4.9-stable patches

added patches:
	ipv6-fix-ipv6_addrform-operation-logic.patch
	vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch

diff --git a/queue-4.9/ipv6-fix-ipv6_addrform-operation-logic.patch b/queue-4.9/ipv6-fix-ipv6_addrform-operation-logic.patch
new file mode 100644 (file)
index 0000000..7de8c31
--- /dev/null
+++ b/queue-4.9/ipv6-fix-ipv6_addrform-operation-logic.patch
@@ -0,0 +1,77 @@
+From foo@baz Thu 11 Jun 2020 12:45:47 PM CEST
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 1 Jun 2020 11:55:03 +0800
+Subject: ipv6: fix IPV6_ADDRFORM operation logic
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 79a1f0ccdbb4ad700590f61b00525b390cb53905 ]
+
+Socket option IPV6_ADDRFORM supports UDP/UDPLITE and TCP at present.
+Previously the checking logic looks like:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+       do_some_check;
+else if (sk->sk_protocol != IPPROTO_TCP)
+       break;
+
+After commit b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation"), TCP
+was blocked as the logic changed to:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+       do_some_check;
+else if (sk->sk_protocol == IPPROTO_TCP)
+       do_some_check;
+       break;
+else
+       break;
+
+Then after commit 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
+UDP/UDPLITE were blocked as the logic changed to:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+       do_some_check;
+if (sk->sk_protocol == IPPROTO_TCP)
+       do_some_check;
+
+if (sk->sk_protocol != IPPROTO_TCP)
+       break;
+
+Fix it by using Eric's code and simply remove the break in TCP check, which
+looks like:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+       do_some_check;
+else if (sk->sk_protocol == IPPROTO_TCP)
+       do_some_check;
+else
+       break;
+
+Fixes: 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ipv6_sockglue.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -184,14 +184,15 @@ static int do_ipv6_setsockopt(struct soc
+                                       retv = -EBUSY;
+                                       break;
+                               }
+-                      }
+-                      if (sk->sk_protocol == IPPROTO_TCP &&
+-                          sk->sk_prot != &tcpv6_prot) {
+-                              retv = -EBUSY;
++                      } else if (sk->sk_protocol == IPPROTO_TCP) {
++                              if (sk->sk_prot != &tcpv6_prot) {
++                                      retv = -EBUSY;
++                                      break;
++                              }
++                      } else {
+                               break;
+                       }
+-                      if (sk->sk_protocol != IPPROTO_TCP)
+-                              break;
++
+                       if (sk->sk_state != TCP_ESTABLISHED) {
+                               retv = -ENOTCONN;
+                               break;

diff --git a/queue-4.9/vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch b/queue-4.9/vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
new file mode 100644 (file)
index 0000000..f9dc663
--- /dev/null
+++ b/queue-4.9/vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
@@ -0,0 +1,48 @@
+From foo@baz Thu 11 Jun 2020 12:45:47 PM CEST
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 1 Jun 2020 15:58:55 +0300
+Subject: vxlan: Avoid infinite loop when suppressing NS messages with invalid options
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 8066e6b449e050675df48e7c4b16c29f00507ff0 ]
+
+When proxy mode is enabled the vxlan device might reply to Neighbor
+Solicitation (NS) messages on behalf of remote hosts.
+
+In case the NS message includes the "Source link-layer address" option
+[1], the vxlan device will use the specified address as the link-layer
+destination address in its reply.
+
+To avoid an infinite loop, break out of the options parsing loop when
+encountering an option with length zero and disregard the NS message.
+
+This is consistent with the IPv6 ndisc code and RFC 4886 which states
+that "Nodes MUST silently discard an ND packet that contains an option
+with length zero" [2].
+
+[1] https://tools.ietf.org/html/rfc4861#section-4.3
+[2] https://tools.ietf.org/html/rfc4861#section-4.6
+
+Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1521,6 +1521,10 @@ static struct sk_buff *vxlan_na_create(s
+       daddr = eth_hdr(request)->h_source;
+       ns_olen = request->len - skb_transport_offset(request) - sizeof(*ns);
+       for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
++              if (!ns->opt[i + 1]) {
++                      kfree_skb(reply);
++                      return NULL;
++              }
+               if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
+                       daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
+                       break;