--- /dev/null
+From 96fffb4f23f124f297d51dedc9cf51d19eb88ee1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Sun, 9 Aug 2015 13:14:15 +0200
+Subject: netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
+
+From: Phil Sutter <phil@nwl.cc>
+
+commit 96fffb4f23f124f297d51dedc9cf51d19eb88ee1 upstream.
+
+This happens when networking namespaces are enabled.
+
+Suggested-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/netfilter/ip6t_SYNPROXY.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
++++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
+@@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, c
+ }
+
+ static void
+-synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
++synproxy_send_tcp(const struct synproxy_net *snet,
++ const struct sk_buff *skb, struct sk_buff *nskb,
+ struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
+ struct ipv6hdr *niph, struct tcphdr *nth,
+ unsigned int tcp_hdr_size)
+ {
+- struct net *net = nf_ct_net((struct nf_conn *)nfct);
++ struct net *net = nf_ct_net(snet->tmpl);
+ struct dst_entry *dst;
+ struct flowi6 fl6;
+
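Review bot: The initialiser `struct net *net = nf_ct_net(snet->tmpl);` in synproxy_send_tcp dereferences `snet` and `snet->tmpl` unconditionally, and nothing in the hunk records why the namespace no longer comes from `nfct`. The later hunks show synproxy_send_server_ack and synproxy_send_client_ack passing `NULL` for `nfct`, which is presumably the dereference being fixed. A comment above the initialiser would stop a later cleanup from reverting it: `/* nfct may be NULL (ACK paths); take the netns from the per-net template */`. The change relies on every caller holding a per-namespace `snet` whose `tmpl` is set; that setup is outside the visible hunks and worth confirming. The function body continues past the end of this hunk.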
+@@ -83,7 +84,8 @@ free_nskb:
+ }
+
+ static void
+-synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
++synproxy_send_client_synack(const struct synproxy_net *snet,
++ const struct sk_buff *skb, const struct tcphdr *th,
+ const struct synproxy_options *opts)
+ {
+ struct sk_buff *nskb;
+@@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
++ synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+ niph, nth, tcp_hdr_size);
+ }
+
+@@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct sy
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
++ synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
+ niph, nth, tcp_hdr_size);
+ }
+
+@@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct sy
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
++ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ }
+
+ static void
+@@ -241,7 +243,7 @@ synproxy_send_client_ack(const struct sy
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
++ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ }
+
+ static bool
+@@ -301,7 +303,7 @@ synproxy_tg6(struct sk_buff *skb, const
+ XT_SYNPROXY_OPT_SACK_PERM |
+ XT_SYNPROXY_OPT_ECN);
+
+- synproxy_send_client_synack(skb, th, &opts);
++ synproxy_send_client_synack(snet, skb, th, &opts);
+ return NF_DROP;
+
+ } else if (th->ack && !(th->fin || th->rst || th->syn)) {
--- /dev/null
+From cc4998febd567d1c671684abce5595344bd4e8b2 Mon Sep 17 00:00:00 2001
+From: lucien <lucien.xin@gmail.com>
+Date: Tue, 6 Oct 2015 21:03:07 +0800
+Subject: netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse
+
+From: lucien <lucien.xin@gmail.com>
+
+commit cc4998febd567d1c671684abce5595344bd4e8b2 upstream.
+
+--accept-local option works for res.type == RTN_LOCAL, which should be
+from the local table, but there, the fib_info's nh->nh_scope =
+RT_SCOPE_NOWHERE ( > RT_SCOPE_HOST). in fib_create_info().
+
+ if (cfg->fc_scope == RT_SCOPE_HOST) {
+ struct fib_nh *nh = fi->fib_nh;
+
+ /* Local address is added. */
+ if (nhs != 1 || nh->nh_gw)
+ goto err_inval;
+ nh->nh_scope = RT_SCOPE_NOWHERE; <===
+ nh->nh_dev = dev_get_by_index(net, fi->fib_nh->nh_oif);
+ err = -ENODEV;
+ if (!nh->nh_dev)
+ goto failure;
+
+but in our rpfilter_lookup_reverse():
+
+ if (dev_match || flags & XT_RPFILTER_LOOSE)
+ return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
+
+if nh->nh_scope > RT_SCOPE_HOST, it will fail. --accept-local option
+will never be passed.
+
+it seems the test is bogus and can be removed to fix this issue.
+
+ if (dev_match || flags & XT_RPFILTER_LOOSE)
+ return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
+
+ipv6 does not have this issue.
+
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/ipt_rpfilter.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/ipt_rpfilter.c
++++ b/net/ipv4/netfilter/ipt_rpfilter.c
+@@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(stru
+ if (FIB_RES_DEV(res) == dev)
+ dev_match = true;
+ #endif
+- if (dev_match || flags & XT_RPFILTER_LOOSE)
+- return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
+- return dev_match;
++ return dev_match || flags & XT_RPFILTER_LOOSE;
+ }
+
+ static bool rpfilter_is_local(const struct sk_buff *skb)
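Review bot: With the `nh_scope` comparison removed, the final `return dev_match || flags & XT_RPFILTER_LOOSE;` accepts any lookup result in loose mode. The reverse-path (anti-spoofing) decision therefore rests entirely on the route checks earlier in rpfilter_lookup_reverse, which begin outside this hunk. A one-line comment above the return would record why scope is ignored, e.g. `/* nh_scope is not tested: local routes carry RT_SCOPE_NOWHERE (fib_create_info) */`. Parenthesising the mask test, `return dev_match || (flags & XT_RPFILTER_LOOSE);`, would also make the precedence explicit.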
--- /dev/null
+From 960bd2c26421d321e890f1936938196ead41976f Mon Sep 17 00:00:00 2001
+From: Mirek Kratochvil <exa.exa@gmail.com>
+Date: Fri, 15 May 2015 21:15:29 +0200
+Subject: netfilter: nf_tables: fix bogus warning in nft_data_uninit()
+
+From: Mirek Kratochvil <exa.exa@gmail.com>
+
+commit 960bd2c26421d321e890f1936938196ead41976f upstream.
+
+The values 0x00000000-0xfffffeff are reserved for userspace datatype. When,
+deleting set elements with maps, a bogus warning is triggered.
+
+WARNING: CPU: 0 PID: 11133 at net/netfilter/nf_tables_api.c:4481 nft_data_uninit+0x35/0x40 [nf_tables]()
+
+This fixes the check accordingly to enum definition in
+include/linux/netfilter/nf_tables.h
+
+Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1013
+Signed-off-by: Mirek Kratochvil <exa.exa@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3316,9 +3316,9 @@ EXPORT_SYMBOL_GPL(nft_data_init);
+ */
+ void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
+ {
+- switch (type) {
+- case NFT_DATA_VALUE:
++ if (type < NFT_DATA_VERDICT)
+ return;
++ switch (type) {
+ case NFT_DATA_VERDICT:
+ return nft_verdict_uninit(data);
+ default:
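Review bot: The new early return `if (type < NFT_DATA_VERDICT)` has no comment explaining why a range check replaces the single `NFT_DATA_VALUE` case. Per the commit message, the values below the verdict type are userspace datatypes, so a line above the check would help: `/* types below NFT_DATA_VERDICT are userspace value datatypes; nothing to release */`. With that guard in place the `switch` is left with one case plus `default`, so a plain `if`/`else` would read more directly unless further kernel-side types are expected. The `default` branch continues outside the hunk.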