From 27ce26a3260347e53436ebfd5c997804af08e790 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 22 Jul 2021 17:26:27 +0200 Subject: [PATCH] 5.4-stable patches added patches: dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch net-fddi-fix-uaf-in-fza_probe.patch net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch net-moxa-fix-uaf-in-moxart_mac_probe.patch net-qcom-emac-fix-uaf-in-emac_remove.patch net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch net-send-synack-packet-with-accepted-fwmark.patch net-ti-fix-uaf-in-tlan_remove_one.patch net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch --- ...e-don-t-leak-fences-on-merge-failure.patch | 73 ++++++++++++++++ ...e-all-tx-rx-queues-dmas-are-disabled.patch | 46 ++++++++++ ...c-fdb-to-new-unicast-filtering-ports.patch | 73 ++++++++++++++++ ...xxx-enable-.port_set_policy-on-topaz.patch | 45 ++++++++++ ...88e6xxx-enable-.rmu_disable-on-topaz.patch | 45 ++++++++++ queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch | 35 ++++++++ ...calculation-for-ether-tunnel-devices.patch | 86 +++++++++++++++++++ ...-fix-return-value-of-ip6_skb_dst_mtu.patch | 49 +++++++++++ ...net-moxa-fix-uaf-in-moxart_mac_probe.patch | 45 ++++++++++ ...net-qcom-emac-fix-uaf-in-emac_remove.patch | 39 +++++++++ ...x-err-check-for-nf_conntrack_confirm.patch | 32 +++++++ ...d-synack-packet-with-accepted-fwmark.patch | 37 ++++++++ .../net-ti-fix-uaf-in-tlan_remove_one.patch | 35 ++++++++ ...efore-returning-from-skb_tunnel_info.patch | 62 +++++++++++++ ...rcu-usage-in-ctnetlink_dump_helpinfo.patch | 72 ++++++++++++++++ queue-5.4/series | 15 ++++ 16 files changed, 789 insertions(+) create mode 100644 queue-5.4/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch create mode 100644 queue-5.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch create mode 100644 queue-5.4/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch create mode 100644 queue-5.4/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch create mode 100644 queue-5.4/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch create mode 100644 queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch create mode 100644 queue-5.4/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch create mode 100644 queue-5.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch create mode 100644 queue-5.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch create mode 100644 queue-5.4/net-qcom-emac-fix-uaf-in-emac_remove.patch create mode 100644 queue-5.4/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch create mode 100644 queue-5.4/net-send-synack-packet-with-accepted-fwmark.patch create mode 100644 queue-5.4/net-ti-fix-uaf-in-tlan_remove_one.patch create mode 100644 queue-5.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch create mode 100644 queue-5.4/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch diff --git a/queue-5.4/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch b/queue-5.4/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch new file mode 100644 index 00000000000..bdfa8ac58f7 --- /dev/null +++ b/queue-5.4/dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch @@ -0,0 +1,73 @@ +From ffe000217c5068c5da07ccb1c0f8cce7ad767435 Mon Sep 17 00:00:00 2001 +From: Jason Ekstrand +Date: Thu, 24 Jun 2021 12:47:32 -0500 +Subject: dma-buf/sync_file: Don't leak fences on merge failure +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jason Ekstrand + +commit ffe000217c5068c5da07ccb1c0f8cce7ad767435 upstream. + +Each add_fence() call does a dma_fence_get() on the relevant fence. In +the error path, we weren't calling dma_fence_put() so all those fences +got leaked. Also, in the krealloc_array failure case, we weren't +freeing the fences array. Instead, ensure that i and fences are always +zero-initialized and dma_fence_put() all the fences and kfree(fences) on +every error path. + +Signed-off-by: Jason Ekstrand +Reviewed-by: Christian König +Fixes: a02b9dc90d84 ("dma-buf/sync_file: refactor fence storage in struct sync_file") +Cc: Gustavo Padovan +Cc: Christian König +Link: https://patchwork.freedesktop.org/patch/msgid/20210624174732.1754546-1-jason@jlekstrand.net +Signed-off-by: Christian König +Signed-off-by: Greg Kroah-Hartman +--- + drivers/dma-buf/sync_file.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/dma-buf/sync_file.c ++++ b/drivers/dma-buf/sync_file.c +@@ -211,8 +211,8 @@ static struct sync_file *sync_file_merge + struct sync_file *b) + { + struct sync_file *sync_file; +- struct dma_fence **fences, **nfences, **a_fences, **b_fences; +- int i, i_a, i_b, num_fences, a_num_fences, b_num_fences; ++ struct dma_fence **fences = NULL, **nfences, **a_fences, **b_fences; ++ int i = 0, i_a, i_b, num_fences, a_num_fences, b_num_fences; + + sync_file = sync_file_alloc(); + if (!sync_file) +@@ -236,7 +236,7 @@ static struct sync_file *sync_file_merge + * If a sync_file can only be created with sync_file_merge + * and sync_file_create, this is a reasonable assumption. + */ +- for (i = i_a = i_b = 0; i_a < a_num_fences && i_b < b_num_fences; ) { ++ for (i_a = i_b = 0; i_a < a_num_fences && i_b < b_num_fences; ) { + struct dma_fence *pt_a = a_fences[i_a]; + struct dma_fence *pt_b = b_fences[i_b]; + +@@ -278,15 +278,16 @@ static struct sync_file *sync_file_merge + fences = nfences; + } + +- if (sync_file_set_fence(sync_file, fences, i) < 0) { +- kfree(fences); ++ if (sync_file_set_fence(sync_file, fences, i) < 0) + goto err; +- } + + strlcpy(sync_file->user_name, name, sizeof(sync_file->user_name)); + return sync_file; + + err: ++ while (i) ++ dma_fence_put(fences[--i]); ++ kfree(fences); + fput(sync_file->file); + return NULL; + diff --git a/queue-5.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch b/queue-5.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch new file mode 100644 index 00000000000..99962836b2a --- /dev/null +++ b/queue-5.4/net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch @@ -0,0 +1,46 @@ +From 2b452550a203d88112eaf0ba9fc4b750a000b496 Mon Sep 17 00:00:00 2001 +From: Florian Fainelli +Date: Thu, 8 Jul 2021 18:55:32 -0700 +Subject: net: bcmgenet: Ensure all TX/RX queues DMAs are disabled + +From: Florian Fainelli + +commit 2b452550a203d88112eaf0ba9fc4b750a000b496 upstream. + +Make sure that we disable each of the TX and RX queues in the TDMA and +RDMA control registers. This is a correctness change to be symmetrical +with the code that enables the TX and RX queues. + +Tested-by: Maxime Ripard +Fixes: 1c1008c793fa ("net: bcmgenet: add main driver file") +Signed-off-by: Florian Fainelli +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/broadcom/genet/bcmgenet.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c ++++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c +@@ -2783,15 +2783,21 @@ static void bcmgenet_set_hw_addr(struct + /* Returns a reusable dma control register value */ + static u32 bcmgenet_dma_disable(struct bcmgenet_priv *priv) + { ++ unsigned int i; + u32 reg; + u32 dma_ctrl; + + /* disable DMA */ + dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN; ++ for (i = 0; i < priv->hw_params->tx_queues; i++) ++ dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT)); + reg = bcmgenet_tdma_readl(priv, DMA_CTRL); + reg &= ~dma_ctrl; + bcmgenet_tdma_writel(priv, reg, DMA_CTRL); + ++ dma_ctrl = 1 << (DESC_INDEX + DMA_RING_BUF_EN_SHIFT) | DMA_EN; ++ for (i = 0; i < priv->hw_params->rx_queues; i++) ++ dma_ctrl |= (1 << (i + DMA_RING_BUF_EN_SHIFT)); + reg = bcmgenet_rdma_readl(priv, DMA_CTRL); + reg &= ~dma_ctrl; + bcmgenet_rdma_writel(priv, reg, DMA_CTRL); diff --git a/queue-5.4/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch b/queue-5.4/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch new file mode 100644 index 00000000000..3097527f498 --- /dev/null +++ b/queue-5.4/net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch @@ -0,0 +1,73 @@ +From a019abd8022061b917da767cd1a66ed823724eab Mon Sep 17 00:00:00 2001 +From: Wolfgang Bumiller +Date: Fri, 2 Jul 2021 14:07:36 +0200 +Subject: net: bridge: sync fdb to new unicast-filtering ports + +From: Wolfgang Bumiller + +commit a019abd8022061b917da767cd1a66ed823724eab upstream. + +Since commit 2796d0c648c9 ("bridge: Automatically manage +port promiscuous mode.") +bridges with `vlan_filtering 1` and only 1 auto-port don't +set IFF_PROMISC for unicast-filtering-capable ports. + +Normally on port changes `br_manage_promisc` is called to +update the promisc flags and unicast filters if necessary, +but it cannot distinguish between *new* ports and ones +losing their promisc flag, and new ports end up not +receiving the MAC address list. + +Fix this by calling `br_fdb_sync_static` in `br_add_if` +after the port promisc flags are updated and the unicast +filter was supposed to have been filled. + +Fixes: 2796d0c648c9 ("bridge: Automatically manage port promiscuous mode.") +Signed-off-by: Wolfgang Bumiller +Acked-by: Nikolay Aleksandrov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/bridge/br_if.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/net/bridge/br_if.c ++++ b/net/bridge/br_if.c +@@ -559,7 +559,7 @@ int br_add_if(struct net_bridge *br, str + struct net_bridge_port *p; + int err = 0; + unsigned br_hr, dev_hr; +- bool changed_addr; ++ bool changed_addr, fdb_synced = false; + + /* Don't allow bridging non-ethernet like devices, or DSA-enabled + * master network devices since the bridge layer rx_handler prevents +@@ -635,6 +635,19 @@ int br_add_if(struct net_bridge *br, str + list_add_rcu(&p->list, &br->port_list); + + nbp_update_port_count(br); ++ if (!br_promisc_port(p) && (p->dev->priv_flags & IFF_UNICAST_FLT)) { ++ /* When updating the port count we also update all ports' ++ * promiscuous mode. ++ * A port leaving promiscuous mode normally gets the bridge's ++ * fdb synced to the unicast filter (if supported), however, ++ * `br_port_clear_promisc` does not distinguish between ++ * non-promiscuous ports and *new* ports, so we need to ++ * sync explicitly here. ++ */ ++ fdb_synced = br_fdb_sync_static(br, p) == 0; ++ if (!fdb_synced) ++ netdev_err(dev, "failed to sync bridge static fdb addresses to this port\n"); ++ } + + netdev_update_features(br->dev); + +@@ -684,6 +697,8 @@ int br_add_if(struct net_bridge *br, str + return 0; + + err7: ++ if (fdb_synced) ++ br_fdb_unsync_static(br, p); + list_del_rcu(&p->list); + br_fdb_delete_by_port(br, p, 0, 1); + nbp_update_port_count(br); diff --git a/queue-5.4/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch b/queue-5.4/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch new file mode 100644 index 00000000000..6bb226aebff --- /dev/null +++ b/queue-5.4/net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch @@ -0,0 +1,45 @@ +From 7da467d82d1ed4fb317aff836f99709169e73f10 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Thu, 1 Jul 2021 00:22:26 +0200 +Subject: net: dsa: mv88e6xxx: enable .port_set_policy() on Topaz +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 7da467d82d1ed4fb317aff836f99709169e73f10 upstream. + +Commit f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy") +introduced .port_set_policy() method with implementation for several +models, but forgot to add Topaz, which can use the 6352 implementation. + +Use the 6352 implementation of .port_set_policy() on Topaz. + +Signed-off-by: Marek Behún +Fixes: f3a2cd326e44 ("net: dsa: mv88e6xxx: introduce .port_set_policy") +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3715,6 +3715,7 @@ static const struct mv88e6xxx_ops mv88e6 + .port_set_rgmii_delay = mv88e6352_port_set_rgmii_delay, + .port_set_speed = mv88e6250_port_set_speed, + .port_tag_remap = mv88e6095_port_tag_remap, ++ .port_set_policy = mv88e6352_port_set_policy, + .port_set_frame_mode = mv88e6351_port_set_frame_mode, + .port_set_egress_floods = mv88e6352_port_set_egress_floods, + .port_set_ether_type = mv88e6351_port_set_ether_type, +@@ -3982,6 +3983,7 @@ static const struct mv88e6xxx_ops mv88e6 + .port_set_rgmii_delay = mv88e6352_port_set_rgmii_delay, + .port_set_speed = mv88e6185_port_set_speed, + .port_tag_remap = mv88e6095_port_tag_remap, ++ .port_set_policy = mv88e6352_port_set_policy, + .port_set_frame_mode = mv88e6351_port_set_frame_mode, + .port_set_egress_floods = mv88e6352_port_set_egress_floods, + .port_set_ether_type = mv88e6351_port_set_ether_type, diff --git a/queue-5.4/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch b/queue-5.4/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch new file mode 100644 index 00000000000..4149439e970 --- /dev/null +++ b/queue-5.4/net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch @@ -0,0 +1,45 @@ +From 3709488790022c85720f991bff50d48ed5a36e6a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Marek=20Beh=C3=BAn?= +Date: Thu, 1 Jul 2021 00:22:28 +0200 +Subject: net: dsa: mv88e6xxx: enable .rmu_disable() on Topaz +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Marek Behún + +commit 3709488790022c85720f991bff50d48ed5a36e6a upstream. + +Commit 9e5baf9b36367 ("net: dsa: mv88e6xxx: add RMU disable op") +introduced .rmu_disable() method with implementation for several models, +but forgot to add Topaz, which can use the Peridot implementation. + +Use the Peridot implementation of .rmu_disable() on Topaz. + +Signed-off-by: Marek Behún +Fixes: 9e5baf9b36367 ("net: dsa: mv88e6xxx: add RMU disable op") +Reviewed-by: Andrew Lunn +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/dsa/mv88e6xxx/chip.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/dsa/mv88e6xxx/chip.c ++++ b/drivers/net/dsa/mv88e6xxx/chip.c +@@ -3917,6 +3917,7 @@ static const struct mv88e6xxx_ops mv88e6 + .mgmt_rsvd2cpu = mv88e6390_g1_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, + .reset = mv88e6352_g1_reset, ++ .rmu_disable = mv88e6390_g1_rmu_disable, + .vtu_getnext = mv88e6352_g1_vtu_getnext, + .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge, + .serdes_power = mv88e6390_serdes_power, +@@ -4006,6 +4007,7 @@ static const struct mv88e6xxx_ops mv88e6 + .mgmt_rsvd2cpu = mv88e6352_g2_mgmt_rsvd2cpu, + .pot_clear = mv88e6xxx_g2_pot_clear, + .reset = mv88e6352_g1_reset, ++ .rmu_disable = mv88e6390_g1_rmu_disable, + .vtu_getnext = mv88e6352_g1_vtu_getnext, + .vtu_loadpurge = mv88e6352_g1_vtu_loadpurge, + .avb_ops = &mv88e6352_avb_ops, diff --git a/queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch b/queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch new file mode 100644 index 00000000000..5371fa4b9a5 --- /dev/null +++ b/queue-5.4/net-fddi-fix-uaf-in-fza_probe.patch @@ -0,0 +1,35 @@ +From deb7178eb940e2c5caca1b1db084a69b2e59b4c9 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Tue, 13 Jul 2021 13:58:53 +0300 +Subject: net: fddi: fix UAF in fza_probe + +From: Pavel Skripkin + +commit deb7178eb940e2c5caca1b1db084a69b2e59b4c9 upstream. + +fp is netdev private data and it cannot be +used after free_netdev() call. Using fp after free_netdev() +can cause UAF bug. Fix it by moving free_netdev() after error message. + +Fixes: 61414f5ec983 ("FDDI: defza: Add support for DEC FDDIcontroller 700 +TURBOchannel adapter") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/fddi/defza.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/fddi/defza.c ++++ b/drivers/net/fddi/defza.c +@@ -1504,9 +1504,8 @@ err_out_resource: + release_mem_region(start, len); + + err_out_kfree: +- free_netdev(dev); +- + pr_err("%s: initialization failure, aborting!\n", fp->name); ++ free_netdev(dev); + return ret; + } + diff --git a/queue-5.4/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch b/queue-5.4/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch new file mode 100644 index 00000000000..8317c53bfa7 --- /dev/null +++ b/queue-5.4/net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch @@ -0,0 +1,86 @@ +From 9992a078b1771da354ac1f9737e1e639b687caa2 Mon Sep 17 00:00:00 2001 +From: Hangbin Liu +Date: Fri, 9 Jul 2021 11:45:02 +0800 +Subject: net: ip_tunnel: fix mtu calculation for ETHER tunnel devices + +From: Hangbin Liu + +commit 9992a078b1771da354ac1f9737e1e639b687caa2 upstream. + +Commit 28e104d00281 ("net: ip_tunnel: fix mtu calculation") removed +dev->hard_header_len subtraction when calculate MTU for tunnel devices +as there is an overhead for device that has header_ops. + +But there are ETHER tunnel devices, like gre_tap or erspan, which don't +have header_ops but set dev->hard_header_len during setup. This makes +pkts greater than (MTU - ETH_HLEN) could not be xmited. Fix it by +subtracting the ETHER tunnel devices' dev->hard_header_len for MTU +calculation. + +Fixes: 28e104d00281 ("net: ip_tunnel: fix mtu calculation") +Reported-by: Jianlin Shi +Signed-off-by: Hangbin Liu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv4/ip_tunnel.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -317,7 +317,7 @@ static int ip_tunnel_bind_dev(struct net + } + + dev->needed_headroom = t_hlen + hlen; +- mtu -= t_hlen; ++ mtu -= t_hlen + (dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0); + + if (mtu < IPV4_MIN_MTU) + mtu = IPV4_MIN_MTU; +@@ -348,6 +348,9 @@ static struct ip_tunnel *ip_tunnel_creat + t_hlen = nt->hlen + sizeof(struct iphdr); + dev->min_mtu = ETH_MIN_MTU; + dev->max_mtu = IP_MAX_MTU - t_hlen; ++ if (dev->type == ARPHRD_ETHER) ++ dev->max_mtu -= dev->hard_header_len; ++ + ip_tunnel_add(itn, nt); + return nt; + +@@ -495,11 +498,14 @@ static int tnl_update_pmtu(struct net_de + + tunnel_hlen = md ? tunnel_hlen : tunnel->hlen; + pkt_size = skb->len - tunnel_hlen; ++ pkt_size -= dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0; + +- if (df) ++ if (df) { + mtu = dst_mtu(&rt->dst) - (sizeof(struct iphdr) + tunnel_hlen); +- else ++ mtu -= dev->type == ARPHRD_ETHER ? dev->hard_header_len : 0; ++ } else { + mtu = skb_valid_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu; ++ } + + if (skb_valid_dst(skb)) + skb_dst_update_pmtu_no_confirm(skb, mtu); +@@ -965,6 +971,9 @@ int __ip_tunnel_change_mtu(struct net_de + int t_hlen = tunnel->hlen + sizeof(struct iphdr); + int max_mtu = IP_MAX_MTU - t_hlen; + ++ if (dev->type == ARPHRD_ETHER) ++ max_mtu -= dev->hard_header_len; ++ + if (new_mtu < ETH_MIN_MTU) + return -EINVAL; + +@@ -1142,6 +1151,9 @@ int ip_tunnel_newlink(struct net_device + if (tb[IFLA_MTU]) { + unsigned int max = IP_MAX_MTU - (nt->hlen + sizeof(struct iphdr)); + ++ if (dev->type == ARPHRD_ETHER) ++ max -= dev->hard_header_len; ++ + mtu = clamp(dev->mtu, (unsigned int)ETH_MIN_MTU, max); + } + diff --git a/queue-5.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch b/queue-5.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch new file mode 100644 index 00000000000..fec60471cf7 --- /dev/null +++ b/queue-5.4/net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch @@ -0,0 +1,49 @@ +From 40fc3054b45820c28ea3c65e2c86d041dc244a8a Mon Sep 17 00:00:00 2001 +From: Vadim Fedorenko +Date: Fri, 2 Jul 2021 02:47:00 +0300 +Subject: net: ipv6: fix return value of ip6_skb_dst_mtu + +From: Vadim Fedorenko + +commit 40fc3054b45820c28ea3c65e2c86d041dc244a8a upstream. + +Commit 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE") introduced +ip6_skb_dst_mtu with return value of signed int which is inconsistent +with actually returned values. Also 2 users of this function actually +assign its value to unsigned int variable and only __xfrm6_output +assigns result of this function to signed variable but actually uses +as unsigned in further comparisons and calls. Change this function +to return unsigned int value. + +Fixes: 628a5c561890 ("[INET]: Add IP(V6)_PMTUDISC_RPOBE") +Reviewed-by: David Ahern +Signed-off-by: Vadim Fedorenko +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/ip6_route.h | 2 +- + net/ipv6/xfrm6_output.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -261,7 +261,7 @@ static inline bool ipv6_anycast_destinat + int ip6_fragment(struct net *net, struct sock *sk, struct sk_buff *skb, + int (*output)(struct net *, struct sock *, struct sk_buff *)); + +-static inline int ip6_skb_dst_mtu(struct sk_buff *skb) ++static inline unsigned int ip6_skb_dst_mtu(struct sk_buff *skb) + { + int mtu; + +--- a/net/ipv6/xfrm6_output.c ++++ b/net/ipv6/xfrm6_output.c +@@ -144,7 +144,7 @@ static int __xfrm6_output(struct net *ne + { + struct dst_entry *dst = skb_dst(skb); + struct xfrm_state *x = dst->xfrm; +- int mtu; ++ unsigned int mtu; + bool toobig; + + #ifdef CONFIG_NETFILTER diff --git a/queue-5.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch b/queue-5.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch new file mode 100644 index 00000000000..f0afa6285e8 --- /dev/null +++ b/queue-5.4/net-moxa-fix-uaf-in-moxart_mac_probe.patch @@ -0,0 +1,45 @@ +From c78eaeebe855fd93f2e77142ffd0404a54070d84 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Fri, 9 Jul 2021 17:09:53 +0300 +Subject: net: moxa: fix UAF in moxart_mac_probe + +From: Pavel Skripkin + +commit c78eaeebe855fd93f2e77142ffd0404a54070d84 upstream. + +In case of netdev registration failure the code path will +jump to init_fail label: + +init_fail: + netdev_err(ndev, "init failed\n"); + moxart_mac_free_memory(ndev); +irq_map_fail: + free_netdev(ndev); + return ret; + +So, there is no need to call free_netdev() before jumping +to error handling path, since it can cause UAF or double-free +bug. + +Fixes: 6c821bd9edc9 ("net: Add MOXA ART SoCs ethernet driver") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/moxa/moxart_ether.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/net/ethernet/moxa/moxart_ether.c ++++ b/drivers/net/ethernet/moxa/moxart_ether.c +@@ -545,10 +545,8 @@ static int moxart_mac_probe(struct platf + SET_NETDEV_DEV(ndev, &pdev->dev); + + ret = register_netdev(ndev); +- if (ret) { +- free_netdev(ndev); ++ if (ret) + goto init_fail; +- } + + netdev_dbg(ndev, "%s: IRQ=%d address=%pM\n", + __func__, ndev->irq, ndev->dev_addr); diff --git a/queue-5.4/net-qcom-emac-fix-uaf-in-emac_remove.patch b/queue-5.4/net-qcom-emac-fix-uaf-in-emac_remove.patch new file mode 100644 index 00000000000..bc9c139ff54 --- /dev/null +++ b/queue-5.4/net-qcom-emac-fix-uaf-in-emac_remove.patch @@ -0,0 +1,39 @@ +From ad297cd2db8953e2202970e9504cab247b6c7cb4 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Fri, 9 Jul 2021 17:24:18 +0300 +Subject: net: qcom/emac: fix UAF in emac_remove + +From: Pavel Skripkin + +commit ad297cd2db8953e2202970e9504cab247b6c7cb4 upstream. + +adpt is netdev private data and it cannot be +used after free_netdev() call. Using adpt after free_netdev() +can cause UAF bug. Fix it by moving free_netdev() at the end of the +function. + +Fixes: 54e19bc74f33 ("net: qcom/emac: do not use devm on internal phy pdev") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/qualcomm/emac/emac.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qualcomm/emac/emac.c ++++ b/drivers/net/ethernet/qualcomm/emac/emac.c +@@ -745,12 +745,13 @@ static int emac_remove(struct platform_d + + put_device(&adpt->phydev->mdio.dev); + mdiobus_unregister(adpt->mii_bus); +- free_netdev(netdev); + + if (adpt->phy.digital) + iounmap(adpt->phy.digital); + iounmap(adpt->phy.base); + ++ free_netdev(netdev); ++ + return 0; + } + diff --git a/queue-5.4/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch b/queue-5.4/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch new file mode 100644 index 00000000000..5e1869bf56e --- /dev/null +++ b/queue-5.4/net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch @@ -0,0 +1,32 @@ +From 8955b90c3cdad199137809aac8ccbbb585355913 Mon Sep 17 00:00:00 2001 +From: wenxu +Date: Fri, 2 Jul 2021 11:34:31 +0800 +Subject: net/sched: act_ct: fix err check for nf_conntrack_confirm + +From: wenxu + +commit 8955b90c3cdad199137809aac8ccbbb585355913 upstream. + +The confirm operation should be checked. If there are any failed, +the packet should be dropped like in ovs and netfilter. + +Fixes: b57dc7c13ea9 ("net/sched: Introduce action ct") +Signed-off-by: wenxu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/sched/act_ct.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/sched/act_ct.c ++++ b/net/sched/act_ct.c +@@ -474,7 +474,8 @@ static int tcf_ct_act(struct sk_buff *sk + /* This will take care of sending queued events + * even if the connection is already confirmed. + */ +- nf_conntrack_confirm(skb); ++ if (nf_conntrack_confirm(skb) != NF_ACCEPT) ++ goto drop; + } + + out_push: diff --git a/queue-5.4/net-send-synack-packet-with-accepted-fwmark.patch b/queue-5.4/net-send-synack-packet-with-accepted-fwmark.patch new file mode 100644 index 00000000000..dda999d3bba --- /dev/null +++ b/queue-5.4/net-send-synack-packet-with-accepted-fwmark.patch @@ -0,0 +1,37 @@ +From 43b90bfad34bcb81b8a5bc7dc650800f4be1787e Mon Sep 17 00:00:00 2001 +From: Alexander Ovechkin +Date: Fri, 9 Jul 2021 18:28:23 +0300 +Subject: net: send SYNACK packet with accepted fwmark + +From: Alexander Ovechkin + +commit 43b90bfad34bcb81b8a5bc7dc650800f4be1787e upstream. + +commit e05a90ec9e16 ("net: reflect mark on tcp syn ack packets") +fixed IPv4 only. + +This part is for the IPv6 side. + +Fixes: e05a90ec9e16 ("net: reflect mark on tcp syn ack packets") +Signed-off-by: Alexander Ovechkin +Acked-by: Dmitry Yakunin +Reviewed-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + net/ipv6/tcp_ipv6.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/ipv6/tcp_ipv6.c ++++ b/net/ipv6/tcp_ipv6.c +@@ -513,8 +513,8 @@ static int tcp_v6_send_synack(const stru + opt = ireq->ipv6_opt; + if (!opt) + opt = rcu_dereference(np->opt); +- err = ip6_xmit(sk, skb, fl6, sk->sk_mark, opt, np->tclass, +- sk->sk_priority); ++ err = ip6_xmit(sk, skb, fl6, skb->mark ? : sk->sk_mark, opt, ++ np->tclass, sk->sk_priority); + rcu_read_unlock(); + err = net_xmit_eval(err); + } diff --git a/queue-5.4/net-ti-fix-uaf-in-tlan_remove_one.patch b/queue-5.4/net-ti-fix-uaf-in-tlan_remove_one.patch new file mode 100644 index 00000000000..d8cda38e160 --- /dev/null +++ b/queue-5.4/net-ti-fix-uaf-in-tlan_remove_one.patch @@ -0,0 +1,35 @@ +From 0336f8ffece62f882ab3012820965a786a983f70 Mon Sep 17 00:00:00 2001 +From: Pavel Skripkin +Date: Fri, 9 Jul 2021 17:58:29 +0300 +Subject: net: ti: fix UAF in tlan_remove_one + +From: Pavel Skripkin + +commit 0336f8ffece62f882ab3012820965a786a983f70 upstream. + +priv is netdev private data and it cannot be +used after free_netdev() call. Using priv after free_netdev() +can cause UAF bug. Fix it by moving free_netdev() at the end of the +function. + +Fixes: 1e0a8b13d355 ("tlan: cancel work at remove path") +Signed-off-by: Pavel Skripkin +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/ethernet/ti/tlan.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/ethernet/ti/tlan.c ++++ b/drivers/net/ethernet/ti/tlan.c +@@ -314,9 +314,8 @@ static void tlan_remove_one(struct pci_d + pci_release_regions(pdev); + #endif + +- free_netdev(dev); +- + cancel_work_sync(&priv->tlan_tqueue); ++ free_netdev(dev); + } + + static void tlan_start(struct net_device *dev) diff --git a/queue-5.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch b/queue-5.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch new file mode 100644 index 00000000000..d26ab7ef437 --- /dev/null +++ b/queue-5.4/net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch @@ -0,0 +1,62 @@ +From 67a9c94317402b826fc3db32afc8f39336803d97 Mon Sep 17 00:00:00 2001 +From: Taehee Yoo +Date: Fri, 9 Jul 2021 17:35:18 +0000 +Subject: net: validate lwtstate->data before returning from skb_tunnel_info() + +From: Taehee Yoo + +commit 67a9c94317402b826fc3db32afc8f39336803d97 upstream. + +skb_tunnel_info() returns pointer of lwtstate->data as ip_tunnel_info +type without validation. lwtstate->data can have various types such as +mpls_iptunnel_encap, etc and these are not compatible. +So skb_tunnel_info() should validate before returning that pointer. + +Splat looks like: +BUG: KASAN: slab-out-of-bounds in vxlan_get_route+0x418/0x4b0 [vxlan] +Read of size 2 at addr ffff888106ec2698 by task ping/811 + +CPU: 1 PID: 811 Comm: ping Not tainted 5.13.0+ #1195 +Call Trace: + dump_stack_lvl+0x56/0x7b + print_address_description.constprop.8.cold.13+0x13/0x2ee + ? vxlan_get_route+0x418/0x4b0 [vxlan] + ? vxlan_get_route+0x418/0x4b0 [vxlan] + kasan_report.cold.14+0x83/0xdf + ? vxlan_get_route+0x418/0x4b0 [vxlan] + vxlan_get_route+0x418/0x4b0 [vxlan] + [ ... ] + vxlan_xmit_one+0x148b/0x32b0 [vxlan] + [ ... ] + vxlan_xmit+0x25c5/0x4780 [vxlan] + [ ... ] + dev_hard_start_xmit+0x1ae/0x6e0 + __dev_queue_xmit+0x1f39/0x31a0 + [ ... ] + neigh_xmit+0x2f9/0x940 + mpls_xmit+0x911/0x1600 [mpls_iptunnel] + lwtunnel_xmit+0x18f/0x450 + ip_finish_output2+0x867/0x2040 + [ ... ] + +Fixes: 61adedf3e3f1 ("route: move lwtunnel state to dst_entry") +Signed-off-by: Taehee Yoo +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + include/net/dst_metadata.h | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/include/net/dst_metadata.h ++++ b/include/net/dst_metadata.h +@@ -45,7 +45,9 @@ skb_tunnel_info(const struct sk_buff *sk + return &md_dst->u.tun_info; + + dst = skb_dst(skb); +- if (dst && dst->lwtstate) ++ if (dst && dst->lwtstate && ++ (dst->lwtstate->type == LWTUNNEL_ENCAP_IP || ++ dst->lwtstate->type == LWTUNNEL_ENCAP_IP6)) + return lwt_tun_info(dst->lwtstate); + + return NULL; diff --git a/queue-5.4/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch b/queue-5.4/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch new file mode 100644 index 00000000000..313c08fa69e --- /dev/null +++ b/queue-5.4/netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch @@ -0,0 +1,72 @@ +From c23a9fd209bc6f8c1fa6ee303fdf037d784a1627 Mon Sep 17 00:00:00 2001 +From: Vasily Averin +Date: Thu, 1 Jul 2021 08:02:49 +0300 +Subject: netfilter: ctnetlink: suspicious RCU usage in ctnetlink_dump_helpinfo + +From: Vasily Averin + +commit c23a9fd209bc6f8c1fa6ee303fdf037d784a1627 upstream. + +Two patches listed below removed ctnetlink_dump_helpinfo call from under +rcu_read_lock. Now its rcu_dereference generates following warning: +============================= +WARNING: suspicious RCU usage +5.13.0+ #5 Not tainted +----------------------------- +net/netfilter/nf_conntrack_netlink.c:221 suspicious rcu_dereference_check() usage! + +other info that might help us debug this: +rcu_scheduler_active = 2, debug_locks = 1 +stack backtrace: +CPU: 1 PID: 2251 Comm: conntrack Not tainted 5.13.0+ #5 +Call Trace: + dump_stack+0x7f/0xa1 + ctnetlink_dump_helpinfo+0x134/0x150 [nf_conntrack_netlink] + ctnetlink_fill_info+0x2c2/0x390 [nf_conntrack_netlink] + ctnetlink_dump_table+0x13f/0x370 [nf_conntrack_netlink] + netlink_dump+0x10c/0x370 + __netlink_dump_start+0x1a7/0x260 + ctnetlink_get_conntrack+0x1e5/0x250 [nf_conntrack_netlink] + nfnetlink_rcv_msg+0x613/0x993 [nfnetlink] + netlink_rcv_skb+0x50/0x100 + nfnetlink_rcv+0x55/0x120 [nfnetlink] + netlink_unicast+0x181/0x260 + netlink_sendmsg+0x23f/0x460 + sock_sendmsg+0x5b/0x60 + __sys_sendto+0xf1/0x160 + __x64_sys_sendto+0x24/0x30 + do_syscall_64+0x36/0x70 + entry_SYSCALL_64_after_hwframe+0x44/0xae + +Fixes: 49ca022bccc5 ("netfilter: ctnetlink: don't dump ct extensions of unconfirmed conntracks") +Fixes: 0b35f6031a00 ("netfilter: Remove duplicated rcu_read_lock.") +Signed-off-by: Vasily Averin +Reviewed-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_conntrack_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -211,6 +211,7 @@ static int ctnetlink_dump_helpinfo(struc + if (!help) + return 0; + ++ rcu_read_lock(); + helper = rcu_dereference(help->helper); + if (!helper) + goto out; +@@ -226,9 +227,11 @@ static int ctnetlink_dump_helpinfo(struc + + nla_nest_end(skb, nest_helper); + out: ++ rcu_read_unlock(); + return 0; + + nla_put_failure: ++ rcu_read_unlock(); + return -1; + } + diff --git a/queue-5.4/series b/queue-5.4/series index 1775bc94f8a..3738db37988 100644 --- a/queue-5.4/series +++ b/queue-5.4/series @@ -49,3 +49,18 @@ f2fs-show-casefolding-support-only-when-supported.patch usb-cdns3-enable-tdl_chk-only-for-out-ep.patch mm-slab-fix-kmem_cache_create-failed-when-sysfs-node-not-destroyed.patch dm-writecache-return-the-exact-table-values-that-were-set.patch +net-dsa-mv88e6xxx-enable-.port_set_policy-on-topaz.patch +net-dsa-mv88e6xxx-enable-.rmu_disable-on-topaz.patch +net-ipv6-fix-return-value-of-ip6_skb_dst_mtu.patch +netfilter-ctnetlink-suspicious-rcu-usage-in-ctnetlink_dump_helpinfo.patch +net-sched-act_ct-fix-err-check-for-nf_conntrack_confirm.patch +net-bridge-sync-fdb-to-new-unicast-filtering-ports.patch +net-bcmgenet-ensure-all-tx-rx-queues-dmas-are-disabled.patch +net-ip_tunnel-fix-mtu-calculation-for-ether-tunnel-devices.patch +net-moxa-fix-uaf-in-moxart_mac_probe.patch +net-qcom-emac-fix-uaf-in-emac_remove.patch +net-ti-fix-uaf-in-tlan_remove_one.patch +net-send-synack-packet-with-accepted-fwmark.patch +net-validate-lwtstate-data-before-returning-from-skb_tunnel_info.patch +net-fddi-fix-uaf-in-fza_probe.patch +dma-buf-sync_file-don-t-leak-fences-on-merge-failure.patch -- 2.47.3