From: Greg Kroah-Hartman Date: Mon, 20 Jan 2020 11:34:26 +0000 (+0100) Subject: 4.4-stable patches X-Git-Tag: v4.4.211~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=28d0630787fc1db7b660756f33e7aff692bedc24;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch netfilter-fix-a-use-after-free-in-mtype_destroy.patch
---
diff --git a/queue-4.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-4.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
new file mode 100644
index 00000000000..8dd814b66de
--- /dev/null
+++ b/queue-4.4/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
@@ -0,0 +1,49 @@
+From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Thu, 28 Nov 2019 12:25:45 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+From: Sven Eckelmann
+
+commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, this is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -226,6 +226,7 @@ static u32 batadv_hash_dat(const void *d
+ u32 hash = 0;
+ const struct batadv_dat_entry *dat = data;
+ const unsigned char *key;
++ __be16 vid;
+ u32 i;
+
+ key = (const unsigned char *)&dat->ip;
+@@ -235,7 +236,8 @@ static u32 batadv_hash_dat(const void *d
+ hash ^= (hash >> 6);
+ }
+
+- key = (const unsigned char *)&dat->vid;
++ vid = htons(dat->vid);
++ key = (__force const unsigned char *)&vid;
+ for (i = 0; i < sizeof(dat->vid); i++) {
+ hash += key[i];
+ hash += (hash << 10);
diff --git a/queue-4.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-4.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
new file mode 100644
index 00000000000..e1924e75c16
--- /dev/null
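Review bot: The second loop in batadv_hash_dat() still bounds its read with `sizeof(dat->vid)` although `key` now points at the local `__be16 vid`, so the loop length is no longer tied to the object being read. The struct field's type is not visible in this hunk; if it is, or later becomes, wider than two bytes, the loop would read past the local on the stack and fold unrelated bytes into the hash. Writing the bound as `for (i = 0; i < sizeof(vid); i++) {` keeps it attached to the buffer actually hashed. The function body starts and ends outside the hunk.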
+++ b/queue-4.4/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
@@ -0,0 +1,36 @@
+From c120959387efa51479056fd01dc90adfba7a590c Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+From: Cong Wang
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Cong Wang
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -66,9 +66,9 @@ mtype_destroy(struct ip_set *set)
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+
+- ip_set_free(map->members);
+ if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
++ ip_set_free(map->members);
+ ip_set_free(map);
+
+ set->data = NULL;
diff --git a/queue-4.4/series b/queue-4.4/series
index 6223bd3a2eb..f9a02cb074b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -58,3 +58,5 @@ usb-serial-keyspan-handle-unbound-ports.patch
 scsi-fnic-use-kernel-s-pm-format-option-to-print-mac.patch
 scsi-fnic-fix-invalid-stack-access.patch
 arm64-dts-agilex-stratix10-fix-pmu-interrupt-numbers.patch
+netfilter-fix-a-use-after-free-in-mtype_destroy.patch
+batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
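Review bot: Nothing in mtype_destroy() records that `ip_set_free(map->members)` has to stay below `mtype_ext_cleanup(set)`, which is the ordering whose violation caused the use-after-free described in the commit message. A one-line comment above the moved call, e.g. `/* mtype_ext_cleanup() still reads map->members; free it only afterwards */`, would keep a later tidy-up from reordering the two frees again. The hunk shows `set->data = NULL` after the frees but not whether anything else can still reach `map` at that point, so that part cannot be judged from here. The function starts and ends outside the hunk.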