5.10-stable patches

added patches:
	netfilter-nf_tables-fix-false-positive-lockdep-splat.patch
	netfilter-nf_tables-fix-kdoc-warnings-after-gc-rework.patch
	netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch

diff --git a/queue-5.10/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch b/queue-5.10/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch
new file mode 100644 (file)
index 0000000..961ff49
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-fix-false-positive-lockdep-splat.patch
@@ -0,0 +1,65 @@
+From b9f052dc68f69dac89fe1e24693354c033daa091 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 8 Aug 2023 20:40:17 +0200
+Subject: netfilter: nf_tables: fix false-positive lockdep splat
+
+From: Florian Westphal <fw@strlen.de>
+
+commit b9f052dc68f69dac89fe1e24693354c033daa091 upstream.
+
+->abort invocation may cause splat on debug kernels:
+
+WARNING: suspicious RCU usage
+net/netfilter/nft_set_pipapo.c:1697 suspicious rcu_dereference_check() usage!
+[..]
+rcu_scheduler_active = 2, debug_locks = 1
+1 lock held by nft/133554: [..] (nft_net->commit_mutex){+.+.}-{3:3}, at: nf_tables_valid_genid
+[..]
+ lockdep_rcu_suspicious+0x1ad/0x260
+ nft_pipapo_abort+0x145/0x180
+ __nf_tables_abort+0x5359/0x63d0
+ nf_tables_abort+0x24/0x40
+ nfnetlink_rcv+0x1a0a/0x22c0
+ netlink_unicast+0x73c/0x900
+ netlink_sendmsg+0x7f0/0xc20
+ ____sys_sendmsg+0x48d/0x760
+
+Transaction mutex is held, so parallel updates are not possible.
+Switch to _protected and check mutex is held for lockdep enabled builds.
+
+Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_set_pipapo.c |   13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_set_pipapo.c
++++ b/net/netfilter/nft_set_pipapo.c
+@@ -1695,6 +1695,17 @@ static void nft_pipapo_commit(const stru
+       priv->clone = new_clone;
+ }
+ 
++static bool nft_pipapo_transaction_mutex_held(const struct nft_set *set)
++{
++#ifdef CONFIG_PROVE_LOCKING
++      const struct net *net = read_pnet(&set->net);
++
++      return lockdep_is_held(&nft_pernet(net)->commit_mutex);
++#else
++      return true;
++#endif
++}
++
+ static void nft_pipapo_abort(const struct nft_set *set)
+ {
+       struct nft_pipapo *priv = nft_set_priv(set);
+@@ -1703,7 +1714,7 @@ static void nft_pipapo_abort(const struc
+       if (!priv->dirty)
+               return;
+ 
+-      m = rcu_dereference(priv->match);
++      m = rcu_dereference_protected(priv->match, nft_pipapo_transaction_mutex_held(set));
+ 
+       new_clone = pipapo_clone(m);
+       if (IS_ERR(new_clone))

diff --git a/queue-5.10/netfilter-nf_tables-fix-kdoc-warnings-after-gc-rework.patch b/queue-5.10/netfilter-nf_tables-fix-kdoc-warnings-after-gc-rework.patch
new file mode 100644 (file)
index 0000000..951ac25
--- /dev/null
+++ b/queue-5.10/netfilter-nf_tables-fix-kdoc-warnings-after-gc-rework.patch
@@ -0,0 +1,35 @@
+From 08713cb006b6f07434f276c5ee214fb20c7fd965 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Thu, 10 Aug 2023 23:59:03 +0200
+Subject: netfilter: nf_tables: fix kdoc warnings after gc rework
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 08713cb006b6f07434f276c5ee214fb20c7fd965 upstream.
+
+Jakub Kicinski says:
+  We've got some new kdoc warnings here:
+  net/netfilter/nft_set_pipapo.c:1557: warning: Function parameter or member '_set' not described in 'pipapo_gc'
+  net/netfilter/nft_set_pipapo.c:1557: warning: Excess function parameter 'set' description in 'pipapo_gc'
+  include/net/netfilter/nf_tables.h:577: warning: Function parameter or member 'dead' not described in 'nft_set'
+
+Fixes: 5f68718b34a5 ("netfilter: nf_tables: GC transaction API to avoid race with control plane")
+Fixes: f6c383b8c31a ("netfilter: nf_tables: adapt set backend to use GC transaction API")
+Reported-by: Jakub Kicinski <kuba@kernel.org>
+Closes: https://lore.kernel.org/netdev/20230810104638.746e46f1@kernel.org/
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ include/net/netfilter/nf_tables.h |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/include/net/netfilter/nf_tables.h
++++ b/include/net/netfilter/nf_tables.h
+@@ -439,6 +439,7 @@ struct nft_set_type {
+  *    @expr: stateful expression
+  *    @ops: set ops
+  *    @flags: set flags
++ *    @dead: set will be freed, never cleared
+  *    @genmask: generation mask
+  *    @klen: key length
+  *    @dlen: data length

diff --git a/queue-5.10/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch b/queue-5.10/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch
new file mode 100644 (file)
index 0000000..8aba236
--- /dev/null
+++ b/queue-5.10/netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch
@@ -0,0 +1,91 @@
+From fd94d9dadee58e09b49075240fe83423eb1dcd36 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Tue, 5 Sep 2023 23:13:56 +0200
+Subject: netfilter: nftables: exthdr: fix 4-byte stack OOB write
+
+From: Florian Westphal <fw@strlen.de>
+
+commit fd94d9dadee58e09b49075240fe83423eb1dcd36 upstream.
+
+If priv->len is a multiple of 4, then dst[len / 4] can write past
+the destination array which leads to stack corruption.
+
+This construct is necessary to clean the remainder of the register
+in case ->len is NOT a multiple of the register size, so make it
+conditional just like nft_payload.c does.
+
+The bug was added in 4.1 cycle and then copied/inherited when
+tcp/sctp and ip option support was added.
+
+Bug reported by Zero Day Initiative project (ZDI-CAN-21950,
+ZDI-CAN-21951, ZDI-CAN-21961).
+
+Fixes: 49499c3e6e18 ("netfilter: nf_tables: switch registers to 32 bit addressing")
+Fixes: 935b7f643018 ("netfilter: nft_exthdr: add TCP option matching")
+Fixes: 133dc203d77d ("netfilter: nft_exthdr: Support SCTP chunks")
+Fixes: dbb5281a1f84 ("netfilter: nf_tables: add support for matching IPv4 options")
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nft_exthdr.c |   22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/nft_exthdr.c
++++ b/net/netfilter/nft_exthdr.c
+@@ -35,6 +35,14 @@ static unsigned int optlen(const u8 *opt
+               return opt[offset + 1];
+ }
+ 
++static int nft_skb_copy_to_reg(const struct sk_buff *skb, int offset, u32 *dest, unsigned int len)
++{
++      if (len % NFT_REG32_SIZE)
++              dest[len / NFT_REG32_SIZE] = 0;
++
++      return skb_copy_bits(skb, offset, dest, len);
++}
++
+ static void nft_exthdr_ipv6_eval(const struct nft_expr *expr,
+                                struct nft_regs *regs,
+                                const struct nft_pktinfo *pkt)
+@@ -56,8 +64,7 @@ static void nft_exthdr_ipv6_eval(const s
+       }
+       offset += priv->offset;
+ 
+-      dest[priv->len / NFT_REG32_SIZE] = 0;
+-      if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
++      if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
+               goto err;
+       return;
+ err:
+@@ -153,8 +160,7 @@ static void nft_exthdr_ipv4_eval(const s
+       }
+       offset += priv->offset;
+ 
+-      dest[priv->len / NFT_REG32_SIZE] = 0;
+-      if (skb_copy_bits(pkt->skb, offset, dest, priv->len) < 0)
++      if (nft_skb_copy_to_reg(pkt->skb, offset, dest, priv->len) < 0)
+               goto err;
+       return;
+ err:
+@@ -210,7 +216,8 @@ static void nft_exthdr_tcp_eval(const st
+               if (priv->flags & NFT_EXTHDR_F_PRESENT) {
+                       *dest = 1;
+               } else {
+-                      dest[priv->len / NFT_REG32_SIZE] = 0;
++                      if (priv->len % NFT_REG32_SIZE)
++                              dest[priv->len / NFT_REG32_SIZE] = 0;
+                       memcpy(dest, opt + offset, priv->len);
+               }
+ 
+@@ -388,9 +395,8 @@ static void nft_exthdr_sctp_eval(const s
+                           offset + ntohs(sch->length) > pkt->skb->len)
+                               break;
+ 
+-                      dest[priv->len / NFT_REG32_SIZE] = 0;
+-                      if (skb_copy_bits(pkt->skb, offset + priv->offset,
+-                                        dest, priv->len) < 0)
++                      if (nft_skb_copy_to_reg(pkt->skb, offset + priv->offset,
++                                              dest, priv->len) < 0)
+                               break;
+                       return;
+               }

diff --git a/queue-5.10/series b/queue-5.10/series
index 729affd9131fc7184174527b6c3af74cc56404aa..74e5654e41b53c62e2ef017df3977eed5d5cb12d 100644 (file)
--- a/queue-5.10/series
+++ b/queue-5.10/series
@@ -223,3 +223,6 @@ rdma-uverbs-fix-typo-of-sizeof-argument.patch
 rdma-siw-fix-connection-failure-handling.patch
 rdma-mlx5-fix-null-string-error.patch
 parisc-restore-__ldcw_align-for-pa-risc-2.0-processors.patch
+netfilter-nf_tables-fix-false-positive-lockdep-splat.patch
+netfilter-nf_tables-fix-kdoc-warnings-after-gc-rework.patch
+netfilter-nftables-exthdr-fix-4-byte-stack-oob-write.patch