--- /dev/null
+From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann <sven@narfation.org>
+Date: Thu, 28 Nov 2019 12:25:45 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+From: Sven Eckelmann <sven@narfation.org>
+
+commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, this is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann <sven@narfation.org>
+Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -242,6 +242,7 @@ static u32 batadv_hash_dat(const void *d
+ u32 hash = 0;
+ const struct batadv_dat_entry *dat = data;
+ const unsigned char *key;
++ __be16 vid;
+ u32 i;
+
+ key = (const unsigned char *)&dat->ip;
+@@ -251,7 +252,8 @@ static u32 batadv_hash_dat(const void *d
+ hash ^= (hash >> 6);
+ }
+
+- key = (const unsigned char *)&dat->vid;
++ vid = htons(dat->vid);
++ key = (__force const unsigned char *)&vid;
+ for (i = 0; i < sizeof(dat->vid); i++) {
+ hash += key[i];
+ hash += (hash << 10);
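Review bot: The loop bound on the context line `for (i = 0; i < sizeof(dat->vid); i++)` is still taken from `dat->vid`, while the bytes are now read from the local `vid` through `key`. The two match only while the struct field stays 16 bits wide (its declaration is not visible here). If it were ever widened, `htons()` would truncate the value and the loop would read past the two-byte local on the stack. Bounding the loop by the object actually read, `for (i = 0; i < sizeof(vid); i++)`, keeps them tied together. Because the `__force` cast silences the sparse endianness check, a short comment such as `/* hash the VID in network byte order so every node selects the same candidates */` would record why it is safe. The body of batadv_hash_dat continues outside the hunk.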
--- /dev/null
+From 212e7f56605ef9688d0846db60c6c6ec06544095 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Sat, 11 Jan 2020 23:19:53 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.
+
+An earlier commit (1b789577f655060d98d20e,
+"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
+fixed missing net initialization for arptables, but turns out it was
+incomplete. We can get a very similar struct net NULL deref during
+error unwinding:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
+ xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
+ cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
+ translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
+ do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
+ do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461
+
+Also init the netns pointer in xt_tgdtor_param struct.
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/arp_tables.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -515,12 +515,13 @@ static inline int check_entry_size_and_h
+ return 0;
+ }
+
+-static inline void cleanup_entry(struct arpt_entry *e)
++static void cleanup_entry(struct arpt_entry *e, struct net *net)
+ {
+ struct xt_tgdtor_param par;
+ struct xt_entry_target *t;
+
+ t = arpt_get_target(e);
++ par.net = net;
+ par.target = t->u.kernel.target;
+ par.targinfo = t->data;
+ par.family = NFPROTO_ARP;
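Review bot: `struct xt_tgdtor_param par;` is still declared without an initializer, so any member not assigned by hand holds whatever was on the stack when the target's destructor is reached. This commit and the earlier one named in its description both repair that class of bug one field at a time. Declaring it as `struct xt_tgdtor_param par = { .net = net };` zeroes every other member, so a field added to the struct later reads as NULL/0 rather than an uninitialized pointer. The rest of cleanup_entry, including the destroy call seen in the trace, lies outside the hunk, so whether further members are set there cannot be checked from here.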
+@@ -612,7 +613,7 @@ static int translate_table(struct net *n
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ if (i-- == 0)
+ break;
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ }
+ return ret;
+ }
+@@ -939,7 +940,7 @@ static int __do_replace(struct net *net,
+ /* Decrease module usage counts and free resource */
+ loc_cpu_old_entry = oldinfo->entries;
+ xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+
+ xt_free_table_info(oldinfo);
+ if (copy_to_user(counters_ptr, counters,
+@@ -1003,7 +1004,7 @@ static int do_replace(struct net *net, c
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1300,7 +1301,7 @@ static int compat_do_replace(struct net
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1527,7 +1528,7 @@ static int do_arpt_get_ctl(struct sock *
+ return ret;
+ }
+
+-static void __arpt_unregister_table(struct xt_table *table)
++static void __arpt_unregister_table(struct net *net, struct xt_table *table)
+ {
+ struct xt_table_info *private;
+ void *loc_cpu_entry;
+@@ -1539,7 +1540,7 @@ static void __arpt_unregister_table(stru
+ /* Decrease module usage counts and free resources */
+ loc_cpu_entry = private->entries;
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ if (private->number > private->initial_entries)
+ module_put(table_owner);
+ xt_free_table_info(private);
+@@ -1579,7 +1580,7 @@ int arpt_register_table(struct net *net,
+
+ ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
+ if (ret != 0) {
+- __arpt_unregister_table(new_table);
++ __arpt_unregister_table(net, new_table);
+ *res = NULL;
+ }
+
+@@ -1594,7 +1595,7 @@ void arpt_unregister_table(struct net *n
+ const struct nf_hook_ops *ops)
+ {
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+- __arpt_unregister_table(table);
++ __arpt_unregister_table(net, table);
+ }
+
+ /* The built-in targets: standard (NULL) and error. */
--- /dev/null
+From c120959387efa51479056fd01dc90adfba7a590c Mon Sep 17 00:00:00 2001
+From: Cong Wang <xiyou.wangcong@gmail.com>
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+From: Cong Wang <xiyou.wangcong@gmail.com>
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
+Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -66,9 +66,9 @@ mtype_destroy(struct ip_set *set)
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+
+- ip_set_free(map->members);
+ if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
++ ip_set_free(map->members);
+ ip_set_free(map);
+
+ set->data = NULL;
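Review bot: The ordering this fix relies on is not recorded at the call site. Per the commit description, mtype_ext_cleanup() still uses `map->members`, so `ip_set_free(map->members)` must stay below it, yet nothing in the code says so. A one-line comment above the moved call, e.g. `/* mtype_ext_cleanup() reads map->members; free it only afterwards */`, would keep a later tidy-up from reintroducing the use-after-free. The function's opening and closing lines are outside the hunk.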