From d91c0680522e6f6e95d68fe7079759bc5ee4068e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 20 Jan 2020 12:35:39 +0100
Subject: [PATCH] 4.19-stable patches
added patches:
batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
netfilter-fix-a-use-after-free-in-mtype_destroy.patch
netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
netfilter-nft_tunnel-fix-null-attribute-check.patch
nfc-pn533-fix-bulk-message-timeout.patch
---
...e-selection-on-little-endian-systems.patch | 49 +++++++
...ns-pointer-in-xt_tgdtor_param-struct.patch | 124 ++++++++++++++++++
...ix-a-use-after-free-in-mtype_destroy.patch | 36 +++++
...es-fix-flowtable-list-del-corruption.patch | 71 ++++++++++
...warn-and-add-nla_string-upper-limits.patch | 74 +++++++++++
...list-locally-while-requesting-module.patch | 98 ++++++++++++++
...-nft_tunnel-fix-null-attribute-check.patch | 33 +++++
.../nfc-pn533-fix-bulk-message-timeout.patch | 38 ++++++
queue-4.19/series | 8 ++
9 files changed, 531 insertions(+)
create mode 100644 queue-4.19/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
create mode 100644 queue-4.19/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
create mode 100644 queue-4.19/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
create mode 100644 queue-4.19/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
create mode 100644 queue-4.19/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
create mode 100644 queue-4.19/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
create mode 100644 queue-4.19/netfilter-nft_tunnel-fix-null-attribute-check.patch
create mode 100644 queue-4.19/nfc-pn533-fix-bulk-message-timeout.patch
diff --git a/queue-4.19/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch b/queue-4.19/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
new file mode 100644
index 00000000000..1023260de7b
--- /dev/null
+++ b/queue-4.19/batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
@@ -0,0 +1,49 @@
+From 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 Mon Sep 17 00:00:00 2001
+From: Sven Eckelmann
+Date: Thu, 28 Nov 2019 12:25:45 +0100
+Subject: batman-adv: Fix DAT candidate selection on little endian systems
+
+From: Sven Eckelmann
+
+commit 4cc4a1708903f404d2ca0dfde30e71e052c6cbc9 upstream.
+
+The distributed arp table is using a DHT to store and retrieve MAC address
+information for an IP address. This is done using unicast messages to
+selected peers. The potential peers are looked up using the IP address and
+the VID.
+
+While the IP address is always stored in big endian byte order, this is not
+the case of the VID. It can (depending on the host system) either be big
+endian or little endian. The host must therefore always convert it to big
+endian to ensure that all devices calculate the same peers for the same
+lookup data.
+
+Fixes: be1db4f6615b ("batman-adv: make the Distributed ARP Table vlan aware")
+Signed-off-by: Sven Eckelmann
+Signed-off-by: Simon Wunderlich
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/batman-adv/distributed-arp-table.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/batman-adv/distributed-arp-table.c
++++ b/net/batman-adv/distributed-arp-table.c
+@@ -251,6 +251,7 @@ static u32 batadv_hash_dat(const void *d
+ u32 hash = 0;
+ const struct batadv_dat_entry *dat = data;
+ const unsigned char *key;
++ __be16 vid;
+ u32 i;
+
+ key = (const unsigned char *)&dat->ip;
+@@ -260,7 +261,8 @@ static u32 batadv_hash_dat(const void *d
+ hash ^= (hash >> 6);
+ }
+
+- key = (const unsigned char *)&dat->vid;
++ vid = htons(dat->vid);
++ key = (__force const unsigned char *)&vid;
+ for (i = 0; i < sizeof(dat->vid); i++) {
+ hash += key[i];
+ hash += (hash << 10);
diff --git a/queue-4.19/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch b/queue-4.19/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
new file mode 100644
index 00000000000..da99305207f
--- /dev/null
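Review bot: The loop bound on the last visible context line still measures `dat->vid` while the bytes hashed now come from the local `vid`; the bound should follow the buffer that is actually walked, `for (i = 0; i < sizeof(vid); i++) {`. Both are presumably 16-bit (the declaration of dat->vid is not in the hunk), so this is a consistency point rather than a behaviour change, but it keeps the loop from reading past `vid` if the field's type is ever widened. batadv_hash_dat starts before and ends after this hunk.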
+++ b/queue-4.19/netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch 
@@ -0,0 +1,124 @@
+From 212e7f56605ef9688d0846db60c6c6ec06544095 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Sat, 11 Jan 2020 23:19:53 +0100
+Subject: netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct
+
+From: Florian Westphal
+
+commit 212e7f56605ef9688d0846db60c6c6ec06544095 upstream.
+
+An earlier commit (1b789577f655060d98d20e,
+"netfilter: arp_tables: init netns pointer in xt_tgchk_param struct")
+fixed missing net initialization for arptables, but turns out it was
+incomplete. We can get a very similar struct net NULL deref during
+error unwinding:
+
+general protection fault: 0000 [#1] PREEMPT SMP KASAN
+RIP: 0010:xt_rateest_put+0xa1/0x440 net/netfilter/xt_RATEEST.c:77
+ xt_rateest_tg_destroy+0x72/0xa0 net/netfilter/xt_RATEEST.c:175
+ cleanup_entry net/ipv4/netfilter/arp_tables.c:509 [inline]
+ translate_table+0x11f4/0x1d80 net/ipv4/netfilter/arp_tables.c:587
+ do_replace net/ipv4/netfilter/arp_tables.c:981 [inline]
+ do_arpt_set_ctl+0x317/0x650 net/ipv4/netfilter/arp_tables.c:1461
+
+Also init the netns pointer in xt_tgdtor_param struct.
+
+Fixes: add67461240c1d ("netfilter: add struct net * to target parameters")
+Reported-by: syzbot+91bdd8eece0f6629ec8b@syzkaller.appspotmail.com
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/netfilter/arp_tables.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -495,12 +495,13 @@ static inline int check_entry_size_and_h
+ return 0;
+ }
+
+-static inline void cleanup_entry(struct arpt_entry *e)
++static void cleanup_entry(struct arpt_entry *e, struct net *net)
+ {
+ struct xt_tgdtor_param par;
+ struct xt_entry_target *t;
+
+ t = arpt_get_target(e);
++ par.net = net;
+ par.target = t->u.kernel.target;
+ par.targinfo = t->data;
+ par.family = NFPROTO_ARP;
+@@ -583,7 +584,7 @@ static int translate_table(struct net *n
+ xt_entry_foreach(iter, entry0, newinfo->size) {
+ if (i-- == 0)
+ break;
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ }
+ return ret;
+ }
+@@ -926,7 +927,7 @@ static int __do_replace(struct net *net,
+ /* Decrease module usage counts and free resource */
+ loc_cpu_old_entry = oldinfo->entries;
+ xt_entry_foreach(iter, loc_cpu_old_entry, oldinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+
+ xt_free_table_info(oldinfo);
+ if (copy_to_user(counters_ptr, counters,
+@@ -989,7 +990,7 @@ static int do_replace(struct net *net, c
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1286,7 +1287,7 @@ static int compat_do_replace(struct net
+
+ free_newinfo_untrans:
+ xt_entry_foreach(iter, loc_cpu_entry, newinfo->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ free_newinfo:
+ xt_free_table_info(newinfo);
+ return ret;
+@@ -1513,7 +1514,7 @@ static int do_arpt_get_ctl(struct sock *
+ return ret;
+ }
+
+-static void __arpt_unregister_table(struct xt_table *table)
++static void __arpt_unregister_table(struct net *net, struct xt_table *table)
+ {
+ struct xt_table_info *private;
+ void *loc_cpu_entry;
+@@ -1525,7 +1526,7 @@ static void __arpt_unregister_table(stru
+ /* Decrease module usage counts and free resources */
+ loc_cpu_entry = private->entries;
+ xt_entry_foreach(iter, loc_cpu_entry, private->size)
+- cleanup_entry(iter);
++ cleanup_entry(iter, net);
+ if (private->number > private->initial_entries)
+ module_put(table_owner);
+ xt_free_table_info(private);
+@@ -1565,7 +1566,7 @@ int arpt_register_table(struct net *net,
+
+ ret = nf_register_net_hooks(net, ops, hweight32(table->valid_hooks));
+ if (ret != 0) {
+- __arpt_unregister_table(new_table);
++ __arpt_unregister_table(net, new_table);
+ *res = NULL;
+ }
+
+@@ -1580,7 +1581,7 @@ void arpt_unregister_table(struct net *n
+ const struct nf_hook_ops *ops)
+ {
+ nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
+- __arpt_unregister_table(table);
++ __arpt_unregister_table(net, table);
+ }
+
+ /* The built-in targets: standard (NULL) and error. */
diff --git a/queue-4.19/netfilter-fix-a-use-after-free-in-mtype_destroy.patch b/queue-4.19/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
new file mode 100644
index 00000000000..f80e1ad9ed7
--- /dev/null
+++ b/queue-4.19/netfilter-fix-a-use-after-free-in-mtype_destroy.patch
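Review bot: `struct xt_tgdtor_param par;` in cleanup_entry is still an uninitialized stack object filled one field at a time, and the commit message records that this is the second field of such a parameter struct found unset on this path; any member the callee reads that is not listed here stays garbage. Zero-initializing at the declaration closes that class of bug for this function: replace the declaration with `struct xt_tgdtor_param par = { .net = net };` and drop the separate `par.net = net;` line (the remaining `par.target` / `par.targinfo` / `par.family` assignments can stay or move into the initializer). cleanup_entry's body continues past `par.family = NFPROTO_ARP;`, outside the hunk, so whether further fields are set there cannot be confirmed from this view.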
@@ -0,0 +1,36 @@
+From c120959387efa51479056fd01dc90adfba7a590c Mon Sep 17 00:00:00 2001
+From: Cong Wang
+Date: Fri, 10 Jan 2020 11:53:08 -0800
+Subject: netfilter: fix a use-after-free in mtype_destroy()
+
+From: Cong Wang
+
+commit c120959387efa51479056fd01dc90adfba7a590c upstream.
+
+map->members is freed by ip_set_free() right before using it in
+mtype_ext_cleanup() again. So we just have to move it down.
+
+Reported-by: syzbot+4c3cc6dbe7259dbf9054@syzkaller.appspotmail.com
+Fixes: 40cd63bf33b2 ("netfilter: ipset: Support extensions which need a per data destroy function")
+Acked-by: Jozsef Kadlecsik
+Signed-off-by: Cong Wang
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_bitmap_gen.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_bitmap_gen.h
++++ b/net/netfilter/ipset/ip_set_bitmap_gen.h
+@@ -64,9 +64,9 @@ mtype_destroy(struct ip_set *set)
+ if (SET_WITH_TIMEOUT(set))
+ del_timer_sync(&map->gc);
+
+- ip_set_free(map->members);
+ if (set->dsize && set->extensions & IPSET_EXT_DESTROY)
+ mtype_ext_cleanup(set);
++ ip_set_free(map->members);
+ ip_set_free(map);
+
+ set->data = NULL;
diff --git a/queue-4.19/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch b/queue-4.19/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
new file mode 100644
index 00000000000..1f6ed1af076
--- /dev/null
+++ b/queue-4.19/netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
@@ -0,0 +1,71 @@
+From 335178d5429c4cee61b58f4ac80688f556630818 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 16 Jan 2020 12:03:01 +0100
+Subject: netfilter: nf_tables: fix flowtable list del corruption
+
+From: Florian Westphal
+
+commit 335178d5429c4cee61b58f4ac80688f556630818 upstream.
+
+syzbot reported following crash:
+
+ list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
+ [..]
+ Call Trace:
+ __list_del_entry include/linux/list.h:131 [inline]
+ list_del_rcu include/linux/rculist.h:148 [inline]
+ nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
+ [..]
+
+The commit transaction list has:
+
+NFT_MSG_NEWTABLE
+NFT_MSG_NEWFLOWTABLE
+NFT_MSG_DELFLOWTABLE
+NFT_MSG_DELTABLE
+
+A missing generation check during DELTABLE processing causes it to queue
+the DELFLOWTABLE operation a second time, so we corrupt the list here:
+
+ case NFT_MSG_DELFLOWTABLE:
+ list_del_rcu(&nft_trans_flowtable(trans)->list);
+ nf_tables_flowtable_notify(&trans->ctx,
+
+because we have two different DELFLOWTABLE transactions for the same
+flowtable. We then call list_del_rcu() twice for the same flowtable->list.
+
+The object handling seems to suffer from the same bug so add a generation
+check too and only queue delete transactions for flowtables/objects that
+are still active in the next generation.
+
+Reported-by: syzbot+37a6804945a3a13b1572@syzkaller.appspotmail.com
+Fixes: 3b49e2e94e6eb ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -936,12 +936,18 @@ static int nft_flush_table(struct nft_ct
+ }
+
+ list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
++ if (!nft_is_active_next(ctx->net, flowtable))
++ continue;
++
+ err = nft_delflowtable(ctx, flowtable);
+ if (err < 0)
+ goto out;
+ }
+
+ list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
++ if (!nft_is_active_next(ctx->net, obj))
++ continue;
++
+ err = nft_delobj(ctx, obj);
+ if (err < 0)
+ goto out;
diff --git a/queue-4.19/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch b/queue-4.19/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
new file mode 100644
index 00000000000..1c04cd0b07d
--- /dev/null
+++ b/queue-4.19/netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
@@ -0,0 +1,74 @@
+From 9332d27d7918182add34e8043f6a754530fdd022 Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 16 Jan 2020 09:06:50 +0100
+Subject: netfilter: nf_tables: remove WARN and add NLA_STRING upper limits
+
+From: Florian Westphal
+
+commit 9332d27d7918182add34e8043f6a754530fdd022 upstream.
+
+This WARN can trigger because some of the names fed to the module
+autoload function can be of arbitrary length.
+
+Remove the WARN and add limits for all NLA_STRING attributes.
+
+Reported-by: syzbot+0e63ae76d117ae1c3a01@syzkaller.appspotmail.com
+Fixes: 452238e8d5ffd8 ("netfilter: nf_tables: add and use helper for module autoload")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 13 +++++++++----
+ 1 file changed, 9 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -24,6 +24,8 @@
+ #include
+ #include
+
++#define NFT_MODULE_AUTOLOAD_LIMIT (MODULE_NAME_LEN - sizeof("nft-expr-255-"))
++
+ static LIST_HEAD(nf_tables_expressions);
+ static LIST_HEAD(nf_tables_objects);
+ static LIST_HEAD(nf_tables_flowtables);
+@@ -504,7 +506,7 @@ static void nft_request_module(struct ne
+ va_start(args, fmt);
+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
+ va_end(args);
+- if (WARN(ret >= MODULE_NAME_LEN, "truncated: '%s' (len %d)", module_name, ret))
++ if (ret >= MODULE_NAME_LEN)
+ return;
+
+ mutex_unlock(&net->nft.commit_mutex);
+@@ -1129,7 +1131,8 @@ static const struct nla_policy nft_chain
+ .len = NFT_CHAIN_MAXNAMELEN - 1 },
+ [NFTA_CHAIN_HOOK] = { .type = NLA_NESTED },
+ [NFTA_CHAIN_POLICY] = { .type = NLA_U32 },
+- [NFTA_CHAIN_TYPE] = { .type = NLA_STRING },
++ [NFTA_CHAIN_TYPE] = { .type = NLA_STRING,
++ .len = NFT_MODULE_AUTOLOAD_LIMIT },
+ [NFTA_CHAIN_COUNTERS] = { .type = NLA_NESTED },
+ };
+
+@@ -2012,7 +2015,8 @@ static const struct nft_expr_type *nft_e
+ }
+
+ static const struct nla_policy nft_expr_policy[NFTA_EXPR_MAX + 1] = {
+- [NFTA_EXPR_NAME] = { .type = NLA_STRING },
++ [NFTA_EXPR_NAME] = { .type = NLA_STRING,
++ .len = NFT_MODULE_AUTOLOAD_LIMIT },
+ [NFTA_EXPR_DATA] = { .type = NLA_NESTED },
+ };
+
+@@ -3796,7 +3800,8 @@ static const struct nla_policy nft_set_e
+ [NFTA_SET_ELEM_USERDATA] = { .type = NLA_BINARY,
+ .len = NFT_USERDATA_MAXLEN },
+ [NFTA_SET_ELEM_EXPR] = { .type = NLA_NESTED },
+- [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING },
++ [NFTA_SET_ELEM_OBJREF] = { .type = NLA_STRING,
++ .len = NFT_OBJ_MAXNAMELEN - 1 },
+ };
+
+ static const struct nla_policy nft_set_elem_list_policy[NFTA_SET_ELEM_LIST_MAX + 1] = {
diff --git a/queue-4.19/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch b/queue-4.19/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
new file mode 100644
index 00000000000..1f0bd517481
--- /dev/null
+++ b/queue-4.19/netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
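Review bot: `NFT_MODULE_AUTOLOAD_LIMIT` is introduced without a comment, and its value only makes sense against the format strings that nft_request_module's callers pass, which are not in the hunk: `sizeof("nft-expr-255-")` stands in for the longest prefix, with the family number presumably capped at 255 and the NUL counted because MODULE_NAME_LEN also reserves one. A one-line comment above the define, such as `/* what is left of MODULE_NAME_LEN after the longest "nft-expr-<family>-" prefix (family <= 255); sizeof also counts the NUL */`, would record that derivation for the next person who changes a format string. The bare `return` that replaces the WARN now skips the module request with no trace at all; the new `.len` limits are presumably what makes that path unreachable from netlink, and that relationship is worth stating in the same comment since nothing else ties the two together. nft_request_module's body continues outside this hunk.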
@@ -0,0 +1,98 @@
+From ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 13 Jan 2020 18:09:58 +0100
+Subject: netfilter: nf_tables: store transaction list locally while requesting module
+
+From: Pablo Neira Ayuso
+
+commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 upstream.
+
+This patch fixes a WARN_ON in nft_set_destroy() due to missing
+set reference count drop from the preparation phase. This is triggered
+by the module autoload path. Do not exercise the abort path from
+nft_request_module() while preparation phase cleaning up is still
+pending.
+
+ WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables]
+ [...]
+ CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1
+ RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables]
+ Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52
+ RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202
+ RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03
+ RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200
+ RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318
+ R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0
+ R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80
+ FS: 00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0
+ Call Trace:
+ __nf_tables_abort+0x3e3/0x6d0 [nf_tables]
+ nft_request_module+0x6f/0x110 [nf_tables]
+ nft_expr_type_request_module+0x28/0x50 [nf_tables]
+ nf_tables_expr_parse+0x198/0x1f0 [nf_tables]
+ nft_expr_init+0x3b/0xf0 [nf_tables]
+ nft_dynset_init+0x1e2/0x410 [nf_tables]
+ nf_tables_newrule+0x30a/0x930 [nf_tables]
+ nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink]
+ nfnetlink_rcv+0x125/0x171 [nfnetlink]
+ netlink_unicast+0x179/0x210
+ netlink_sendmsg+0x208/0x3d0
+ sock_sendmsg+0x5e/0x60
+ ____sys_sendmsg+0x21b/0x290
+
+Update comment on the code to describe the new behaviour.
+
+Reported-by: Marco Oliverio
+Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 19 ++++++++++---------
+ 1 file changed, 10 insertions(+), 9 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -485,23 +485,21 @@ __nf_tables_chain_type_lookup(const stru
+ }
+
+ /*
+- * Loading a module requires dropping mutex that guards the
+- * transaction.
+- * We first need to abort any pending transactions as once
+- * mutex is unlocked a different client could start a new
+- * transaction. It must not see any 'future generation'
+- * changes * as these changes will never happen.
++ * Loading a module requires dropping mutex that guards the transaction.
++ * A different client might race to start a new transaction meanwhile. Zap the
++ * list of pending transaction and then restore it once the mutex is grabbed
++ * again. Users of this function return EAGAIN which implicitly triggers the
++ * transaction abort path to clean up the list of pending transactions.
+ */
+ #ifdef CONFIG_MODULES
+-static int __nf_tables_abort(struct net *net);
+-
+ static void nft_request_module(struct net *net, const char *fmt, ...)
+ {
+ char module_name[MODULE_NAME_LEN];
++ LIST_HEAD(commit_list);
+ va_list args;
+ int ret;
+
+- __nf_tables_abort(net);
++ list_splice_init(&net->nft.commit_list, &commit_list);
+
+ va_start(args, fmt);
+ ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
+@@ -512,6 +510,9 @@ static void nft_request_module(struct ne
+ mutex_unlock(&net->nft.commit_mutex);
+ request_module("%s", module_name);
+ mutex_lock(&net->nft.commit_mutex);
++
++ WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
++ list_splice(&commit_list, &net->nft.commit_list);
+ }
+ #endif
+
diff --git a/queue-4.19/netfilter-nft_tunnel-fix-null-attribute-check.patch b/queue-4.19/netfilter-nft_tunnel-fix-null-attribute-check.patch
new file mode 100644
index 00000000000..b7688dd6c07
--- /dev/null
+++ b/queue-4.19/netfilter-nft_tunnel-fix-null-attribute-check.patch
@@ -0,0 +1,33 @@
+From 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed Mon Sep 17 00:00:00 2001
+From: Florian Westphal
+Date: Thu, 16 Jan 2020 08:44:11 +0100
+Subject: netfilter: nft_tunnel: fix null-attribute check
+
+From: Florian Westphal
+
+commit 1c702bf902bd37349f6d91cd7f4b372b1e46d0ed upstream.
+
+else we get null deref when one of the attributes is missing, both
+must be non-null.
+
+Reported-by: syzbot+76d0b80493ac881ff77b@syzkaller.appspotmail.com
+Fixes: aaecfdb5c5dd8ba ("netfilter: nf_tables: match on tunnel metadata")
+Signed-off-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nft_tunnel.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_tunnel.c
++++ b/net/netfilter/nft_tunnel.c
+@@ -56,7 +56,7 @@ static int nft_tunnel_get_init(const str
+ struct nft_tunnel *priv = nft_expr_priv(expr);
+ u32 len;
+
+- if (!tb[NFTA_TUNNEL_KEY] &&
++ if (!tb[NFTA_TUNNEL_KEY] ||
+ !tb[NFTA_TUNNEL_DREG])
+ return -EINVAL;
+
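Review bot: The truncation guard that sits between the two hunks of nft_request_module (`if (ret >= MODULE_NAME_LEN) return;`, shown at the same function in the sibling patch netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch, whose line numbers line up with this patch's second hunk starting at `mutex_unlock`) now returns after `list_splice_init` has already moved every pending transaction onto the local `commit_list`, so on that path nothing restores them and the caller's later abort sees an empty list, leaving the prepared objects unreleased. Either move `list_splice_init(&net->nft.commit_list, &commit_list);` below that guard, or restore before returning: `if (ret >= MODULE_NAME_LEN) { list_splice(&commit_list, &net->nft.commit_list); return; }`. The guard lines themselves are outside this hunk, so this is inferred from the sibling patch rather than seen here; the function's signature is in the first hunk and its opening brace starts this one.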
diff --git a/queue-4.19/nfc-pn533-fix-bulk-message-timeout.patch b/queue-4.19/nfc-pn533-fix-bulk-message-timeout.patch
new file mode 100644
index 00000000000..7f023d4071b
--- /dev/null
+++ b/queue-4.19/nfc-pn533-fix-bulk-message-timeout.patch
@@ -0,0 +1,38 @@
+From a112adafcb47760feff959ee1ecd10b74d2c5467 Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Mon, 13 Jan 2020 18:23:58 +0100
+Subject: NFC: pn533: fix bulk-message timeout
+
+From: Johan Hovold
+
+commit a112adafcb47760feff959ee1ecd10b74d2c5467 upstream.
+
+The driver was doing a synchronous uninterruptible bulk-transfer without
+using a timeout. This could lead to the driver hanging on probe due to a
+malfunctioning (or malicious) device until the device is physically
+disconnected. While sleeping in probe the driver prevents other devices
+connected to the same hub from being added to (or removed from) the bus.
+
+An arbitrary limit of five seconds should be more than enough.
+
+Fixes: dbafc28955fa ("NFC: pn533: don't send USB data off of the stack")
+Signed-off-by: Johan Hovold
+Reviewed-by: Greg Kroah-Hartman
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/nfc/pn533/usb.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/nfc/pn533/usb.c
++++ b/drivers/nfc/pn533/usb.c
+@@ -403,7 +403,7 @@ static int pn533_acr122_poweron_rdr(stru
+ cmd, sizeof(cmd), false);
+
+ rc = usb_bulk_msg(phy->udev, phy->out_urb->pipe, buffer, sizeof(cmd),
+- &transferred, 0);
++ &transferred, 5000);
+ kfree(buffer);
+ if (rc || (transferred != sizeof(cmd))) {
+ nfc_err(&phy->udev->dev,
diff --git a/queue-4.19/series b/queue-4.19/series
index 95b57ac510e..0d83d93c509 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
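Review bot: The new timeout on the changed line is a bare `5000` with nothing in the code tying it to the "five seconds" rationale or its unit; a named constant, e.g. `#define PN533_ACR122_POWERON_TIMEOUT_MS 5000` (constructed name, to be placed with the file's other constants) used as `&transferred, PN533_ACR122_POWERON_TIMEOUT_MS);`, would document the unit and keep the limit adjustable if a slower reader turns up. A short comment on the call, `/* bounded so a stuck device cannot wedge probe (and the hub) indefinitely */`, would preserve the reason the commit message gives. pn533_acr122_poweron_rdr starts before and continues after this hunk, so how a timed-out transfer is reported relative to other failures cannot be seen here.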
@@ -55,3 +55,11 @@ bpf-fix-incorrect-verifier-simulation-of-arsh-under-alu32.patch
 cfg80211-fix-deadlocks-in-autodisconnect-work.patch
 cfg80211-fix-memory-leak-in-cfg80211_cqm_rssi_update.patch
 cfg80211-fix-page-refcount-issue-in-a-msdu-decap.patch
+netfilter-fix-a-use-after-free-in-mtype_destroy.patch
+netfilter-arp_tables-init-netns-pointer-in-xt_tgdtor_param-struct.patch
+netfilter-nft_tunnel-fix-null-attribute-check.patch
+netfilter-nf_tables-remove-warn-and-add-nla_string-upper-limits.patch
+netfilter-nf_tables-store-transaction-list-locally-while-requesting-module.patch
+netfilter-nf_tables-fix-flowtable-list-del-corruption.patch
+nfc-pn533-fix-bulk-message-timeout.patch
+batman-adv-fix-dat-candidate-selection-on-little-endian-systems.patch
-- 
2.47.3