From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 11 Jun 2020 10:46:19 +0000 (+0200)
Subject: 4.4-stable patches
X-Git-Tag: v5.4.47~147
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=191e08469115792a074a1e3f6e8d9707b0bdedf8;p=thirdparty%2Fkernel%2Fstable-queue.git

4.4-stable patches

added patches:
	ipv6-fix-ipv6_addrform-operation-logic.patch
	vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
---

diff --git a/queue-4.14/series b/queue-4.14/series
new file mode 100644
index 00000000000..7aa47feaebb
--- /dev/null
+++ b/queue-4.14/series
@@ -0,0 +1,2 @@
+ipv6-fix-ipv6_addrform-operation-logic.patch
+vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
diff --git a/queue-4.19/series b/queue-4.19/series
new file mode 100644
index 00000000000..f1041cd19a3
--- /dev/null
+++ b/queue-4.19/series
@@ -0,0 +1,5 @@
+ipv6-fix-ipv6_addrform-operation-logic.patch
+net_failover-fixed-rollback-in-net_failover_open.patch
+bridge-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
+vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
+tun-correct-header-offsets-in-napi-frags-mode.patch
diff --git a/queue-4.4/ipv6-fix-ipv6_addrform-operation-logic.patch b/queue-4.4/ipv6-fix-ipv6_addrform-operation-logic.patch
new file mode 100644
index 00000000000..17c57445873
--- /dev/null
+++ b/queue-4.4/ipv6-fix-ipv6_addrform-operation-logic.patch
@@ -0,0 +1,77 @@
+From foo@baz Thu 11 Jun 2020 12:45:51 PM CEST
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Mon, 1 Jun 2020 11:55:03 +0800
+Subject: ipv6: fix IPV6_ADDRFORM operation logic
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+[ Upstream commit 79a1f0ccdbb4ad700590f61b00525b390cb53905 ]
+
+Socket option IPV6_ADDRFORM supports UDP/UDPLITE and TCP at present.
+Previously the checking logic looks like:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+	do_some_check;
+else if (sk->sk_protocol != IPPROTO_TCP)
+	break;
+
+After commit b6f6118901d1 ("ipv6: restrict IPV6_ADDRFORM operation"), TCP
+was blocked as the logic changed to:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+	do_some_check;
+else if (sk->sk_protocol == IPPROTO_TCP)
+	do_some_check;
+	break;
+else
+	break;
+
+Then after commit 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
+UDP/UDPLITE were blocked as the logic changed to:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+	do_some_check;
+if (sk->sk_protocol == IPPROTO_TCP)
+	do_some_check;
+
+if (sk->sk_protocol != IPPROTO_TCP)
+	break;
+
+Fix it by using Eric's code and simply remove the break in TCP check, which
+looks like:
+if (sk->sk_protocol == IPPROTO_UDP || sk->sk_protocol == IPPROTO_UDPLITE)
+	do_some_check;
+else if (sk->sk_protocol == IPPROTO_TCP)
+	do_some_check;
+else
+	break;
+
+Fixes: 82c9ae440857 ("ipv6: fix restrict IPV6_ADDRFORM operation")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/ipv6/ipv6_sockglue.c |   13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/net/ipv6/ipv6_sockglue.c
++++ b/net/ipv6/ipv6_sockglue.c
+@@ -185,14 +185,15 @@ static int do_ipv6_setsockopt(struct soc
+ 					retv = -EBUSY;
+ 					break;
+ 				}
+-			}
+-			if (sk->sk_protocol == IPPROTO_TCP &&
+-			    sk->sk_prot != &tcpv6_prot) {
+-				retv = -EBUSY;
++			} else if (sk->sk_protocol == IPPROTO_TCP) {
++				if (sk->sk_prot != &tcpv6_prot) {
++					retv = -EBUSY;
++					break;
++				}
++			} else {
+ 				break;
+ 			}
+-			if (sk->sk_protocol != IPPROTO_TCP)
+-				break;
++
+ 			if (sk->sk_state != TCP_ESTABLISHED) {
+ 				retv = -ENOTCONN;
+ 				break;
diff --git a/queue-4.4/series b/queue-4.4/series
new file mode 100644
index 00000000000..7aa47feaebb
--- /dev/null
+++ b/queue-4.4/series
@@ -0,0 +1,2 @@
+ipv6-fix-ipv6_addrform-operation-logic.patch
+vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
diff --git a/queue-4.4/vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch b/queue-4.4/vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
new file mode 100644
index 00000000000..7f34816d4d2
--- /dev/null
+++ b/queue-4.4/vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
@@ -0,0 +1,48 @@
+From foo@baz Thu 11 Jun 2020 12:45:51 PM CEST
+From: Ido Schimmel <idosch@mellanox.com>
+Date: Mon, 1 Jun 2020 15:58:55 +0300
+Subject: vxlan: Avoid infinite loop when suppressing NS messages with invalid options
+
+From: Ido Schimmel <idosch@mellanox.com>
+
+[ Upstream commit 8066e6b449e050675df48e7c4b16c29f00507ff0 ]
+
+When proxy mode is enabled the vxlan device might reply to Neighbor
+Solicitation (NS) messages on behalf of remote hosts.
+
+In case the NS message includes the "Source link-layer address" option
+[1], the vxlan device will use the specified address as the link-layer
+destination address in its reply.
+
+To avoid an infinite loop, break out of the options parsing loop when
+encountering an option with length zero and disregard the NS message.
+
+This is consistent with the IPv6 ndisc code and RFC 4886 which states
+that "Nodes MUST silently discard an ND packet that contains an option
+with length zero" [2].
+
+[1] https://tools.ietf.org/html/rfc4861#section-4.3
+[2] https://tools.ietf.org/html/rfc4861#section-4.6
+
+Fixes: 4b29dba9c085 ("vxlan: fix nonfunctional neigh_reduce()")
+Signed-off-by: Ido Schimmel <idosch@mellanox.com>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/net/vxlan.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1476,6 +1476,10 @@ static struct sk_buff *vxlan_na_create(s
+ 	daddr = eth_hdr(request)->h_source;
+ 	ns_olen = request->len - skb_transport_offset(request) - sizeof(*ns);
+ 	for (i = 0; i < ns_olen-1; i += (ns->opt[i+1]<<3)) {
++		if (!ns->opt[i + 1]) {
++			kfree_skb(reply);
++			return NULL;
++		}
+ 		if (ns->opt[i] == ND_OPT_SOURCE_LL_ADDR) {
+ 			daddr = ns->opt + i + sizeof(struct nd_opt_hdr);
+ 			break;
diff --git a/queue-4.9/series b/queue-4.9/series
new file mode 100644
index 00000000000..7aa47feaebb
--- /dev/null
+++ b/queue-4.9/series
@@ -0,0 +1,2 @@
+ipv6-fix-ipv6_addrform-operation-logic.patch
+vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
diff --git a/queue-5.4/series b/queue-5.4/series
new file mode 100644
index 00000000000..f2ddbcfd54b
--- /dev/null
+++ b/queue-5.4/series
@@ -0,0 +1,6 @@
+ipv6-fix-ipv6_addrform-operation-logic.patch
+mlxsw-core-use-different-get_trend-callbacks-for-different-thermal-zones.patch
+net_failover-fixed-rollback-in-net_failover_open.patch
+tun-correct-header-offsets-in-napi-frags-mode.patch
+bridge-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch
+vxlan-avoid-infinite-loop-when-suppressing-ns-messages-with-invalid-options.patch