_b 1.2.3.4
+ done
+
+
+Conflict:NA
+Reference:https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=0faec4d050b607f7544b6cf9a4c2d57e191f981f
+
+Fixes: 55870dfe7f8b ("Improve batch and dump times by caching link lookups")
+Signed-off-by: Lahav Schlesinger
+Signed-off-by: Gilad Naaman
+Signed-off-by: Stephen Hemminger
+---
+ lib/libnetlink.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/lib/libnetlink.c b/lib/libnetlink.c
+index 9af06232..001efc1d 100644
+--- a/lib/libnetlink.c
++++ b/lib/libnetlink.c
+@@ -1092,14 +1092,19 @@ next:
+ rtnl_talk_error(h, err, errfn);
+ }
+
+- if (answer)
+- *answer = (struct nlmsghdr *)buf;
+- else
++ if (i < iovlen) {
+ free(buf);
+-
+- if (i < iovlen)
+ goto next;
+- return error ? -i : 0;
++ }
++
++ if (error) {
++ free(buf);
++ return -i;
++ }
++
++ if (answer)
++ *answer = (struct nlmsghdr *)buf;
++ return 0;
+ }
+
+ if (answer) {
+--
+2.23.0
diff --git a/backport-tc-ct-Fix-invalid-pointer-dereference.patch b/backport-tc-ct-Fix-invalid-pointer-dereference.patch
new file mode 100644
index 0000000..818d741
--- /dev/null
+++ b/backport-tc-ct-Fix-invalid-pointer-dereference.patch
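Review bot: In the lib/libnetlink.c hunk of the __rtnl_talk_iov backport, the success path now leaks `buf` when the caller passes `answer == NULL`. The removed code freed the buffer in the `else` of `if (answer)`, but the new tail only assigns `*answer` and then returns 0. The two early exits added above it (`i < iovlen` and `error`) both free the buffer, so only this last branch is unbalanced. It should read `if (answer) *answer = (struct nlmsghdr *)buf; else free(buf);` before `return 0;`. The enclosing loop and function start and end outside the hunk.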
@@ -0,0 +1,35 @@
+From 4de59102f49ff9128378568cf967d6c7aabea6f2 Mon Sep 17 00:00:00 2001
+From: Roi Dayan
+Date: Wed, 7 Dec 2022 10:22:13 +0200
+Subject: [PATCH] tc: ct: Fix invalid pointer dereference
+
+Using macro NEXT_ARG_FWD does not validate argc.
+Use macro NEXT_ARG which validates argc while parsing args
+in the same loop iteration.
+
+Conflict:NA
+Reference:https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=4de59102f49ff9128378568cf967d6c7aabea6f2
+
+Fixes: c8a494314c40 ("tc: Introduce tc ct action")
+Signed-off-by: Roi Dayan
+Reviewed-by: Paul Blakey
+Signed-off-by: Stephen Hemminger
+---
+ tc/m_ct.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tc/m_ct.c b/tc/m_ct.c
+index a02bf0cc..54d64867 100644
+--- a/tc/m_ct.c
++++ b/tc/m_ct.c
+@@ -243,7 +243,7 @@ parse_ct(struct action_util *a, int *argc_p, char ***argv_p, int tca_id,
+ return -1;
+ }
+
+- NEXT_ARG_FWD();
++ NEXT_ARG();
+ if (matches(*argv, "port") != 0)
+ continue;
+
+--
+2.23.0
diff --git a/backport-tc_util-Change-datatype-for-maj-to-avoid-overflow-issue.patch b/backport-tc_util-Change-datatype-for-maj-to-avoid-overflow-issue.patch
new file mode 100644
index 0000000..dc41e63
--- /dev/null
+++ b/backport-tc_util-Change-datatype-for-maj-to-avoid-overflow-issue.patch
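Review bot: Replacing `NEXT_ARG_FWD()` with `NEXT_ARG()` in the tc/m_ct.c hunk makes running out of arguments a hard failure, yet the next two lines (`if (matches(*argv, "port") != 0) continue;`) treat `port` as optional. If the argument parsed just above can legitimately be the last one on the command line, that invocation would presumably now stop with an incomplete-command error instead of being accepted. Keeping the forward step and guarding the dereference avoids both the out-of-range `*argv` read and that behaviour change: `NEXT_ARG_FWD();` followed by `if (argc <= 0 || matches(*argv, "port") != 0) continue;`. The surrounding loop is outside the hunk, so check where the `continue` lands before adopting this.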
@@ -0,0 +1,33 @@
+From 455fa8295298a68a2dedabf9dd4c1dbf847b128b Mon Sep 17 00:00:00 2001
+From: Lai Peter Jun Ann
+Date: Mon, 21 Nov 2022 10:29:09 +0800
+Subject: [PATCH] tc_util: Change datatype for maj to avoid overflow issue
+
+The return value by stroul() is unsigned long int. Hence the datatype
+for maj should defined as unsigned long to avoid overflow issue.
+
+Conflict:NA
+Reference:https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=455fa8295298a68a2dedabf9dd4c1dbf847b128b
+
+Signed-off-by: Muhammad Husaini Zulkifli
+Signed-off-by: Lai Peter Jun Ann
+Signed-off-by: Stephen Hemminger
+---
+ tc/tc_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tc/tc_util.c b/tc/tc_util.c
+index 334334db..8cd3c035 100644
+--- a/tc/tc_util.c
++++ b/tc/tc_util.c
+@@ -74,7 +74,7 @@ const char *get_tc_lib(void)
+
+ int get_qdisc_handle(__u32 *h, const char *str)
+ {
+- __u32 maj;
++ unsigned long maj;
+ char *p;
+
+ maj = TC_H_UNSPEC;
+--
+2.23.0
diff --git a/backport-tc_util-Fix-no-error-return-when-large-parent-id-used.patch b/backport-tc_util-Fix-no-error-return-when-large-parent-id-used.patch
new file mode 100644
index 0000000..cd95f83
--- /dev/null
+++ b/backport-tc_util-Fix-no-error-return-when-large-parent-id-used.patch
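Review bot: The widened locals in tc/tc_util.c (`maj` in get_qdisc_handle here, and `maj, min` in get_tc_classid in the following patch) have no comment explaining why they are wider than the `__u32` the functions write out. A later cleanup could narrow them again and bring back silent truncation of the strtoul() result. Add a one-line comment on each declaration, e.g. `/* unsigned long: keep strtoul()'s full result so the range check sees out-of-range input */`. Both function bodies lie outside the hunks, so the range check itself is not visible here; confirm it rejects anything above the 16-bit limit before the value is stored in `*h`. Where `unsigned long` is 32 bits the type change alone adds no width, so that check is what actually rejects bad input.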
@@ -0,0 +1,35 @@
+From e0ecee3a33af57e01fe5d15f1a436216412f2d96 Mon Sep 17 00:00:00 2001
+From: Lai Peter Jun Ann
+Date: Thu, 17 Nov 2022 13:33:17 +0800
+Subject: [PATCH] tc_util: Fix no error return when large parent id used
+
+This patch is to fix the issue where there is no error return
+when large value of parent ID is being used. The return value by
+stroul() is unsigned long int. Hence the datatype for maj and min
+should defined as unsigned long to avoid overflow issue.
+
+Conflict:NA
+Reference:https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=e0ecee3a33af57e01fe5d15f1a436216412f2d96
+
+Signed-off-by: Muhammad Husaini Zulkifli
+Signed-off-by: Lai Peter Jun Ann
+Signed-off-by: Stephen Hemminger
+---
+ tc/tc_util.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/tc/tc_util.c b/tc/tc_util.c
+index 44137adb..334334db 100644
+--- a/tc/tc_util.c
++++ b/tc/tc_util.c
+@@ -93,7 +93,7 @@ ok:
+
+ int get_tc_classid(__u32 *h, const char *str)
+ {
+- __u32 maj, min;
++ unsigned long maj, min;
+ char *p;
+
+ maj = TC_H_ROOT;
+--
+2.23.0
diff --git a/backport-xfrm-prepare-state-offload-logic-to-set-mode.patch b/backport-xfrm-prepare-state-offload-logic-to-set-mode.patch
new file mode 100644
index 0000000..08143f6
--- /dev/null
+++ b/backport-xfrm-prepare-state-offload-logic-to-set-mode.patch
@@ -0,0 +1,117 @@
+From bdd19b1edec44c00c968950301074734cee54cab Mon Sep 17 00:00:00 2001
+From: Leon Romanovsky
+Date: Mon, 12 Dec 2022 09:54:04 +0200
+Subject: [PATCH] xfrm: prepare state offload logic to set mode
+
+The offload in xfrm state requires to provide device and direction
+in order to activate it. However, in the help section, device and
+direction were displayed as an optional.
+
+As a preparation to addition of packet offload, let's fix the help
+section and refactor the code to be more clear.
+
+Conflict:NA
+Reference:https://git.kernel.org/pub/scm/network/iproute2/iproute2.git/commit?id=bdd19b1edec44c00c968950301074734cee54cab
+
+Signed-off-by: Leon Romanovsky
+Signed-off-by: David Ahern
+---
+ ip/xfrm_state.c | 35 +++++++++++++++++++----------------
+ man/man8/ip-xfrm.8 | 5 +++++
+ 2 files changed, 24 insertions(+), 16 deletions(-)
+
+diff --git a/ip/xfrm_state.c b/ip/xfrm_state.c
+index b2294d9f..6de2d28d 100644
+--- a/ip/xfrm_state.c
++++ b/ip/xfrm_state.c
+@@ -61,7 +61,7 @@ static void usage(void)
+ " [ replay-seq-hi SEQ ] [ replay-oseq-hi SEQ ]\n"
+ " [ flag FLAG-LIST ] [ sel SELECTOR ] [ LIMIT-LIST ] [ encap ENCAP ]\n"
+ " [ coa ADDR[/PLEN] ] [ ctx CTX ] [ extra-flag EXTRA-FLAG-LIST ]\n"
+- " [ offload [dev DEV] dir DIR ]\n"
++ " [ offload dev DEV dir DIR ]\n"
+ " [ output-mark OUTPUT-MARK [ mask MASK ] ]\n"
+ " [ if_id IF_ID ] [ tfcpad LENGTH ]\n"
+ "Usage: ip xfrm state allocspi ID [ mode MODE ] [ mark MARK [ mask MASK ] ]\n"
+@@ -267,7 +267,7 @@ static int xfrm_state_extra_flag_parse(__u32 *extra_flags, int *argcp, char ***a
+ return 0;
+ }
+
+-static int xfrm_offload_dir_parse(__u8 *dir, int *argcp, char ***argvp)
++static bool xfrm_offload_dir_parse(__u8 *dir, int *argcp, char ***argvp)
+ {
+ int argc = *argcp;
+ char **argv = *argvp;
+@@ -277,12 +277,12 @@ static int xfrm_offload_dir_parse(__u8 *dir, int *argcp, char ***argvp)
+ else if (strcmp(*argv, "out") == 0)
+ *dir = 0;
+ else
+- invarg("DIR value is invalid", *argv);
++ return false;
+
+ *argcp = argc;
+ *argvp = argv;
+
+- return 0;
++ return true;
+ }
+
+ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
+@@ -424,24 +424,27 @@ static int xfrm_state_modify(int cmd, unsigned int flags, int argc, char **argv)
+ addattr_l(&req.n, sizeof(req.buf), XFRMA_SEC_CTX,
+ (void *)&ctx, ctx.sctx.len);
+ } else if (strcmp(*argv, "offload") == 0) {
+- is_offload = true;
+ NEXT_ARG();
+ if (strcmp(*argv, "dev") == 0) {
+ NEXT_ARG();
+ ifindex = ll_name_to_index(*argv);
+- if (!ifindex) {
+- invarg("value after \"offload dev\" is invalid", *argv);
+- is_offload = false;
+- }
+- NEXT_ARG();
+- }
++ if (!ifindex)
++ invarg("Invalid device name", *argv);
++ } else
++ invarg("Missing dev keyword", *argv);
++
++ NEXT_ARG();
+ if (strcmp(*argv, "dir") == 0) {
++ bool is_dir;
++
+ NEXT_ARG();
+- xfrm_offload_dir_parse(&dir, &argc, &argv);
+- } else {
+- invarg("value after \"offload dir\" is invalid", *argv);
+- is_offload = false;
+- }
++ is_dir = xfrm_offload_dir_parse(&dir, &argc,
++ &argv);
++ if (!is_dir)
++ invarg("DIR value is invalid", *argv);
++ } else
++ invarg("Missing DIR keyword", *argv);
++ is_offload = true;
+ } else if (strcmp(*argv, "output-mark") == 0) {
+ NEXT_ARG();
+ if (get_u32(&output_mark.v, *argv, 0))
+diff --git a/man/man8/ip-xfrm.8 b/man/man8/ip-xfrm.8
+index bf725cab..4243a023 100644
+--- a/man/man8/ip-xfrm.8
++++ b/man/man8/ip-xfrm.8
+@@ -65,6 +65,11 @@ ip-xfrm \- transform configuration
+ .IR MASK " ] ]"
+ .RB "[ " if_id
+ .IR IF-ID " ]"
++.RB "[ " offload
++.RB dev
++.IR DEV "
++.RB dir
++.IR DIR " ]"
+ .RB "[ " tfcpad
+ .IR LENGTH " ]"
+
+--
+2.23.0
diff --git a/iproute.spec b/iproute.spec
index b5571a5..148553f 100644
--- a/iproute.spec
+++ b/iproute.spec
@@ -2,7 +2,7 @@
 Name: iproute
 Version: 5.15.0
 Epoch: 1
-Release: 16
+Release: 17
 Summary: Linux network configuration utilities
 License: GPLv2+ and Public Domain
 URL: https://kernel.org/pub/linux/utils/net/iproute2/
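Review bot: In the man/man8/ip-xfrm.8 hunk of the xfrm backport, the added line `.IR DEV "` ends with a lone double quote. The neighbouring requests (`.IR IF-ID " ]"`, `.IR DIR " ]"`) always pass a closed quoted argument. As it appears here, the line leaves an unterminated quoted argument and supplies no explicit space before the following `.RB dir`. `.IR DEV " "` would match the pattern used by the rest of the synopsis.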
@@ -43,7 +43,11 @@ Patch6027: backport-rdma-utils-fix-some-analyzer-warnings.patch Patch6028: backport-tc-prio-handle-possible-truncated-kernel-response.patch Patch6029: backport-iproute_lwtunnel-fix-array-boundary-check.patch Patch6030: backport-rt_names-check-for-malloc-failure.patch - +Patch6031: backport-tc_util-Fix-no-error-return-when-large-parent-id-used.patch +Patch6032: backport-tc_util-Change-datatype-for-maj-to-avoid-overflow-issue.patch +Patch6033: backport-tc-ct-Fix-invalid-pointer-dereference.patch +Patch6034: backport-libnetlink-Fix-memory-leak-in-__rtnl_talk_iov.patch +Patch6035: backport-xfrm-prepare-state-offload-logic-to-set-mode.patch Patch9000: feature-iproute-add-support-for-ipvlan-l2e-mode.patch Patch9001: bugfix-iproute2-cancel-some-test-cases.patch @@ -124,6 +128,16 @@ install -m 0644 lib/libnetlink.a %{buildroot}%{_libdir}/libnetlink.a %{_mandir}/* %changelog +* Mon Nov 27 2023 liubo - 1:5.15.0-17 +- Type:bugfix +- ID:NA +- SUG:NA +- DESC:libnetlink: Fix memory leak in __rtnl_talk_iov() + tc: ct: Fix invalid pointer dereference + tc_util: Change datatype for maj to avoid overflow issue + tc_util: Fix no error return when large parent id used + xfrm: prepare state offload logic to set mode + * Mon Nov 27 2023 liubo - 1:5.15.0-16 - Type:bugfix - ID:NA