Fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Sun, 31 Jul 2022 02:41:31 +0000 (22:41 -0400)
committerSasha Levin <sashal@kernel.org>
Sun, 31 Jul 2022 02:41:31 +0000 (22:41 -0400)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/net-sungem_phy-add-of_node_put-for-reference-returne.patch [new file with mode: 0644]
queue-4.14/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/net-sungem_phy-add-of_node_put-for-reference-returne.patch b/queue-4.14/net-sungem_phy-add-of_node_put-for-reference-returne.patch
new file mode 100644 (file)
index 0000000..eadee59
--- /dev/null
@@ -0,0 +1,37 @@
+From 88a18a72eef7a98e14fef545b17c3dde155459a9 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Wed, 20 Jul 2022 21:10:03 +0800
+Subject: net: sungem_phy: Add of_node_put() for reference returned by
+ of_get_parent()
+
+From: Liang He <windhl@126.com>
+
+[ Upstream commit ebbbe23fdf6070e31509638df3321688358cc211 ]
+
+In bcm5421_init(), we should call of_node_put() for the reference
+returned by of_get_parent() which has increased the refcount.
+
+Fixes: 3c326fe9cb7a ("[PATCH] ppc64: Add new PHY to sungem")
+Signed-off-by: Liang He <windhl@126.com>
+Link: https://lore.kernel.org/r/20220720131003.1287426-1-windhl@126.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/net/sungem_phy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/sungem_phy.c b/drivers/net/sungem_phy.c
+index 63a8ff816e59..e556b00dfed2 100644
+--- a/drivers/net/sungem_phy.c
++++ b/drivers/net/sungem_phy.c
+@@ -453,6 +453,7 @@ static int bcm5421_init(struct mii_phy* phy)
+               int can_low_power = 1;
+               if (np == NULL || of_get_property(np, "no-autolowpower", NULL))
+                       can_low_power = 0;
++              of_node_put(np);
+               if (can_low_power) {
+                       /* Enable automatic low-power */
+                       sungem_phy_write(phy, 0x1c, 0x9002);
+-- 
+2.35.1
+
diff --git a/queue-4.14/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch b/queue-4.14/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch
new file mode 100644 (file)
index 0000000..9df9061
--- /dev/null
@@ -0,0 +1,53 @@
+From bab893233260229ee8d558c0e53ebf015aab17cb Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 26 Jul 2022 12:42:06 +0200
+Subject: netfilter: nf_queue: do not allow packet truncation below transport
+ header offset
+
+From: Florian Westphal <fw@strlen.de>
+
+[ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ]
+
+Domingo Dirutigliano and Nicola Guerrera report kernel panic when
+sending nf_queue verdict with 1-byte nfta_payload attribute.
+
+The IP/IPv6 stack pulls the IP(v6) header from the packet after the
+input hook.
+
+If user truncates the packet below the header size, this skb_pull() will
+result in a malformed skb (skb->len < 0).
+
+Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
+Reported-by: Domingo Dirutigliano <pwnzer0tt1@proton.me>
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ net/netfilter/nfnetlink_queue.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index ba74bb2d6341..369f1634afe9 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -827,11 +827,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+ }
+ static int
+-nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
++nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
+ {
+       struct sk_buff *nskb;
+       if (diff < 0) {
++              unsigned int min_len = skb_transport_offset(e->skb);
++
++              if (data_len < min_len)
++                      return -EINVAL;
++
+               if (pskb_trim(e->skb, data_len))
+                       return -ENOMEM;
+       } else if (diff > 0) {
+-- 
+2.35.1
+
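Review bot: In the `diff < 0` branch of nfqnl_mangle, `skb_transport_offset()` returns a signed `int` but is stored in `unsigned int min_len`. If that offset is ever negative or the transport header is unset for the queued skb (this hunk does not show whether it can be), `min_len` becomes a very large value and every truncating verdict is rejected with -EINVAL. That fails closed, which is the safe direction, but a comment above the `data_len < min_len` check would show it is intended, e.g. `/* never trim below the transport header: the IP(v6) stack pulls the network header after the hook */`. The body of nfqnl_mangle continues outside the hunk, so the `diff > 0` path is not covered by this note.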
index 00600a2a98f2be7b97bcf190f9626015382a86ce..285523ddc1529bbb21c410330fd0193833a43cf4 100644 (file)
@@ -3,3 +3,5 @@ ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
 s390-archrandom-prevent-cpacf-trng-invocations-in-interrupt-context.patch
 scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch
 net-ping6-fix-memleak-in-ipv6_renew_options.patch
+net-sungem_phy-add-of_node_put-for-reference-returne.patch
+netfilter-nf_queue-do-not-allow-packet-truncation-be.patch