5.4-stable patches

added patches:
	dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch
	net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
	net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch
	net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch
	net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch
	net-fddi-fix-uaf-in-fza_probe.patch
	net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
	net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch
	net-moxa-fix-uaf-in-moxart_mac_probe.patch
	net-qcom-emac-fix-uaf-in-emac_remove.patch
	net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch
	net-send-synack-packet-with-accepted-fwmark.patch
	net-ti-fix-uaf-in-tlan_remove_one.patch
	net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
	netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch

diff --git a/queue-5.4/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch b/queue-5.4/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch
new file mode 100644 (file)
index 0000000..bdfa8ac
--- /dev/null
+++ b/queue-5.4/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch
@@ -0,0 +1,73 @@
+From ffe000217c5068c5da07ccb1c0f8cce7ad767435 Mon Sep 17 00:00:00 2001
+From: Jason Ekstrand <jason@jlekstrand.net>
+Date: Thu, 24 Jun 2021 12:47:32 -0500
+Subject: dma-buf/sync_file: Don't leak fences on merge failure
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Jason Ekstrand <jason@jlekstrand.net>
+
+commit ffe000217c5068c5da07ccb1c0f8cce7ad767435 upstream.
+
+Each add_fence() call does a dma_fence_get() on the relevant fence.  In
+the error path, we weren't calling dma_fence_put() so all those fences
+got leaked.  Also, in the krealloc_array failure case, we weren't
+freeing the fences array.  Instead, ensure that i and fences are always
+zero-initialized and dma_fence_put() all the fences and kfree(fences) on
+every error path.
+
+Signed-off-by: Jason Ekstrand <jason@jlekstrand.net>
+Reviewed-by: Christian König <christian.koenig@amd.com>
+Fixes: a02b9dc90d84 ("dma-buf/sync_file: refactor fence storage in struct sync_file")
+Cc: Gustavo Padovan <gustavo.padovan@collabora.co.uk>
+Cc: Christian König <christian.koenig@amd.com>
+Link: https://patchwork.freedesktop.org/patch/msgid/20210624174732.1754546-1-jason@jlekstrand.net
+Signed-off-by: Christian König <christian.koenig@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/dma-buf/sync_file.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/dma-buf/sync_file.c
++++ b/drivers/dma-buf/sync_file.c
+@@ -211,8 +211,8 @@ static struct sync_file *sync_file_merge
+                                        struct sync_file *b)
+ {
+       struct sync_file *sync_file;
+-      struct dma_fence **fences, **nfences, **a_fences, **b_fences;
+-      int i, i_a, i_b, num_fences, a_num_fences, b_num_fences;
++      struct dma_fence **fences = NULL, **nfences, **a_fences, **b_fences;
++      int i = 0, i_a, i_b, num_fences, a_num_fences, b_num_fences;
+ 
+       sync_file = sync_file_alloc();
+       if (!sync_file)
+@@ -236,7 +236,7 @@ static struct sync_file *sync_file_merge
+        * If a sync_file can only be created with sync_file_merge
+        * and sync_file_create, this is a reasonable assumption.
+        */
+-      for (i = i_a = i_b = 0; i_a < a_num_fences && i_b < b_num_fences; ) {
++      for (i_a = i_b = 0; i_a < a_num_fences && i_b < b_num_fences; ) {
+               struct dma_fence *pt_a = a_fences[i_a];
+               struct dma_fence *pt_b = b_fences[i_b];
+ 
+@@ -278,15 +278,16 @@ static struct sync_file *sync_file_merge
+               fences = nfences;
+       }
+ 
+-      if (sync_file_set_fence(sync_file, fences, i) < 0) {
+-              kfree(fences);
++      if (sync_file_set_fence(sync_file, fences, i) < 0)
+               goto err;
+-      }
+ 
+       strlcpy(sync_file->user_name, name, sizeof(sync_file->user_name));
+       return sync_file;
+ 
+ err:
++      while (i)
++              dma_fence_put(fences[--i]);
++      kfree(fences);
+       fput(sync_file->file);
+       return NULL;
+ 

diff --git a/queue-5.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch b/queue-5.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
new file mode 100644 (file)
index 0000000..9996283
--- /dev/null
+++ b/queue-5.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
@@ -0,0 +1,46 @@
+From 2b452550a203d88112eaf0ba9fc4b750a000b496 Mon Sep 17 00:00:00 2001
+From: Florian Fainelli <f.fainelli@gmail.com>
+Date: Thu, 8 Jul 2021 18:55:32 -0700
+Subject: net: bcmgenet: Ensure all TX/RX queues DMAs are disabled
+
+From: Florian Fainelli <f.fainelli@gmail.com>
+
+commit 2b452550a203d88112eaf0ba9fc4b750a000b496 upstream.
+
+Make sure that we disable each of the TX and RX queues in the TDMA and
+RDMA control registers. This is a correctness change to be symmetrical
+with the code that enables the TX and RX queues.
+
+Tested-by: Maxime Ripard <maxime@cerno.tech>
+Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file")
+Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/broadcom/genet/bcmgenet.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+@@ -2783,15 +2783,21 @@ static void bcmgenet_set_hw_addr(struct
+ /* Returns a reusable dma control register value */
+ static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv)
+ {
++      unsigned int i;
+       u32 reg;
+       u32 dma_ctrl;
+ 
+       /* disable DMA */
+       dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
++      for (i = 0; i < priv->hw_params->tx_queues; i++)
++              dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
+       reg = bcmgenet_tdma_readl(priv, DMA_CTRL);
+       reg &= ~dma_ctrl;
+       bcmgenet_tdma_writel(priv, reg, DMA_CTRL);
+ 
++      dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN;
++      for (i = 0; i < priv->hw_params->rx_queues; i++)
++              dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT));
+       reg = bcmgenet_rdma_readl(priv, DMA_CTRL);
+       reg &= ~dma_ctrl;
+       bcmgenet_rdma_writel(priv, reg, DMA_CTRL);

diff --git a/queue-5.4/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch b/queue-5.4/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch
new file mode 100644 (file)
index 0000000..3097527
--- /dev/null
+++ b/queue-5.4/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch
@@ -0,0 +1,73 @@
+From a019abd8022061b917da767cd1a66ed823724eab Mon Sep 17 00:00:00 2001
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Date: Fri, 2 Jul 2021 14:07:36 +0200
+Subject: net: bridge: sync fdb to new unicast-filtering ports
+
+From: Wolfgang Bumiller <w.bumiller@proxmox.com>
+
+commit a019abd8022061b917da767cd1a66ed823724eab upstream.
+
+Since commit 2796d0c648c9 ("bridge: Automatically manage
+port promiscuous mode.")
+bridges with `vlan_filtering 1` and only 1 auto-port don't
+set IFF_PROMISC for unicast-filtering-capable ports.
+
+Normally on port changes `br_manage_promisc` is called to
+update the promisc flags and unicast filters if necessary,
+but it cannot distinguish between *new* ports and ones
+losing their promisc flag, and new ports end up not
+receiving the MAC address list.
+
+Fix this by calling `br_fdb_sync_static` in `br_add_if`
+after the port promisc flags are updated and the unicast
+filter was supposed to have been filled.
+
+Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.")
+Signed-off-by: Wolfgang Bumiller <w.bumiller@proxmox.com>
+Acked-by: Nikolay Aleksandrov <nikolay@nvidia.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/bridge/br_if.c |   17 ++++++++++++++++-
+ 1 file changed, 16 insertions(+), 1 deletion(-)
+
+--- a/net/bridge/br_if.c
++++ b/net/bridge/br_if.c
+@@ -559,7 +559,7 @@ int br_add_if(struct net_bridge *br, str
+       struct net_bridge_port *p;
+       int err = 0;
+       unsigned br_hr, dev_hr;
+-      bool changed_addr;
++      bool changed_addr, fdb_synced = false;
+ 
+       /* Don't allow bridging non-ethernet like devices, or DSA-enabled
+        * master network devices since the bridge layer rx_handler prevents
+@@ -635,6 +635,19 @@ int br_add_if(struct net_bridge *br, str
+       list_add_rcu(&p->list, &br->port_list);
+ 
+       nbp_update_port_count(br);
++      if (!br_promisc_port(p) && (p->dev->priv_flags & IFF_UNICAST_FLT)) {
++              /* When updating the port count we also update all ports'
++               * promiscuous mode.
++               * A port leaving promiscuous mode normally gets the bridge's
++               * fdb synced to the unicast filter (if supported), however,
++               * `br_port_clear_promisc` does not distinguish between
++               * non-promiscuous ports and *new* ports, so we need to
++               * sync explicitly here.
++               */
++              fdb_synced = br_fdb_sync_static(br, p) == 0;
++              if (!fdb_synced)
++                      netdev_err(dev, "failed to sync bridge static fdb addresses to this port\n");
++      }
+ 
+       netdev_update_features(br->dev);
+ 
+@@ -684,6 +697,8 @@ int br_add_if(struct net_bridge *br, str
+       return 0;
+ 
+ err7:
++      if (fdb_synced)
++              br_fdb_unsync_static(br, p);
+       list_del_rcu(&p->list);
+       br_fdb_delete_by_port(br, p, 0, 1);
+       nbp_update_port_count(br);

diff --git a/queue-5.4/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch b/queue-5.4/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch
new file mode 100644 (file)
index 0000000..6bb226a
--- /dev/null
+++ b/queue-5.4/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch
@@ -0,0 +1,45 @@
+From 7da467d82d1ed4fb317aff836f99709169e73f10 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Thu, 1 Jul 2021 00:22:26 +0200
+Subject: net: dsa: mv88e6xxx: enable .port_set_policy() on Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+commit 7da467d82d1ed4fb317aff836f99709169e73f10 upstream.
+
+Commit f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy")
+introduced .port_set_policy() method with implementation for several
+models, but forgot to add Topaz, which can use the 6352 implementation.
+
+Use the 6352 implementation of .port_set_policy() on Topaz.
+
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Fixes: f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3715,6 +3715,7 @@ static const struct mv88e6xxx_ops mv88e6
+       .port_set_rgmii_delay = mv88e6352_port_set_rgmii_delay,
+       .port_set_speed = mv88e6250_port_set_speed,
+       .port_tag_remap = mv88e6095_port_tag_remap,
++      .port_set_policy = mv88e6352_port_set_policy,
+       .port_set_frame_mode = mv88e6351_port_set_frame_mode,
+       .port_set_egress_floods = mv88e6352_port_set_egress_floods,
+       .port_set_ether_type = mv88e6351_port_set_ether_type,
+@@ -3982,6 +3983,7 @@ static const struct mv88e6xxx_ops mv88e6
+       .port_set_rgmii_delay = mv88e6352_port_set_rgmii_delay,
+       .port_set_speed = mv88e6185_port_set_speed,
+       .port_tag_remap = mv88e6095_port_tag_remap,
++      .port_set_policy = mv88e6352_port_set_policy,
+       .port_set_frame_mode = mv88e6351_port_set_frame_mode,
+       .port_set_egress_floods = mv88e6352_port_set_egress_floods,
+       .port_set_ether_type = mv88e6351_port_set_ether_type,

diff --git a/queue-5.4/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch b/queue-5.4/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch
new file mode 100644 (file)
index 0000000..4149439
--- /dev/null
+++ b/queue-5.4/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch
@@ -0,0 +1,45 @@
+From 3709488790022c85720f991bff50d48ed5a36e6a Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Marek=20Beh=C3=BAn?= <kabel@kernel.org>
+Date: Thu, 1 Jul 2021 00:22:28 +0200
+Subject: net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Marek Behún <kabel@kernel.org>
+
+commit 3709488790022c85720f991bff50d48ed5a36e6a upstream.
+
+Commit 9e5baf9b36367 ("net: dsa: mv88e6xxx: add RMU disable op")
+introduced .rmu_disable() method with implementation for several models,
+but forgot to add Topaz, which can use the Peridot implementation.
+
+Use the Peridot implementation of .rmu_disable() on Topaz.
+
+Signed-off-by: Marek Behún <kabel@kernel.org>
+Fixes: 9e5baf9b36367 ("net: dsa: mv88e6xxx: add RMU disable op")
+Reviewed-by: Andrew Lunn <andrew@lunn.ch>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/dsa/mv88e6xxx/chip.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/net/dsa/mv88e6xxx/chip.c
++++ b/drivers/net/dsa/mv88e6xxx/chip.c
+@@ -3917,6 +3917,7 @@ static const struct mv88e6xxx_ops mv88e6
+       .mgmt_rsvd2cpu =  mv88e6390_g1_mgmt_rsvd2cpu,
+       .pot_clear = mv88e6xxx_g2_pot_clear,
+       .reset = mv88e6352_g1_reset,
++      .rmu_disable = mv88e6390_g1_rmu_disable,
+       .vtu_getnext = mv88e6352_g1_vtu_getnext,
+       .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
+       .serdes_power = mv88e6390_serdes_power,
+@@ -4006,6 +4007,7 @@ static const struct mv88e6xxx_ops mv88e6
+       .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu,
+       .pot_clear = mv88e6xxx_g2_pot_clear,
+       .reset = mv88e6352_g1_reset,
++      .rmu_disable = mv88e6390_g1_rmu_disable,
+       .vtu_getnext = mv88e6352_g1_vtu_getnext,
+       .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge,
+       .avb_ops = &mv88e6352_avb_ops,

diff --git a/queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch b/queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch
new file mode 100644 (file)
index 0000000..5371fa4
--- /dev/null
+++ b/queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch
@@ -0,0 +1,35 @@
+From deb7178eb940e2c5caca1b1db084a69b2e59b4c9 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Tue, 13 Jul 2021 13:58:53 +0300
+Subject: net: fddi: fix UAF in fza_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit deb7178eb940e2c5caca1b1db084a69b2e59b4c9 upstream.
+
+fp is netdev private data and it cannot be
+used after free_netdev() call. Using fp after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() after error message.
+
+Fixes: 61414f5ec983 ("FDDI: defza: Add support for DEC FDDIcontroller 700
+TURBOchannel adapter")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/fddi/defza.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/fddi/defza.c
++++ b/drivers/net/fddi/defza.c
+@@ -1504,9 +1504,8 @@ err_out_resource:
+       release_mem_region(start, len);
+ 
+ err_out_kfree:
+-      free_netdev(dev);
+-
+       pr_err("%s: initialization failure, aborting!\n", fp->name);
++      free_netdev(dev);
+       return ret;
+ }
+ 

diff --git a/queue-5.4/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch b/queue-5.4/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
new file mode 100644 (file)
index 0000000..8317c53
--- /dev/null
+++ b/queue-5.4/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
@@ -0,0 +1,86 @@
+From 9992a078b1771da354ac1f9737e1e639b687caa2 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 9 Jul 2021 11:45:02 +0800
+Subject: net: ip_tunnel: fix mtu calculation for ETHER tunnel devices
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+commit 9992a078b1771da354ac1f9737e1e639b687caa2 upstream.
+
+Commit 28e104d00281 ("net: ip_tunnel: fix mtu calculation") removed
+dev->hard_header_len subtraction when calculate MTU for tunnel devices
+as there is an overhead for device that has header_ops.
+
+But there are ETHER tunnel devices, like gre_tap or erspan, which don't
+have header_ops but set dev->hard_header_len during setup. This makes
+pkts greater than (MTU - ETH_HLEN) could not be xmited. Fix it by
+subtracting the ETHER tunnel devices' dev->hard_header_len for MTU
+calculation.
+
+Fixes: 28e104d00281 ("net: ip_tunnel: fix mtu calculation")
+Reported-by: Jianlin Shi <jishi@redhat.com>
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv4/ip_tunnel.c |   18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/net/ipv4/ip_tunnel.c
++++ b/net/ipv4/ip_tunnel.c
+@@ -317,7 +317,7 @@ static int ip_tunnel_bind_dev(struct net
+       }
+ 
+       dev->needed_headroom = t_hlen + hlen;
+-      mtu -= t_hlen;
++      mtu -= t_hlen + (dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0);
+ 
+       if (mtu < IPV4_MIN_MTU)
+               mtu = IPV4_MIN_MTU;
+@@ -348,6 +348,9 @@ static struct ip_tunnel *ip_tunnel_creat
+       t_hlen = nt->hlen + sizeof(struct iphdr);
+       dev->min_mtu = ETH_MIN_MTU;
+       dev->max_mtu = IP_MAX_MTU - t_hlen;
++      if (dev->type == ARPHRD_ETHER)
++              dev->max_mtu -= dev->hard_header_len;
++
+       ip_tunnel_add(itn, nt);
+       return nt;
+ 
+@@ -495,11 +498,14 @@ static int tnl_update_pmtu(struct net_de
+ 
+       tunnel_hlen = md ? tunnel_hlen : tunnel->hlen;
+       pkt_size = skb->len - tunnel_hlen;
++      pkt_size -= dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0;
+ 
+-      if (df)
++      if (df) {
+               mtu = dst_mtu(&rt->dst) - (sizeof(struct iphdr) + tunnel_hlen);
+-      else
++              mtu -= dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0;
++      } else {
+               mtu = skb_valid_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu;
++      }
+ 
+       if (skb_valid_dst(skb))
+               skb_dst_update_pmtu_no_confirm(skb, mtu);
+@@ -965,6 +971,9 @@ int __ip_tunnel_change_mtu(struct net_de
+       int t_hlen = tunnel->hlen + sizeof(struct iphdr);
+       int max_mtu = IP_MAX_MTU - t_hlen;
+ 
++      if (dev->type == ARPHRD_ETHER)
++              max_mtu -= dev->hard_header_len;
++
+       if (new_mtu < ETH_MIN_MTU)
+               return -EINVAL;
+ 
+@@ -1142,6 +1151,9 @@ int ip_tunnel_newlink(struct net_device
+       if (tb[IFLA_MTU]) {
+               unsigned int max = IP_MAX_MTU - (nt->hlen + sizeof(struct iphdr));
+ 
++              if (dev->type == ARPHRD_ETHER)
++                      max -= dev->hard_header_len;
++
+               mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU, max);
+       }
+ 

diff --git a/queue-5.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch b/queue-5.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch
new file mode 100644 (file)
index 0000000..fec6047
--- /dev/null
+++ b/queue-5.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch
@@ -0,0 +1,49 @@
+From 40fc3054b45820c28ea3c65e2c86d041dc244a8a Mon Sep 17 00:00:00 2001
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+Date: Fri, 2 Jul 2021 02:47:00 +0300
+Subject: net: ipv6: fix return value of ip6_skb_dst_mtu
+
+From: Vadim Fedorenko <vfedorenko@novek.ru>
+
+commit 40fc3054b45820c28ea3c65e2c86d041dc244a8a upstream.
+
+Commit 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE") introduced
+ip6_skb_dst_mtu with return value of signed int which is inconsistent
+with actually returned values. Also 2 users of this function actually
+assign its value to unsigned int variable and only __xfrm6_output
+assigns result of this function to signed variable but actually uses
+as unsigned in further comparisons and calls. Change this function
+to return unsigned int value.
+
+Fixes: 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE")
+Reviewed-by: David Ahern <dsahern@kernel.org>
+Signed-off-by: Vadim Fedorenko <vfedorenko@novek.ru>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/ip6_route.h |    2 +-
+ net/ipv6/xfrm6_output.c |    2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/ip6_route.h
++++ b/include/net/ip6_route.h
+@@ -261,7 +261,7 @@ static inline bool ipv6_anycast_destinat
+ int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb,
+                int (*output)(struct net *, struct sock *, struct sk_buff *));
+ 
+-static inline int ip6_skb_dst_mtu(struct sk_buff *skb)
++static inline unsigned int ip6_skb_dst_mtu(struct sk_buff *skb)
+ {
+       int mtu;
+ 
+--- a/net/ipv6/xfrm6_output.c
++++ b/net/ipv6/xfrm6_output.c
+@@ -144,7 +144,7 @@ static int __xfrm6_output(struct net *ne
+ {
+       struct dst_entry *dst = skb_dst(skb);
+       struct xfrm_state *x = dst->xfrm;
+-      int mtu;
++      unsigned int mtu;
+       bool toobig;
+ 
+ #ifdef CONFIG_NETFILTER

diff --git a/queue-5.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch b/queue-5.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch
new file mode 100644 (file)
index 0000000..f0afa62
--- /dev/null
+++ b/queue-5.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch
@@ -0,0 +1,45 @@
+From c78eaeebe855fd93f2e77142ffd0404a54070d84 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 9 Jul 2021 17:09:53 +0300
+Subject: net: moxa: fix UAF in moxart_mac_probe
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit c78eaeebe855fd93f2e77142ffd0404a54070d84 upstream.
+
+In case of netdev registration failure the code path will
+jump to init_fail label:
+
+init_fail:
+       netdev_err(ndev, "init failed\n");
+       moxart_mac_free_memory(ndev);
+irq_map_fail:
+       free_netdev(ndev);
+       return ret;
+
+So, there is no need to call free_netdev() before jumping
+to error handling path, since it can cause UAF or double-free
+bug.
+
+Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/moxa/moxart_ether.c |    4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/net/ethernet/moxa/moxart_ether.c
++++ b/drivers/net/ethernet/moxa/moxart_ether.c
+@@ -545,10 +545,8 @@ static int moxart_mac_probe(struct platf
+       SET_NETDEV_DEV(ndev, &pdev->dev);
+ 
+       ret = register_netdev(ndev);
+-      if (ret) {
+-              free_netdev(ndev);
++      if (ret)
+               goto init_fail;
+-      }
+ 
+       netdev_dbg(ndev, "%s: IRQ=%d address=%pM\n",
+                  __func__, ndev->irq, ndev->dev_addr);

diff --git a/queue-5.4/net-qcom-emac-fix-uaf-in-emac_remove.patch b/queue-5.4/net-qcom-emac-fix-uaf-in-emac_remove.patch
new file mode 100644 (file)
index 0000000..bc9c139
--- /dev/null
+++ b/queue-5.4/net-qcom-emac-fix-uaf-in-emac_remove.patch
@@ -0,0 +1,39 @@
+From ad297cd2db8953e2202970e9504cab247b6c7cb4 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 9 Jul 2021 17:24:18 +0300
+Subject: net: qcom/emac: fix UAF in emac_remove
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit ad297cd2db8953e2202970e9504cab247b6c7cb4 upstream.
+
+adpt is netdev private data and it cannot be
+used after free_netdev() call. Using adpt after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() at the end of the
+function.
+
+Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/qualcomm/emac/emac.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qualcomm/emac/emac.c
++++ b/drivers/net/ethernet/qualcomm/emac/emac.c
+@@ -745,12 +745,13 @@ static int emac_remove(struct platform_d
+ 
+       put_device(&adpt->phydev->mdio.dev);
+       mdiobus_unregister(adpt->mii_bus);
+-      free_netdev(netdev);
+ 
+       if (adpt->phy.digital)
+               iounmap(adpt->phy.digital);
+       iounmap(adpt->phy.base);
+ 
++      free_netdev(netdev);
++
+       return 0;
+ }
+ 

diff --git a/queue-5.4/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch b/queue-5.4/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch
new file mode 100644 (file)
index 0000000..5e1869b
--- /dev/null
+++ b/queue-5.4/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch
@@ -0,0 +1,32 @@
+From 8955b90c3cdad199137809aac8ccbbb585355913 Mon Sep 17 00:00:00 2001
+From: wenxu <wenxu@ucloud.cn>
+Date: Fri, 2 Jul 2021 11:34:31 +0800
+Subject: net/sched: act_ct: fix err check for nf_conntrack_confirm
+
+From: wenxu <wenxu@ucloud.cn>
+
+commit 8955b90c3cdad199137809aac8ccbbb585355913 upstream.
+
+The confirm operation should be checked. If there are any failed,
+the packet should be dropped like in ovs and netfilter.
+
+Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct")
+Signed-off-by: wenxu <wenxu@ucloud.cn>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/sched/act_ct.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/sched/act_ct.c
++++ b/net/sched/act_ct.c
+@@ -474,7 +474,8 @@ static int tcf_ct_act(struct sk_buff *sk
+               /* This will take care of sending queued events
+                * even if the connection is already confirmed.
+                */
+-              nf_conntrack_confirm(skb);
++              if (nf_conntrack_confirm(skb) != NF_ACCEPT)
++                      goto drop;
+       }
+ 
+ out_push:

diff --git a/queue-5.4/net-send-synack-packet-with-accepted-fwmark.patch b/queue-5.4/net-send-synack-packet-with-accepted-fwmark.patch
new file mode 100644 (file)
index 0000000..dda999d
--- /dev/null
+++ b/queue-5.4/net-send-synack-packet-with-accepted-fwmark.patch
@@ -0,0 +1,37 @@
+From 43b90bfad34bcb81b8a5bc7dc650800f4be1787e Mon Sep 17 00:00:00 2001
+From: Alexander Ovechkin <ovov@yandex-team.ru>
+Date: Fri, 9 Jul 2021 18:28:23 +0300
+Subject: net: send SYNACK packet with accepted fwmark
+
+From: Alexander Ovechkin <ovov@yandex-team.ru>
+
+commit 43b90bfad34bcb81b8a5bc7dc650800f4be1787e upstream.
+
+commit e05a90ec9e16 ("net: reflect mark on tcp syn ack packets")
+fixed IPv4 only.
+
+This part is for the IPv6 side.
+
+Fixes: e05a90ec9e16 ("net: reflect mark on tcp syn ack packets")
+Signed-off-by: Alexander Ovechkin <ovov@yandex-team.ru>
+Acked-by: Dmitry Yakunin <zeil@yandex-team.ru>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/tcp_ipv6.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/tcp_ipv6.c
++++ b/net/ipv6/tcp_ipv6.c
+@@ -513,8 +513,8 @@ static int tcp_v6_send_synack(const stru
+               opt = ireq->ipv6_opt;
+               if (!opt)
+                       opt = rcu_dereference(np->opt);
+-              err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt, np->tclass,
+-                             sk->sk_priority);
++              err = ip6_xmit(sk, skb, fl6, skb->mark ? : sk->sk_mark, opt,
++                             np->tclass, sk->sk_priority);
+               rcu_read_unlock();
+               err = net_xmit_eval(err);
+       }

diff --git a/queue-5.4/net-ti-fix-uaf-in-tlan_remove_one.patch b/queue-5.4/net-ti-fix-uaf-in-tlan_remove_one.patch
new file mode 100644 (file)
index 0000000..d8cda38
--- /dev/null
+++ b/queue-5.4/net-ti-fix-uaf-in-tlan_remove_one.patch
@@ -0,0 +1,35 @@
+From 0336f8ffece62f882ab3012820965a786a983f70 Mon Sep 17 00:00:00 2001
+From: Pavel Skripkin <paskripkin@gmail.com>
+Date: Fri, 9 Jul 2021 17:58:29 +0300
+Subject: net: ti: fix UAF in tlan_remove_one
+
+From: Pavel Skripkin <paskripkin@gmail.com>
+
+commit 0336f8ffece62f882ab3012820965a786a983f70 upstream.
+
+priv is netdev private data and it cannot be
+used after free_netdev() call. Using priv after free_netdev()
+can cause UAF bug. Fix it by moving free_netdev() at the end of the
+function.
+
+Fixes: 1e0a8b13d355 ("tlan: cancel work at remove path")
+Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/ethernet/ti/tlan.c |    3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/net/ethernet/ti/tlan.c
++++ b/drivers/net/ethernet/ti/tlan.c
+@@ -314,9 +314,8 @@ static void tlan_remove_one(struct pci_d
+       pci_release_regions(pdev);
+ #endif
+ 
+-      free_netdev(dev);
+-
+       cancel_work_sync(&priv->tlan_tqueue);
++      free_netdev(dev);
+ }
+ 
+ static void tlan_start(struct net_device *dev)

diff --git a/queue-5.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch b/queue-5.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
new file mode 100644 (file)
index 0000000..d26ab7e
--- /dev/null
+++ b/queue-5.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
@@ -0,0 +1,62 @@
+From 67a9c94317402b826fc3db32afc8f39336803d97 Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Fri, 9 Jul 2021 17:35:18 +0000
+Subject: net: validate lwtstate->data before returning from skb_tunnel_info()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+commit 67a9c94317402b826fc3db32afc8f39336803d97 upstream.
+
+skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info
+type without validation. lwtstate->data can have various types such as
+mpls_iptunnel_encap, etc and these are not compatible.
+So skb_tunnel_info() should validate before returning that pointer.
+
+Splat looks like:
+BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan]
+Read of size 2 at addr ffff888106ec2698 by task ping/811
+
+CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195
+Call Trace:
+ dump_stack_lvl+0x56/0x7b
+ print_address_description.constprop.8.cold.13+0x13/0x2ee
+ ? vxlan_get_route+0x418/0x4b0 [vxlan]
+ ? vxlan_get_route+0x418/0x4b0 [vxlan]
+ kasan_report.cold.14+0x83/0xdf
+ ? vxlan_get_route+0x418/0x4b0 [vxlan]
+ vxlan_get_route+0x418/0x4b0 [vxlan]
+ [ ... ]
+ vxlan_xmit_one+0x148b/0x32b0 [vxlan]
+ [ ... ]
+ vxlan_xmit+0x25c5/0x4780 [vxlan]
+ [ ... ]
+ dev_hard_start_xmit+0x1ae/0x6e0
+ __dev_queue_xmit+0x1f39/0x31a0
+ [ ... ]
+ neigh_xmit+0x2f9/0x940
+ mpls_xmit+0x911/0x1600 [mpls_iptunnel]
+ lwtunnel_xmit+0x18f/0x450
+ ip_finish_output2+0x867/0x2040
+ [ ... ]
+
+Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/dst_metadata.h |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/include/net/dst_metadata.h
++++ b/include/net/dst_metadata.h
+@@ -45,7 +45,9 @@ skb_tunnel_info(const struct sk_buff *sk
+               return &md_dst->u.tun_info;
+ 
+       dst = skb_dst(skb);
+-      if (dst && dst->lwtstate)
++      if (dst && dst->lwtstate &&
++          (dst->lwtstate->type == LWTUNNEL_ENCAP_IP ||
++           dst->lwtstate->type == LWTUNNEL_ENCAP_IP6))
+               return lwt_tun_info(dst->lwtstate);
+ 
+       return NULL;

diff --git a/queue-5.4/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch b/queue-5.4/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch
new file mode 100644 (file)
index 0000000..313c08f
--- /dev/null
+++ b/queue-5.4/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch
@@ -0,0 +1,72 @@
+From c23a9fd209bc6f8c1fa6ee303fdf037d784a1627 Mon Sep 17 00:00:00 2001
+From: Vasily Averin <vvs@virtuozzo.com>
+Date: Thu, 1 Jul 2021 08:02:49 +0300
+Subject: netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo
+
+From: Vasily Averin <vvs@virtuozzo.com>
+
+commit c23a9fd209bc6f8c1fa6ee303fdf037d784a1627 upstream.
+
+Two patches listed below removed ctnetlink_dump_helpinfo call from under
+rcu_read_lock. Now its rcu_dereference generates following warning:
+=============================
+WARNING: suspicious RCU usage
+5.13.0+ #5 Not tainted
+-----------------------------
+net/netfilter/nf_conntrack_netlink.c:221 suspicious rcu_dereference_check() usage!
+
+other info that might help us debug this:
+rcu_scheduler_active = 2, debug_locks = 1
+stack backtrace:
+CPU: 1 PID: 2251 Comm: conntrack Not tainted 5.13.0+ #5
+Call Trace:
+ dump_stack+0x7f/0xa1
+ ctnetlink_dump_helpinfo+0x134/0x150 [nf_conntrack_netlink]
+ ctnetlink_fill_info+0x2c2/0x390 [nf_conntrack_netlink]
+ ctnetlink_dump_table+0x13f/0x370 [nf_conntrack_netlink]
+ netlink_dump+0x10c/0x370
+ __netlink_dump_start+0x1a7/0x260
+ ctnetlink_get_conntrack+0x1e5/0x250 [nf_conntrack_netlink]
+ nfnetlink_rcv_msg+0x613/0x993 [nfnetlink]
+ netlink_rcv_skb+0x50/0x100
+ nfnetlink_rcv+0x55/0x120 [nfnetlink]
+ netlink_unicast+0x181/0x260
+ netlink_sendmsg+0x23f/0x460
+ sock_sendmsg+0x5b/0x60
+ __sys_sendto+0xf1/0x160
+ __x64_sys_sendto+0x24/0x30
+ do_syscall_64+0x36/0x70
+ entry_SYSCALL_64_after_hwframe+0x44/0xae
+
+Fixes: 49ca022bccc5 ("netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks")
+Fixes: 0b35f6031a00 ("netfilter: Remove duplicated rcu_read_lock.")
+Signed-off-by: Vasily Averin <vvs@virtuozzo.com>
+Reviewed-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_conntrack_netlink.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -211,6 +211,7 @@ static int ctnetlink_dump_helpinfo(struc
+       if (!help)
+               return 0;
+ 
++      rcu_read_lock();
+       helper = rcu_dereference(help->helper);
+       if (!helper)
+               goto out;
+@@ -226,9 +227,11 @@ static int ctnetlink_dump_helpinfo(struc
+ 
+       nla_nest_end(skb, nest_helper);
+ out:
++      rcu_read_unlock();
+       return 0;
+ 
+ nla_put_failure:
++      rcu_read_unlock();
+       return -1;
+ }
+ 

diff --git a/queue-5.4/series b/queue-5.4/series
index 1775bc94f8a76ccba8b889c2c2bc78193b9a65fa..3738db37988b3a8c3aa9822b425f6522518f955b 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -49,3 +49,18 @@ f2fs-show-casefolding-support-only-when-supported.patch
 usb-cdns3-enable-tdl_chk-only-for-out-ep.patch
 mm-slab-fix-kmem_cache_create-failed-when-sysfs-node-not-destroyed.patch
 dm-writecache-return-the-exact-table-values-that-were-set.patch
+net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch
+net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch
+net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch
+netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch
+net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch
+net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch
+net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch
+net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch
+net-moxa-fix-uaf-in-moxart_mac_probe.patch
+net-qcom-emac-fix-uaf-in-emac_remove.patch
+net-ti-fix-uaf-in-tlan_remove_one.patch
+net-send-synack-packet-with-accepted-fwmark.patch
+net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch
+net-fddi-fix-uaf-in-fza_probe.patch
+dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch