From: Greg Kroah-Hartman Date: Mon, 20 Jan 2020 11:35:15 +0000 (+0100) Subject: 4.14-stable patches X-Git-Tag: v4.4.211~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e54b349f5eb0e893ec4debac62581d3ef8000c32;p=thirdparty%2Fkernel%2Fstable-queue.git 4.14-stable patches added patches: batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch netfilter-fix-a-use-after-free-in-mtype_destroy.patch nfc-pn533-fix-bulk-message-timeout.patch
---
diff --git a/queue-4.14/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-4.14/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
new file mode 100644
index 00000000000..3bb99063bc3
--- /dev/null
+++ b/queue-4.14/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
@@ -0,0 +1,49 @@
+From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Thu, 28 Nov 2019 12:25:45 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+From: Sven Eckelmann
+
+commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, this is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -243,6 +243,7 @@ static u32 batadv_hash_dat(const void *d
+ u32 hash = 0;
+ const struct batadv_dat_entry *dat = data;
+ const unsigned char *key;
++ __be16 vid;
+ u32 i;
+
+ key = (const unsigned char *)&dat->ip;
+@@ -252,7 +253,8 @@ static u32 batadv_hash_dat(const void *d
+ hash ^= (hash >> 6);
+ }
+
+- key = (const unsigned char *)&dat->vid;
++ vid = htons(dat->vid);
++ key = (__force const unsigned char *)&vid;
+ for (i = 0; i < sizeof(dat->vid); i++) {
+ hash += key[i];
+ hash += (hash << 10);
diff --git a/queue-4.14/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch b/queue-4.14/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
new file mode 100644
index 00000000000..8aba6c01fd5
--- /dev/null
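Review bot: The VID loop in batadv_hash_dat() still uses `sizeof(dat->vid)` as its bound although `key` now points at the local `__be16 vid`, so the bound and the buffer being read only agree because the two types happen to have the same size. Writing `for (i = 0; i < sizeof(vid); i++)` would keep the read inside the 2-byte local even if the struct field were ever widened. Separately, the hash value changes on little-endian hosts, so nodes with and without this fix presumably select different DHT candidates for the same entry until all are updated; a sentence on that in the commit message would help anyone doing a rolling upgrade. The function body starts and ends outside the two hunks.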
+++ b/queue-4.14/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch 
@@ -0,0 +1,124 @@
+From 212e7f56605ef9688d0846db60c6c6ec06544095 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sat, 11 Jan 2020 23:19:53 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
+
+From: Florian Westphal
+
+commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.
+
+An earlier commit (1b789577f655060d98d20e,
+"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
+fixed missing net initialization for arptables, but turns out it was
+incomplete. We can get a very similar struct net NULL deref during
+error unwinding:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
+ xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
+ cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
+ translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
+ do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
+ do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461
+
+Also init the netns pointer in xt_tgdtor_param struct.
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/arp_tables.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -506,12 +506,13 @@ static inline int check_entry_size_and_h
+ return 0;
+ }
+
+-static inline void cleanup_entry(struct arpt_entry *e)
++static void cleanup_entry(struct arpt_entry *e, struct net *net)
+ {
+ struct xt_tgdtor_param par;
+ struct xt_entry_target *t;
+
+ t = arpt_get_target(e);
++ par.net = net;
+ par.target = t->u.kernel.target;
+ par.targinfo = t->data;
+ par.family = NFPROTO_ARP;
+@@ -601,7 +602,7 @@ static int translate_table(struct net *n
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ if (i-- == 0)
+ break;
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ }
+ return ret;
+ }
+@@ -926,7 +927,7 @@ static int __do_replace(struct net *net,
+ /* Decrease module usage counts and free resource */
+ loc_cpu_old_entry = oldinfo->entries;
+ xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+
+ xt_free_table_info(oldinfo);
+ if (copy_to_user(counters_ptr, counters,
+@@ -990,7 +991,7 @@ static int do_replace(struct net *net, c
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1287,7 +1288,7 @@ static int compat_do_replace(struct net
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1514,7 +1515,7 @@ static int do_arpt_get_ctl(struct sock *
+ return ret;
+ }
+
+-static void __arpt_unregister_table(struct xt_table *table)
++static void __arpt_unregister_table(struct net *net, struct xt_table *table)
+ {
+ struct xt_table_info *private;
+ void *loc_cpu_entry;
+@@ -1526,7 +1527,7 @@ static void __arpt_unregister_table(stru
+ /* Decrease module usage counts and free resources */
+ loc_cpu_entry = private->entries;
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ if (private->number > private->initial_entries)
+ module_put(table_owner);
+ xt_free_table_info(private);
+@@ -1566,7 +1567,7 @@ int arpt_register_table(struct net *net,
+
+ ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
+ if (ret != 0) {
+- __arpt_unregister_table(new_table);
++ __arpt_unregister_table(net, new_table);
+ *res = NULL;
+ }
+
+@@ -1581,7 +1582,7 @@ void arpt_unregister_table(struct net *n
+ const struct nf_hook_ops *ops)
+ {
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+- __arpt_unregister_table(table);
++ __arpt_unregister_table(net, table);
+ }
+
+ /* The built-in targets: standard (NULL) and error. */
diff --git a/queue-4.14/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-4.14/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
new file mode 100644
index 00000000000..f80e1ad9ed7
--- /dev/null
+++ b/queue-4.14/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
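Review bot: In cleanup_entry() the local `struct xt_tgdtor_param par;` is still declared without an initializer and filled in field by field, which is the pattern that left `par.net` holding whatever was on the stack and led to the fault quoted in the commit message. Initialising it at the declaration, for example `struct xt_tgdtor_param par = { .net = net };` followed by the existing assignments, would make any member added to the struct later default to NULL/0 instead of stack contents being handed to a target destructor. The end of cleanup_entry() lies outside the hunk, so the remaining uses of `par` cannot be checked from here.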
@@ -0,0 +1,36 @@
+From c120959387efa51479056fd01dc90adfba7a590c Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+From: Cong Wang
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Cong Wang
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -64,9 +64,9 @@ mtype_destroy(struct ip_set *set)
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+
+- ip_set_free(map->members);
+ if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
++ ip_set_free(map->members);
+ ip_set_free(map);
+
+ set->data = NULL;
diff --git a/queue-4.14/nfc-pn533-fix-bulk-message-timeout.patch b/queue-4.14/nfc-pn533-fix-bulk-message-timeout.patch
new file mode 100644
index 00000000000..7f023d4071b
--- /dev/null
+++ b/queue-4.14/nfc-pn533-fix-bulk-message-timeout.patch
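Review bot: The corrected order in mtype_destroy() is a lifetime rule that nothing in the code states: according to the commit message mtype_ext_cleanup() uses `map->members`, so that buffer has to outlive the call. A one-line comment above the moved `ip_set_free(map->members);`, such as `/* mtype_ext_cleanup() still uses map->members; free it only afterwards */`, would keep a later reshuffle of the teardown path from reintroducing the use-after-free. The function continues past the end of the hunk.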
@@ -0,0 +1,38 @@
+From a112adafcb47760feff959ee1ecd10b74d2c5467 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Jan 2020 18:23:58 +0100
+Subject: NFC: pn533: fix bulk-message timeout
+
+From: Johan Hovold
+
+commit a112adafcb47760feff959ee1ecd10b74d2c5467 upstream.
+
+The driver was doing a synchronous uninterruptible bulk-transfer without
+using a timeout. This could lead to the driver hanging on probe due to a
+malfunctioning (or malicious) device until the device is physically
+disconnected. While sleeping in probe the driver prevents other devices
+connected to the same hub from being added to (or removed from) the bus.
+
+An arbitrary limit of five seconds should be more than enough.
+
+Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
+Signed-off-by: Johan Hovold
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nfc/pn533/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -403,7 +403,7 @@ static int pn533_acr122_poweron_rdr(stru
+ cmd, sizeof(cmd), false);
+
+ rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd),
+- &transferred, 0);
++ &transferred, 5000);
+ kfree(buffer);
+ if (rc || (transferred != sizeof(cmd))) {
+ nfc_err(&phy->udev->dev,
diff --git a/queue-4.14/series b/queue-4.14/series
index aa8b268a4b3..6aabbdd8faa 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -34,3 +34,7 @@ mm-huge_memory.c-make-__thp_get_unmapped_area-static.patch
 mm-huge_memory.c-thp-fix-conflict-of-above-47bit-hin.patch
 arm64-dts-agilex-stratix10-fix-pmu-interrupt-numbers.patch
 cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch
+netfilter-fix-a-use-after-free-in-mtype_destroy.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
+nfc-pn533-fix-bulk-message-timeout.patch
+batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
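Review bot: The new timeout reaches `usb_bulk_msg()` in pn533_acr122_poweron_rdr() as the bare literal `5000`, so the unit (milliseconds) and the reason for bounding the wait live only in the commit message. A named constant with a short comment, e.g. `#define PN533_POWERON_TIMEOUT_MS 5000 /* bound the probe-time wait on an unresponsive device */` (name constructed for illustration), would keep that rationale at the call site. The existing `if (rc || (transferred != sizeof(cmd)))` check appears to catch the timeout error return as well, but the error branch is cut off by the hunk, so what it does on that path cannot be confirmed here.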