4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Oct 2020 11:33:13 +0000 (13:33 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 11 Oct 2020 11:33:13 +0000 (13:33 +0200)
added patches:
net-team-fix-memory-leak-in-__team_options_register.patch
openvswitch-handle-dnat-tuple-collision.patch
team-set-dev-needed_headroom-in-team_setup_by_port.patch

queue-4.9/net-team-fix-memory-leak-in-__team_options_register.patch [new file with mode: 0644]
queue-4.9/openvswitch-handle-dnat-tuple-collision.patch [new file with mode: 0644]
queue-4.9/series
queue-4.9/team-set-dev-needed_headroom-in-team_setup_by_port.patch [new file with mode: 0644]

diff --git a/queue-4.9/net-team-fix-memory-leak-in-__team_options_register.patch b/queue-4.9/net-team-fix-memory-leak-in-__team_options_register.patch
new file mode 100644 (file)
index 0000000..de6c00c
--- /dev/null
@@ -0,0 +1,48 @@
+From 9a9e77495958c7382b2438bc19746dd3aaaabb8e Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Date: Mon, 5 Oct 2020 02:25:36 +0530
+Subject: net: team: fix memory leak in __team_options_register
+
+From: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+
+commit 9a9e77495958c7382b2438bc19746dd3aaaabb8e upstream.
+
+The variable "i" isn't initialized back correctly after the first loop
+under the label inst_rollback gets executed.
+
+The value of "i" is assigned to be option_count - 1, and the ensuing
+loop (under alloc_rollback) begins by initializing i--.
+Thus, the value of i when the loop begins execution will now become
+i = option_count - 2.
+
+Thus, when kfree(dst_opts[i]) is called in the second loop in this
+order, (i.e., inst_rollback followed by alloc_rollback),
+dst_optsp[option_count - 2] is the first element freed, and
+dst_opts[option_count - 1] does not get freed, and thus, a memory
+leak is caused.
+
+This memory leak can be fixed, by assigning i = option_count (instead of
+option_count - 1).
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Reported-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Tested-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam <anant.thazhemadam@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/team/team.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -299,7 +299,7 @@ inst_rollback:
+       for (i--; i >= 0; i--)
+               __team_option_inst_del_option(team, dst_opts[i]);
+-      i = option_count - 1;
++      i = option_count;
+ alloc_rollback:
+       for (i--; i >= 0; i--)
+               kfree(dst_opts[i]);
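Review bot: The reset `i = option_count;` between inst_rollback and alloc_rollback is only correct because the alloc_rollback loop pre-decrements with `for (i--; i >= 0; i--)`, and nothing in the code states that coupling, which is how the off-by-one leak of `dst_opts[option_count - 1]` got in. A one-line comment above the assignment would keep it visible, for example `/* alloc_rollback pre-decrements i, so restart at option_count to free every entry */`. The function starts and ends outside the hunk, so the allocation loop and the goto sites that enter each label with a partial `i` cannot be checked from here.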
diff --git a/queue-4.9/openvswitch-handle-dnat-tuple-collision.patch b/queue-4.9/openvswitch-handle-dnat-tuple-collision.patch
new file mode 100644 (file)
index 0000000..59b59be
--- /dev/null
@@ -0,0 +1,69 @@
+From 8aa7b526dc0b5dbf40c1b834d76a667ad672a410 Mon Sep 17 00:00:00 2001
+From: Dumitru Ceara <dceara@redhat.com>
+Date: Wed, 7 Oct 2020 17:48:03 +0200
+Subject: openvswitch: handle DNAT tuple collision
+
+From: Dumitru Ceara <dceara@redhat.com>
+
+commit 8aa7b526dc0b5dbf40c1b834d76a667ad672a410 upstream.
+
+With multiple DNAT rules it's possible that after destination
+translation the resulting tuples collide.
+
+For example, two openvswitch flows:
+nw_dst=10.0.0.10,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
+nw_dst=10.0.0.20,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
+
+Assuming two TCP clients initiating the following connections:
+10.0.0.10:5000->10.0.0.10:10
+10.0.0.10:5000->10.0.0.20:10
+
+Both tuples would translate to 10.0.0.10:5000->20.0.0.1:20 causing
+nf_conntrack_confirm() to fail because of tuple collision.
+
+Netfilter handles this case by allocating a null binding for SNAT at
+egress by default.  Perform the same operation in openvswitch for DNAT
+if no explicit SNAT is requested by the user and allocate a null binding
+for SNAT for packets in the "original" direction.
+
+Reported-at: https://bugzilla.redhat.com/1877128
+Suggested-by: Florian Westphal <fw@strlen.de>
+Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
+Signed-off-by: Dumitru Ceara <dceara@redhat.com>
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/openvswitch/conntrack.c |   20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -709,15 +709,19 @@ static int ovs_ct_nat(struct net *net, s
+       }
+       err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);
+-      if (err == NF_ACCEPT &&
+-          ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+-              if (maniptype == NF_NAT_MANIP_SRC)
+-                      maniptype = NF_NAT_MANIP_DST;
+-              else
+-                      maniptype = NF_NAT_MANIP_SRC;
++      if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) {
++              if (ct->status & IPS_SRC_NAT) {
++                      if (maniptype == NF_NAT_MANIP_SRC)
++                              maniptype = NF_NAT_MANIP_DST;
++                      else
++                              maniptype = NF_NAT_MANIP_SRC;
+-              err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
+-                                       maniptype);
++                      err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
++                                               maniptype);
++              } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
++                      err = ovs_ct_nat_execute(skb, ct, ctinfo, NULL,
++                                               NF_NAT_MANIP_SRC);
++              }
+       }
+       /* Mark NAT done if successful and update the flow key. */
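Review bot: The new `else if` branch passes `NULL` as the range argument to `ovs_ct_nat_execute()`, whose body is outside the hunk, so it is not visible here that the 4.9 version tests the pointer before reading the range. That is worth confirming for this backport, since a missing check would be a NULL dereference on the packet path. The branch would also benefit from a short comment, for example `/* DNAT only: allocate a null SNAT binding so colliding translated tuples get a unique source */`, because the intent is otherwise recorded only in the commit message. ovs_ct_nat() itself begins and ends outside the hunk.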
index 32301ba0bc8f939de9f99f813788a3ec59038dd4..8eaaa1a99d68c523b09d7f49881d8ed0cb268328 100644 (file)
@@ -35,3 +35,6 @@ ftrace-move-rcu-is-watching-check-after-recursion-check.patch
 macsec-avoid-use-after-free-in-macsec_handle_frame.patch
 mm-khugepaged-fix-filemap-page_to_pgoff-page-offset.patch
 sctp-fix-sctp_auth_init_hmacs-error-path.patch
+team-set-dev-needed_headroom-in-team_setup_by_port.patch
+net-team-fix-memory-leak-in-__team_options_register.patch
+openvswitch-handle-dnat-tuple-collision.patch
diff --git a/queue-4.9/team-set-dev-needed_headroom-in-team_setup_by_port.patch b/queue-4.9/team-set-dev-needed_headroom-in-team_setup_by_port.patch
new file mode 100644 (file)
index 0000000..e5d7342
--- /dev/null
@@ -0,0 +1,32 @@
+From 89d01748b2354e210b5d4ea47bc25a42a1b42c82 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <edumazet@google.com>
+Date: Fri, 25 Sep 2020 06:38:08 -0700
+Subject: team: set dev->needed_headroom in team_setup_by_port()
+
+From: Eric Dumazet <edumazet@google.com>
+
+commit 89d01748b2354e210b5d4ea47bc25a42a1b42c82 upstream.
+
+Some devices set needed_headroom. If we ignore it, we might
+end up crashing in various skb_push() for example in ipgre_header()
+since some layers assume enough headroom has been reserved.
+
+Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/team/team.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2085,6 +2085,7 @@ static void team_setup_by_port(struct ne
+       dev->header_ops = port_dev->header_ops;
+       dev->type = port_dev->type;
+       dev->hard_header_len = port_dev->hard_header_len;
++      dev->needed_headroom = port_dev->needed_headroom;
+       dev->addr_len = port_dev->addr_len;
+       dev->mtu = port_dev->mtu;
+       memcpy(dev->broadcast, port_dev->broadcast, port_dev->addr_len);
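Review bot: The added line inherits `needed_headroom` from the port device but leaves `needed_tailroom` as it was, so a port that reserves tailroom may still be under-provisioned on the team device. This is an inference, because the hunk shows neither the port drivers nor the rest of team_setup_by_port(). If any supported port type depends on tailroom, the matching line would be `dev->needed_tailroom = port_dev->needed_tailroom;`. The value is also copied from a single port at setup time, and whether it is revisited when later ports need more headroom is not visible from these lines.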