From: Greg Kroah-Hartman Date: Sun, 11 Oct 2020 11:33:28 +0000 (+0200) Subject: 4.14-stable patches X-Git-Tag: v4.4.239~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=87f69e70bfed0881ef4bfc615759a73a4ed9fa55;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: net-team-fix-memory-leak-in-__team_options_register.patch openvswitch-handle-dnat-tuple-collision.patch team-set-dev-needed_headroom-in-team_setup_by_port.patch
---
diff --git a/queue-4.14/net-team-fix-memory-leak-in-__team_options_register.patch b/queue-4.14/net-team-fix-memory-leak-in-__team_options_register.patch
new file mode 100644
index 00000000000..de6c00c65ab
--- /dev/null
+++ b/queue-4.14/net-team-fix-memory-leak-in-__team_options_register.patch
@@ -0,0 +1,48 @@
+From 9a9e77495958c7382b2438bc19746dd3aaaabb8e Mon Sep 17 00:00:00 2001
+From: Anant Thazhemadam
+Date: Mon, 5 Oct 2020 02:25:36 +0530
+Subject: net: team: fix memory leak in __team_options_register
+
+From: Anant Thazhemadam
+
+commit 9a9e77495958c7382b2438bc19746dd3aaaabb8e upstream.
+
+The variable "i" isn't initialized back correctly after the first loop
+under the label inst_rollback gets executed.
+
+The value of "i" is assigned to be option_count - 1, and the ensuing
+loop (under alloc_rollback) begins by initializing i--.
+Thus, the value of i when the loop begins execution will now become
+i = option_count - 2.
+
+Thus, when kfree(dst_opts[i]) is called in the second loop in this
+order, (i.e., inst_rollback followed by alloc_rollback),
+dst_optsp[option_count - 2] is the first element freed, and
+dst_opts[option_count - 1] does not get freed, and thus, a memory
+leak is caused.
+
+This memory leak can be fixed, by assigning i = option_count (instead of
+option_count - 1).
+
+Fixes: 80f7c6683fe0 ("team: add support for per-port options")
+Reported-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Tested-by: syzbot+69b804437cfec30deac3@syzkaller.appspotmail.com
+Signed-off-by: Anant Thazhemadam
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/team/team.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -299,7 +299,7 @@ inst_rollback:
+ for (i--; i >= 0; i--)
+ __team_option_inst_del_option(team, dst_opts[i]);
+
+- i = option_count - 1;
++ i = option_count;
+ alloc_rollback:
+ for (i--; i >= 0; i--)
+ kfree(dst_opts[i]);
diff --git a/queue-4.14/openvswitch-handle-dnat-tuple-collision.patch b/queue-4.14/openvswitch-handle-dnat-tuple-collision.patch
new file mode 100644
index 00000000000..4e2b7166771
--- /dev/null
+++ b/queue-4.14/openvswitch-handle-dnat-tuple-collision.patch
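Review bot: The reset `i = option_count;` ahead of `alloc_rollback:` carries no comment, and the reason for the value is not obvious from the code: both rollback loops open with `for (i--; ...)`, so the index has to be set one past the last allocated slot or `dst_opts[option_count - 1]` is never handed to kfree(). I would add `/* alloc_rollback pre-decrements i; start one past the end so every dst_opts[] entry is freed */` above the assignment so the off-by-one is not reintroduced later. The enclosing function starts and ends outside the hunk, so the paths that jump to each label are not visible here.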
@@ -0,0 +1,69 @@
+From 8aa7b526dc0b5dbf40c1b834d76a667ad672a410 Mon Sep 17 00:00:00 2001
+From: Dumitru Ceara
+Date: Wed, 7 Oct 2020 17:48:03 +0200
+Subject: openvswitch: handle DNAT tuple collision
+
+From: Dumitru Ceara
+
+commit 8aa7b526dc0b5dbf40c1b834d76a667ad672a410 upstream.
+
+With multiple DNAT rules it's possible that after destination
+translation the resulting tuples collide.
+
+For example, two openvswitch flows:
+nw_dst=10.0.0.10,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
+nw_dst=10.0.0.20,tp_dst=10, actions=ct(commit,table=2,nat(dst=20.0.0.1:20))
+
+Assuming two TCP clients initiating the following connections:
+10.0.0.10:5000->10.0.0.10:10
+10.0.0.10:5000->10.0.0.20:10
+
+Both tuples would translate to 10.0.0.10:5000->20.0.0.1:20 causing
+nf_conntrack_confirm() to fail because of tuple collision.
+
+Netfilter handles this case by allocating a null binding for SNAT at
+egress by default. Perform the same operation in openvswitch for DNAT
+if no explicit SNAT is requested by the user and allocate a null binding
+for SNAT for packets in the "original" direction.
+
+Reported-at: https://bugzilla.redhat.com/1877128
+Suggested-by: Florian Westphal
+Fixes: 05752523e565 ("openvswitch: Interface with NAT.")
+Signed-off-by: Dumitru Ceara
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/openvswitch/conntrack.c | 20 ++++++++++++--------
+ 1 file changed, 12 insertions(+), 8 deletions(-)
+
+--- a/net/openvswitch/conntrack.c
++++ b/net/openvswitch/conntrack.c
+@@ -881,15 +881,19 @@ static int ovs_ct_nat(struct net *net, s
+ }
+ err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range, maniptype);
+
+- if (err == NF_ACCEPT &&
+- ct->status & IPS_SRC_NAT && ct->status & IPS_DST_NAT) {
+- if (maniptype == NF_NAT_MANIP_SRC)
+- maniptype = NF_NAT_MANIP_DST;
+- else
+- maniptype = NF_NAT_MANIP_SRC;
++ if (err == NF_ACCEPT && ct->status & IPS_DST_NAT) {
++ if (ct->status & IPS_SRC_NAT) {
++ if (maniptype == NF_NAT_MANIP_SRC)
++ maniptype = NF_NAT_MANIP_DST;
++ else
++ maniptype = NF_NAT_MANIP_SRC;
+
+- err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
+- maniptype);
++ err = ovs_ct_nat_execute(skb, ct, ctinfo, &info->range,
++ maniptype);
++ } else if (CTINFO2DIR(ctinfo) == IP_CT_DIR_ORIGINAL) {
++ err = ovs_ct_nat_execute(skb, ct, ctinfo, NULL,
++ NF_NAT_MANIP_SRC);
++ }
+ }
+
+ /* Mark NAT done if successful and update the flow key. */
diff --git a/queue-4.14/series b/queue-4.14/series
index 3023576b153..7febdc47432 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -47,3 +47,6 @@ mm-khugepaged-fix-filemap-page_to_pgoff-page-offset.patch
 cifs-fix-incomplete-memory-allocation-on-setxattr-path.patch
 i2c-meson-fix-clock-setting-overwrite.patch
 sctp-fix-sctp_auth_init_hmacs-error-path.patch
+team-set-dev-needed_headroom-in-team_setup_by_port.patch
+net-team-fix-memory-leak-in-__team_options_register.patch
+openvswitch-handle-dnat-tuple-collision.patch
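Review bot: The new `else if` branch calls `ovs_ct_nat_execute(skb, ct, ctinfo, NULL, NF_NAT_MANIP_SRC)` with a NULL range, and nothing in this hunk shows the callee checking that pointer before use; for a 4.14 backport it is worth confirming that this tree's ovs_ct_nat_execute() guards the range before dereferencing it. A comment on the branch would also help, for example `/* no explicit SNAT: allocate a null SNAT binding so colliding DNAT tuples can be made unique */`. `maniptype` is left unchanged on this path, so the flow-key update announced by the trailing comment presumably runs with the destination manip type only; if the null binding can rewrite the source port, that deserves a check. ovs_ct_nat() begins and ends outside the hunk.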
diff --git a/queue-4.14/team-set-dev-needed_headroom-in-team_setup_by_port.patch b/queue-4.14/team-set-dev-needed_headroom-in-team_setup_by_port.patch
new file mode 100644
index 00000000000..c28f84f37a4
--- /dev/null
+++ b/queue-4.14/team-set-dev-needed_headroom-in-team_setup_by_port.patch
@@ -0,0 +1,32 @@
+From 89d01748b2354e210b5d4ea47bc25a42a1b42c82 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Fri, 25 Sep 2020 06:38:08 -0700
+Subject: team: set dev->needed_headroom in team_setup_by_port()
+
+From: Eric Dumazet
+
+commit 89d01748b2354e210b5d4ea47bc25a42a1b42c82 upstream.
+
+Some devices set needed_headroom. If we ignore it, we might
+end up crashing in various skb_push() for example in ipgre_header()
+since some layers assume enough headroom has been reserved.
+
+Fixes: 1d76efe1577b ("team: add support for non-ethernet devices")
+Signed-off-by: Eric Dumazet
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/team/team.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/team/team.c
++++ b/drivers/net/team/team.c
+@@ -2078,6 +2078,7 @@ static void team_setup_by_port(struct ne
+ dev->header_ops = port_dev->header_ops;
+ dev->type = port_dev->type;
+ dev->hard_header_len = port_dev->hard_header_len;
++ dev->needed_headroom = port_dev->needed_headroom;
+ dev->addr_len = port_dev->addr_len;
+ dev->mtu = port_dev->mtu;
+ memcpy(dev->broadcast, port_dev->broadcast, port_dev->addr_len);
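Review bot: Only `needed_headroom` is mirrored from the port in team_setup_by_port(); `needed_tailroom` does not appear among the copied fields visible in this hunk, so a port device that reserves trailing space would presumably leave the team device under-provisioned in the same way. If that is deliberate, a short comment next to the new line saying why the tailroom is not inherited would record it; otherwise `dev->needed_tailroom = port_dev->needed_tailroom;` belongs beside it. The function continues past the end of the hunk, so the copy may exist outside the visible lines.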