sync some patches from upstream community

2022-04-26 11:13:32 +08:00 · 2022-04-26 11:13:32 +08:00 · ab6495878f
commit ab6495878f
parent be4d6c9479
4 changed files with 258 additions and 2 deletions
--- a/backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
+++ b/backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
@ -0,0 +1,96 @@
+From 4646703f6d8eb46355752ec033945405ca482d4e Mon Sep 17 00:00:00 2001
+From: Ralf Baechle <ralf@linux-mips.org>
+Date: Tue, 7 Feb 2017 22:10:51 +0100
+Subject: [PATCH] arping: Fix ARP protocol field for AX.25 and NETROM
+
+Conflict:NA
+Reference:https://github.com/iputils/iputils/commit/4646703f6d8eb46355752ec033945405ca482d4e.patch
+
+AX.25 and NETROM differ from other, more ethernet-like protocols in that
+they are not using a DIX protocol number but the AX.25 PID.  The arping code
+doesn't handle this special case resulting in invalid ARP packets being sent.
+
+The interface bpq0 is an AX.25-over-ethernet interface.  Without this
+fix:
+
+ # arping -c 1 -I bpq0 172.20.1.3
+ ARPING 172.20.1.3 from 172.20.1.2 bpq0
+ Sent 1 probes (1 broadcast(s))
+ Received 0 response(s)
+
+With this fix:
+
+ # arping -c 1 -I bpq0 172.20.1.3
+ ARPING 172.20.1.3 from 172.20.1.2 bpq0
+ Unicast reply from 172.20.1.3 [88:98:60:A0:92:40:02]  1.402ms
+ Sent 1 probes (1 broadcast(s))
+ Received 1 response(s)
+
+Closes: https://github.com/iputils/iputils/pull/360
+
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+[ pvorel: add new lines for readability ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+---
+ arping.c | 32 +++++++++++++++++++++++++++++---
+ 1 file changed, 29 insertions(+), 3 deletions(-)
+
+diff --git a/arping.c b/arping.c
+index 53fdbb48..5df6d9f0 100644
+--- a/arping.c
+++ b/arping.c
+@@ -37,6 +37,14 @@
+ 
+ #include "iputils_common.h"
+ 
+/*
+ * As of July 2021 AX.25 PID values are not currently defined in any
+ * userspace headers.
+ */
+#ifndef AX25_P_IP
+# define AX25_P_IP		0xcc	/* ARPA Internet Protocol     */
+#endif
+
+ #ifdef DEFAULT_DEVICE
+ # define DEFAULT_DEVICE_STR	DEFAULT_DEVICE
+ #else
+@@ -248,7 +256,17 @@ static int send_pack(struct run_state *ctl)
+ 	ah->ar_hrd = htons(ME->sll_hatype);
+ 	if (ah->ar_hrd == htons(ARPHRD_FDDI))
+ 		ah->ar_hrd = htons(ARPHRD_ETHER);
+-	ah->ar_pro = htons(ETH_P_IP);
+
+	/*
+	 * Exceptions everywhere. AX.25 uses the AX.25 PID value not the
+	 * DIX code for the protocol. Make these device structure fields.
+	 */
+	if (ah->ar_hrd == htons(ARPHRD_AX25) ||
+	    ah->ar_hrd == htons(ARPHRD_NETROM))
+		ah->ar_pro = htons(AX25_P_IP);
+	else
+		ah->ar_pro = htons(ETH_P_IP);
+
+ 	ah->ar_hln = ME->sll_halen;
+ 	ah->ar_pln = 4;
+ 	ah->ar_op  = ctl->advert ? htons(ARPOP_REPLY) : htons(ARPOP_REQUEST);
+@@ -341,9 +359,17 @@ static int recv_pack(struct run_state *ctl, unsigned char *buf, ssize_t len,
+ 	    (FROM->sll_hatype != ARPHRD_FDDI || ah->ar_hrd != htons(ARPHRD_ETHER)))
+ 		return 0;
+ 
+-	/* Protocol must be IP. */
+-	if (ah->ar_pro != htons(ETH_P_IP))
+	/*
+	 * Protocol must be IP - but exceptions everywhere. AX.25 and NETROM
+	 * use the AX.25 PID value not the DIX code for the protocol.
+	 */
+	if (ah->ar_hrd == htons(ARPHRD_AX25) ||
+	    ah->ar_hrd == htons(ARPHRD_NETROM)) {
+		if (ah->ar_pro != htons(AX25_P_IP))
+			return 0;
+	} else if (ah->ar_pro != htons(ETH_P_IP))
+ 		return 0;
+
+ 	if (ah->ar_pln != 4)
+ 		return 0;
+ 	if (ah->ar_hln != ((struct sockaddr_ll *)&ctl->me)->sll_halen)
--- a/backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
+++ b/backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
@ -0,0 +1,95 @@
+From 7c65999f98bc4a1984594b7fad1af0eaf0b9d34b Mon Sep 17 00:00:00 2001
+From: Lahav Schlesinger <lschlesinger@drivenets.com>
+Date: Wed, 30 Jun 2021 13:06:13 +0300
+Subject: [PATCH] ping: Fix ping6 binding to VRF and address
+
+Since Linux kernel commit 1893ff20275b ("net/ipv6: Add l3mdev check to
+ipv6_chk_addr_and_flags") from v4.17-rc1 ping fails when trying to
+create IPv6 SOCK_RAW socket (e.g. if net.ipv4.ping_group_range = 1 0)
+and passing both -I <vrf_interface> and -I <local_ipv6_addr>.
+It works for IPv4 SOCK_RAW socket.
+
+    # ip netns add tmp_ns
+    # ip -n tmp_ns link add vrf_1 type vrf table 10001
+    # ip -n tmp_ns link add lo10 type dummy
+    # ip -n tmp_ns link set lo10 master vrf_1
+    # ip -n tmp_ns link set vrf_1 up
+    # ip -n tmp_ns link set lo10 up
+    # ip -n tmp_ns link set lo up
+    # ip -n tmp_ns addr add 1:2::3:4/128 dev lo10
+    # ip -n tmp_ns addr add 1.2.3.4/32 dev lo10
+
+    # ip netns exec tmp_ns ping -6 1:2::3:4 -I vrf_1 -I 1:2::3:4 -c 1 # IPv6 broken
+    ping: bind icmp socket: Cannot assign requested address
+
+    # ping  1.2.3.4 -I vrf_1 -I 1.2.3.4 -c 1 # IPv4 working
+    PING 1.2.3.4 (1.2.3.4) from 1.2.3.4 vrf_1: 56(84) bytes of data.
+    64 bytes from 1.2.3.4: icmp_seq=1 ttl=64 time=0.090 ms
+
+    --- 1.2.3.4 ping statistics ---
+    1 packets transmitted, 1 received, 0% packet loss, time 0ms
+    rtt min/avg/max/mdev = 0.090/0.090/0.090/0.000 ms
+
+ping fails because it doesn't actually bind to the VRF interface, while
+after 1893ff20275b, binding to an IPv6 address searches only on the same
+l3mdev as the device the function receives. If the socket wasn't
+SO_BINDTODEVICE-ed, then the kernel will only search for devices that
+are not ensalved to an l3mdev device (= in the default VRF), which will
+cause the bind() to fail.
+
+Only SOCK_RAW socket is affected. SOCK_DGRAM is not affected because
+Linux kernel doesn't check the device the socket was SO_BINDTODEVICE-ed
+to, but only the device from addr->sin6_scope_id (which if none is
+passed, it will again only search devices in the default VRF).
+
+NOTE: creating network namespace to reproduce the issue is needed just
+on systems with net.ipv4.ping_group_range = 0 2147483647 (e.g. current
+Fedora, openSUSE, Ubuntu), which causes to use SOCK_DGRAM socket.
+Alternatively to force SOCK_RAW to it'd be enough just to properly set
+net.ipv4.ping_group_range:
+
+    # echo "1 0" > /proc/sys/net/ipv4/ping_group_range
+
+Closes: https://github.com/iputils/iputils/pull/344
+
+Reviewed-by: Petr Vorel <pvorel@suse.cz>
+Signed-off-by: Lahav Schlesinger <lschlesinger@drivenets.com>
+[ pvorel: adjusted commit message ]
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+
+Conflict:NA
+Reference: https://github.com/iputils/iputils/commit/7c65999f98bc4a1984594b7fad1af0eaf0b9d34b.patch
+
+---
+ ping/ping6_common.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+diff --git a/ping/ping6_common.c b/ping/ping6_common.c
+index fee11891..f40d279d 100644
+--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
+@@ -224,6 +224,8 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
+ 	if (rts->device) {
+ 		struct cmsghdr *cmsg;
+ 		struct in6_pktinfo *ipi;
+		int rc;
+		int errno_save;
+ 
+ 		cmsg = (struct cmsghdr *)(rts->cmsgbuf + rts->cmsglen);
+ 		rts->cmsglen += CMSG_SPACE(sizeof(*ipi));
+@@ -234,6 +236,15 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
+ 		ipi = (struct in6_pktinfo *)CMSG_DATA(cmsg);
+ 		memset(ipi, 0, sizeof(*ipi));
+ 		ipi->ipi6_ifindex = if_name2index(rts->device);
+
+		enable_capability_raw();
+		rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+				rts->device, strlen(rts->device) + 1);
+		errno_save = errno;
+		disable_capability_raw();
+
+		if (rc == -1)
+			error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
+ 	}
+ 
+ 	if (IN6_IS_ADDR_MULTICAST(&rts->whereto6.sin6_addr)) {
--- a/backport-ping6-Avoid-binding-to-non-VRF.patch
+++ b/backport-ping6-Avoid-binding-to-non-VRF.patch
@ -0,0 +1,54 @@
+From f52b582248f1f870e870a9973621805d969906b4 Mon Sep 17 00:00:00 2001
+From: Petr Vorel <pvorel@suse.cz>
+Date: Tue, 9 Nov 2021 02:39:56 +0100
+Subject: [PATCH] ping6: Avoid binding to non-VRF
+
+This fixes permission issue when specifying just address (without VRF)
+unless having CAP_NET_ADMIN (i.e. root) permission:
+
+    $ ./builddir/ping/ping -c1 -I lo ::1
+    ./builddir/ping/ping: SO_BINDTODEVICE lo: Operation not permitted
+
+because setsockopt() SO_BINDTODEVICE (similar to bind()) can be only done on
+opt_strictsource.
+
+Fixes: 7c65999 ("ping: Fix ping6 binding to VRF and address")
+
+Signed-off-by: Petr Vorel <pvorel@suse.cz>
+
+Conflict:NA
+Reference: https://github.com/iputils/iputils/commit/f52b582248f1f870e870a9973621805d969906b4.patch
+
+---
+ ping/ping6_common.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+diff --git a/ping/ping6_common.c b/ping/ping6_common.c
+index f40d279d..7a43ef6a 100644
+--- a/ping/ping6_common.c
+++ b/ping/ping6_common.c
+@@ -237,14 +237,16 @@ int ping6_run(struct ping_rts *rts, int argc, char **argv, struct addrinfo *ai,
+ 		memset(ipi, 0, sizeof(*ipi));
+ 		ipi->ipi6_ifindex = if_name2index(rts->device);
+ 
+-		enable_capability_raw();
+-		rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+-				rts->device, strlen(rts->device) + 1);
+-		errno_save = errno;
+-		disable_capability_raw();
+-
+-		if (rc == -1)
+-			error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
+		if (rts->opt_strictsource) {
+			enable_capability_raw();
+			rc = setsockopt(sock->fd, SOL_SOCKET, SO_BINDTODEVICE,
+					rts->device, strlen(rts->device) + 1);
+			errno_save = errno;
+			disable_capability_raw();
+
+			if (rc == -1)
+				error(2, errno_save, "SO_BINDTODEVICE %s", rts->device);
+		}
+ 	}
+ 
+ 	if (IN6_IS_ADDR_MULTICAST(&rts->whereto6.sin6_addr)) {
--- a/iputils.spec
+++ b/iputils.spec
@ -1,6 +1,6 @@
 Name:            iputils
 Version:         20210722
-Release:         2
+Release:         3
 Summary:         Network monitoring tools including ping
 License:         BSD and GPLv2+
 URL:             https://github.com/iputils/iputils
@ -16,6 +16,9 @@ Patch0000:       iputils-ifenslave.patch
 Patch0001:       iputils-ifenslave-CWE-170.patch
 Patch0002:       backport-arping-exit-0-if-running-in-deadline-mode-and-we-see-replies.patch
 Patch0003:       backport-arping-fix-typo-in-error-checking.patch
+Patch0004:       backport-fix-ARP-protocol-field-for-AX.25-and-NETROM.patch
+Patch0005:       backport-ping-Fix-ping6-binding-to-VRF-and-address.patch
+Patch0006:       backport-ping6-Avoid-binding-to-non-VRF.patch

 BuildRequires:   gcc meson libidn2-devel openssl-devel libcap-devel libxslt
 BuildRequires:   docbook5-style-xsl systemd iproute glibc-kernheaders gettext
@ -114,6 +117,14 @@ install -cp ifenslave.8 ${RPM_BUILD_ROOT}%{_mandir}/man8/
 %{_unitdir}/ninfod.service

 %changelog
+* Tue Apr 26 2022 zengweifeng <zwfeng@huawei.com> - 20210722-3
+- Type:bugfix
+- ID:NA
+- SUG:NA
+- DESC: fix ping2 bingding to VRF and address
+        Avoid binding to non-VRF
+        Fix ARP protocol field for AX.25 and NETROM
+
 * Fri Feb 18 2021 xinghe <xinghe2@h-partners.com> - 20210722-2
 - Type:bugfix
 - ID:NA