--- /dev/null
+From 2a61d8b883bbad26b06d2e6cc3777a697e78830d Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 5 Nov 2018 18:23:13 +0900
+Subject: netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_put()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+commit 2a61d8b883bbad26b06d2e6cc3777a697e78830d upstream.
+
+A proc_remove() can sleep. so that it can't be inside of spin_lock.
+Hence proc_remove() is moved to outside of spin_lock. and it also
+adds mutex to sync create and remove of proc entry(config->pde).
+
+test commands:
+SHELL#1
+ %while :; do iptables -A INPUT -p udp -i enp2s0 -d 192.168.1.100 \
+ --dport 9000 -j CLUSTERIP --new --hashmode sourceip \
+ --clustermac 01:00:5e:00:00:21 --total-nodes 3 --local-node 3; \
+ iptables -F; done
+
+SHELL#2
+ %while :; do echo +1 > /proc/net/ipt_CLUSTERIP/192.168.1.100; \
+ echo -1 > /proc/net/ipt_CLUSTERIP/192.168.1.100; done
+
+[ 2949.569864] BUG: sleeping function called from invalid context at kernel/sched/completion.c:99
+[ 2949.579944] in_atomic(): 1, irqs_disabled(): 0, pid: 5472, name: iptables
+[ 2949.587920] 1 lock held by iptables/5472:
+[ 2949.592711] #0: 000000008f0ebcf2 (&(&cn->lock)->rlock){+...}, at: refcount_dec_and_lock+0x24/0x50
+[ 2949.603307] CPU: 1 PID: 5472 Comm: iptables Tainted: G W 4.19.0-rc5+ #16
+[ 2949.604212] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 2949.604212] Call Trace:
+[ 2949.604212] dump_stack+0xc9/0x16b
+[ 2949.604212] ? show_regs_print_info+0x5/0x5
+[ 2949.604212] ___might_sleep+0x2eb/0x420
+[ 2949.604212] ? set_rq_offline.part.87+0x140/0x140
+[ 2949.604212] ? _rcu_barrier_trace+0x400/0x400
+[ 2949.604212] wait_for_completion+0x94/0x710
+[ 2949.604212] ? wait_for_completion_interruptible+0x780/0x780
+[ 2949.604212] ? __kernel_text_address+0xe/0x30
+[ 2949.604212] ? __lockdep_init_map+0x10e/0x5c0
+[ 2949.604212] ? __lockdep_init_map+0x10e/0x5c0
+[ 2949.604212] ? __init_waitqueue_head+0x86/0x130
+[ 2949.604212] ? init_wait_entry+0x1a0/0x1a0
+[ 2949.604212] proc_entry_rundown+0x208/0x270
+[ 2949.604212] ? proc_reg_get_unmapped_area+0x370/0x370
+[ 2949.604212] ? __lock_acquire+0x4500/0x4500
+[ 2949.604212] ? complete+0x18/0x70
+[ 2949.604212] remove_proc_subtree+0x143/0x2a0
+[ 2949.708655] ? remove_proc_entry+0x390/0x390
+[ 2949.708655] clusterip_tg_destroy+0x27a/0x630 [ipt_CLUSTERIP]
+[ ... ]
+
+Fixes: b3e456fce9f5 ("netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation")
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/ipt_CLUSTERIP.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -56,7 +56,7 @@ struct clusterip_config {
+ #endif
+ enum clusterip_hashmode hash_mode; /* which hashing mode */
+ u_int32_t hash_initval; /* hash initialization */
+- struct rcu_head rcu;
++ struct rcu_head rcu; /* for call_rcu_bh */
+ struct net *net; /* netns for pernet list */
+ char ifname[IFNAMSIZ]; /* device ifname */
+ };
+@@ -72,6 +72,8 @@ struct clusterip_net {
+
+ #ifdef CONFIG_PROC_FS
+ struct proc_dir_entry *procdir;
++ /* mutex protects the config->pde*/
++ struct mutex mutex;
+ #endif
+ };
+
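Review bot: The comment added on `struct mutex mutex` understates what the lock covers. In the later hunks the same mutex is held around `proc_remove(cn->procdir); cn->procdir = NULL;` in clusterip_net_exit() and around the `if (cn->procdir)` test in clusterip_config_entry_put(), so it also orders per-config entry removal against teardown of the directory. I would word it `/* serializes create/remove of config->pde and teardown of procdir */`, which also restores the missing space before `*/`.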
+@@ -118,17 +120,18 @@ clusterip_config_entry_put(struct cluste
+
+ local_bh_disable();
+ if (refcount_dec_and_lock(&c->entries, &cn->lock)) {
++ list_del_rcu(&c->list);
++ spin_unlock(&cn->lock);
++ local_bh_enable();
+ /* In case anyone still accesses the file, the open/close
+ * functions are also incrementing the refcount on their own,
+ * so it's safe to remove the entry even if it's in use. */
+ #ifdef CONFIG_PROC_FS
++ mutex_lock(&cn->mutex);
+ if (cn->procdir)
+ proc_remove(c->pde);
++ mutex_unlock(&cn->mutex);
+ #endif
+- list_del_rcu(&c->list);
+- spin_unlock(&cn->lock);
+- local_bh_enable();
+-
+ return;
+ }
+ local_bh_enable();
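Review bot: Unlinking the config and dropping `cn->lock` before `mutex_lock(&cn->mutex)` leaves a window in which the entry is gone from the list while its proc file still exists. If clusterip_config_init() looks the address up in that list before creating the file (the lookup is outside these hunks, so this is inferred), re-adding the same IP during the window would reach `proc_create_data()` with a name that is still registered and take the `-ENOMEM` path shown in the `@@ -278,9 +281,11 @@` hunk. The mutex serializes the two proc calls but does not order them. At minimum the retained comment should say so, e.g. `/* c is already unlinked; a concurrent re-add of the same IP can fail until proc_remove() has run */`, and the test loop from the commit message is a reasonable way to confirm whether the failure is reachable. clusterip_config_entry_put() starts above the hunk.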
+@@ -278,9 +281,11 @@ clusterip_config_init(struct net *net, c
+
+ /* create proc dir entry */
+ sprintf(buffer, "%pI4", &ip);
++ mutex_lock(&cn->mutex);
+ c->pde = proc_create_data(buffer, 0600,
+ cn->procdir,
+ &clusterip_proc_fops, c);
++ mutex_unlock(&cn->mutex);
+ if (!c->pde) {
+ err = -ENOMEM;
+ goto err;
+@@ -833,6 +838,7 @@ static int clusterip_net_init(struct net
+ pr_err("Unable to proc dir entry\n");
+ return -ENOMEM;
+ }
++ mutex_init(&cn->mutex);
+ #endif /* CONFIG_PROC_FS */
+
+ return 0;
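Review bot: `mutex_init(&cn->mutex)` is placed after `proc_mkdir()` has already succeeded, so the directory exists before the lock that guards it is initialised. Nothing in the visible lines takes the mutex that early, but moving the init ahead of `proc_mkdir()` (still inside the `#ifdef CONFIG_PROC_FS` block) keeps the invariant "procdir non-NULL implies mutex usable" true by construction. The start of clusterip_net_init() is outside the hunk.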
+@@ -841,9 +847,12 @@ static int clusterip_net_init(struct net
+ static void clusterip_net_exit(struct net *net)
+ {
+ struct clusterip_net *cn = clusterip_pernet(net);
++
+ #ifdef CONFIG_PROC_FS
++ mutex_lock(&cn->mutex);
+ proc_remove(cn->procdir);
+ cn->procdir = NULL;
++ mutex_unlock(&cn->mutex);
+ #endif
+ nf_unregister_net_hook(net, &cip_arp_ops);
+ }
--- /dev/null
+From 15df03c661cb362366ecfc3a21820cb934f3e4ca Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Mon, 21 Jan 2019 18:45:27 +0800
+Subject: netfilter: ipv6: Don't preserve original oif for loopback address
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit 15df03c661cb362366ecfc3a21820cb934f3e4ca upstream.
+
+Commit 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic
+original oif") made ip6_route_me_harder() keep the original oif for
+link-local and multicast packets. However, it also affected packets
+for the loopback address because it used rt6_need_strict().
+
+REDIRECT rules in the OUTPUT chain rewrite the destination to loopback
+address; thus its oif should not be preserved. This commit fixes the bug
+that redirected local packets are being dropped. Actually the packet was
+not exactly dropped; Instead it was sent out to the original oif rather
+than lo. When a packet with daddr ::1 is sent to the router, it is
+effectively dropped.
+
+Fixes: 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic original oif")
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/netfilter.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -23,9 +23,11 @@ int ip6_route_me_harder(struct net *net,
+ struct sock *sk = sk_to_full_sk(skb->sk);
+ unsigned int hh_len;
+ struct dst_entry *dst;
++ int strict = (ipv6_addr_type(&iph->daddr) &
++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
+ struct flowi6 fl6 = {
+ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
+- rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
++ strict ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
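Review bot: The reason `strict` is computed by hand instead of calling `rt6_need_strict()` is recorded only in the commit message, so the open-coded mask invites a later cleanup that would reintroduce the loopback case. A comment above the declaration would prevent that, e.g. `/* not rt6_need_strict(): a loopback daddr (REDIRECT in OUTPUT) must not keep the original oif */`. Since the value is only used as a truth value in the `.flowi6_oif` initializer, declaring it `bool strict` would state the intent better than `int`. The `fl6` initializer and the rest of ip6_route_me_harder() continue past the hunk.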
--- /dev/null
+From 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 15 Feb 2019 12:50:24 +0100
+Subject: netfilter: nf_tables: fix flush after rule deletion in the same batch
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream.
+
+Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
+been already from nft_delrule_by_chain() which is always called from the
+flush path.
+
+Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table")
+Reported-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -307,6 +307,9 @@ static int nft_delrule_by_chain(struct n
+ int err;
+
+ list_for_each_entry(rule, &ctx->chain->rules, list) {
++ if (!nft_is_active_next(ctx->net, rule))
++ continue;
++
+ err = nft_delrule(ctx, rule);
+ if (err < 0)
+ return err;
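Review bot: The new `nft_is_active_next()` test has no comment, and the reason for it is not obvious from the loop alone. Per the commit message, a rule deleted earlier in the same batch is still visited by this walk and `nft_delrule()` returns -ENOENT for it, which aborts the flush. I would add `/* already deleted earlier in this batch; nft_delrule() would fail with -ENOENT */` above the check. nft_delrule_by_chain() begins and ends outside the hunk.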
--- /dev/null
+From 1a6a0951fc009f6d9fe8ebea2d2417d80d54097b Mon Sep 17 00:00:00 2001
+From: Fernando Fernandez Mancera <ffmancera@riseup.net>
+Date: Mon, 21 Jan 2019 12:53:21 +0100
+Subject: netfilter: nfnetlink_osf: add missing fmatch check
+
+From: Fernando Fernandez Mancera <ffmancera@riseup.net>
+
+commit 1a6a0951fc009f6d9fe8ebea2d2417d80d54097b upstream.
+
+When we check the tcp options of a packet and it doesn't match the current
+fingerprint, the tcp packet option pointer must be restored to its initial
+value in order to do the proper tcp options check for the next fingerprint.
+
+Here we can see an example.
+Assumming the following fingerprint base with two lines:
+
+S10:64:1:60:M*,S,T,N,W6: Linux:3.0::Linux 3.0
+S20:64:1:60:M*,S,T,N,W7: Linux:4.19:arch:Linux 4.1
+
+Where TCP options are the last field in the OS signature, all of them overlap
+except by the last one, ie. 'W6' versus 'W7'.
+
+In case a packet for Linux 4.19 kicks in, the osf finds no matching because the
+TCP options pointer is updated after checking for the TCP options in the first
+line.
+
+Therefore, reset pointer back to where it should be.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nfnetlink_osf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -66,6 +66,7 @@ static bool nf_osf_match_one(const struc
+ int ttl_check,
+ struct nf_osf_hdr_ctx *ctx)
+ {
++ const __u8 *optpinit = ctx->optp;
+ unsigned int check_WSS = 0;
+ int fmatch = FMATCH_WRONG;
+ int foptsize, optnum;
+@@ -155,6 +156,9 @@ static bool nf_osf_match_one(const struc
+ }
+ }
+
++ if (fmatch != FMATCH_OK)
++ ctx->optp = optpinit;
++
+ return fmatch == FMATCH_OK;
+ }
+
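Review bot: The rewind of `ctx->optp` happens only at this final return and only when `fmatch != FMATCH_OK`. Two things are worth checking in the part of nf_osf_match_one() that lies between the two hunks and is not visible here. First, any earlier `return` taken after `ctx->optp` has been advanced would skip the restore. Second, a successful match leaves the pointer advanced, which matters if a caller goes on to test further fingerprints against the same `ctx`. If no caller depends on the advanced pointer, restoring unconditionally with `ctx->optp = optpinit;` is simpler and covers the second case; otherwise a comment such as `/* rewind so the next fingerprint starts at the first TCP option */` should say why the success path differs.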
--- /dev/null
+From 753c111f655e38bbd52fc01321266633f022ebe2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 13 Feb 2019 13:03:53 +0100
+Subject: netfilter: nft_compat: use-after-free when deleting targets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 753c111f655e38bbd52fc01321266633f022ebe2 upstream.
+
+Fetch pointer to module before target object is released.
+
+Fixes: 29e3880109e3 ("netfilter: nf_tables: fix use-after-free when deleting compat expressions")
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_compat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -282,6 +282,7 @@ nft_target_destroy(const struct nft_ctx
+ {
+ struct xt_target *target = expr->ops->data;
+ void *info = nft_expr_priv(expr);
++ struct module *me = target->me;
+ struct xt_tgdtor_param par;
+
+ par.net = ctx->net;
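Review bot: The new local `me` deserves a comment, because without one it reads as a redundant copy of `target->me` and is easy to fold back into the `module_put()` call changed in the next hunk. The commit message says the target object can be released by the time `nft_xt_put()` returns true, so something like `/* read before nft_xt_put(): target must not be dereferenced afterwards */` on the declaration records the ordering constraint. If the match destroy path in this file follows the same put-then-`module_put()` sequence it should be checked as well; it is not visible here.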
+@@ -292,7 +293,7 @@ nft_target_destroy(const struct nft_ctx
+ par.target->destroy(&par);
+
+ if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+- module_put(target->me);
++ module_put(me);
+ }
+
+ static int nft_extension_dump_info(struct sk_buff *skb, int attr,
--- /dev/null
+From 278e2148c07559dd4ad8602f22366d61eb2ee7b7 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 22 Feb 2019 21:22:32 +0800
+Subject: Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+commit 278e2148c07559dd4ad8602f22366d61eb2ee7b7 upstream.
+
+This reverts commit 5a2de63fd1a5 ("bridge: do not add port to router list
+when receives query with source 0.0.0.0") and commit 0fe5119e267f ("net:
+bridge: remove ipv6 zero address check in mcast queries")
+
+The reason is RFC 4541 is not a standard but suggestive. Currently we
+will elect 0.0.0.0 as Querier if there is no ip address configured on
+bridge. If we do not add the port which recives query with source
+0.0.0.0 to router list, the IGMP reports will not be about to forward
+to Querier, IGMP data will also not be able to forward to dest.
+
+As Nikolay suggested, revert this change first and add a boolopt api
+to disable none-zero election in future if needed.
+
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Reported-by: Sebastian Gottschall <s.gottschall@newmedia-net.de>
+Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
+Fixes: 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/br_multicast.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1422,14 +1422,7 @@ static void br_multicast_query_received(
+ return;
+
+ br_multicast_update_query_timer(br, query, max_delay);
+-
+- /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
+- * the arrival port for IGMP Queries where the source address
+- * is 0.0.0.0 should not be added to router port list.
+- */
+- if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
+- saddr->proto == htons(ETH_P_IPV6))
+- br_multicast_mark_router(br, port);
++ br_multicast_mark_router(br, port);
+ }
+
+ static void br_ip4_multicast_query(struct net_bridge *br,
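Review bot: After the revert the unconditional `br_multicast_mark_router(br, port);` carries no explanation, while the removed comment cited RFC 4541 section 2.1.1 for the opposite behaviour. A short comment would keep the check from being re-added without context, e.g. `/* also for source 0.0.0.0: the bridge may itself be elected querier without an address (RFC 4541 2.1.1 is advisory) */`. With this line every query that gets this far marks its arrival port as a router port, so the checks earlier in br_multicast_query_received(), which lie outside the hunk, are the only filter and are worth re-reading with that in mind.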
staging-erofs-dir-inode-super-.c-rectify-bug_ons.patch
staging-erofs-unzip_-pagevec.h-vle.c-rectify-bug_ons.patch
staging-erofs-unzip_vle_lz4.c-utils.c-rectify-bug_ons.patch
+revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
+netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
+netfilter-nft_compat-use-after-free-when-deleting-targets.patch
+netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
+netfilter-nfnetlink_osf-add-missing-fmatch-check.patch
+netfilter-ipt_clusterip-fix-sleep-in-atomic-bug-in-clusterip_config_entry_put.patch