--- /dev/null
+From 51edb2ff1c6fc27d3fa73f0773a31597ecd8e230 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 10 Jan 2022 20:48:17 +0100
+Subject: netfilter: nf_tables: typo NULL check in _clone() function
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 51edb2ff1c6fc27d3fa73f0773a31597ecd8e230 upstream.
+
+This should check for NULL in case memory allocation fails.
+
+Reported-by: Julian Wiedmann <jwiedmann.dev@gmail.com>
+Fixes: 3b9e2ea6c11b ("netfilter: nft_limit: move stateful fields out of expression data")
+Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data")
+Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data")
+Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Link: https://lore.kernel.org/r/20220110194817.53481-1-pablo@netfilter.org
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_connlimit.c | 2 +-
+ net/netfilter/nft_last.c | 2 +-
+ net/netfilter/nft_limit.c | 2 +-
+ net/netfilter/nft_quota.c | 2 +-
+ 4 files changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nft_connlimit.c
++++ b/net/netfilter/nft_connlimit.c
+@@ -206,7 +206,7 @@ static int nft_connlimit_clone(struct nf
+ struct nft_connlimit *priv_src = nft_expr_priv(src);
+
+ priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC);
+- if (priv_dst->list)
++ if (!priv_dst->list)
+ return -ENOMEM;
+
+ nf_conncount_list_init(priv_dst->list);
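Review bot: The changelog does not say what the inverted test did in practice, which is what someone triaging this backport needs. With the old `if (priv_dst->list)`, a failed `kmalloc()` fell through to `nf_conncount_list_init(priv_dst->list)` with a NULL pointer, and a successful one returned `-ENOMEM` with the buffer still stored in `priv_dst->list`. The `nft_last.c`, `nft_limit.c` and `nft_quota.c` hunks share the pattern; in the latter two the fall-through reaches `spin_lock_init(&priv_dst->limit->lock)` and `atomic64_set(priv_dst->consumed, 0)`. Whether the caller frees the buffer on the spurious `-ENOMEM` path is not visible here, so the leak is presumed rather than shown. I would add one sentence to the commit text, such as `A failed allocation was dereferenced and a successful one was reported as -ENOMEM.`; the clone functions start and end outside these hunks.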
+--- a/net/netfilter/nft_last.c
++++ b/net/netfilter/nft_last.c
+@@ -106,7 +106,7 @@ static int nft_last_clone(struct nft_exp
+ struct nft_last_priv *priv_dst = nft_expr_priv(dst);
+
+ priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
+- if (priv_dst->last)
++ if (!priv_dst->last)
+ return -ENOMEM;
+
+ return 0;
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -150,7 +150,7 @@ static int nft_limit_clone(struct nft_li
+ priv_dst->invert = priv_src->invert;
+
+ priv_dst->limit = kmalloc(sizeof(*priv_dst->limit), GFP_ATOMIC);
+- if (priv_dst->limit)
++ if (!priv_dst->limit)
+ return -ENOMEM;
+
+ spin_lock_init(&priv_dst->limit->lock);
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -237,7 +237,7 @@ static int nft_quota_clone(struct nft_ex
+ struct nft_quota *priv_dst = nft_expr_priv(dst);
+
+ priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC);
+- if (priv_dst->consumed)
++ if (!priv_dst->consumed)
+ return -ENOMEM;
+
+ atomic64_set(priv_dst->consumed, 0);
--- /dev/null
+From 7d70984a1ad4c445dff08edb9aacce8906b6a222 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 13 Jan 2022 12:22:38 +0100
+Subject: netfilter: nft_connlimit: memleak if nf_ct_netns_get() fails
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 7d70984a1ad4c445dff08edb9aacce8906b6a222 upstream.
+
+Check if nf_ct_netns_get() fails then release the limit object
+previously allocated via kmalloc().
+
+Fixes: 37f319f37d90 ("netfilter: nft_connlimit: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_connlimit.c | 11 ++++++++++-
+ 1 file changed, 10 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_connlimit.c
++++ b/net/netfilter/nft_connlimit.c
+@@ -62,6 +62,7 @@ static int nft_connlimit_do_init(const s
+ {
+ bool invert = false;
+ u32 flags, limit;
++ int err;
+
+ if (!tb[NFTA_CONNLIMIT_COUNT])
+ return -EINVAL;
+@@ -84,7 +85,15 @@ static int nft_connlimit_do_init(const s
+ priv->limit = limit;
+ priv->invert = invert;
+
+- return nf_ct_netns_get(ctx->net, ctx->family);
++ err = nf_ct_netns_get(ctx->net, ctx->family);
++ if (err < 0)
++ goto err_netns;
++
++ return 0;
++err_netns:
++ kfree(priv->list);
++
++ return err;
+ }
+
+ static void nft_connlimit_do_destroy(const struct nft_ctx *ctx,
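Review bot: After `kfree(priv->list)` at the `err_netns` label, the freed pointer is still stored in `priv->list`. The caller is outside the hunk, so if any later path (for example a destroy callback run after a failed init) touches `priv->list`, that would be a double free or use-after-free. Adding `priv->list = NULL;` right after the `kfree()` makes the error path safe regardless of what the caller does. The allocation and list initialisation happen earlier in `nft_connlimit_do_init()`, outside this hunk; a plain `kfree()` presumably suffices because the list is still empty at this point, which is worth confirming.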
--- /dev/null
+From 860e874290fb3be08e966c9c8ffc510c5b0f2bd8 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 28 Feb 2023 17:09:03 +0100
+Subject: netfilter: nft_last: copy content when cloning expression
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 860e874290fb3be08e966c9c8ffc510c5b0f2bd8 upstream.
+
+If the ruleset contains last timestamps, restore them accordingly.
+Otherwise, listing after restoration shows never used items.
+
+Fixes: 33a24de37e81 ("netfilter: nft_last: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_last.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nft_last.c
++++ b/net/netfilter/nft_last.c
+@@ -104,11 +104,15 @@ static void nft_last_destroy(const struc
+ static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src)
+ {
+ struct nft_last_priv *priv_dst = nft_expr_priv(dst);
++ struct nft_last_priv *priv_src = nft_expr_priv(src);
+
+ priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC);
+ if (!priv_dst->last)
+ return -ENOMEM;
+
++ priv_dst->last->set = priv_src->last->set;
++ priv_dst->last->jiffies = priv_src->last->jiffies;
++
+ return 0;
+ }
+
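Review bot: The two added copies read `priv_src->last->set` and `priv_src->last->jiffies` with plain loads, one field at a time. If the source expression can be evaluated on the packet path while it is being cloned (not visible in this hunk), the snapshot can be inconsistent between the two fields. Using `READ_ONCE()` on each load, e.g. `priv_dst->last->jiffies = READ_ONCE(priv_src->last->jiffies);`, would rule out compiler-introduced tearing and mark the race as intended. The code also assumes `priv_src->last` is non-NULL, which holds only if every source expression went through a successful init or clone; a short comment stating that assumption would help.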
--- /dev/null
+From 558254b0b602b8605d7246a10cfeb584b1fcabfc Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Tue, 24 May 2022 14:50:01 +0200
+Subject: netfilter: nft_limit: Clone packet limits' cost value
+
+From: Phil Sutter <phil@nwl.cc>
+
+commit 558254b0b602b8605d7246a10cfeb584b1fcabfc upstream.
+
+When cloning a packet-based limit expression, copy the cost value as
+well. Otherwise the new limit is not functional anymore.
+
+Fixes: 3b9e2ea6c11bf ("netfilter: nft_limit: move stateful fields out of expression data")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_limit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -218,6 +218,8 @@ static int nft_limit_pkts_clone(struct n
+ struct nft_limit_priv_pkts *priv_dst = nft_expr_priv(dst);
+ struct nft_limit_priv_pkts *priv_src = nft_expr_priv(src);
+
++ priv_dst->cost = priv_src->cost;
++
+ return nft_limit_clone(&priv_dst->limit, &priv_src->limit);
+ }
+
--- /dev/null
+From 1a58f84ea5df7f026bf92a0009f931bf547fe965 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Fri, 18 Feb 2022 13:17:05 +0100
+Subject: netfilter: nft_limit: fix stateful object memory leak
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 1a58f84ea5df7f026bf92a0009f931bf547fe965 upstream.
+
+We need to provide a destroy callback to release the extra fields.
+
+Fixes: 3b9e2ea6c11b ("netfilter: nft_limit: move stateful fields out of expression data")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_limit.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/net/netfilter/nft_limit.c
++++ b/net/netfilter/nft_limit.c
+@@ -345,11 +345,20 @@ static int nft_limit_obj_pkts_dump(struc
+ return nft_limit_dump(skb, &priv->limit, NFT_LIMIT_PKTS);
+ }
+
++static void nft_limit_obj_pkts_destroy(const struct nft_ctx *ctx,
++ struct nft_object *obj)
++{
++ struct nft_limit_priv_pkts *priv = nft_obj_data(obj);
++
++ nft_limit_destroy(ctx, &priv->limit);
++}
++
+ static struct nft_object_type nft_limit_obj_type;
+ static const struct nft_object_ops nft_limit_obj_pkts_ops = {
+ .type = &nft_limit_obj_type,
+ .size = NFT_EXPR_SIZE(sizeof(struct nft_limit_priv_pkts)),
+ .init = nft_limit_obj_pkts_init,
++ .destroy = nft_limit_obj_pkts_destroy,
+ .eval = nft_limit_obj_pkts_eval,
+ .dump = nft_limit_obj_pkts_dump,
+ };
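Review bot: Neither new callback says what it releases, and `nft_limit_destroy()` is outside the hunk, so a reader cannot tell from here which allocation was leaking. A one-line comment above `nft_limit_obj_pkts_destroy()` would cover it, such as `/* Release the limit state allocated separately from the object data. */`, with the wording checked against `nft_limit_destroy()`. The same applies to `nft_limit_obj_bytes_destroy()` in the next hunk. It is also worth confirming that `nft_limit_destroy()` tolerates an object whose init failed part-way, if the core can invoke `.destroy` in that case.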
+@@ -383,11 +392,20 @@ static int nft_limit_obj_bytes_dump(stru
+ return nft_limit_dump(skb, priv, NFT_LIMIT_PKT_BYTES);
+ }
+
++static void nft_limit_obj_bytes_destroy(const struct nft_ctx *ctx,
++ struct nft_object *obj)
++{
++ struct nft_limit_priv *priv = nft_obj_data(obj);
++
++ nft_limit_destroy(ctx, priv);
++}
++
+ static struct nft_object_type nft_limit_obj_type;
+ static const struct nft_object_ops nft_limit_obj_bytes_ops = {
+ .type = &nft_limit_obj_type,
+ .size = sizeof(struct nft_limit_priv),
+ .init = nft_limit_obj_bytes_init,
++ .destroy = nft_limit_obj_bytes_destroy,
+ .eval = nft_limit_obj_bytes_eval,
+ .dump = nft_limit_obj_bytes_dump,
+ };
--- /dev/null
+From aabef97a35160461e9c576848ded737558d89055 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Tue, 28 Feb 2023 20:43:02 +0100
+Subject: netfilter: nft_quota: copy content when cloning expression
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit aabef97a35160461e9c576848ded737558d89055 upstream.
+
+If the ruleset contains consumed quota, restore them accordingly.
+Otherwise, listing after restoration shows never used items.
+
+Restore the user-defined quota and flags too.
+
+Fixes: ed0a0c60f0e5 ("netfilter: nft_quota: move stateful fields out of expression data")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_quota.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_quota.c
++++ b/net/netfilter/nft_quota.c
+@@ -235,12 +235,16 @@ static void nft_quota_destroy(const stru
+ static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src)
+ {
+ struct nft_quota *priv_dst = nft_expr_priv(dst);
++ struct nft_quota *priv_src = nft_expr_priv(src);
++
++ priv_dst->quota = priv_src->quota;
++ priv_dst->flags = priv_src->flags;
+
+ priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC);
+ if (!priv_dst->consumed)
+ return -ENOMEM;
+
+- atomic64_set(priv_dst->consumed, 0);
++ *priv_dst->consumed = *priv_src->consumed;
+
+ return 0;
+ }
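Review bot: `*priv_dst->consumed = *priv_src->consumed;` copies an `atomic64_t` by plain struct assignment, bypassing the atomic API; the line it replaces used `atomic64_set()` on the same pointer. If the source counter can be updated while the clone runs, this is a non-atomic read, and on architectures without native 64-bit loads it can tear. `atomic64_set(priv_dst->consumed, atomic64_read(priv_src->consumed));` gives the same result through the accessors. The same question applies to `priv_dst->quota = priv_src->quota;` if `quota` is also an atomic type, which this hunk does not show.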
i2c-s3c24xx-fix-read-transfers-in-polling-mode.patch
i2c-s3c24xx-fix-transferring-more-than-one-message-i.patch
block-remove-special-casing-of-compound-pages.patch
+netfilter-nf_tables-typo-null-check-in-_clone-function.patch
+netfilter-nft_connlimit-memleak-if-nf_ct_netns_get-fails.patch
+netfilter-nft_limit-fix-stateful-object-memory-leak.patch
+netfilter-nft_limit-clone-packet-limits-cost-value.patch
+netfilter-nft_last-copy-content-when-cloning-expression.patch
+netfilter-nft_quota-copy-content-when-cloning-expression.patch