From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Thu, 5 Jul 2018 17:11:28 +0000 (+0200)
Subject: 4.9-stable patches
X-Git-Tag: v4.14.54~7
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2c8c1290cd21a07b1653b066ca7267a54aef4e7d;p=thirdparty%2Fkernel%2Fstable-queue.git

4.9-stable patches

added patches:
	netfilter-nf_tables-use-warn_on_once-instead-of-bug_on-in-nft_do_chain.patch
	revert-sit-reload-iphdr-in-ipip6_rcv.patch
---

diff --git a/queue-4.9/netfilter-nf_tables-use-warn_on_once-instead-of-bug_on-in-nft_do_chain.patch b/queue-4.9/netfilter-nf_tables-use-warn_on_once-instead-of-bug_on-in-nft_do_chain.patch
new file mode 100644
index 00000000000..db6fc401c6d
--- /dev/null
+++ b/queue-4.9/netfilter-nf_tables-use-warn_on_once-instead-of-bug_on-in-nft_do_chain.patch
@@ -0,0 +1,34 @@
+From adc972c5b88829d38ede08b1069718661c7330ae Mon Sep 17 00:00:00 2001
+From: Taehee Yoo <ap420073@gmail.com>
+Date: Mon, 11 Jun 2018 22:16:33 +0900
+Subject: netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()
+
+From: Taehee Yoo <ap420073@gmail.com>
+
+commit adc972c5b88829d38ede08b1069718661c7330ae upstream.
+
+When depth of chain is bigger than NFT_JUMP_STACK_SIZE, the nft_do_chain
+crashes. But there is no need to crash hard here.
+
+Suggested-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Taehee Yoo <ap420073@gmail.com>
+Acked-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_core.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_core.c
++++ b/net/netfilter/nf_tables_core.c
+@@ -185,7 +185,8 @@ next_rule:
+ 
+ 	switch (regs.verdict.code) {
+ 	case NFT_JUMP:
+-		BUG_ON(stackptr >= NFT_JUMP_STACK_SIZE);
++		if (WARN_ON_ONCE(stackptr >= NFT_JUMP_STACK_SIZE))
++			return NF_DROP;
+ 		jumpstack[stackptr].chain = chain;
+ 		jumpstack[stackptr].rule  = rule;
+ 		jumpstack[stackptr].rulenum = rulenum;
diff --git a/queue-4.9/revert-sit-reload-iphdr-in-ipip6_rcv.patch b/queue-4.9/revert-sit-reload-iphdr-in-ipip6_rcv.patch
new file mode 100644
index 00000000000..95061a0b51c
--- /dev/null
+++ b/queue-4.9/revert-sit-reload-iphdr-in-ipip6_rcv.patch
@@ -0,0 +1,32 @@
+From f4eb17e1efe538d4da7d574bedb00a8dafcc26b7 Mon Sep 17 00:00:00 2001
+From: "David S. Miller" <davem@davemloft.net>
+Date: Tue, 6 Jun 2017 11:34:06 -0400
+Subject: Revert "sit: reload iphdr in ipip6_rcv"
+
+From: David S. Miller <davem@davemloft.net>
+
+commit f4eb17e1efe538d4da7d574bedb00a8dafcc26b7 upstream.
+
+This reverts commit b699d0035836f6712917a41e7ae58d84359b8ff9.
+
+As per Eric Dumazet, the pskb_may_pull() is a NOP in this
+particular case, so the 'iph' reload is unnecessary.
+
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Cc: Luca Boccassi <luca.boccassi@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/sit.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/net/ipv6/sit.c
++++ b/net/ipv6/sit.c
+@@ -659,7 +659,6 @@ static int ipip6_rcv(struct sk_buff *skb
+ 		if (iptunnel_pull_header(skb, 0, htons(ETH_P_IPV6),
+ 		    !net_eq(tunnel->net, dev_net(tunnel->dev))))
+ 			goto out;
+-		iph = ip_hdr(skb);
+ 
+ 		err = IP_ECN_decapsulate(iph, skb);
+ 		if (unlikely(err)) {
diff --git a/queue-4.9/series b/queue-4.9/series
index 6969e553156..878529bbc8d 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
@@ -9,3 +9,5 @@ vt-prevent-leaking-uninitialized-data-to-userspace-via-dev-vcs.patch
 i2c-rcar-fix-resume-by-always-initializing-registers-before-transfer.patch
 ipv4-fix-error-return-value-in-fib_convert_metrics.patch
 kprobes-x86-do-not-modify-singlestep-buffer-while-resuming.patch
+netfilter-nf_tables-use-warn_on_once-instead-of-bug_on-in-nft_do_chain.patch
+revert-sit-reload-iphdr-in-ipip6_rcv.patch