From 3337b7b0c363b6f2194706b09f5441d44157b61d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 29 Feb 2016 21:24:48 -0800
Subject: [PATCH] 3.14-stable patches
added patches:
netfilter-ip6t_synproxy-fix-null-pointer-dereference.patch
netfilter-ipt_rpfilter-remove-the-nh_scope-test-in-rpfilter_lookup_reverse.patch
netfilter-nf_tables-fix-bogus-warning-in-nft_data_uninit.patch
---
...ynproxy-fix-null-pointer-dereference.patch | 94 +++++++++++++++++++
...cope-test-in-rpfilter_lookup_reverse.patch | 62 ++++++++++++
...fix-bogus-warning-in-nft_data_uninit.patch | 40 ++++++++
queue-3.14/series | 3 +
4 files changed, 199 insertions(+)
create mode 100644 queue-3.14/netfilter-ip6t_synproxy-fix-null-pointer-dereference.patch
create mode 100644 queue-3.14/netfilter-ipt_rpfilter-remove-the-nh_scope-test-in-rpfilter_lookup_reverse.patch
create mode 100644 queue-3.14/netfilter-nf_tables-fix-bogus-warning-in-nft_data_uninit.patch
diff --git a/queue-3.14/netfilter-ip6t_synproxy-fix-null-pointer-dereference.patch b/queue-3.14/netfilter-ip6t_synproxy-fix-null-pointer-dereference.patch
new file mode 100644
index 00000000000..7bffe75468c
--- /dev/null
+++ b/queue-3.14/netfilter-ip6t_synproxy-fix-null-pointer-dereference.patch
@@ -0,0 +1,94 @@
+From 96fffb4f23f124f297d51dedc9cf51d19eb88ee1 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Sun, 9 Aug 2015 13:14:15 +0200
+Subject: netfilter: ip6t_SYNPROXY: fix NULL pointer dereference
+
+From: Phil Sutter
+
+commit 96fffb4f23f124f297d51dedc9cf51d19eb88ee1 upstream.
+
+This happens when networking namespaces are enabled.
+
+Suggested-by: Patrick McHardy
+Signed-off-by: Phil Sutter
+Acked-by: Patrick McHardy
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/netfilter/ip6t_SYNPROXY.c | 18 ++++++++++--------
+ 1 file changed, 10 insertions(+), 8 deletions(-)
+
+--- a/net/ipv6/netfilter/ip6t_SYNPROXY.c
++++ b/net/ipv6/netfilter/ip6t_SYNPROXY.c
+@@ -37,12 +37,13 @@ synproxy_build_ip(struct sk_buff *skb, c
+ }
+
+ static void
+-synproxy_send_tcp(const struct sk_buff *skb, struct sk_buff *nskb,
++synproxy_send_tcp(const struct synproxy_net *snet,
++ const struct sk_buff *skb, struct sk_buff *nskb,
+ struct nf_conntrack *nfct, enum ip_conntrack_info ctinfo,
+ struct ipv6hdr *niph, struct tcphdr *nth,
+ unsigned int tcp_hdr_size)
+ {
+- struct net *net = nf_ct_net((struct nf_conn *)nfct);
++ struct net *net = nf_ct_net(snet->tmpl);
+ struct dst_entry *dst;
+ struct flowi6 fl6;
+
+@@ -83,7 +84,8 @@ free_nskb:
+ }
+
+ static void
+-synproxy_send_client_synack(const struct sk_buff *skb, const struct tcphdr *th,
++synproxy_send_client_synack(const struct synproxy_net *snet,
++ const struct sk_buff *skb, const struct tcphdr *th,
+ const struct synproxy_options *opts)
+ {
+ struct sk_buff *nskb;
+@@ -119,7 +121,7 @@ synproxy_send_client_synack(const struct
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
++ synproxy_send_tcp(snet, skb, nskb, skb->nfct, IP_CT_ESTABLISHED_REPLY,
+ niph, nth, tcp_hdr_size);
+ }
+
+@@ -163,7 +165,7 @@ synproxy_send_server_syn(const struct sy
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
++ synproxy_send_tcp(snet, skb, nskb, &snet->tmpl->ct_general, IP_CT_NEW,
+ niph, nth, tcp_hdr_size);
+ }
+
+@@ -203,7 +205,7 @@ synproxy_send_server_ack(const struct sy
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
++ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ }
+
+ static void
+@@ -241,7 +243,7 @@ synproxy_send_client_ack(const struct sy
+
+ synproxy_build_options(nth, opts);
+
+- synproxy_send_tcp(skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
++ synproxy_send_tcp(snet, skb, nskb, NULL, 0, niph, nth, tcp_hdr_size);
+ }
+
+ static bool
+@@ -301,7 +303,7 @@ synproxy_tg6(struct sk_buff *skb, const
+ XT_SYNPROXY_OPT_SACK_PERM |
+ XT_SYNPROXY_OPT_ECN);
+
+- synproxy_send_client_synack(skb, th, &opts);
++ synproxy_send_client_synack(snet, skb, th, &opts);
+ return NF_DROP;
+
+ } else if (th->ack && !(th->fin || th->rst || th->syn)) {
diff --git a/queue-3.14/netfilter-ipt_rpfilter-remove-the-nh_scope-test-in-rpfilter_lookup_reverse.patch b/queue-3.14/netfilter-ipt_rpfilter-remove-the-nh_scope-test-in-rpfilter_lookup_reverse.patch
new file mode 100644
index 00000000000..194b8cdb1d3
--- /dev/null
+++ b/queue-3.14/netfilter-ipt_rpfilter-remove-the-nh_scope-test-in-rpfilter_lookup_reverse.patch
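Review bot: In synproxy_send_tcp() the namespace now comes from `snet->tmpl`, but the `nfct` parameter stays in the signature and two callers (synproxy_send_server_ack and synproxy_send_client_ack) still pass `NULL, 0` for it, with nothing in the code telling a later maintainer that `nfct` may be NULL. I would add a comment above the changed line, for example `/* nfct may be NULL on the ACK paths; take the netns from the per-net template */`. The changelog body never says which access faulted; presumably it was `nf_ct_net((struct nf_conn *)nfct)` on those two paths, which is worth stating because it would be reachable from received packets. The rest of synproxy_send_tcp() is outside these hunks, so whether `nfct` is checked before any later use cannot be confirmed from here.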
@@ -0,0 +1,62 @@
+From cc4998febd567d1c671684abce5595344bd4e8b2 Mon Sep 17 00:00:00 2001
+From: lucien
+Date: Tue, 6 Oct 2015 21:03:07 +0800
+Subject: netfilter: ipt_rpfilter: remove the nh_scope test in rpfilter_lookup_reverse
+
+From: lucien
+
+commit cc4998febd567d1c671684abce5595344bd4e8b2 upstream.
+
+--accept-local option works for res.type == RTN_LOCAL, which should be
+from the local table, but there, the fib_info's nh->nh_scope =
+RT_SCOPE_NOWHERE ( > RT_SCOPE_HOST). in fib_create_info().
+
+ if (cfg->fc_scope == RT_SCOPE_HOST) {
+ struct fib_nh *nh = fi->fib_nh;
+
+ /* Local address is added. */
+ if (nhs != 1 || nh->nh_gw)
+ goto err_inval;
+ nh->nh_scope = RT_SCOPE_NOWHERE; <===
+ nh->nh_dev = dev_get_by_index(net, fi->fib_nh->nh_oif);
+ err = -ENODEV;
+ if (!nh->nh_dev)
+ goto failure;
+
+but in our rpfilter_lookup_reverse():
+
+ if (dev_match || flags & XT_RPFILTER_LOOSE)
+ return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
+
+if nh->nh_scope > RT_SCOPE_HOST, it will fail. --accept-local option
+will never be passed.
+
+it seems the test is bogus and can be removed to fix this issue.
+
+ if (dev_match || flags & XT_RPFILTER_LOOSE)
+ return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
+
+ipv6 does not have this issue.
+
+Signed-off-by: Xin Long
+Acked-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/ipt_rpfilter.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/net/ipv4/netfilter/ipt_rpfilter.c
++++ b/net/ipv4/netfilter/ipt_rpfilter.c
+@@ -61,9 +61,7 @@ static bool rpfilter_lookup_reverse(stru
+ if (FIB_RES_DEV(res) == dev)
+ dev_match = true;
+ #endif
+- if (dev_match || flags & XT_RPFILTER_LOOSE)
+- return FIB_RES_NH(res).nh_scope <= RT_SCOPE_HOST;
+- return dev_match;
++ return dev_match || flags & XT_RPFILTER_LOOSE;
+ }
+
+ static bool rpfilter_is_local(const struct sk_buff *skb)
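Review bot: The new `return dev_match || flags & XT_RPFILTER_LOOSE;` drops the nexthop-scope condition for every lookup that reaches this line, not only for the RTN_LOCAL / --accept-local case the changelog argues from. In loose mode any result that gets this far is now accepted whatever its `nh_scope`. Because this function makes the reverse-path (anti-spoofing) decision, a comment or changelog sentence should say why scope is irrelevant for the other route types as well; the message only says the test "seems" bogus. For readability I would also parenthesize the mask: `return dev_match || (flags & XT_RPFILTER_LOOSE);`. The beginning of rpfilter_lookup_reverse(), including any filtering done before this return, is outside the hunk.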
diff --git a/queue-3.14/netfilter-nf_tables-fix-bogus-warning-in-nft_data_uninit.patch b/queue-3.14/netfilter-nf_tables-fix-bogus-warning-in-nft_data_uninit.patch
new file mode 100644
index 00000000000..87a42cb1f11
--- /dev/null
+++ b/queue-3.14/netfilter-nf_tables-fix-bogus-warning-in-nft_data_uninit.patch
@@ -0,0 +1,40 @@
+From 960bd2c26421d321e890f1936938196ead41976f Mon Sep 17 00:00:00 2001
+From: Mirek Kratochvil
+Date: Fri, 15 May 2015 21:15:29 +0200
+Subject: netfilter: nf_tables: fix bogus warning in nft_data_uninit()
+
+From: Mirek Kratochvil
+
+commit 960bd2c26421d321e890f1936938196ead41976f upstream.
+
+The values 0x00000000-0xfffffeff are reserved for userspace datatype. When,
+deleting set elements with maps, a bogus warning is triggered.
+
+WARNING: CPU: 0 PID: 11133 at net/netfilter/nf_tables_api.c:4481 nft_data_uninit+0x35/0x40 [nf_tables]()
+
+This fixes the check accordingly to enum definition in
+include/linux/netfilter/nf_tables.h
+
+Fixes: https://bugzilla.netfilter.org/show_bug.cgi?id=1013
+Signed-off-by: Mirek Kratochvil
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -3316,9 +3316,9 @@ EXPORT_SYMBOL_GPL(nft_data_init);
+ */
+ void nft_data_uninit(const struct nft_data *data, enum nft_data_types type)
+ {
+- switch (type) {
+- case NFT_DATA_VALUE:
++ if (type < NFT_DATA_VERDICT)
+ return;
++ switch (type) {
+ case NFT_DATA_VERDICT:
+ return nft_verdict_uninit(data);
+ default:
diff --git a/queue-3.14/series b/queue-3.14/series
index 80382e6e498..1246ae206d3 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
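Review bot: The new guard `if (type < NFT_DATA_VERDICT) return;` depends on the ordering of `enum nft_data_types`, which is not visible in this hunk, and nothing at the site explains it. A one-line comment would help, e.g. `/* types below NFT_DATA_VERDICT are userspace-defined value types; nothing to release */`, following the changelog's statement that 0x00000000-0xfffffeff are reserved for userspace. Since NFT_DATA_VERDICT presumably sits just above 0xfffffeff, it is also worth confirming that the enum is compared as an unsigned value in this tree, because a signed comparison would invert the test. The `default:` arm of the switch continues past the end of the hunk.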
@@ -1,2 +1,5 @@
 tracepoints-do-not-trace-when-cpu-is-offline.patch
 drm-ast-initialized-data-needed-to-map-fbdev-memory.patch
+netfilter-nf_tables-fix-bogus-warning-in-nft_data_uninit.patch
+netfilter-ipt_rpfilter-remove-the-nh_scope-test-in-rpfilter_lookup_reverse.patch
+netfilter-ip6t_synproxy-fix-null-pointer-dereference.patch
-- 
2.47.3