From: Greg Kroah-Hartman Date: Mon, 25 Feb 2019 16:37:20 +0000 (+0100) Subject: 4.20-stable patches X-Git-Tag: v4.9.161~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b1dbb5941ce619c99369e286dbaedf3d78de37be;p=thirdparty%2Fkernel%2Fstable-queue.git 4.20-stable patches added patches: netfilter-ipt_clusterip-fix-sleep-in-atomic-bug-in-clusterip_config_entry_put.patch netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch netfilter-nfnetlink_osf-add-missing-fmatch-check.patch netfilter-nft_compat-use-after-free-when-deleting-targets.patch revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
---
diff --git a/queue-4.20/netfilter-ipt_clusterip-fix-sleep-in-atomic-bug-in-clusterip_config_entry_put.patch b/queue-4.20/netfilter-ipt_clusterip-fix-sleep-in-atomic-bug-in-clusterip_config_entry_put.patch
new file mode 100644
index 00000000000..cfab3c80656
--- /dev/null
+++ b/queue-4.20/netfilter-ipt_clusterip-fix-sleep-in-atomic-bug-in-clusterip_config_entry_put.patch
@@ -0,0 +1,137 @@
+From 2a61d8b883bbad26b06d2e6cc3777a697e78830d Mon Sep 17 00:00:00 2001
+From: Taehee Yoo
+Date: Mon, 5 Nov 2018 18:23:13 +0900
+Subject: netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_put()
+
+From: Taehee Yoo
+
+commit 2a61d8b883bbad26b06d2e6cc3777a697e78830d upstream.
+
+A proc_remove() can sleep. so that it can't be inside of spin_lock.
+Hence proc_remove() is moved to outside of spin_lock. and it also
+adds mutex to sync create and remove of proc entry(config->pde).
+
+test commands:
+SHELL#1
+ %while :; do iptables -A INPUT -p udp -i enp2s0 -d 192.168.1.100 \
+ --dport 9000 -j CLUSTERIP --new --hashmode sourceip \
+ --clustermac 01:00:5e:00:00:21 --total-nodes 3 --local-node 3; \
+ iptables -F; done
+
+SHELL#2
+ %while :; do echo +1 > /proc/net/ipt_CLUSTERIP/192.168.1.100; \
+ echo -1 > /proc/net/ipt_CLUSTERIP/192.168.1.100; done
+
+[ 2949.569864] BUG: sleeping function called from invalid context at kernel/sched/completion.c:99
+[ 2949.579944] in_atomic(): 1, irqs_disabled(): 0, pid: 5472, name: iptables
+[ 2949.587920] 1 lock held by iptables/5472:
+[ 2949.592711] #0: 000000008f0ebcf2 (&(&cn->lock)->rlock){+...}, at: refcount_dec_and_lock+0x24/0x50
+[ 2949.603307] CPU: 1 PID: 5472 Comm: iptables Tainted: G W 4.19.0-rc5+ #16
+[ 2949.604212] Hardware name: To be filled by O.E.M. To be filled by O.E.M./Aptio CRB, BIOS 5.6.5 07/08/2015
+[ 2949.604212] Call Trace:
+[ 2949.604212] dump_stack+0xc9/0x16b
+[ 2949.604212] ? show_regs_print_info+0x5/0x5
+[ 2949.604212] ___might_sleep+0x2eb/0x420
+[ 2949.604212] ? set_rq_offline.part.87+0x140/0x140
+[ 2949.604212] ? _rcu_barrier_trace+0x400/0x400
+[ 2949.604212] wait_for_completion+0x94/0x710
+[ 2949.604212] ? wait_for_completion_interruptible+0x780/0x780
+[ 2949.604212] ? __kernel_text_address+0xe/0x30
+[ 2949.604212] ? __lockdep_init_map+0x10e/0x5c0
+[ 2949.604212] ? __lockdep_init_map+0x10e/0x5c0
+[ 2949.604212] ? __init_waitqueue_head+0x86/0x130
+[ 2949.604212] ? init_wait_entry+0x1a0/0x1a0
+[ 2949.604212] proc_entry_rundown+0x208/0x270
+[ 2949.604212] ? proc_reg_get_unmapped_area+0x370/0x370
+[ 2949.604212] ? __lock_acquire+0x4500/0x4500
+[ 2949.604212] ? complete+0x18/0x70
+[ 2949.604212] remove_proc_subtree+0x143/0x2a0
+[ 2949.708655] ? remove_proc_entry+0x390/0x390
+[ 2949.708655] clusterip_tg_destroy+0x27a/0x630 [ipt_CLUSTERIP]
+[ ... ]
+
+Fixes: b3e456fce9f5 ("netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation")
+Signed-off-by: Taehee Yoo
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/ipt_CLUSTERIP.c | 19 ++++++++++++++-----
+ 1 file changed, 14 insertions(+), 5 deletions(-)
+
+--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
++++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
+@@ -56,7 +56,7 @@ struct clusterip_config {
+ #endif
+ enum clusterip_hashmode hash_mode; /* which hashing mode */
+ u_int32_t hash_initval; /* hash initialization */
+- struct rcu_head rcu;
++ struct rcu_head rcu; /* for call_rcu_bh */
+ struct net *net; /* netns for pernet list */
+ char ifname[IFNAMSIZ]; /* device ifname */
+ };
+@@ -72,6 +72,8 @@ struct clusterip_net {
+
+ #ifdef CONFIG_PROC_FS
+ struct proc_dir_entry *procdir;
++ /* mutex protects the config->pde*/
++ struct mutex mutex;
+ #endif
+ };
+
+@@ -118,17 +120,18 @@ clusterip_config_entry_put(struct cluste
+
+ local_bh_disable();
+ if (refcount_dec_and_lock(&c->entries, &cn->lock)) {
++ list_del_rcu(&c->list);
++ spin_unlock(&cn->lock);
++ local_bh_enable();
+ /* In case anyone still accesses the file, the open/close
+ * functions are also incrementing the refcount on their own,
+ * so it's safe to remove the entry even if it's in use. */
+ #ifdef CONFIG_PROC_FS
++ mutex_lock(&cn->mutex);
+ if (cn->procdir)
+ proc_remove(c->pde);
++ mutex_unlock(&cn->mutex);
+ #endif
+- list_del_rcu(&c->list);
+- spin_unlock(&cn->lock);
+- local_bh_enable();
+-
+ return;
+ }
+ local_bh_enable();
+@@ -278,9 +281,11 @@ clusterip_config_init(struct net *net, c
+
+ /* create proc dir entry */
+ sprintf(buffer, "%pI4", &ip);
++ mutex_lock(&cn->mutex);
+ c->pde = proc_create_data(buffer, 0600,
+ cn->procdir,
+ &clusterip_proc_fops, c);
++ mutex_unlock(&cn->mutex);
+ if (!c->pde) {
+ err = -ENOMEM;
+ goto err;
+@@ -833,6 +838,7 @@ static int clusterip_net_init(struct net
+ pr_err("Unable to proc dir entry\n");
+ return -ENOMEM;
+ }
++ mutex_init(&cn->mutex);
+ #endif /* CONFIG_PROC_FS */
+
+ return 0;
+@@ -841,9 +847,12 @@ static int clusterip_net_init(struct net
+ static void clusterip_net_exit(struct net *net)
+ {
+ struct clusterip_net *cn = clusterip_pernet(net);
++
+ #ifdef CONFIG_PROC_FS
++ mutex_lock(&cn->mutex);
+ proc_remove(cn->procdir);
+ cn->procdir = NULL;
++ mutex_unlock(&cn->mutex);
+ #endif
+ nf_unregister_net_hook(net, &cip_arp_ops);
+ }
diff --git a/queue-4.20/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch b/queue-4.20/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
new file mode 100644
index 00000000000..7a47eb37172
--- /dev/null
+++ b/queue-4.20/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
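Review bot: The new `struct mutex mutex` in `struct clusterip_net` carries only `/* mutex protects the config->pde*/`, which says nothing about how it orders against `cn->lock`, although the `clusterip_config_entry_put` hunk depends on that: it takes the mutex only after `spin_unlock(&cn->lock)` and `local_bh_enable()`, because `proc_remove()` can sleep. Suggest `/* serialises create/remove of config->pde; may sleep, so never take it under cn->lock or with BHs disabled */`, which also fixes the missing space before `*/`. With the spinlock released first, the `if (cn->procdir)` test is now protected by the mutex alone, consistent with `clusterip_net_exit` clearing `procdir` under the same mutex; that is worth a short comment at the test too. Both `clusterip_config_entry_put` and `clusterip_config_init` start above their hunks.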
@@ -0,0 +1,45 @@
+From 15df03c661cb362366ecfc3a21820cb934f3e4ca Mon Sep 17 00:00:00 2001
+From: Eli Cooper
+Date: Mon, 21 Jan 2019 18:45:27 +0800
+Subject: netfilter: ipv6: Don't preserve original oif for loopback address
+
+From: Eli Cooper
+
+commit 15df03c661cb362366ecfc3a21820cb934f3e4ca upstream.
+
+Commit 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic
+original oif") made ip6_route_me_harder() keep the original oif for
+link-local and multicast packets. However, it also affected packets
+for the loopback address because it used rt6_need_strict().
+
+REDIRECT rules in the OUTPUT chain rewrite the destination to loopback
+address; thus its oif should not be preserved. This commit fixes the bug
+that redirected local packets are being dropped. Actually the packet was
+not exactly dropped; Instead it was sent out to the original oif rather
+than lo. When a packet with daddr ::1 is sent to the router, it is
+effectively dropped.
+
+Fixes: 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic original oif")
+Signed-off-by: Eli Cooper
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/netfilter.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -23,9 +23,11 @@ int ip6_route_me_harder(struct net *net,
+ struct sock *sk = sk_to_full_sk(skb->sk);
+ unsigned int hh_len;
+ struct dst_entry *dst;
++ int strict = (ipv6_addr_type(&iph->daddr) &
++ (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
+ struct flowi6 fl6 = {
+ .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
+- rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
++ strict ? skb_dst(skb)->dev->ifindex : 0,
+ .flowi6_mark = skb->mark,
+ .flowi6_uid = sock_net_uid(net, sk),
+ .daddr = iph->daddr,
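Review bot: The new `strict` mask in `ip6_route_me_harder` deliberately leaves out the loopback case that `rt6_need_strict()` covered, but nothing in the code says so, so a later reader could "simplify" it back to the helper and reintroduce the REDIRECT-to-::1 breakage the commit message describes. Suggest a comment above the declaration: `/* unlike rt6_need_strict(), do not pin oif for loopback: REDIRECT rewrites daddr to ::1, which must go out via lo */`. As a smaller point, `strict` holds a bit mask but is only ever tested as a boolean, so `bool strict = !!(...)` would state the intent more directly. The function starts above the hunk, so where `iph` is assigned is not visible here.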
diff --git a/queue-4.20/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch b/queue-4.20/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
new file mode 100644
index 00000000000..1130525f400
--- /dev/null
+++ b/queue-4.20/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
@@ -0,0 +1,35 @@
+From 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Fri, 15 Feb 2019 12:50:24 +0100
+Subject: netfilter: nf_tables: fix flush after rule deletion in the same batch
+
+From: Pablo Neira Ayuso
+
+commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream.
+
+Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
+been already from nft_delrule_by_chain() which is always called from the
+flush path.
+
+Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table")
+Reported-by: Phil Sutter
+Acked-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -307,6 +307,9 @@ static int nft_delrule_by_chain(struct n
+ int err;
+
+ list_for_each_entry(rule, &ctx->chain->rules, list) {
++ if (!nft_is_active_next(ctx->net, rule))
++ continue;
++
+ err = nft_delrule(ctx, rule);
+ if (err < 0)
+ return err;
diff --git a/queue-4.20/netfilter-nfnetlink_osf-add-missing-fmatch-check.patch b/queue-4.20/netfilter-nfnetlink_osf-add-missing-fmatch-check.patch
new file mode 100644
index 00000000000..760ceb6b2e1
--- /dev/null
+++ b/queue-4.20/netfilter-nfnetlink_osf-add-missing-fmatch-check.patch
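Review bot: The skip added to the loop in `nft_delrule_by_chain` has no comment, and a reader of the loop will not see from `nft_is_active_next()` alone that a false result here is, per the commit message, a rule already deleted earlier in the same batch whose second deletion produced the spurious -ENOENT. Suggest `/* already deleted earlier in this batch; deleting again would hit -ENOENT */` above the `if`. `nft_delrule_by_chain` begins above the hunk and its loop continues below it.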
@@ -0,0 +1,57 @@
+From 1a6a0951fc009f6d9fe8ebea2d2417d80d54097b Mon Sep 17 00:00:00 2001
+From: Fernando Fernandez Mancera
+Date: Mon, 21 Jan 2019 12:53:21 +0100
+Subject: netfilter: nfnetlink_osf: add missing fmatch check
+
+From: Fernando Fernandez Mancera
+
+commit 1a6a0951fc009f6d9fe8ebea2d2417d80d54097b upstream.
+
+When we check the tcp options of a packet and it doesn't match the current
+fingerprint, the tcp packet option pointer must be restored to its initial
+value in order to do the proper tcp options check for the next fingerprint.
+
+Here we can see an example.
+Assumming the following fingerprint base with two lines:
+
+S10:64:1:60:M*,S,T,N,W6: Linux:3.0::Linux 3.0
+S20:64:1:60:M*,S,T,N,W7: Linux:4.19:arch:Linux 4.1
+
+Where TCP options are the last field in the OS signature, all of them overlap
+except by the last one, ie. 'W6' versus 'W7'.
+
+In case a packet for Linux 4.19 kicks in, the osf finds no matching because the
+TCP options pointer is updated after checking for the TCP options in the first
+line.
+
+Therefore, reset pointer back to where it should be.
+
+Fixes: 11eeef41d5f6 ("netfilter: passive OS fingerprint xtables match")
+Signed-off-by: Fernando Fernandez Mancera
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nfnetlink_osf.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nfnetlink_osf.c
++++ b/net/netfilter/nfnetlink_osf.c
+@@ -66,6 +66,7 @@ static bool nf_osf_match_one(const struc
+ int ttl_check,
+ struct nf_osf_hdr_ctx *ctx)
+ {
++ const __u8 *optpinit = ctx->optp;
+ unsigned int check_WSS = 0;
+ int fmatch = FMATCH_WRONG;
+ int foptsize, optnum;
+@@ -155,6 +156,9 @@ static bool nf_osf_match_one(const struc
+ }
+ }
+
++ if (fmatch != FMATCH_OK)
++ ctx->optp = optpinit;
++
+ return fmatch == FMATCH_OK;
+ }
+
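Review bot: `ctx->optp` is restored in `nf_osf_match_one` only when `fmatch != FMATCH_OK`, so after a successful match the pointer stays advanced; if the caller keeps iterating fingerprints after a match (the caller is not visible here), the next `nf_osf_match_one` would start from the wrong option offset. Restoring unconditionally is harmless on the match path and removes that dependence: replace the two added lines before the return with `ctx->optp = optpinit;`. A one-line comment such as `/* rewind so the next fingerprint sees the full option list */` would also record why `optpinit` exists. Any return between the two hunks, if there is one, bypasses the restore as well; the middle of the function is not shown.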
diff --git a/queue-4.20/netfilter-nft_compat-use-after-free-when-deleting-targets.patch b/queue-4.20/netfilter-nft_compat-use-after-free-when-deleting-targets.patch
new file mode 100644
index 00000000000..338691f00bf
--- /dev/null
+++ b/queue-4.20/netfilter-nft_compat-use-after-free-when-deleting-targets.patch
@@ -0,0 +1,39 @@
+From 753c111f655e38bbd52fc01321266633f022ebe2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 13 Feb 2019 13:03:53 +0100
+Subject: netfilter: nft_compat: use-after-free when deleting targets
+
+From: Pablo Neira Ayuso
+
+commit 753c111f655e38bbd52fc01321266633f022ebe2 upstream.
+
+Fetch pointer to module before target object is released.
+
+Fixes: 29e3880109e3 ("netfilter: nf_tables: fix use-after-free when deleting compat expressions")
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nft_compat.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -282,6 +282,7 @@ nft_target_destroy(const struct nft_ctx
+ {
+ struct xt_target *target = expr->ops->data;
+ void *info = nft_expr_priv(expr);
++ struct module *me = target->me;
+ struct xt_tgdtor_param par;
+
+ par.net = ctx->net;
+@@ -292,7 +293,7 @@ nft_target_destroy(const struct nft_ctx
+ par.target->destroy(&par);
+
+ if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+- module_put(target->me);
++ module_put(me);
+ }
+
+ static int nft_extension_dump_info(struct sk_buff *skb, int attr,
diff --git a/queue-4.20/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch b/queue-4.20/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
new file mode 100644
index 00000000000..a955b9d07b4
--- /dev/null
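Review bot: `me` is hoisted in `nft_target_destroy` without a comment saying why it must be read before `nft_xt_put()`, which is the whole point of the fix; since the hunk still uses `target` via `par.target->destroy(&par)` before the put, the hazard is not obvious from the code and a cleanup could fold the variable back in. Suggest `/* the target may be freed by nft_xt_put() below; grab its module first */` next to `struct module *me = target->me;`. The lines between the two hunks, where `par` is filled in, are not visible here.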
+++ b/queue-4.20/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch 
@@ -0,0 +1,56 @@
+From 278e2148c07559dd4ad8602f22366d61eb2ee7b7 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu
+Date: Fri, 22 Feb 2019 21:22:32 +0800
+Subject: Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu
+
+commit 278e2148c07559dd4ad8602f22366d61eb2ee7b7 upstream.
+
+This reverts commit 5a2de63fd1a5 ("bridge: do not add port to router list
+when receives query with source 0.0.0.0") and commit 0fe5119e267f ("net:
+bridge: remove ipv6 zero address check in mcast queries")
+
+The reason is RFC 4541 is not a standard but suggestive. Currently we
+will elect 0.0.0.0 as Querier if there is no ip address configured on
+bridge. If we do not add the port which recives query with source
+0.0.0.0 to router list, the IGMP reports will not be about to forward
+to Querier, IGMP data will also not be able to forward to dest.
+
+As Nikolay suggested, revert this change first and add a boolopt api
+to disable none-zero election in future if needed.
+
+Reported-by: Linus Lüssing
+Reported-by: Sebastian Gottschall
+Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
+Fixes: 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries")
+Signed-off-by: Hangbin Liu
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/br_multicast.c | 9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1422,14 +1422,7 @@ static void br_multicast_query_received(
+ return;
+
+ br_multicast_update_query_timer(br, query, max_delay);
+-
+- /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
+- * the arrival port for IGMP Queries where the source address
+- * is 0.0.0.0 should not be added to router port list.
+- */
+- if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
+- saddr->proto == htons(ETH_P_IPV6))
+- br_multicast_mark_router(br, port);
++ br_multicast_mark_router(br, port);
+ }
+
+ static void br_ip4_multicast_query(struct net_bridge *br,
diff --git a/queue-4.20/series b/queue-4.20/series
index 761d769ba37..e662b732ae0 100644
--- a/queue-4.20/series
+++ b/queue-4.20/series
@@ -174,3 +174,9 @@ staging-erofs-add-a-full-barrier-in-erofs_workgroup_unfreeze.patch
 staging-erofs-dir-inode-super-.c-rectify-bug_ons.patch
 staging-erofs-unzip_-pagevec.h-vle.c-rectify-bug_ons.patch
 staging-erofs-unzip_vle_lz4.c-utils.c-rectify-bug_ons.patch
+revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
+netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
+netfilter-nft_compat-use-after-free-when-deleting-targets.patch
+netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
+netfilter-nfnetlink_osf-add-missing-fmatch-check.patch
+netfilter-ipt_clusterip-fix-sleep-in-atomic-bug-in-clusterip_config_entry_put.patch
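Review bot: After the revert, `br_multicast_query_received` calls `br_multicast_mark_router(br, port)` unconditionally with nothing left in the code explaining that queries from source 0.0.0.0 are meant to mark the port, so the RFC 4541 check this commit removes is likely to be proposed again. Suggest a comment above the call: `/* queries with source 0.0.0.0 also mark the port: a bridge with no IP elects 0.0.0.0 as querier (see revert of 5a2de63fd1a5) */`. The function starts above the hunk.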