From: Greg Kroah-Hartman Date: Mon, 20 Jan 2020 11:36:04 +0000 (+0100) Subject: 5.4-stable patches X-Git-Tag: v4.4.211~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01d272c558356e13c895f3ecd12ec6e4da268be5;p=thirdparty%2Fkernel%2Fstable-queue.git 5.4-stable patches added patches: batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch net-bpf-don-t-leak-time-wait-and-request-sockets.patch netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch netfilter-fix-a-use-after-free-in-mtype_destroy.patch netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch netfilter-nf_tables-fix-flowtable-list-del-corruption.patch netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch netfilter-nft_tunnel-erspan_version-must-not-be-null.patch netfilter-nft_tunnel-fix-null-attribute-check.patch nfc-pn533-fix-bulk-message-timeout.patch --- diff --git a/queue-5.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-5.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch new file mode 100644 index 00000000000..fc12ece738e --- /dev/null +++ b/queue-5.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch 
@@ -0,0 +1,49 @@ +From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Thu, 28 Nov 2019 12:25:45 +0100 +Subject: batman-adv: Fix DAT candidate selection on little endian systems + +From: Sven Eckelmann + +commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream. + +The distributed arp table is using a DHT to store and retrieve MAC address +information for an IP address. This is done using unicast messages to +selected peers. The potential peers are looked up using the IP address and +the VID. + +While the IP address is always stored in big endian byte order, this is not +the case of the VID. It can (depending on the host system) either be big +endian or little endian. The host must therefore always convert it to big +endian to ensure that all devices calculate the same peers for the same +lookup data. + +Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware") +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Signed-off-by: Greg Kroah-Hartman + +--- + net/batman-adv/distributed-arp-table.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/batman-adv/distributed-arp-table.c ++++ b/net/batman-adv/distributed-arp-table.c +@@ -285,6 +285,7 @@ static u32 batadv_hash_dat(const void *d + u32 hash = 0; + const struct batadv_dat_entry *dat = data; + const unsigned char *key; ++ __be16 vid; + u32 i; + + key = (const unsigned char *)&dat->ip; +@@ -294,7 +295,8 @@ static u32 batadv_hash_dat(const void *d + hash ^= (hash >> 6); + } + +- key = (const unsigned char *)&dat->vid; ++ vid = htons(dat->vid); ++ key = (__force const unsigned char *)&vid; + for (i = 0; i < sizeof(dat->vid); i++) { + hash += key[i]; + hash += (hash << 10); diff --git a/queue-5.4/bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch b/queue-5.4/bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch new file mode 100644 index 00000000000..caba60c8b99 --- /dev/null 
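Review bot: The loop that hashes the converted VID still bounds itself by `sizeof(dat->vid)` while reading through `key`, which now points at the local `vid` of type `__be16`, so the byte count is tied to a different object than the one being indexed; `for (i = 0; i < sizeof(vid); i++) {` keeps the bound on the buffer actually read. If `dat->vid` is a 16-bit type, as the `htons()` conversion implies, the two sizes are equal today and this is a robustness point only. Separately, the hash output on little-endian hosts changes with this patch, so a mesh running a mix of patched and unpatched nodes will compute different DAT candidates until every node is updated, which operators may want called out. The enclosing `batadv_hash_dat()` starts and ends outside the hunk.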
+++ b/queue-5.4/bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch 
@@ -0,0 +1,61 @@ +From e7a5f1f1cd0008e5ad379270a8657e121eedb669 Mon Sep 17 00:00:00 2001 +From: Lingpeng Chen +Date: Thu, 9 Jan 2020 09:48:33 +0800 +Subject: bpf/sockmap: Read psock ingress_msg before sk_receive_queue + +From: Lingpeng Chen + +commit e7a5f1f1cd0008e5ad379270a8657e121eedb669 upstream. + +Right now in tcp_bpf_recvmsg, sock read data first from sk_receive_queue +if not empty than psock->ingress_msg otherwise. If a FIN packet arrives +and there's also some data in psock->ingress_msg, the data in +psock->ingress_msg will be purged. It is always happen when request to a +HTTP1.0 server like python SimpleHTTPServer since the server send FIN +packet after data is sent out. + +Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") +Reported-by: Arika Chen +Suggested-by: Arika Chen +Signed-off-by: Lingpeng Chen +Signed-off-by: John Fastabend +Signed-off-by: Daniel Borkmann +Acked-by: Song Liu +Link: https://lore.kernel.org/bpf/20200109014833.18951-1-forrest0579@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_bpf.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/net/ipv4/tcp_bpf.c ++++ b/net/ipv4/tcp_bpf.c +@@ -121,14 +121,14 @@ int tcp_bpf_recvmsg(struct sock *sk, str + struct sk_psock *psock; + int copied, ret; + +- if (unlikely(flags & MSG_ERRQUEUE)) +- return inet_recv_error(sk, msg, len, addr_len); +- if (!skb_queue_empty(&sk->sk_receive_queue)) +- return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); +- + psock = sk_psock_get(sk); + if (unlikely(!psock)) + return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); ++ if (unlikely(flags & MSG_ERRQUEUE)) ++ return inet_recv_error(sk, msg, len, addr_len); ++ if (!skb_queue_empty(&sk->sk_receive_queue) && ++ sk_psock_queue_empty(psock)) ++ return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); + lock_sock(sk); + msg_bytes_ready: + copied = __tcp_bpf_recvmsg(sk, psock, msg, len, flags); +@@ -139,7 +139,7 @@ msg_bytes_ready: + 
timeo = sock_rcvtimeo(sk, nonblock); + data = tcp_bpf_wait_data(sk, psock, flags, timeo, &err); + if (data) { +- if (skb_queue_empty(&sk->sk_receive_queue)) ++ if (!sk_psock_queue_empty(psock)) + goto msg_bytes_ready; + release_sock(sk); + sk_psock_put(sk, psock); diff --git a/queue-5.4/bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch b/queue-5.4/bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch new file mode 100644 index 00000000000..59499c1ca0e --- /dev/null +++ b/queue-5.4/bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch @@ -0,0 +1,40 @@ +From 555089fdfc37ad65e0ee9b42ca40c238ff546f83 Mon Sep 17 00:00:00 2001 +From: Martin KaFai Lau +Date: Fri, 10 Jan 2020 15:16:44 -0800 +Subject: bpftool: Fix printing incorrect pointer in btf_dump_ptr + +From: Martin KaFai Lau + +commit 555089fdfc37ad65e0ee9b42ca40c238ff546f83 upstream. + +For plain text output, it incorrectly prints the pointer value +"void *data". The "void *data" is actually pointing to memory that +contains a bpf-map's value. The intention is to print the content of +the bpf-map's value instead of printing the pointer pointing to the +bpf-map's value. + +In this case, a member of the bpf-map's value is a pointer type. +Thus, it should print the "*(void **)data". + +Fixes: 22c349e8db89 ("tools: bpftool: fix format strings and arguments for jsonw_printf()") +Signed-off-by: Martin KaFai Lau +Signed-off-by: Alexei Starovoitov +Reviewed-by: Quentin Monnet +Link: https://lore.kernel.org/bpf/20200110231644.3484151-1-kafai@fb.com +Signed-off-by: Greg Kroah-Hartman + +--- + tools/bpf/bpftool/btf_dumper.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/bpf/bpftool/btf_dumper.c ++++ b/tools/bpf/bpftool/btf_dumper.c +@@ -26,7 +26,7 @@ static void btf_dumper_ptr(const void *d + bool is_plain_text) + { + if (is_plain_text) +- jsonw_printf(jw, "%p", data); ++ jsonw_printf(jw, "%p", *(void **)data); + else + jsonw_printf(jw, "%lu", *(unsigned long *)data); + } 
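Review bot: Both early returns that now sit after `sk_psock_get(sk)` in `tcp_bpf_recvmsg()` leave the function without `sk_psock_put()`, so the `MSG_ERRQUEUE` path and the new `sk_receive_queue`-not-empty-and-`sk_psock_queue_empty()` path each leak one psock reference; only the `!psock` return before them is safe. The reordering that moved those two checks below the `sk_psock_get()` call is what introduced the leak, so each of those returns has to drop the reference first. The remainder of `tcp_bpf_recvmsg()` is outside the hunk.
```c
	psock = sk_psock_get(sk);
	/* … unchanged: !psock fallback to tcp_recvmsg() … */
	if (unlikely(flags & MSG_ERRQUEUE)) {
		sk_psock_put(sk, psock);
		return inet_recv_error(sk, msg, len, addr_len);
	}
	if (!skb_queue_empty(&sk->sk_receive_queue) &&
	    sk_psock_queue_empty(psock)) {
		sk_psock_put(sk, psock);
		return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len);
	}
```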
diff --git a/queue-5.4/i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch b/queue-5.4/i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch
new file mode 100644
index 00000000000..d8712f55a65
--- /dev/null
+++ b/queue-5.4/i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch
@@ -0,0 +1,50 @@
+From e64175776d06a8ceebbfd349d7e66a4a46ca39ef Mon Sep 17 00:00:00 2001
+From: Krzysztof Kozlowski
+Date: Mon, 13 Jan 2020 18:29:54 +0100
+Subject: i2c: iop3xx: Fix memory leak in probe error path
+
+From: Krzysztof Kozlowski
+
+commit e64175776d06a8ceebbfd349d7e66a4a46ca39ef upstream.
+
+When handling devm_gpiod_get_optional() errors, free the memory already
+allocated. This fixes Smatch warnings:
+
+ drivers/i2c/busses/i2c-iop3xx.c:437 iop3xx_i2c_probe() warn: possible memory leak of 'new_adapter'
+ drivers/i2c/busses/i2c-iop3xx.c:442 iop3xx_i2c_probe() warn: possible memory leak of 'new_adapter'
+
+Fixes: fdb7e884ad61 ("i2c: iop: Use GPIO descriptors")
+Reported-by: kbuild test robot
+Reported-by: Dan Carpenter
+Signed-off-by: Krzysztof Kozlowski
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-iop3xx.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-iop3xx.c
++++ b/drivers/i2c/busses/i2c-iop3xx.c
+@@ -433,13 +433,17 @@ iop3xx_i2c_probe(struct platform_device
+ adapter_data->gpio_scl = devm_gpiod_get_optional(&pdev->dev,
+ "scl",
+ GPIOD_ASIS);
+- if (IS_ERR(adapter_data->gpio_scl))
+- return PTR_ERR(adapter_data->gpio_scl);
++ if (IS_ERR(adapter_data->gpio_scl)) {
++ ret = PTR_ERR(adapter_data->gpio_scl);
++ goto free_both;
++ }
+ adapter_data->gpio_sda = devm_gpiod_get_optional(&pdev->dev,
+ "sda",
+ GPIOD_ASIS);
+- if (IS_ERR(adapter_data->gpio_sda))
+- return PTR_ERR(adapter_data->gpio_sda);
++ if (IS_ERR(adapter_data->gpio_sda)) {
++ ret = PTR_ERR(adapter_data->gpio_sda);
++ goto free_both;
++ }
+
+ res = platform_get_resource(pdev, IORESOURCE_MEM, 0);
+ if (!res) {
diff --git a/queue-5.4/net-bpf-don-t-leak-time-wait-and-request-sockets.patch b/queue-5.4/net-bpf-don-t-leak-time-wait-and-request-sockets.patch new file mode 100644 index 00000000000..7642b35b8bd --- /dev/null +++ b/queue-5.4/net-bpf-don-t-leak-time-wait-and-request-sockets.patch 
@@ -0,0 +1,73 @@ +From 2e012c74823629d9db27963c79caa3f5b2010746 Mon Sep 17 00:00:00 2001 +From: Lorenz Bauer +Date: Fri, 10 Jan 2020 13:23:36 +0000 +Subject: net: bpf: Don't leak time wait and request sockets +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lorenz Bauer + +commit 2e012c74823629d9db27963c79caa3f5b2010746 upstream. + +It's possible to leak time wait and request sockets via the following +BPF pseudo code: +  + sk = bpf_skc_lookup_tcp(...) + if (sk) + bpf_sk_release(sk) + +If sk->sk_state is TCP_NEW_SYN_RECV or TCP_TIME_WAIT the refcount taken +by bpf_skc_lookup_tcp is not undone by bpf_sk_release. This is because +sk_flags is re-used for other data in both kinds of sockets. The check + + !sock_flag(sk, SOCK_RCU_FREE) + +therefore returns a bogus result. Check that sk_flags is valid by calling +sk_fullsock. Skip checking SOCK_RCU_FREE if we already know that sk is +not a full socket. + +Fixes: edbf8c01de5a ("bpf: add skc_lookup_tcp helper") +Fixes: f7355a6c0497 ("bpf: Check sk_fullsock() before returning from bpf_sk_lookup()") +Signed-off-by: Lorenz Bauer +Signed-off-by: Alexei Starovoitov +Acked-by: Martin KaFai Lau +Link: https://lore.kernel.org/bpf/20200110132336.26099-1-lmb@cloudflare.com +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/filter.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/net/core/filter.c ++++ b/net/core/filter.c +@@ -5306,8 +5306,7 @@ __bpf_sk_lookup(struct sk_buff *skb, str + if (sk) { + sk = sk_to_full_sk(sk); + if (!sk_fullsock(sk)) { +- if (!sock_flag(sk, SOCK_RCU_FREE)) +- sock_gen_put(sk); ++ sock_gen_put(sk); + return NULL; + } + } +@@ -5344,8 +5343,7 @@ bpf_sk_lookup(struct sk_buff *skb, struc + if (sk) { + sk = sk_to_full_sk(sk); + if (!sk_fullsock(sk)) { +- if (!sock_flag(sk, SOCK_RCU_FREE)) +- sock_gen_put(sk); ++ sock_gen_put(sk); + return NULL; + } + } +@@ -5412,7 +5410,8 @@ static const struct bpf_func_proto bpf_s + + 
BPF_CALL_1(bpf_sk_release, struct sock *, sk) + { +- if (!sock_flag(sk, SOCK_RCU_FREE)) ++ /* Only full sockets have sk->sk_flags. */ ++ if (!sk_fullsock(sk) || !sock_flag(sk, SOCK_RCU_FREE)) + sock_gen_put(sk); + return 0; + } diff --git a/queue-5.4/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch b/queue-5.4/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch new file mode 100644 index 00000000000..aa3fe6fc5d7 --- /dev/null +++ b/queue-5.4/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch 
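Review bot: The two lookup hunks now call `sock_gen_put(sk)` unconditionally for a non-full socket, but nothing at those sites says why the `SOCK_RCU_FREE` test was dropped, while `bpf_sk_release()` alone gets the explanatory comment; a reader of `__bpf_sk_lookup()` on its own sees a lookup reference being released without the check the release helper still applies. Suggest the same one-liner at both lookup sites: `/* Non-full (request/timewait) socks have no sk_flags; the lookup took a ref, always drop it. */`. Note also that `sk_to_full_sk()` may replace a request socket by its listener before the `sk_fullsock()` test, and whether the reference taken by the lookup then belongs to the object being returned is not visible in this hunk and is worth confirming. Both lookup functions continue outside the hunk.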
@@ -0,0 +1,124 @@ +From 212e7f56605ef9688d0846db60c6c6ec06544095 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sat, 11 Jan 2020 23:19:53 +0100 +Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct + +From: Florian Westphal + +commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream. + +An earlier commit (1b789577f655060d98d20e, +"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct") +fixed missing net initialization for arptables, but turns out it was +incomplete. We can get a very similar struct net NULL deref during +error unwinding: + +general protection fault: 0000 [#1] PREEMPT SMP KASAN +RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77 + xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175 + cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline] + translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587 + do_replace net/ipv4/netfilter/arp_tables.c:981 [inline] + do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461 + +Also init the netns pointer in xt_tgdtor_param struct. 
+ +Fixes: add67461240c1d ("netfilter: add struct net * to target parameters") +Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/arp_tables.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/net/ipv4/netfilter/arp_tables.c ++++ b/net/ipv4/netfilter/arp_tables.c +@@ -496,12 +496,13 @@ static inline int check_entry_size_and_h + return 0; + } + +-static inline void cleanup_entry(struct arpt_entry *e) ++static void cleanup_entry(struct arpt_entry *e, struct net *net) + { + struct xt_tgdtor_param par; + struct xt_entry_target *t; + + t = arpt_get_target(e); ++ par.net = net; + par.target = t->u.kernel.target; + par.targinfo = t->data; + par.family = NFPROTO_ARP; +@@ -584,7 +585,7 @@ static int translate_table(struct net *n + xt_entry_foreach(iter, entry0, newinfo->size) { + if (i-- == 0) + break; +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + } + return ret; + } +@@ -927,7 +928,7 @@ static int __do_replace(struct net *net, + /* Decrease module usage counts and free resource */ + loc_cpu_old_entry = oldinfo->entries; + xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + + xt_free_table_info(oldinfo); + if (copy_to_user(counters_ptr, counters, +@@ -990,7 +991,7 @@ static int do_replace(struct net *net, c + + free_newinfo_untrans: + xt_entry_foreach(iter, loc_cpu_entry, newinfo->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + free_newinfo: + xt_free_table_info(newinfo); + return ret; +@@ -1287,7 +1288,7 @@ static int compat_do_replace(struct net + + free_newinfo_untrans: + xt_entry_foreach(iter, loc_cpu_entry, newinfo->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + free_newinfo: + xt_free_table_info(newinfo); + return ret; +@@ -1514,7 +1515,7 @@ static int do_arpt_get_ctl(struct sock * + return ret; 
+ } + +-static void __arpt_unregister_table(struct xt_table *table) ++static void __arpt_unregister_table(struct net *net, struct xt_table *table) + { + struct xt_table_info *private; + void *loc_cpu_entry; +@@ -1526,7 +1527,7 @@ static void __arpt_unregister_table(stru + /* Decrease module usage counts and free resources */ + loc_cpu_entry = private->entries; + xt_entry_foreach(iter, loc_cpu_entry, private->size) +- cleanup_entry(iter); ++ cleanup_entry(iter, net); + if (private->number > private->initial_entries) + module_put(table_owner); + xt_free_table_info(private); +@@ -1566,7 +1567,7 @@ int arpt_register_table(struct net *net, + + ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks)); + if (ret != 0) { +- __arpt_unregister_table(new_table); ++ __arpt_unregister_table(net, new_table); + *res = NULL; + } + +@@ -1581,7 +1582,7 @@ void arpt_unregister_table(struct net *n + const struct nf_hook_ops *ops) + { + nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks)); +- __arpt_unregister_table(table); ++ __arpt_unregister_table(net, table); + } + + /* The built-in targets: standard (NULL) and error. */ diff --git a/queue-5.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-5.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch new file mode 100644 index 00000000000..2831a3fa0ad --- /dev/null +++ b/queue-5.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch 
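Review bot: `cleanup_entry()` still fills `struct xt_tgdtor_param par` one field at a time on the stack, which is exactly how the missing `net` went unnoticed; initialising it as `struct xt_tgdtor_param par = { .net = net };` would zero any member a future change forgets to assign instead of leaving it uninitialised. The visible assignments now cover `net`, `target`, `targinfo` and `family`, but the destructor call that consumes `par` lies below the hunk, so whether every member the callee reads is set cannot be confirmed from here. `cleanup_entry()` ends outside the hunk.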
@@ -0,0 +1,36 @@
+From c120959387efa51479056fd01dc90adfba7a590c Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+From: Cong Wang
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Cong Wang
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -60,9 +60,9 @@ mtype_destroy(struct ip_set *set)
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+
+- ip_set_free(map->members);
+ if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
++ ip_set_free(map->members);
+ ip_set_free(map);
+
+ set->data = NULL;
diff --git a/queue-5.4/netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch b/queue-5.4/netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch
new file mode 100644
index 00000000000..504e5487506
--- /dev/null
+++ b/queue-5.4/netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch
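Review bot: Nothing in the reordered `mtype_destroy()` records that `mtype_ext_cleanup()` walks `map->members`, so the next refactor can reintroduce the use-after-free simply by moving the free back up; a one-line comment above the moved call, `/* must follow mtype_ext_cleanup(), which walks map->members */`, pins the ordering. The definition of `mtype_ext_cleanup()` is outside the hunk, so its dependence on `map->members` is taken from the changelog rather than from visible code. `mtype_destroy()` ends outside the hunk.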
@@ -0,0 +1,56 @@
+From 61177e911dad660df86a4553eb01c95ece2f6a82 Mon Sep 17 00:00:00 2001
+From: Eyal Birger
+Date: Tue, 14 Jan 2020 10:03:50 +0200
+Subject: netfilter: nat: fix ICMP header corruption on ICMP errors
+
+From: Eyal Birger
+
+commit 61177e911dad660df86a4553eb01c95ece2f6a82 upstream.
+
+Commit 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
+made nf_nat_icmp_reply_translation() use icmp_manip_pkt() as the l4
+manipulation function for the outer packet on ICMP errors.
+
+However, icmp_manip_pkt() assumes the packet has an 'id' field which
+is not correct for all types of ICMP messages.
+
+This is not correct for ICMP error packets, and leads to bogus bytes
+being written the ICMP header, which can be wrongfully regarded as
+'length' bytes by RFC 4884 compliant receivers.
+
+Fix by assigning the 'id' field only for ICMP messages that have this
+semantic.
+
+Reported-by: Shmulik Ladkani
+Fixes: 8303b7e8f018 ("netfilter: nat: fix spurious connection timeouts")
+Signed-off-by: Eyal Birger
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_nat_proto.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/net/netfilter/nf_nat_proto.c
++++ b/net/netfilter/nf_nat_proto.c
+@@ -233,6 +233,19 @@ icmp_manip_pkt(struct sk_buff *skb,
+ return false;
+
+ hdr = (struct icmphdr *)(skb->data + hdroff);
++ switch (hdr->type) {
++ case ICMP_ECHO:
++ case ICMP_ECHOREPLY:
++ case ICMP_TIMESTAMP:
++ case ICMP_TIMESTAMPREPLY:
++ case ICMP_INFO_REQUEST:
++ case ICMP_INFO_REPLY:
++ case ICMP_ADDRESS:
++ case ICMP_ADDRESSREPLY:
++ break;
++ default:
++ return true;
++ }
+ inet_proto_csum_replace2(&hdr->checksum, skb,
+ hdr->un.echo.id, tuple->src.u.icmp.id, false);
+ hdr->un.echo.id = tuple->src.u.icmp.id;
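Review bot: The `default: return true;` branch added to `icmp_manip_pkt()` reports success for every ICMP type without an identifier, which is the intended behaviour for ICMP errors but reads as an unexplained no-op; a comment on the switch, `/* only query/reply types carry an id; errors and other types have nothing to rewrite in the outer header */`, would make the intent explicit. The type list should also be kept in step with the set of ICMP types the ICMP conntrack treats as NATable, which is defined elsewhere and not visible in this hunk. `icmp_manip_pkt()` starts and ends outside the hunk.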
diff --git a/queue-5.4/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch b/queue-5.4/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch new file mode 100644 index 00000000000..0977f0b4562 --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch 
@@ -0,0 +1,71 @@ +From 335178d5429c4cee61b58f4ac80688f556630818 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 16 Jan 2020 12:03:01 +0100 +Subject: netfilter: nf_tables: fix flowtable list del corruption + +From: Florian Westphal + +commit 335178d5429c4cee61b58f4ac80688f556630818 upstream. + +syzbot reported following crash: + + list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122) + [..] + Call Trace: + __list_del_entry include/linux/list.h:131 [inline] + list_del_rcu include/linux/rculist.h:148 [inline] + nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183 + [..] + +The commit transaction list has: + +NFT_MSG_NEWTABLE +NFT_MSG_NEWFLOWTABLE +NFT_MSG_DELFLOWTABLE +NFT_MSG_DELTABLE + +A missing generation check during DELTABLE processing causes it to queue +the DELFLOWTABLE operation a second time, so we corrupt the list here: + + case NFT_MSG_DELFLOWTABLE: + list_del_rcu(&nft_trans_flowtable(trans)->list); + nf_tables_flowtable_notify(&trans->ctx, + +because we have two different DELFLOWTABLE transactions for the same +flowtable. We then call list_del_rcu() twice for the same flowtable->list. + +The object handling seems to suffer from the same bug so add a generation +check too and only queue delete transactions for flowtables/objects that +are still active in the next generation. 
+ +Reported-by: syzbot+37a6804945a3a13b1572@syzkaller.appspotmail.com +Fixes: 3b49e2e94e6eb ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_api.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -981,12 +981,18 @@ static int nft_flush_table(struct nft_ct + } + + list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) { ++ if (!nft_is_active_next(ctx->net, flowtable)) ++ continue; ++ + err = nft_delflowtable(ctx, flowtable); + if (err < 0) + goto out; + } + + list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) { ++ if (!nft_is_active_next(ctx->net, obj)) ++ continue; ++ + err = nft_delobj(ctx, obj); + if (err < 0) + goto out; diff --git a/queue-5.4/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch b/queue-5.4/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch new file mode 100644 index 00000000000..79fafc5834a --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch 
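Review bot: The new `nft_is_active_next()` guards cover the flowtable and object loops in `nft_flush_table()`, but the chain and set loops that precede them are outside the hunk, and since the changelog found the same double-queue pattern in a second loop, those earlier loops should be checked for the same guard rather than assumed to have it. A short comment on each `continue`, `/* already queued for deletion in this transaction */`, would also say why an entry is skipped. `nft_flush_table()` starts before the hunk and ends after it.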
@@ -0,0 +1,74 @@ +From 9332d27d7918182add34e8043f6a754530fdd022 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 16 Jan 2020 09:06:50 +0100 +Subject: netfilter: nf_tables: remove WARN and add NLA_STRING upper limits + +From: Florian Westphal + +commit 9332d27d7918182add34e8043f6a754530fdd022 upstream. + +This WARN can trigger because some of the names fed to the module +autoload function can be of arbitrary length. + +Remove the WARN and add limits for all NLA_STRING attributes. + +Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com +Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_api.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -22,6 +22,8 @@ + #include + #include + ++#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-")) ++ + static LIST_HEAD(nf_tables_expressions); + static LIST_HEAD(nf_tables_objects); + static LIST_HEAD(nf_tables_flowtables); +@@ -521,7 +523,7 @@ static void nft_request_module(struct ne + va_start(args, fmt); + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); + va_end(args); +- if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret)) ++ if (ret >= MODULE_NAME_LEN) + return; + + mutex_unlock(&net->nft.commit_mutex); +@@ -1174,7 +1176,8 @@ static const struct nla_policy nft_chain + .len = NFT_CHAIN_MAXNAMELEN - 1 }, + [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED }, + [NFTA_CHAIN_POLICY] = { .type = NLA_U32 }, +- [NFTA_CHAIN_TYPE] = { .type = NLA_STRING }, ++ [NFTA_CHAIN_TYPE] = { .type = NLA_STRING, ++ .len = NFT_MODULE_AUTOLOAD_LIMIT }, + [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED }, + [NFTA_CHAIN_FLAGS] = { .type = NLA_U32 }, + }; +@@ -2088,7 +2091,8 @@ static const struct nft_expr_type 
*nft_e + } + + static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = { +- [NFTA_EXPR_NAME] = { .type = NLA_STRING }, ++ [NFTA_EXPR_NAME] = { .type = NLA_STRING, ++ .len = NFT_MODULE_AUTOLOAD_LIMIT }, + [NFTA_EXPR_DATA] = { .type = NLA_NESTED }, + }; + +@@ -3931,7 +3935,8 @@ static const struct nla_policy nft_set_e + [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY, + .len = NFT_USERDATA_MAXLEN }, + [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED }, +- [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING }, ++ [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING, ++ .len = NFT_OBJ_MAXNAMELEN - 1 }, + }; + + static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = { diff --git a/queue-5.4/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch b/queue-5.4/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch new file mode 100644 index 00000000000..fae506266cb --- /dev/null +++ b/queue-5.4/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch 
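Review bot: `NFT_MODULE_AUTOLOAD_LIMIT` is sized from the `nft-expr-255-` prefix, yet the same limit is applied to `NFTA_CHAIN_TYPE`, whose module request string is built elsewhere and may use a longer prefix (the chain-type format is not in this hunk); if it does, a maximal-length name still trips the `ret >= MODULE_NAME_LEN` early return in `nft_request_module()`, which after the `WARN` removal fails silently and only surfaces later as a lookup error. Document the assumption on the define, e.g. `/* room for the longest autoload prefix, "nft-expr-<u8 family>-", plus the NUL */`, and confirm the chain-type prefix fits the same budget. Note that an `NLA_STRING` policy `.len` is a maximum payload length, so prefix plus a name of exactly that length plus the terminator must still fit in `MODULE_NAME_LEN`.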
@@ -0,0 +1,98 @@ +From ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 13 Jan 2020 18:09:58 +0100 +Subject: netfilter: nf_tables: store transaction list locally while requesting module + +From: Pablo Neira Ayuso + +commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 upstream. + +This patch fixes a WARN_ON in nft_set_destroy() due to missing +set reference count drop from the preparation phase. This is triggered +by the module autoload path. Do not exercise the abort path from +nft_request_module() while preparation phase cleaning up is still +pending. + + WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables] + [...] + CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1 + RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables] + Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52 + RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202 + RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03 + RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200 + RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318 + R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0 + R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80 + FS: 00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0 + Call Trace: + __nf_tables_abort+0x3e3/0x6d0 [nf_tables] + nft_request_module+0x6f/0x110 [nf_tables] + nft_expr_type_request_module+0x28/0x50 [nf_tables] + nf_tables_expr_parse+0x198/0x1f0 [nf_tables] + nft_expr_init+0x3b/0xf0 [nf_tables] + nft_dynset_init+0x1e2/0x410 [nf_tables] + nf_tables_newrule+0x30a/0x930 [nf_tables] + nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink] + 
nfnetlink_rcv+0x125/0x171 [nfnetlink] + netlink_unicast+0x179/0x210 + netlink_sendmsg+0x208/0x3d0 + sock_sendmsg+0x5e/0x60 + ____sys_sendmsg+0x21b/0x290 + +Update comment on the code to describe the new behaviour. + +Reported-by: Marco Oliverio +Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_api.c | 19 ++++++++++--------- + 1 file changed, 10 insertions(+), 9 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -502,23 +502,21 @@ __nf_tables_chain_type_lookup(const stru + } + + /* +- * Loading a module requires dropping mutex that guards the +- * transaction. +- * We first need to abort any pending transactions as once +- * mutex is unlocked a different client could start a new +- * transaction. It must not see any 'future generation' +- * changes * as these changes will never happen. ++ * Loading a module requires dropping mutex that guards the transaction. ++ * A different client might race to start a new transaction meanwhile. Zap the ++ * list of pending transaction and then restore it once the mutex is grabbed ++ * again. Users of this function return EAGAIN which implicitly triggers the ++ * transaction abort path to clean up the list of pending transactions. + */ + #ifdef CONFIG_MODULES +-static int __nf_tables_abort(struct net *net); +- + static void nft_request_module(struct net *net, const char *fmt, ...) 
+ { + char module_name[MODULE_NAME_LEN]; ++ LIST_HEAD(commit_list); + va_list args; + int ret; + +- __nf_tables_abort(net); ++ list_splice_init(&net->nft.commit_list, &commit_list); + + va_start(args, fmt); + ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args); +@@ -529,6 +527,9 @@ static void nft_request_module(struct ne + mutex_unlock(&net->nft.commit_mutex); + request_module("%s", module_name); + mutex_lock(&net->nft.commit_mutex); ++ ++ WARN_ON_ONCE(!list_empty(&net->nft.commit_list)); ++ list_splice(&commit_list, &net->nft.commit_list); + } + #endif + diff --git a/queue-5.4/netfilter-nft_tunnel-erspan_version-must-not-be-null.patch b/queue-5.4/netfilter-nft_tunnel-erspan_version-must-not-be-null.patch new file mode 100644 index 00000000000..dda1f05c162 --- /dev/null +++ b/queue-5.4/netfilter-nft_tunnel-erspan_version-must-not-be-null.patch @@ -0,0 +1,30 @@ +From 9ec22d7c6c69146180577f3ad5fdf504beeaee62 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Thu, 16 Jan 2020 08:58:05 +0100 +Subject: netfilter: nft_tunnel: ERSPAN_VERSION must not be null + +From: Florian Westphal + +commit 9ec22d7c6c69146180577f3ad5fdf504beeaee62 upstream. + +Fixes: af308b94a2a4a5 ("netfilter: nf_tables: add tunnel support") +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_tunnel.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nft_tunnel.c ++++ b/net/netfilter/nft_tunnel.c +@@ -266,6 +266,9 @@ static int nft_tunnel_obj_erspan_init(co + if (err < 0) + return err; + ++ if (!tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION]) ++ return -EINVAL; ++ + version = ntohl(nla_get_be32(tb[NFTA_TUNNEL_KEY_ERSPAN_VERSION])); + switch (version) { + case ERSPAN_VERSION: diff --git a/queue-5.4/netfilter-nft_tunnel-fix-null-attribute-check.patch b/queue-5.4/netfilter-nft_tunnel-fix-null-attribute-check.patch new file mode 100644 index 00000000000..8c6b2722fd3 --- /dev/null 
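Review bot: The rewritten comment above `nft_request_module()` drops the old warning that a client taking the mutex during `request_module()` must not see any future-generation changes; with the pending transactions merely parked on the local `commit_list`, the objects they created are presumably still linked into the table lists with their next-generation bit set, so a concurrent batch could observe and reference them even though this transaction will be aborted with EAGAIN. Whether anything prevents that is not visible here, so at minimum the comment should keep the caveat, e.g. `Objects created by the parked transactions stay visible in the next generation while the mutex is dropped; the EAGAIN abort undoes them afterwards.` Also, if the `WARN_ON_ONCE(!list_empty(...))` ever fires, `list_splice()` places the parked entries ahead of whatever a racing client left, merging two transactions into one abort; a comment marking that as a should-never-happen diagnostic rather than a recovery path would help. `nft_request_module()` is entirely within the hunk.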
+++ b/queue-5.4/netfilter-nft_tunnel-fix-null-attribute-check.patch
@@ -0,0 +1,33 @@
+From 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 16 Jan 2020 08:44:11 +0100
+Subject: netfilter: nft_tunnel: fix null-attribute check
+
+From: Florian Westphal
+
+commit 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed upstream.
+
+else we get null deref when one of the attributes is missing, both
+must be non-null.
+
+Reported-by: syzbot+76d0b80493ac881ff77b@syzkaller.appspotmail.com
+Fixes: aaecfdb5c5dd8ba ("netfilter: nf_tables: match on tunnel metadata")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nft_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -76,7 +76,7 @@ static int nft_tunnel_get_init(const str
+ struct nft_tunnel *priv = nft_expr_priv(expr);
+ u32 len;
+
+- if (!tb[NFTA_TUNNEL_KEY] &&
++ if (!tb[NFTA_TUNNEL_KEY] ||
+ !tb[NFTA_TUNNEL_DREG])
+ return -EINVAL;
+
diff --git a/queue-5.4/nfc-pn533-fix-bulk-message-timeout.patch b/queue-5.4/nfc-pn533-fix-bulk-message-timeout.patch
new file mode 100644
index 00000000000..4cdca112f47
--- /dev/null
+++ b/queue-5.4/nfc-pn533-fix-bulk-message-timeout.patch
@@ -0,0 +1,38 @@
+From a112adafcb47760feff959ee1ecd10b74d2c5467 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Jan 2020 18:23:58 +0100
+Subject: NFC: pn533: fix bulk-message timeout
+
+From: Johan Hovold
+
+commit a112adafcb47760feff959ee1ecd10b74d2c5467 upstream.
+
+The driver was doing a synchronous uninterruptible bulk-transfer without
+using a timeout. This could lead to the driver hanging on probe due to a
+malfunctioning (or malicious) device until the device is physically
+disconnected. While sleeping in probe the driver prevents other devices
+connected to the same hub from being added to (or removed from) the bus.
+
+An arbitrary limit of five seconds should be more than enough.
+
+Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
+Signed-off-by: Johan Hovold
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nfc/pn533/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -391,7 +391,7 @@ static int pn533_acr122_poweron_rdr(stru
+ cmd, sizeof(cmd), false);
+
+ rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd),
+- &transferred, 0);
++ &transferred, 5000);
+ kfree(buffer);
+ if (rc || (transferred != sizeof(cmd))) {
+ nfc_err(&phy->udev->dev,
diff --git a/queue-5.4/series b/queue-5.4/series
index eaa651cfc01..2617f452dee 100644
--- a/queue-5.4/series
+++ b/queue-5.4/series
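Review bot: The new timeout is a bare `5000` inside the `usb_bulk_msg()` call in `pn533_acr122_poweron_rdr()`; the changelog explains the five-second choice but the code does not, so a named constant keeps the rationale with the value: `#define PN533_ACR122_POWERON_TIMEOUT_MS 5000 /* bounds probe against a hung reader */` and `&transferred, PN533_ACR122_POWERON_TIMEOUT_MS);`. If the same function or the surrounding probe path then waits for the reader's response with another unbounded transfer, that wait needs the same treatment, since a malicious device can stall either direction; that code is not in the hunk. `pn533_acr122_poweron_rdr()` starts and ends outside the hunk.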
@@ -119,3 +119,17 @@ cfg80211-fix-deadlocks-in-autodisconnect-work.patch
 cfg80211-fix-memory-leak-in-nl80211_probe_mesh_link.patch
 cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch
 cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch
+bpf-sockmap-read-psock-ingress_msg-before-sk_receive_queue.patch
+i2c-iop3xx-fix-memory-leak-in-probe-error-path.patch
+netfilter-fix-a-use-after-free-in-mtype_destroy.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
+netfilter-nat-fix-icmp-header-corruption-on-icmp-errors.patch
+netfilter-nft_tunnel-fix-null-attribute-check.patch
+netfilter-nft_tunnel-erspan_version-must-not-be-null.patch
+netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
+netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
+netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
+nfc-pn533-fix-bulk-message-timeout.patch
+net-bpf-don-t-leak-time-wait-and-request-sockets.patch
+bpftool-fix-printing-incorrect-pointer-in-btf_dump_ptr.patch
+batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch