--- /dev/null
+From 7ce64c79c4decdeb1afe0bf2f6ef834b382871d1 Mon Sep 17 00:00:00 2001
+From: "Alexander Y. Fomichev" <git.user@gmail.com>
+Date: Mon, 15 Sep 2014 14:22:35 +0400
+Subject: net: fix creation adjacent device symlinks
+
+From: "Alexander Y. Fomichev" <git.user@gmail.com>
+
+commit 7ce64c79c4decdeb1afe0bf2f6ef834b382871d1 upstream.
+
+__netdev_adjacent_dev_insert may add an adjacent device from a different net
+namespace; without a proper check this leads to broken sysfs links from/to
+devices in another namespace.
+Fix: rewrite netdev_adjacent_is_neigh_list macro as a function,
+ move net_eq check into netdev_adjacent_is_neigh_list.
+ (thanks David)
+ related to: 4c75431ac3520631f1d9e74aa88407e6374dbbc4
+
+Signed-off-by: Alexander Fomichev <git.user@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Miquel van Smoorenburg <mikevs@xs4all.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/dev.c | 18 +++++++++++-------
+ 1 file changed, 11 insertions(+), 7 deletions(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4705,9 +4705,14 @@ static void netdev_adjacent_sysfs_del(st
+ sysfs_remove_link(&(dev->dev.kobj), linkname);
+ }
+
+-#define netdev_adjacent_is_neigh_list(dev, dev_list) \
+- (dev_list == &dev->adj_list.upper || \
+- dev_list == &dev->adj_list.lower)
++static inline bool netdev_adjacent_is_neigh_list(struct net_device *dev,
++ struct net_device *adj_dev,
++ struct list_head *dev_list)
++{
++ return (dev_list == &dev->adj_list.upper ||
++ dev_list == &dev->adj_list.lower) &&
++ net_eq(dev_net(dev), dev_net(adj_dev));
++}
+
+ static int __netdev_adjacent_dev_insert(struct net_device *dev,
+ struct net_device *adj_dev,
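Review bot: The name netdev_adjacent_is_neigh_list no longer describes its contract: after this hunk it also encodes the net-namespace test, so a reader of the three call sites that gate netdev_adjacent_sysfs_add/del on it will not guess that cross-namespace adjacencies are tracked but get no symlink. A short comment above the function would make that explicit, e.g. `/* True only for direct upper/lower neighbours in the same net namespace; cross-namespace adjacencies are kept in the lists but get no sysfs link. */`. As a minor point of style, kernel code in a .c file usually writes such a small helper as plain `static bool` and lets the compiler decide on inlining rather than spelling out `static inline`. The enclosing __netdev_adjacent_dev_insert signature continues past the end of this hunk.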
+@@ -4737,7 +4742,7 @@ static int __netdev_adjacent_dev_insert(
+ pr_debug("dev_hold for %s, because of link added from %s to %s\n",
+ adj_dev->name, dev->name, adj_dev->name);
+
+- if (netdev_adjacent_is_neigh_list(dev, dev_list)) {
++ if (netdev_adjacent_is_neigh_list(dev, adj_dev, dev_list)) {
+ ret = netdev_adjacent_sysfs_add(dev, adj_dev, dev_list);
+ if (ret)
+ goto free_adj;
+@@ -4758,7 +4763,7 @@ static int __netdev_adjacent_dev_insert(
+ return 0;
+
+ remove_symlinks:
+- if (netdev_adjacent_is_neigh_list(dev, dev_list))
++ if (netdev_adjacent_is_neigh_list(dev, adj_dev, dev_list))
+ netdev_adjacent_sysfs_del(dev, adj_dev->name, dev_list);
+ free_adj:
+ kfree(adj);
+@@ -4791,8 +4796,7 @@ static void __netdev_adjacent_dev_remove
+ if (adj->master)
+ sysfs_remove_link(&(dev->dev.kobj), "master");
+
+- if (netdev_adjacent_is_neigh_list(dev, dev_list) &&
+- net_eq(dev_net(dev),dev_net(adj_dev)))
++ if (netdev_adjacent_is_neigh_list(dev, adj_dev, dev_list))
+ netdev_adjacent_sysfs_del(dev, adj_dev->name, dev_list);
+
+ list_del_rcu(&adj->list);
--- /dev/null
+From 4c75431ac3520631f1d9e74aa88407e6374dbbc4 Mon Sep 17 00:00:00 2001
+From: "Alexander Y. Fomichev" <git.user@gmail.com>
+Date: Mon, 25 Aug 2014 16:26:45 +0400
+Subject: net: prevent of emerging cross-namespace symlinks
+
+From: "Alexander Y. Fomichev" <git.user@gmail.com>
+
+commit 4c75431ac3520631f1d9e74aa88407e6374dbbc4 upstream.
+
+Code manipulating sysfs symlinks on adjacent net_devices(s)
+currently doesn't take into account that devices potentially
+belong to different namespaces.
+
+This patch tries to fix the issue as follows:
+- check the net namespace before creating / deleting a symlink.
+ For now only netdev_adjacent_rename_links and
+ __netdev_adjacent_dev_remove are affected; as far as I can see,
+ __netdev_adjacent_dev_insert implies that both net_devs
+ belong to the same namespace.
+- Drop all existing symlinks to / from all adj_devs before
+ switching namespace and recreate them just after.
+
+Signed-off-by: Alexander Y. Fomichev <git.user@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Miquel van Smoorenburg <mikevs@xs4all.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/core/dev.c | 61 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 60 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -4791,7 +4791,8 @@ static void __netdev_adjacent_dev_remove
+ if (adj->master)
+ sysfs_remove_link(&(dev->dev.kobj), "master");
+
+- if (netdev_adjacent_is_neigh_list(dev, dev_list))
++ if (netdev_adjacent_is_neigh_list(dev, dev_list) &&
++ net_eq(dev_net(dev),dev_net(adj_dev)))
+ netdev_adjacent_sysfs_del(dev, adj_dev->name, dev_list);
+
+ list_del_rcu(&adj->list);
+@@ -5061,11 +5062,65 @@ void netdev_upper_dev_unlink(struct net_
+ }
+ EXPORT_SYMBOL(netdev_upper_dev_unlink);
+
++void netdev_adjacent_add_links(struct net_device *dev)
++{
++ struct netdev_adjacent *iter;
++
++ struct net *net = dev_net(dev);
++
++ list_for_each_entry(iter, &dev->adj_list.upper, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_add(iter->dev, dev,
++ &iter->dev->adj_list.lower);
++ netdev_adjacent_sysfs_add(dev, iter->dev,
++ &dev->adj_list.upper);
++ }
++
++ list_for_each_entry(iter, &dev->adj_list.lower, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_add(iter->dev, dev,
++ &iter->dev->adj_list.upper);
++ netdev_adjacent_sysfs_add(dev, iter->dev,
++ &dev->adj_list.lower);
++ }
++}
++
++void netdev_adjacent_del_links(struct net_device *dev)
++{
++ struct netdev_adjacent *iter;
++
++ struct net *net = dev_net(dev);
++
++ list_for_each_entry(iter, &dev->adj_list.upper, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_del(iter->dev, dev->name,
++ &iter->dev->adj_list.lower);
++ netdev_adjacent_sysfs_del(dev, iter->dev->name,
++ &dev->adj_list.upper);
++ }
++
++ list_for_each_entry(iter, &dev->adj_list.lower, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
++ netdev_adjacent_sysfs_del(iter->dev, dev->name,
++ &iter->dev->adj_list.upper);
++ netdev_adjacent_sysfs_del(dev, iter->dev->name,
++ &dev->adj_list.lower);
++ }
++}
++
+ void netdev_adjacent_rename_links(struct net_device *dev, char *oldname)
+ {
+ struct netdev_adjacent *iter;
+
++ struct net *net = dev_net(dev);
++
+ list_for_each_entry(iter, &dev->adj_list.upper, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
+ netdev_adjacent_sysfs_del(iter->dev, oldname,
+ &iter->dev->adj_list.lower);
+ netdev_adjacent_sysfs_add(iter->dev, dev,
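Review bot: netdev_adjacent_add_links and netdev_adjacent_del_links are introduced as non-static functions, but the diffstat shows only net/core/dev.c changes, so no prototype is added and the only callers this patch adds are in dev_change_net_namespace in the same file; they should be `static void netdev_adjacent_add_links(struct net_device *dev)` and `static void netdev_adjacent_del_links(struct net_device *dev)`, which also avoids the usual sparse "should it be static?" warning. Separately, both loops in netdev_adjacent_add_links discard the return value of netdev_adjacent_sysfs_add; if a failed symlink is deliberately not allowed to fail a namespace move, say so with `/* best effort: a failed symlink must not fail the namespace move */`, otherwise the error should at least be logged. A small style nit: `net_eq(net,dev_net(iter->dev))` is missing the space after the comma that checkpatch expects. The netdev_adjacent_rename_links body continues past the end of this hunk.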
+@@ -5073,6 +5128,8 @@ void netdev_adjacent_rename_links(struct
+ }
+
+ list_for_each_entry(iter, &dev->adj_list.lower, list) {
++ if (!net_eq(net,dev_net(iter->dev)))
++ continue;
+ netdev_adjacent_sysfs_del(iter->dev, oldname,
+ &iter->dev->adj_list.upper);
+ netdev_adjacent_sysfs_add(iter->dev, dev,
+@@ -6679,6 +6736,7 @@ int dev_change_net_namespace(struct net_
+
+ /* Send a netdev-removed uevent to the old namespace */
+ kobject_uevent(&dev->dev.kobj, KOBJ_REMOVE);
++ netdev_adjacent_del_links(dev);
+
+ /* Actually switch the network namespace */
+ dev_net_set(dev, net);
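Review bot: netdev_adjacent_del_links removes links keyed on the current `dev->name`, but dev_change_net_namespace (which starts outside this hunk) resolves the name to use in the destination namespace before this point; if that path can rewrite dev->name when the caller supplies a name pattern, the links in the old namespace still carry the previous name and are not removed here, leaving dangling symlinks behind. Worth confirming where the rename happens relative to this call; if it precedes it, either capture the old name before the rename and delete by that name, or defer writing the new name into dev->name until after netdev_adjacent_add_links has run. The del/add ordering around dev_net_set itself looks right, since add_links compares against the new namespace.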
+@@ -6693,6 +6751,7 @@ int dev_change_net_namespace(struct net_
+
+ /* Send a netdev-add uevent to the new namespace */
+ kobject_uevent(&dev->dev.kobj, KOBJ_ADD);
++ netdev_adjacent_add_links(dev);
+
+ /* Fixup kobjects */
+ err = device_rename(&dev->dev, dev->name);
--- /dev/null
+From 2196937e12b1b4ba139806d132647e1651d655df Mon Sep 17 00:00:00 2001
+From: Dan Carpenter <dan.carpenter@oracle.com>
+Date: Mon, 10 Nov 2014 17:11:21 +0100
+Subject: netfilter: ipset: small potential read beyond the end of buffer
+
+From: Dan Carpenter <dan.carpenter@oracle.com>
+
+commit 2196937e12b1b4ba139806d132647e1651d655df upstream.
+
+We could be reading 8 bytes from a 4 byte buffer here. It seems
+harmless but adding a check is the right thing to do and it silences a
+static checker warning.
+
+Signed-off-by: Dan Carpenter <dan.carpenter@oracle.com>
+Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_core.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/ipset/ip_set_core.c
++++ b/net/netfilter/ipset/ip_set_core.c
+@@ -1839,6 +1839,12 @@ ip_set_sockfn_get(struct sock *sk, int o
+ if (*op < IP_SET_OP_VERSION) {
+ /* Check the version at the beginning of operations */
+ struct ip_set_req_version *req_version = data;
++
++ if (*len < sizeof(struct ip_set_req_version)) {
++ ret = -EINVAL;
++ goto done;
++ }
++
+ if (req_version->version != IPSET_PROTOCOL) {
+ ret = -EPROTO;
+ goto done;
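Review bot: The new guard compares `*len` with `sizeof(struct ip_set_req_version)`; if `len` points to an int, as it does on the sockopt get path, this is a signed/unsigned comparison and a negative `*len` promotes to a large unsigned value and passes the check. The function starts outside the hunk, so I cannot see whether an earlier minimum-length check or the copy from userspace already rejects negative lengths; since this is a user-supplied length it is worth making the intent explicit, e.g. `if (*len < 0 || (size_t)*len < sizeof(struct ip_set_req_version))`. The placement is otherwise correct: the check runs before `req_version->version` is dereferenced.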