4.16-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 May 2018 07:47:00 +0000 (09:47 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 20 May 2018 07:47:00 +0000 (09:47 +0200)
added patches:
netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
netfilter-nf_tables-free-set-name-in-error-path.patch
netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch

queue-4.16/netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch [new file with mode: 0644]
queue-4.16/netfilter-nf_tables-free-set-name-in-error-path.patch [new file with mode: 0644]
queue-4.16/netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch [new file with mode: 0644]
queue-4.16/series
queue-4.16/tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch [new file with mode: 0644]

diff --git a/queue-4.16/netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch b/queue-4.16/netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
new file mode 100644 (file)
index 0000000..e7bf42b
--- /dev/null
@@ -0,0 +1,110 @@
+From 569ccae68b38654f04b6842b034aa33857f605fe Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 10 Apr 2018 09:30:27 +0200
+Subject: netfilter: nf_tables: can't fail after linking rule into active rule list
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 569ccae68b38654f04b6842b034aa33857f605fe upstream.
+
+rules in nftables a free'd using kfree, but protected by rcu, i.e. we
+must wait for a grace period to elapse.
+
+Normal removal patch does this, but nf_tables_newrule() doesn't obey
+this rule during error handling.
+
+It calls nft_trans_rule_add() *after* linking rule, and, if that
+fails to allocate memory, it unlinks the rule and then kfree() it --
+this is unsafe.
+
+Switch order -- first add rule to transaction list, THEN link it
+to public list.
+
+Note: nft_trans_rule_add() uses GFP_KERNEL; it will not fail so this
+is not a problem in practice (spotted only during code review).
+
+Fixes: 0628b123c96d12 ("netfilter: nfnetlink: add batch support and use it from nf_tables")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |   59 ++++++++++++++++++++++--------------------
+ 1 file changed, 32 insertions(+), 27 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -2357,41 +2357,46 @@ static int nf_tables_newrule(struct net
+       }
+       if (nlh->nlmsg_flags & NLM_F_REPLACE) {
+-              if (nft_is_active_next(net, old_rule)) {
+-                      trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
+-                                                 old_rule);
+-                      if (trans == NULL) {
+-                              err = -ENOMEM;
+-                              goto err2;
+-                      }
+-                      nft_deactivate_next(net, old_rule);
+-                      chain->use--;
+-                      list_add_tail_rcu(&rule->list, &old_rule->list);
+-              } else {
++              if (!nft_is_active_next(net, old_rule)) {
+                       err = -ENOENT;
+                       goto err2;
+               }
+-      } else if (nlh->nlmsg_flags & NLM_F_APPEND)
+-              if (old_rule)
+-                      list_add_rcu(&rule->list, &old_rule->list);
+-              else
+-                      list_add_tail_rcu(&rule->list, &chain->rules);
+-      else {
+-              if (old_rule)
+-                      list_add_tail_rcu(&rule->list, &old_rule->list);
+-              else
+-                      list_add_rcu(&rule->list, &chain->rules);
+-      }
++              trans = nft_trans_rule_add(&ctx, NFT_MSG_DELRULE,
++                                         old_rule);
++              if (trans == NULL) {
++                      err = -ENOMEM;
++                      goto err2;
++              }
++              nft_deactivate_next(net, old_rule);
++              chain->use--;
++
++              if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++                      err = -ENOMEM;
++                      goto err2;
++              }
+-      if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
+-              err = -ENOMEM;
+-              goto err3;
++              list_add_tail_rcu(&rule->list, &old_rule->list);
++      } else {
++              if (nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule) == NULL) {
++                      err = -ENOMEM;
++                      goto err2;
++              }
++
++              if (nlh->nlmsg_flags & NLM_F_APPEND) {
++                      if (old_rule)
++                              list_add_rcu(&rule->list, &old_rule->list);
++                      else
++                              list_add_tail_rcu(&rule->list, &chain->rules);
++               } else {
++                      if (old_rule)
++                              list_add_tail_rcu(&rule->list, &old_rule->list);
++                      else
++                              list_add_rcu(&rule->list, &chain->rules);
++              }
+       }
+       chain->use++;
+       return 0;
+-err3:
+-      list_del_rcu(&rule->list);
+ err2:
+       nf_tables_rule_destroy(&ctx, rule);
+ err1:
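Review bot: In the NLM_F_REPLACE branch the second `nft_trans_rule_add(&ctx, NFT_MSG_NEWRULE, rule)` can still fail after `nft_deactivate_next(net, old_rule)` and `chain->use--` have run, and its `goto err2` destroys only the new rule, so the old rule stays deactivated and the chain use count stays decremented on that path; presumably the DELRULE transaction queued just above is unwound by the batch abort handler, which is outside this hunk and worth stating at that jump: `/* old_rule state is restored by the abort path via the DELRULE trans */`. The reordering itself does close the window the commit describes, since the rule is now linked into the chain only after both transaction entries exist. One style nit: the `} else {` that closes the NLM_F_APPEND branch sits one column deeper than the `if` it pairs with, unlike the surrounding tab-indented lines. nf_tables_newrule begins before this hunk and its error labels continue past it.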
diff --git a/queue-4.16/netfilter-nf_tables-free-set-name-in-error-path.patch b/queue-4.16/netfilter-nf_tables-free-set-name-in-error-path.patch
new file mode 100644 (file)
index 0000000..da38d69
--- /dev/null
@@ -0,0 +1,46 @@
+From 2f6adf481527c8ab8033c601f55bfb5b3712b2ac Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 10 Apr 2018 09:00:24 +0200
+Subject: netfilter: nf_tables: free set name in error path
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 2f6adf481527c8ab8033c601f55bfb5b3712b2ac upstream.
+
+set->name must be free'd here in case ops->init fails.
+
+Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |    8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3203,18 +3203,20 @@ static int nf_tables_newset(struct net *
+       err = ops->init(set, &desc, nla);
+       if (err < 0)
+-              goto err2;
++              goto err3;
+       err = nft_trans_set_add(&ctx, NFT_MSG_NEWSET, set);
+       if (err < 0)
+-              goto err3;
++              goto err4;
+       list_add_tail_rcu(&set->list, &table->sets);
+       table->use++;
+       return 0;
+-err3:
++err4:
+       ops->destroy(set);
++err3:
++      kfree(set->name);
+ err2:
+       kvfree(set);
+ err1:
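Review bot: The unwind chain now has four numbered labels (err4, err3, err2, err1) whose meaning is only recoverable by reading which call each one precedes; kernel coding style prefers labels that say what the goto does, e.g. `err_destroy:`, `err_free_name:`, `err_free_set:`, which would also make the newly inserted `kfree(set->name)` step self-explaining. The placement looks correct as far as the hunk shows: both the ops->init and the nft_trans_set_add failure paths now reach `kfree(set->name)` before `kvfree(set)`. Whether every earlier `goto err2` is taken before set->name is allocated is not visible here, since nf_tables_newset starts before this hunk.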
diff --git a/queue-4.16/netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch b/queue-4.16/netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
new file mode 100644 (file)
index 0000000..7929810
--- /dev/null
@@ -0,0 +1,42 @@
+From ae0662f84b105776734cb089703a7bf834bac195 Mon Sep 17 00:00:00 2001
+From: kbuild test robot <fengguang.wu@intel.com>
+Date: Sat, 20 Jan 2018 04:27:58 +0800
+Subject: netfilter: nf_tables: nf_tables_obj_lookup_byhandle() can be static
+
+From: kbuild test robot <fengguang.wu@intel.com>
+
+commit ae0662f84b105776734cb089703a7bf834bac195 upstream.
+
+Fixes: 3ecbfd65f50e ("netfilter: nf_tables: allocate handle and delete objects via handle")
+Signed-off-by: Fengguang Wu <fengguang.wu@intel.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -4399,9 +4399,9 @@ struct nft_object *nf_tables_obj_lookup(
+ }
+ EXPORT_SYMBOL_GPL(nf_tables_obj_lookup);
+-struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
+-                                               const struct nlattr *nla,
+-                                               u32 objtype, u8 genmask)
++static struct nft_object *nf_tables_obj_lookup_byhandle(const struct nft_table *table,
++                                                      const struct nlattr *nla,
++                                                      u32 objtype, u8 genmask)
+ {
+       struct nft_object *obj;
+@@ -4921,7 +4921,7 @@ struct nft_flowtable *nf_tables_flowtabl
+ }
+ EXPORT_SYMBOL_GPL(nf_tables_flowtable_lookup);
+-struct nft_flowtable *
++static struct nft_flowtable *
+ nf_tables_flowtable_lookup_byhandle(const struct nft_table *table,
+                                   const struct nlattr *nla, u8 genmask)
+ {
index 0bb9cdda67af3547b618497b9e5defca5b72a885..5f9c332b7ed01c854abbb0c135db9500d952eecd 100644 (file)
@@ -22,3 +22,7 @@ vfio-ccw-fix-cleanup-if-cp_prefetch-fails.patch
 tracing-x86-xen-remove-zero-data-size-trace-events-trace_xen_mmu_flush_tlb-_all.patch
 vsprintf-replace-memory-barrier-with-static_key-for-random_ptr_key-update.patch
 x86-amd_nb-add-support-for-raven-ridge-cpus.patch
+tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch
+netfilter-nf_tables-free-set-name-in-error-path.patch
+netfilter-nf_tables-can-t-fail-after-linking-rule-into-active-rule-list.patch
+netfilter-nf_tables-nf_tables_obj_lookup_byhandle-can-be-static.patch
diff --git a/queue-4.16/tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch b/queue-4.16/tee-shm-fix-use-after-free-via-temporarily-dropped-reference.patch
new file mode 100644 (file)
index 0000000..9d6ef95
--- /dev/null
@@ -0,0 +1,39 @@
+From bb765d1c331f62b59049d35607ed2e365802bef9 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Wed, 4 Apr 2018 21:03:21 +0200
+Subject: tee: shm: fix use-after-free via temporarily dropped reference
+
+From: Jann Horn <jannh@google.com>
+
+commit bb765d1c331f62b59049d35607ed2e365802bef9 upstream.
+
+Bump the file's refcount before moving the reference into the fd table,
+not afterwards. The old code could drop the file's refcount to zero for a
+short moment before calling get_file() via get_dma_buf().
+
+This code can only be triggered on ARM systems that use Linaro's OP-TEE.
+
+Fixes: 967c9cca2cc5 ("tee: generic TEE subsystem")
+Signed-off-by: Jann Horn <jannh@google.com>
+Signed-off-by: Jens Wiklander <jens.wiklander@linaro.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tee/tee_shm.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/tee/tee_shm.c
++++ b/drivers/tee/tee_shm.c
+@@ -360,9 +360,10 @@ int tee_shm_get_fd(struct tee_shm *shm)
+       if (!(shm->flags & TEE_SHM_DMA_BUF))
+               return -EINVAL;
++      get_dma_buf(shm->dmabuf);
+       fd = dma_buf_fd(shm->dmabuf, O_CLOEXEC);
+-      if (fd >= 0)
+-              get_dma_buf(shm->dmabuf);
++      if (fd < 0)
++              dma_buf_put(shm->dmabuf);
+       return fd;
+ }
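Review bot: The reference taken by `get_dma_buf(shm->dmabuf)` is handed to the file descriptor that `dma_buf_fd()` installs on success and released by `dma_buf_put()` on failure, but nothing in the code states that ownership transfer, which is the whole point of the reorder; a one-line comment above the new call would keep the next reader from "fixing" it back: `/* fd table owns this ref once dma_buf_fd() succeeds; dropped below on failure */`. Taking the reference before the fd is published also removes the short interval in which the old code left the file reachable with a refcount that could hit zero. tee_shm_get_fd begins before this hunk.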