5.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Jan 2020 11:36:04 +0000 (12:36 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 20 Jan 2020 11:36:04 +0000 (12:36 +0100)
added patches:
batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch
bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch
i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch
net-bpf-don-t-leak-time-wait-and-request-sockets.patch
netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
netfilter-fix-a-use-after-free-in-mtype_destroy.patch
netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch
netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
netfilter-nft_tunnel-erspan_version-must-not-be-null.patch
netfilter-nft_tunnel-fix-null-attribute-check.patch
nfc-pn533-fix-bulk-message-timeout.patch

15 files changed:
queue-5.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch [new file with mode: 0644]
queue-5.4/bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch [new file with mode: 0644]
queue-5.4/bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch [new file with mode: 0644]
queue-5.4/i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch [new file with mode: 0644]
queue-5.4/net-bpf-don-t-leak-time-wait-and-request-sockets.patch [new file with mode: 0644]
queue-5.4/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch [new file with mode: 0644]
queue-5.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch [new file with mode: 0644]
queue-5.4/netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch [new file with mode: 0644]
queue-5.4/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch [new file with mode: 0644]
queue-5.4/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch [new file with mode: 0644]
queue-5.4/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_tunnel-erspan_version-must-not-be-null.patch [new file with mode: 0644]
queue-5.4/netfilter-nft_tunnel-fix-null-attribute-check.patch [new file with mode: 0644]
queue-5.4/nfc-pn533-fix-bulk-message-timeout.patch [new file with mode: 0644]
queue-5.4/series

diff --git a/queue-5.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-5.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
new file mode 100644 (file)
index 0000000..fc12ece
--- /dev/null
@@ -0,0 +1,49 @@
+From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 28 Nov 2019 12:25:45 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, this is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/distributed-arp-table.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -285,6 +285,7 @@ static u32 batadv_hash_dat(const void *d
+       u32 hash = 0;
+       const struct batadv_dat_entry *dat = data;
+       const unsigned char *key;
++      __be16 vid;
+       u32 i;
+       key = (const unsigned char *)&dat->ip;
+@@ -294,7 +295,8 @@ static u32 batadv_hash_dat(const void *d
+               hash ^= (hash >> 6);
+       }
+-      key = (const unsigned char *)&dat->vid;
++      vid = htons(dat->vid);
++      key = (__force const unsigned char *)&vid;
+       for (i = 0; i < sizeof(dat->vid); i++) {
+               hash += key[i];
+               hash += (hash << 10);
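Review bot: The hash loop still takes its bound from `sizeof(dat->vid)` although `key` now points at the local `__be16 vid`, so the bound and the object being read are no longer tied together. Writing `for (i = 0; i < sizeof(vid); i++) {` keeps the read inside the local even if the struct field's type is widened later; the field's declaration is not visible here, so today the two sizes presumably match. batadv_hash_dat() starts and ends outside the hunk.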
diff --git a/queue-5.4/bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch b/queue-5.4/bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch
new file mode 100644 (file)
index 0000000..caba60c
--- /dev/null
@@ -0,0 +1,61 @@
+From e7a5f1f1cd0008e5ad379270a8657e121eedb669 Mon Sep 17 00:00:00 2001
+From: Lingpeng Chen <forrest0579@gmail.com>
+Date: Thu, 9 Jan 2020 09:48:33 +0800
+Subject: bpf/sockmap: Read psock ingress_msg before sk_receive_queue
+
+From: Lingpeng Chen <forrest0579@gmail.com>
+
+commit e7a5f1f1cd0008e5ad379270a8657e121eedb669 upstream.
+
+Right now in tcp_bpf_recvmsg, sock read data first from sk_receive_queue
+if not empty than psock->ingress_msg otherwise. If a FIN packet arrives
+and there's also some data in psock->ingress_msg, the data in
+psock->ingress_msg will be purged. It is always happen when request to a
+HTTP1.0 server like python SimpleHTTPServer since the server send FIN
+packet after data is sent out.
+
+Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
+Reported-by: Arika Chen <eaglesora@gmail.com>
+Suggested-by: Arika Chen <eaglesora@gmail.com>
+Signed-off-by: Lingpeng Chen <forrest0579@gmail.com>
+Signed-off-by: John Fastabend <john.fastabend@gmail.com>
+Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
+Acked-by: Song Liu <songliubraving@fb.com>
+Link: https://lore.kernel.org/bpf/20200109014833.18951-1-forrest0579@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/tcp_bpf.c |   12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/net/ipv4/tcp_bpf.c
++++ b/net/ipv4/tcp_bpf.c
+@@ -121,14 +121,14 @@ int tcp_bpf_recvmsg(struct sock *sk, str
+       struct sk_psock *psock;
+       int copied, ret;
+-      if (unlikely(flags & MSG_ERRQUEUE))
+-              return inet_recv_error(sk, msg, len, addr_len);
+-      if (!skb_queue_empty(&sk->sk_receive_queue))
+-              return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
+-
+       psock = sk_psock_get(sk);
+       if (unlikely(!psock))
+               return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
++      if (unlikely(flags & MSG_ERRQUEUE))
++              return inet_recv_error(sk, msg, len, addr_len);
++      if (!skb_queue_empty(&sk->sk_receive_queue) &&
++          sk_psock_queue_empty(psock))
++              return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
+       lock_sock(sk);
+ msg_bytes_ready:
+       copied = __tcp_bpf_recvmsg(sk, psock, msg, len, flags);
+@@ -139,7 +139,7 @@ msg_bytes_ready:
+               timeo = sock_rcvtimeo(sk, nonblock);
+               data = tcp_bpf_wait_data(sk, psock, flags, timeo, &err);
+               if (data) {
+-                      if (skb_queue_empty(&sk->sk_receive_queue))
++                      if (!sk_psock_queue_empty(psock))
+                               goto msg_bytes_ready;
+                       release_sock(sk);
+                       sk_psock_put(sk, psock);
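Review bot: The two early returns that now sit after `sk_psock_get(sk)`, the `MSG_ERRQUEUE` branch and the `tcp_recvmsg()` fallback taken when the psock queue is empty, leave the function without the `sk_psock_put(sk, psock)` that the later exit path in this hunk performs, so each such call appears to leak a psock reference. Keeping the `MSG_ERRQUEUE` check ahead of `sk_psock_get()` and adding `sk_psock_put(sk, psock);` before the fallback `return tcp_recvmsg(...)` would balance it. This assumes sk_psock_get() takes a reference on success, which its definition outside this page would confirm. tcp_bpf_recvmsg() also continues beyond the hunk.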
diff --git a/queue-5.4/bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch b/queue-5.4/bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch
new file mode 100644 (file)
index 0000000..59499c1
--- /dev/null
@@ -0,0 +1,40 @@
+From 555089fdfc37ad65e0ee9b42ca40c238ff546f83 Mon Sep 17 00:00:00 2001
+From: Martin KaFai Lau <kafai@fb.com>
+Date: Fri, 10 Jan 2020 15:16:44 -0800
+Subject: bpftool: Fix printing incorrect pointer in btf_dump_ptr
+
+From: Martin KaFai Lau <kafai@fb.com>
+
+commit 555089fdfc37ad65e0ee9b42ca40c238ff546f83 upstream.
+
+For plain text output, it incorrectly prints the pointer value
+"void *data".  The "void *data" is actually pointing to memory that
+contains a bpf-map's value.  The intention is to print the content of
+the bpf-map's value instead of printing the pointer pointing to the
+bpf-map's value.
+
+In this case, a member of the bpf-map's value is a pointer type.
+Thus, it should print the "*(void **)data".
+
+Fixes: 22c349e8db89 ("tools: bpftool: fix format strings and arguments for jsonw_printf()")
+Signed-off-by: Martin KaFai Lau <kafai@fb.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Reviewed-by: Quentin Monnet <quentin.monnet@netronome.com>
+Link: https://lore.kernel.org/bpf/20200110231644.3484151-1-kafai@fb.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/bpf/bpftool/btf_dumper.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/tools/bpf/bpftool/btf_dumper.c
++++ b/tools/bpf/bpftool/btf_dumper.c
+@@ -26,7 +26,7 @@ static void btf_dumper_ptr(const void *d
+                          bool is_plain_text)
+ {
+       if (is_plain_text)
+-              jsonw_printf(jw, "%p", data);
++              jsonw_printf(jw, "%p", *(void **)data);
+       else
+               jsonw_printf(jw, "%lu", *(unsigned long *)data);
+ }
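Review bot: The new cast `*(void **)data` drops the `const` that the parameter `const void *data` carries; `*(void * const *)data` reads the same pointer value without discarding the qualifier. A one-line comment such as `/* data points at the stored pointer member, not at the pointee */` would also record why the dereference is needed, since both branches now read through `data`. The function signature begins above the hunk.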
diff --git a/queue-5.4/i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch b/queue-5.4/i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch
new file mode 100644 (file)
index 0000000..d8712f5
--- /dev/null
@@ -0,0 +1,50 @@
+From e64175776d06a8ceebbfd349d7e66a4a46ca39ef Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski <krzk@kernel.org>
+Date: Mon, 13 Jan 2020 18:29:54 +0100
+Subject: i2c: iop3xx: Fix memory leak in probe error path
+
+From: Krzysztof Kozlowski <krzk@kernel.org>
+
+commit e64175776d06a8ceebbfd349d7e66a4a46ca39ef upstream.
+
+When handling devm_gpiod_get_optional() errors, free the memory already
+allocated.  This fixes Smatch warnings:
+
+    drivers/i2c/busses/i2c-iop3xx.c:437 iop3xx_i2c_probe() warn: possible memory leak of 'new_adapter'
+    drivers/i2c/busses/i2c-iop3xx.c:442 iop3xx_i2c_probe() warn: possible memory leak of 'new_adapter'
+
+Fixes: fdb7e884ad61 ("i2c: iop: Use GPIO descriptors")
+Reported-by: kbuild test robot <lkp@intel.com>
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Krzysztof Kozlowski <krzk@kernel.org>
+Signed-off-by: Wolfram Sang <wsa@the-dreams.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/i2c/busses/i2c-iop3xx.c |   12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-iop3xx.c
++++ b/drivers/i2c/busses/i2c-iop3xx.c
+@@ -433,13 +433,17 @@ iop3xx_i2c_probe(struct platform_device
+       adapter_data->gpio_scl = devm_gpiod_get_optional(&pdev->dev,
+                                                        "scl",
+                                                        GPIOD_ASIS);
+-      if (IS_ERR(adapter_data->gpio_scl))
+-              return PTR_ERR(adapter_data->gpio_scl);
++      if (IS_ERR(adapter_data->gpio_scl)) {
++              ret = PTR_ERR(adapter_data->gpio_scl);
++              goto free_both;
++      }
+       adapter_data->gpio_sda = devm_gpiod_get_optional(&pdev->dev,
+                                                        "sda",
+                                                        GPIOD_ASIS);
+-      if (IS_ERR(adapter_data->gpio_sda))
+-              return PTR_ERR(adapter_data->gpio_sda);
++      if (IS_ERR(adapter_data->gpio_sda)) {
++              ret = PTR_ERR(adapter_data->gpio_sda);
++              goto free_both;
++      }
+       res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+       if (!res) {
diff --git a/queue-5.4/net-bpf-don-t-leak-time-wait-and-request-sockets.patch b/queue-5.4/net-bpf-don-t-leak-time-wait-and-request-sockets.patch
new file mode 100644 (file)
index 0000000..7642b35
--- /dev/null
@@ -0,0 +1,73 @@
+From 2e012c74823629d9db27963c79caa3f5b2010746 Mon Sep 17 00:00:00 2001
+From: Lorenz Bauer <lmb@cloudflare.com>
+Date: Fri, 10 Jan 2020 13:23:36 +0000
+Subject: net: bpf: Don't leak time wait and request sockets
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Lorenz Bauer <lmb@cloudflare.com>
+
+commit 2e012c74823629d9db27963c79caa3f5b2010746 upstream.
+
+It's possible to leak time wait and request sockets via the following
+BPF pseudo code:
+  sk = bpf_skc_lookup_tcp(...)
+  if (sk)
+    bpf_sk_release(sk)
+
+If sk->sk_state is TCP_NEW_SYN_RECV or TCP_TIME_WAIT the refcount taken
+by bpf_skc_lookup_tcp is not undone by bpf_sk_release. This is because
+sk_flags is re-used for other data in both kinds of sockets. The check
+
+  !sock_flag(sk, SOCK_RCU_FREE)
+
+therefore returns a bogus result. Check that sk_flags is valid by calling
+sk_fullsock. Skip checking SOCK_RCU_FREE if we already know that sk is
+not a full socket.
+
+Fixes: edbf8c01de5a ("bpf: add skc_lookup_tcp helper")
+Fixes: f7355a6c0497 ("bpf: Check sk_fullsock() before returning from bpf_sk_lookup()")
+Signed-off-by: Lorenz Bauer <lmb@cloudflare.com>
+Signed-off-by: Alexei Starovoitov <ast@kernel.org>
+Acked-by: Martin KaFai Lau <kafai@fb.com>
+Link: https://lore.kernel.org/bpf/20200110132336.26099-1-lmb@cloudflare.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/filter.c |    9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/core/filter.c
++++ b/net/core/filter.c
+@@ -5306,8 +5306,7 @@ __bpf_sk_lookup(struct sk_buff *skb, str
+       if (sk) {
+               sk = sk_to_full_sk(sk);
+               if (!sk_fullsock(sk)) {
+-                      if (!sock_flag(sk, SOCK_RCU_FREE))
+-                              sock_gen_put(sk);
++                      sock_gen_put(sk);
+                       return NULL;
+               }
+       }
+@@ -5344,8 +5343,7 @@ bpf_sk_lookup(struct sk_buff *skb, struc
+       if (sk) {
+               sk = sk_to_full_sk(sk);
+               if (!sk_fullsock(sk)) {
+-                      if (!sock_flag(sk, SOCK_RCU_FREE))
+-                              sock_gen_put(sk);
++                      sock_gen_put(sk);
+                       return NULL;
+               }
+       }
+@@ -5412,7 +5410,8 @@ static const struct bpf_func_proto bpf_s
+ BPF_CALL_1(bpf_sk_release, struct sock *, sk)
+ {
+-      if (!sock_flag(sk, SOCK_RCU_FREE))
++      /* Only full sockets have sk->sk_flags. */
++      if (!sk_fullsock(sk) || !sock_flag(sk, SOCK_RCU_FREE))
+               sock_gen_put(sk);
+       return 0;
+ }
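Review bot: In both lookup paths `sk = sk_to_full_sk(sk);` overwrites the only pointer to the socket the lookup took its reference on, and the `sock_gen_put(sk)` in the branch below it runs only when the result is not a full socket. If sk_to_full_sk() can hand back a different socket than it was given (presumably a request socket's listener, to be confirmed against its definition), that branch is skipped and the reference on the original socket is never dropped. Keeping the result in a second local and releasing the original when they differ, `if (sk2 != sk) sock_gen_put(sk);`, would close that path; whether the substituted socket then needs its own reference has to be decided against code outside these hunks. Both lookup functions start and end outside the hunk.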
diff --git a/queue-5.4/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch b/queue-5.4/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
new file mode 100644 (file)
index 0000000..aa3fe6f
--- /dev/null
@@ -0,0 +1,124 @@
+From 212e7f56605ef9688d0846db60c6c6ec06544095 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 11 Jan 2020 23:19:53 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.
+
+An earlier commit (1b789577f655060d98d20e,
+"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
+fixed missing net initialization for arptables, but turns out it was
+incomplete.  We can get a very similar struct net NULL deref during
+error unwinding:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
+ xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
+ cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
+ translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
+ do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
+ do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461
+
+Also init the netns pointer in xt_tgdtor_param struct.
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/arp_tables.c |   19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -496,12 +496,13 @@ static inline int check_entry_size_and_h
+       return 0;
+ }
+-static inline void cleanup_entry(struct arpt_entry *e)
++static void cleanup_entry(struct arpt_entry *e, struct net *net)
+ {
+       struct xt_tgdtor_param par;
+       struct xt_entry_target *t;
+       t = arpt_get_target(e);
++      par.net      = net;
+       par.target   = t->u.kernel.target;
+       par.targinfo = t->data;
+       par.family   = NFPROTO_ARP;
+@@ -584,7 +585,7 @@ static int translate_table(struct net *n
+               xt_entry_foreach(iter, entry0, newinfo->size) {
+                       if (i-- == 0)
+                               break;
+-                      cleanup_entry(iter);
++                      cleanup_entry(iter, net);
+               }
+               return ret;
+       }
+@@ -927,7 +928,7 @@ static int __do_replace(struct net *net,
+       /* Decrease module usage counts and free resource */
+       loc_cpu_old_entry = oldinfo->entries;
+       xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+-              cleanup_entry(iter);
++              cleanup_entry(iter, net);
+       xt_free_table_info(oldinfo);
+       if (copy_to_user(counters_ptr, counters,
+@@ -990,7 +991,7 @@ static int do_replace(struct net *net, c
+  free_newinfo_untrans:
+       xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+-              cleanup_entry(iter);
++              cleanup_entry(iter, net);
+  free_newinfo:
+       xt_free_table_info(newinfo);
+       return ret;
+@@ -1287,7 +1288,7 @@ static int compat_do_replace(struct net
+  free_newinfo_untrans:
+       xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+-              cleanup_entry(iter);
++              cleanup_entry(iter, net);
+  free_newinfo:
+       xt_free_table_info(newinfo);
+       return ret;
+@@ -1514,7 +1515,7 @@ static int do_arpt_get_ctl(struct sock *
+       return ret;
+ }
+-static void __arpt_unregister_table(struct xt_table *table)
++static void __arpt_unregister_table(struct net *net, struct xt_table *table)
+ {
+       struct xt_table_info *private;
+       void *loc_cpu_entry;
+@@ -1526,7 +1527,7 @@ static void __arpt_unregister_table(stru
+       /* Decrease module usage counts and free resources */
+       loc_cpu_entry = private->entries;
+       xt_entry_foreach(iter, loc_cpu_entry, private->size)
+-              cleanup_entry(iter);
++              cleanup_entry(iter, net);
+       if (private->number > private->initial_entries)
+               module_put(table_owner);
+       xt_free_table_info(private);
+@@ -1566,7 +1567,7 @@ int arpt_register_table(struct net *net,
+       ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
+       if (ret != 0) {
+-              __arpt_unregister_table(new_table);
++              __arpt_unregister_table(net, new_table);
+               *res = NULL;
+       }
+@@ -1581,7 +1582,7 @@ void arpt_unregister_table(struct net *n
+                          const struct nf_hook_ops *ops)
+ {
+       nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+-      __arpt_unregister_table(table);
++      __arpt_unregister_table(net, table);
+ }
+ /* The built-in targets: standard (NULL) and error. */
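Review bot: `struct xt_tgdtor_param par;` in cleanup_entry() is still declared uninitialised and filled member by member, which is the pattern that let `par.net` go unset in the first place. Initialising at the declaration, `struct xt_tgdtor_param par = { .net = net, .family = NFPROTO_ARP };`, and then assigning `target` and `targinfo` zeroes any member not named, so a field added to the struct later reaches the destructor as a deterministic zero instead of stack contents. The rest of cleanup_entry() lies outside the hunk.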
diff --git a/queue-5.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-5.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
new file mode 100644 (file)
index 0000000..2831a3f
--- /dev/null
@@ -0,0 +1,36 @@
+From c120959387efa51479056fd01dc90adfba7a590c Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -60,9 +60,9 @@ mtype_destroy(struct ip_set *set)
+       if (SET_WITH_TIMEOUT(set))
+               del_timer_sync(&map->gc);
+-      ip_set_free(map->members);
+       if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+               mtype_ext_cleanup(set);
++      ip_set_free(map->members);
+       ip_set_free(map);
+       set->data = NULL;
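Review bot: The ordering in mtype_destroy() is now load-bearing but nothing in the code says so, so a later tidy-up could group the two `ip_set_free()` calls again. A comment above the cleanup call, e.g. `/* mtype_ext_cleanup() still reads map->members; free it only afterwards */`, would record the constraint the commit message describes. The function begins before the hunk.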
diff --git a/queue-5.4/netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch b/queue-5.4/netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch
new file mode 100644 (file)
index 0000000..504e548
--- /dev/null
@@ -0,0 +1,56 @@
+From 61177e911dad660df86a4553eb01c95ece2f6a82 Mon Sep 17 00:00:00 2001
+From: Eyal Birger <eyal.birger@gmail.com>
+Date: Tue, 14 Jan 2020 10:03:50 +0200
+Subject: netfilter: nat: fix ICMP header corruption on ICMP errors
+
+From: Eyal Birger <eyal.birger@gmail.com>
+
+commit 61177e911dad660df86a4553eb01c95ece2f6a82 upstream.
+
+Commit 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
+made nf_nat_icmp_reply_translation() use icmp_manip_pkt() as the l4
+manipulation function for the outer packet on ICMP errors.
+
+However, icmp_manip_pkt() assumes the packet has an 'id' field which
+is not correct for all types of ICMP messages.
+
+This is not correct for ICMP error packets, and leads to bogus bytes
+being written the ICMP header, which can be wrongfully regarded as
+'length' bytes by RFC 4884 compliant receivers.
+
+Fix by assigning the 'id' field only for ICMP messages that have this
+semantic.
+
+Reported-by: Shmulik Ladkani <shmulik.ladkani@gmail.com>
+Fixes: 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
+Signed-off-by: Eyal Birger <eyal.birger@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_nat_proto.c |   13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -233,6 +233,19 @@ icmp_manip_pkt(struct sk_buff *skb,
+               return false;
+       hdr = (struct icmphdr *)(skb->data + hdroff);
++      switch (hdr->type) {
++      case ICMP_ECHO:
++      case ICMP_ECHOREPLY:
++      case ICMP_TIMESTAMP:
++      case ICMP_TIMESTAMPREPLY:
++      case ICMP_INFO_REQUEST:
++      case ICMP_INFO_REPLY:
++      case ICMP_ADDRESS:
++      case ICMP_ADDRESSREPLY:
++              break;
++      default:
++              return true;
++      }
+       inet_proto_csum_replace2(&hdr->checksum, skb,
+                                hdr->un.echo.id, tuple->src.u.icmp.id, false);
+       hdr->un.echo.id = tuple->src.u.icmp.id;
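Review bot: The new `switch (hdr->type)` returns `true` from its `default:` arm without a word on why leaving the packet unmodified counts as success. A short comment above the switch, e.g. `/* only query/reply types carry un.echo.id; other ICMP types are left untouched */`, would keep the list from being read as an arbitrary filter when new types are considered. icmp_manip_pkt() starts and ends outside the hunk.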
diff --git a/queue-5.4/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch b/queue-5.4/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
new file mode 100644 (file)
index 0000000..0977f0b
--- /dev/null
@@ -0,0 +1,71 @@
+From 335178d5429c4cee61b58f4ac80688f556630818 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 16 Jan 2020 12:03:01 +0100
+Subject: netfilter: nf_tables: fix flowtable list del corruption
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 335178d5429c4cee61b58f4ac80688f556630818 upstream.
+
+syzbot reported following crash:
+
+  list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
+  [..]
+  Call Trace:
+   __list_del_entry include/linux/list.h:131 [inline]
+   list_del_rcu include/linux/rculist.h:148 [inline]
+   nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
+   [..]
+
+The commit transaction list has:
+
+NFT_MSG_NEWTABLE
+NFT_MSG_NEWFLOWTABLE
+NFT_MSG_DELFLOWTABLE
+NFT_MSG_DELTABLE
+
+A missing generation check during DELTABLE processing causes it to queue
+the DELFLOWTABLE operation a second time, so we corrupt the list here:
+
+  case NFT_MSG_DELFLOWTABLE:
+     list_del_rcu(&nft_trans_flowtable(trans)->list);
+     nf_tables_flowtable_notify(&trans->ctx,
+
+because we have two different DELFLOWTABLE transactions for the same
+flowtable.  We then call list_del_rcu() twice for the same flowtable->list.
+
+The object handling seems to suffer from the same bug so add a generation
+check too and only queue delete transactions for flowtables/objects that
+are still active in the next generation.
+
+Reported-by: syzbot+37a6804945a3a13b1572@syzkaller.appspotmail.com
+Fixes: 3b49e2e94e6eb ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -981,12 +981,18 @@ static int nft_flush_table(struct nft_ct
+       }
+       list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
++              if (!nft_is_active_next(ctx->net, flowtable))
++                      continue;
++
+               err = nft_delflowtable(ctx, flowtable);
+               if (err < 0)
+                       goto out;
+       }
+       list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
++              if (!nft_is_active_next(ctx->net, obj))
++                      continue;
++
+               err = nft_delobj(ctx, obj);
+               if (err < 0)
+                       goto out;
diff --git a/queue-5.4/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch b/queue-5.4/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
new file mode 100644 (file)
index 0000000..79fafc5
--- /dev/null
@@ -0,0 +1,74 @@
+From 9332d27d7918182add34e8043f6a754530fdd022 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 16 Jan 2020 09:06:50 +0100
+Subject: netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 9332d27d7918182add34e8043f6a754530fdd022 upstream.
+
+This WARN can trigger because some of the names fed to the module
+autoload function can be of arbitrary length.
+
+Remove the WARN and add limits for all NLA_STRING attributes.
+
+Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com
+Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |   13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -22,6 +22,8 @@
+ #include <net/net_namespace.h>
+ #include <net/sock.h>
++#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
++
+ static LIST_HEAD(nf_tables_expressions);
+ static LIST_HEAD(nf_tables_objects);
+ static LIST_HEAD(nf_tables_flowtables);
+@@ -521,7 +523,7 @@ static void nft_request_module(struct ne
+       va_start(args, fmt);
+       ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
+       va_end(args);
+-      if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
++      if (ret >= MODULE_NAME_LEN)
+               return;
+       mutex_unlock(&net->nft.commit_mutex);
+@@ -1174,7 +1176,8 @@ static const struct nla_policy nft_chain
+                                   .len = NFT_CHAIN_MAXNAMELEN - 1 },
+       [NFTA_CHAIN_HOOK]       = { .type = NLA_NESTED },
+       [NFTA_CHAIN_POLICY]     = { .type = NLA_U32 },
+-      [NFTA_CHAIN_TYPE]       = { .type = NLA_STRING },
++      [NFTA_CHAIN_TYPE]       = { .type = NLA_STRING,
++                                  .len = NFT_MODULE_AUTOLOAD_LIMIT },
+       [NFTA_CHAIN_COUNTERS]   = { .type = NLA_NESTED },
+       [NFTA_CHAIN_FLAGS]      = { .type = NLA_U32 },
+ };
+@@ -2088,7 +2091,8 @@ static const struct nft_expr_type *nft_e
+ }
+ static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
+-      [NFTA_EXPR_NAME]        = { .type = NLA_STRING },
++      [NFTA_EXPR_NAME]        = { .type = NLA_STRING,
++                                  .len = NFT_MODULE_AUTOLOAD_LIMIT },
+       [NFTA_EXPR_DATA]        = { .type = NLA_NESTED },
+ };
+@@ -3931,7 +3935,8 @@ static const struct nla_policy nft_set_e
+       [NFTA_SET_ELEM_USERDATA]        = { .type = NLA_BINARY,
+                                           .len = NFT_USERDATA_MAXLEN },
+       [NFTA_SET_ELEM_EXPR]            = { .type = NLA_NESTED },
+-      [NFTA_SET_ELEM_OBJREF]          = { .type = NLA_STRING },
++      [NFTA_SET_ELEM_OBJREF]          = { .type = NLA_STRING,
++                                          .len = NFT_OBJ_MAXNAMELEN - 1 },
+ };
+ static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
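Review bot: `NFT_MODULE_AUTOLOAD_LIMIT` is derived from the `nft-expr-255-` prefix but is also used as the bound for `NFTA_CHAIN_TYPE`, and with the WARN gone an over-long name now makes nft_request_module() return silently at `if (ret >= MODULE_NAME_LEN)`. If the chain-type autoload request is formatted with a longer prefix than the expression one (not visible here), a name at the limit would still be truncated and dropped without any diagnostic. A comment on the macro stating which prefixes it must cover, e.g. `/* longest autoload prefix plus NUL; keep in sync with the nft_request_module() callers */`, or a separate limit per prefix, would make the bound checkable. nft_request_module() continues outside the hunk.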
diff --git a/queue-5.4/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch b/queue-5.4/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
new file mode 100644 (file)
index 0000000..fae5062
--- /dev/null
@@ -0,0 +1,98 @@
+From ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 13 Jan 2020 18:09:58 +0100
+Subject: netfilter: nf_tables: store transaction list locally while requesting module
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 upstream.
+
+This patch fixes a WARN_ON in nft_set_destroy() due to missing
+set reference count drop from the preparation phase. This is triggered
+by the module autoload path. Do not exercise the abort path from
+nft_request_module() while preparation phase cleaning up is still
+pending.
+
+ WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables]
+ [...]
+ CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1
+ RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables]
+ Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52
+ RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202
+ RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03
+ RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200
+ RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318
+ R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0
+ R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80
+ FS:  00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000
+ CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0
+ Call Trace:
+  __nf_tables_abort+0x3e3/0x6d0 [nf_tables]
+  nft_request_module+0x6f/0x110 [nf_tables]
+  nft_expr_type_request_module+0x28/0x50 [nf_tables]
+  nf_tables_expr_parse+0x198/0x1f0 [nf_tables]
+  nft_expr_init+0x3b/0xf0 [nf_tables]
+  nft_dynset_init+0x1e2/0x410 [nf_tables]
+  nf_tables_newrule+0x30a/0x930 [nf_tables]
+  nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink]
+  nfnetlink_rcv+0x125/0x171 [nfnetlink]
+  netlink_unicast+0x179/0x210
+  netlink_sendmsg+0x208/0x3d0
+  sock_sendmsg+0x5e/0x60
+  ____sys_sendmsg+0x21b/0x290
+
+Update comment on the code to describe the new behaviour.
+
+Reported-by: Marco Oliverio <marco.oliverio@tanaza.com>
+Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |   19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -502,23 +502,21 @@ __nf_tables_chain_type_lookup(const stru
+ }
+ /*
+- * Loading a module requires dropping mutex that guards the
+- * transaction.
+- * We first need to abort any pending transactions as once
+- * mutex is unlocked a different client could start a new
+- * transaction.  It must not see any 'future generation'
+- * changes * as these changes will never happen.
++ * Loading a module requires dropping mutex that guards the transaction.
++ * A different client might race to start a new transaction meanwhile. Zap the
++ * list of pending transaction and then restore it once the mutex is grabbed
++ * again. Users of this function return EAGAIN which implicitly triggers the
++ * transaction abort path to clean up the list of pending transactions.
+  */
+ #ifdef CONFIG_MODULES
+-static int __nf_tables_abort(struct net *net);
+-
+ static void nft_request_module(struct net *net, const char *fmt, ...)
+ {
+       char module_name[MODULE_NAME_LEN];
++      LIST_HEAD(commit_list);
+       va_list args;
+       int ret;
+-      __nf_tables_abort(net);
++      list_splice_init(&net->nft.commit_list, &commit_list);
+       va_start(args, fmt);
+       ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
+@@ -529,6 +527,9 @@ static void nft_request_module(struct ne
+       mutex_unlock(&net->nft.commit_mutex);
+       request_module("%s", module_name);
+       mutex_lock(&net->nft.commit_mutex);
++
++      WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
++      list_splice(&commit_list, &net->nft.commit_list);
+ }
+ #endif
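Review bot: In `nft_request_module()` the new `list_splice_init(&net->nft.commit_list, &commit_list);` runs before the `vsnprintf()` length check, and that check sits in the gap between the two hunks. The companion patch in this queue shows it as `if (ret >= MODULE_NAME_LEN) return;`, so the truncation path appears to return without splicing the list back. The pending transactions would then be left on a stack-local list head that goes out of scope, and the abort path triggered by EAGAIN would not find them. Moving the splice down so that it sits directly before `mutex_unlock(&net->nft.commit_mutex);` would leave the early return with nothing to restore.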
diff --git a/queue-5.4/netfilter-nft_tunnel-erspan_version-must-not-be-null.patch b/queue-5.4/netfilter-nft_tunnel-erspan_version-must-not-be-null.patch
new file mode 100644 (file)
index 0000000..dda1f05
--- /dev/null
@@ -0,0 +1,30 @@
+From 9ec22d7c6c69146180577f3ad5fdf504beeaee62 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 16 Jan 2020 08:58:05 +0100
+Subject: netfilter: nft_tunnel: ERSPAN_VERSION must not be null
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 9ec22d7c6c69146180577f3ad5fdf504beeaee62 upstream.
+
+Fixes: af308b94a2a4a5 ("netfilter: nf_tables: add tunnel support")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_tunnel.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -266,6 +266,9 @@ static int nft_tunnel_obj_erspan_init(co
+       if (err < 0)
+               return err;
++      if (!tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])
++               return -EINVAL;
++
+       version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]));
+       switch (version) {
+       case ERSPAN_VERSION:
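Review bot: The added `return -EINVAL;` appears to be indented one space deeper than the neighbouring `return err;`. Tabs are expanded in this rendering, so confirm against the raw patch; it should sit at plain two-tab depth. The function body continues outside the hunk, so it cannot be seen here whether the other ERSPAN attributes read inside the `switch` are checked for presence before `nla_get_*()` is called on them; that is worth confirming.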
diff --git a/queue-5.4/netfilter-nft_tunnel-fix-null-attribute-check.patch b/queue-5.4/netfilter-nft_tunnel-fix-null-attribute-check.patch
new file mode 100644 (file)
index 0000000..8c6b272
--- /dev/null
@@ -0,0 +1,33 @@
+From 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 16 Jan 2020 08:44:11 +0100
+Subject: netfilter: nft_tunnel: fix null-attribute check
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed upstream.
+
+else we get null deref when one of the attributes is missing, both
+must be non-null.
+
+Reported-by: syzbot+76d0b80493ac881ff77b@syzkaller.appspotmail.com
+Fixes: aaecfdb5c5dd8ba ("netfilter: nf_tables: match on tunnel metadata")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_tunnel.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -76,7 +76,7 @@ static int nft_tunnel_get_init(const str
+       struct nft_tunnel *priv = nft_expr_priv(expr);
+       u32 len;
+-      if (!tb[NFTA_TUNNEL_KEY] &&
++      if (!tb[NFTA_TUNNEL_KEY] ||
+           !tb[NFTA_TUNNEL_DREG])
+               return -EINVAL;
diff --git a/queue-5.4/nfc-pn533-fix-bulk-message-timeout.patch b/queue-5.4/nfc-pn533-fix-bulk-message-timeout.patch
new file mode 100644 (file)
index 0000000..4cdca11
--- /dev/null
@@ -0,0 +1,38 @@
+From a112adafcb47760feff959ee1ecd10b74d2c5467 Mon Sep 17 00:00:00 2001
+From: Johan Hovold <johan@kernel.org>
+Date: Mon, 13 Jan 2020 18:23:58 +0100
+Subject: NFC: pn533: fix bulk-message timeout
+
+From: Johan Hovold <johan@kernel.org>
+
+commit a112adafcb47760feff959ee1ecd10b74d2c5467 upstream.
+
+The driver was doing a synchronous uninterruptible bulk-transfer without
+using a timeout. This could lead to the driver hanging on probe due to a
+malfunctioning (or malicious) device until the device is physically
+disconnected. While sleeping in probe the driver prevents other devices
+connected to the same hub from being added to (or removed from) the bus.
+
+An arbitrary limit of five seconds should be more than enough.
+
+Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
+Signed-off-by: Johan Hovold <johan@kernel.org>
+Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/nfc/pn533/usb.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -391,7 +391,7 @@ static int pn533_acr122_poweron_rdr(stru
+                      cmd, sizeof(cmd), false);
+       rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd),
+-                        &transferred, 0);
++                        &transferred, 5000);
+       kfree(buffer);
+       if (rc || (transferred != sizeof(cmd))) {
+               nfc_err(&phy->udev->dev,
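Review bot: The new timeout argument to `usb_bulk_msg()` is a bare `5000`, with its unit and rationale recorded only in the commit message. A named constant such as `#define PN533_ACR122_POWERON_TIMEOUT_MS 5000` (name illustrative) would keep that intent in the source. A short comment on the call, `/* ms; bounds the probe-time wait on an unresponsive device */`, would do the same. The function continues past the end of the hunk.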
index eaa651cfc01adfddbbd7dbe74e51b8d45ede022a..2617f452dee2e2db99afa2b215e86701f5fca960 100644 (file)
@@ -119,3 +119,17 @@ cfg80211-fix-deadlocks-in-autodisconnect-work.patch
 cfg80211-fix-memory-leak-in-nl80211_probe_mesh_link.patch
 cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch
 cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch
+bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch
+i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch
+netfilter-fix-a-use-after-free-in-mtype_destroy.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
+netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch
+netfilter-nft_tunnel-fix-null-attribute-check.patch
+netfilter-nft_tunnel-erspan_version-must-not-be-null.patch
+netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
+netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
+netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
+nfc-pn533-fix-bulk-message-timeout.patch
+net-bpf-don-t-leak-time-wait-and-request-sockets.patch
+bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch
+batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch