5.4-stable patches

added patches:
	skbuff-fix-nfct-leak-on-napi-stolen.patch

diff --git a/queue-5.4/series b/queue-5.4/series
index 8d6f8c5b03a0e1e4eac04bf17110834f7d665a06..ce548e77d5c683c4f240465589af04a43480b48b 100644 (file)
--- a/queue-5.4/series
+++ b/queue-5.4/series
@@ -68,3 +68,4 @@ pci-avoid-flr-for-solidrun-snet-dpu-rev-1.patch
 media-ov5640-fix-analogue-gain-control.patch
 ipmi-watchdog-replace-atomic_add-and-atomic_sub.patch
 ipmi-watchdog-set-panic-count-to-proper-value-on-a-panic.patch
+skbuff-fix-nfct-leak-on-napi-stolen.patch

diff --git a/queue-5.4/skbuff-fix-nfct-leak-on-napi-stolen.patch b/queue-5.4/skbuff-fix-nfct-leak-on-napi-stolen.patch
new file mode 100644 (file)
index 0000000..2cfbc91
--- /dev/null
+++ b/queue-5.4/skbuff-fix-nfct-leak-on-napi-stolen.patch
@@ -0,0 +1,51 @@
+From taoliu828@163.com  Wed Mar 15 08:41:51 2023
+From: Tao Liu <taoliu828@163.com>
+Date: Tue, 14 Mar 2023 20:10:17 +0800
+Subject: skbuff: Fix nfct leak on napi stolen
+To: paulb@nvidia.com, roid@nvidia.com, davem@davemloft.net, kuba@kernel.org, gregkh@linuxfoundation.org
+Cc: netdev@vger.kernel.org, taoliu828@163.com
+Message-ID: <20230314121017.1929515-1-taoliu828@163.com>
+
+From: Tao Liu <taoliu828@163.com>
+
+Upstream commit [0] had fixed this issue, and backported to kernel 5.10.54.
+However, nf_reset_ct() added in skb_release_head_state() instead of
+napi_skb_free_stolen_head(), which lead to leakage still exist in 5.10.
+
+[0] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=8550ff8d8c75416e984d9c4b082845e57e560984
+
+Fixes: 570341f10ecc ("skbuff: Release nfct refcount on napi stolen or re-used skbs"))
+Signed-off-by: Tao Liu <taoliu828@163.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/core/dev.c    | 1 +
+ net/core/skbuff.c | 1 -
+ 2 files changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/net/core/dev.c b/net/core/dev.c
+index 8cbcb6a104f2..413c2a08d79d 100644
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6111,6 +6111,7 @@ EXPORT_SYMBOL(gro_find_complete_by_type);
+ 
+ static void napi_skb_free_stolen_head(struct sk_buff *skb)
+ {
++      nf_reset_ct(skb);
+       skb_dst_drop(skb);
+       skb_ext_put(skb);
+       kmem_cache_free(skbuff_head_cache, skb);
+diff --git a/net/core/skbuff.c b/net/core/skbuff.c
+index 668a9d0fbbc6..09cdefe5e1c8 100644
+--- a/net/core/skbuff.c
++++ b/net/core/skbuff.c
+@@ -659,7 +659,6 @@ static void kfree_skbmem(struct sk_buff *skb)
+ 
+ void skb_release_head_state(struct sk_buff *skb)
+ {
+-      nf_reset_ct(skb);
+       skb_dst_drop(skb);
+       if (skb->destructor) {
+               WARN_ON(in_irq());
+-- 
+2.31.1
+