4.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 25 Feb 2019 16:37:00 +0000 (17:37 +0100)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 25 Feb 2019 16:37:00 +0000 (17:37 +0100)
added patches:
net-avoid-false-positives-in-untrusted-gso-validation.patch
net-validate-untrusted-gso-packets-without-csum-offload.patch
netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
netfilter-nft_compat-use-after-free-when-deleting-targets.patch
revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch

queue-4.14/net-avoid-false-positives-in-untrusted-gso-validation.patch [new file with mode: 0644]
queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch [new file with mode: 0644]
queue-4.14/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch [new file with mode: 0644]
queue-4.14/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch [new file with mode: 0644]
queue-4.14/netfilter-nft_compat-use-after-free-when-deleting-targets.patch [new file with mode: 0644]
queue-4.14/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch [new file with mode: 0644]
queue-4.14/series

diff --git a/queue-4.14/net-avoid-false-positives-in-untrusted-gso-validation.patch b/queue-4.14/net-avoid-false-positives-in-untrusted-gso-validation.patch
new file mode 100644 (file)
index 0000000..5471689
--- /dev/null
@@ -0,0 +1,54 @@
+From 9e8db5913264d3967b93c765a6a9e464d9c473db Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Mon, 18 Feb 2019 23:37:12 -0500
+Subject: net: avoid false positives in untrusted gso validation
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit 9e8db5913264d3967b93c765a6a9e464d9c473db upstream.
+
+GSO packets with vnet_hdr must conform to a small set of gso_types.
+The below commit uses flow dissection to drop packets that do not.
+
+But it has false positives when the skb is not fully initialized.
+Dissection needs skb->protocol and skb->network_header.
+
+Infer skb->protocol from gso_type as the two must agree.
+SKB_GSO_UDP can use both ipv4 and ipv6, so try both.
+
+Exclude callers for which network header offset is not known.
+
+Fixes: d5be7f632bad ("net: validate untrusted gso packets without csum offload")
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/virtio_net.h |   14 ++++++++++++--
+ 1 file changed, 12 insertions(+), 2 deletions(-)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -61,10 +61,20 @@ static inline int virtio_net_hdr_to_skb(
+               /* gso packets without NEEDS_CSUM do not set transport_offset.
+                * probe and drop if does not match one of the above types.
+                */
+-              if (gso_type) {
++              if (gso_type && skb->network_header) {
++                      if (!skb->protocol)
++                              virtio_net_hdr_set_proto(skb, hdr);
++retry:
+                       skb_probe_transport_header(skb, -1);
+-                      if (!skb_transport_header_was_set(skb))
++                      if (!skb_transport_header_was_set(skb)) {
++                              /* UFO does not specify ipv4 or 6: try both */
++                              if (gso_type & SKB_GSO_UDP &&
++                                  skb->protocol == htons(ETH_P_IP)) {
++                                      skb->protocol = htons(ETH_P_IPV6);
++                                      goto retry;
++                              }
+                               return -EINVAL;
++                      }
+               }
+       }
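Review bot: The UFO retry at `if (gso_type & SKB_GSO_UDP && skb->protocol == htons(ETH_P_IP))` flips skb->protocol to ETH_P_IPV6 whether the protocol was inferred by `virtio_net_hdr_set_proto()` a few lines above or supplied by the caller, so a packet the caller declared as IPv4 can be re-validated, and passed on, as IPv6. Limiting the retry to the inferred case keeps the caller's declaration authoritative: add `bool proto_inferred = false;` to the function's declarations, set `proto_inferred = true;` inside the `if (!skb->protocol)` block, and make the condition `if (proto_inferred && gso_type & SKB_GSO_UDP && skb->protocol == htons(ETH_P_IP))`. The new `skb->network_header` guard also treats an offset of zero as "not set"; if any caller places the network header at the very start of the buffer, its GSO packets would skip this validation entirely, which deserves at least a comment. virtio_net_hdr_to_skb() starts and ends outside this hunk.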
diff --git a/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch b/queue-4.14/net-validate-untrusted-gso-packets-without-csum-offload.patch
new file mode 100644 (file)
index 0000000..44d14e8
--- /dev/null
@@ -0,0 +1,65 @@
+From d5be7f632bad0f489879eed0ff4b99bd7fe0b74c Mon Sep 17 00:00:00 2001
+From: Willem de Bruijn <willemb@google.com>
+Date: Fri, 15 Feb 2019 12:15:47 -0500
+Subject: net: validate untrusted gso packets without csum offload
+
+From: Willem de Bruijn <willemb@google.com>
+
+commit d5be7f632bad0f489879eed0ff4b99bd7fe0b74c upstream.
+
+Syzkaller again found a path to a kernel crash through bad gso input.
+By building an excessively large packet to cause an skb field to wrap.
+
+If VIRTIO_NET_HDR_F_NEEDS_CSUM was set this would have been dropped in
+skb_partial_csum_set.
+
+GSO packets that do not set checksum offload are suspicious and rare.
+Most callers of virtio_net_hdr_to_skb already pass them to
+skb_probe_transport_header.
+
+Move that test forward, change it to detect parse failure and drop
+packets on failure as those cleary are not one of the legitimate
+VIRTIO_NET_HDR_GSO types.
+
+Fixes: bfd5f4a3d605 ("packet: Add GSO/csum offload support.")
+Fixes: f43798c27684 ("tun: Allow GSO using virtio_net_hdr")
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Signed-off-by: Willem de Bruijn <willemb@google.com>
+Reviewed-by: Eric Dumazet <edumazet@google.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/skbuff.h     |    2 +-
+ include/linux/virtio_net.h |    9 +++++++++
+ 2 files changed, 10 insertions(+), 1 deletion(-)
+
+--- a/include/linux/skbuff.h
++++ b/include/linux/skbuff.h
+@@ -2377,7 +2377,7 @@ static inline void skb_probe_transport_h
+               return;
+       else if (skb_flow_dissect_flow_keys(skb, &keys, 0))
+               skb_set_transport_header(skb, keys.control.thoff);
+-      else
++      else if (offset_hint >= 0)
+               skb_set_transport_header(skb, offset_hint);
+ }
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -57,6 +57,15 @@ static inline int virtio_net_hdr_to_skb(
+               if (!skb_partial_csum_set(skb, start, off))
+                       return -EINVAL;
++      } else {
++              /* gso packets without NEEDS_CSUM do not set transport_offset.
++               * probe and drop if does not match one of the above types.
++               */
++              if (gso_type) {
++                      skb_probe_transport_header(skb, -1);
++                      if (!skb_transport_header_was_set(skb))
++                              return -EINVAL;
++              }
+       }
+       if (hdr->gso_type != VIRTIO_NET_HDR_GSO_NONE) {
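Review bot: The new `else` branch in virtio_net.h validates a GSO packet by probing and then testing `skb_transport_header_was_set(skb)`, which only proves something if the transport header was unset on entry; a caller that already set it before calling virtio_net_hdr_to_skb() would pass the check with no dissection done (the early `return;` at the top of the skbuff.h hunk looks like that path, though its condition is outside the hunk). Stating the precondition in the new comment, e.g. `/* requires transport_header unset on entry: a pre-set header makes this check vacuous */`, or checking skb_transport_header_was_set() before the probe, would make the contract explicit. The `else if (offset_hint >= 0)` change makes -1 a "no fallback" sentinel for every caller of skb_probe_transport_header(); a short note on the parameter, `offset_hint: fallback offset, or -1 to leave the header unset when dissection fails`, would document it. Both enclosing functions start outside their hunks.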
diff --git a/queue-4.14/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch b/queue-4.14/netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch
new file mode 100644 (file)
index 0000000..199b91c
--- /dev/null
@@ -0,0 +1,45 @@
+From 15df03c661cb362366ecfc3a21820cb934f3e4ca Mon Sep 17 00:00:00 2001
+From: Eli Cooper <elicooper@gmx.com>
+Date: Mon, 21 Jan 2019 18:45:27 +0800
+Subject: netfilter: ipv6: Don't preserve original oif for loopback address
+
+From: Eli Cooper <elicooper@gmx.com>
+
+commit 15df03c661cb362366ecfc3a21820cb934f3e4ca upstream.
+
+Commit 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic
+original oif") made ip6_route_me_harder() keep the original oif for
+link-local and multicast packets. However, it also affected packets
+for the loopback address because it used rt6_need_strict().
+
+REDIRECT rules in the OUTPUT chain rewrite the destination to loopback
+address; thus its oif should not be preserved. This commit fixes the bug
+that redirected local packets are being dropped. Actually the packet was
+not exactly dropped; Instead it was sent out to the original oif rather
+than lo. When a packet with daddr ::1 is sent to the router, it is
+effectively dropped.
+
+Fixes: 508b09046c0f ("netfilter: ipv6: Preserve link scope traffic original oif")
+Signed-off-by: Eli Cooper <elicooper@gmx.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/netfilter.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter.c
++++ b/net/ipv6/netfilter.c
+@@ -24,9 +24,11 @@ int ip6_route_me_harder(struct net *net,
+       struct sock *sk = sk_to_full_sk(skb->sk);
+       unsigned int hh_len;
+       struct dst_entry *dst;
++      int strict = (ipv6_addr_type(&iph->daddr) &
++                    (IPV6_ADDR_MULTICAST | IPV6_ADDR_LINKLOCAL));
+       struct flowi6 fl6 = {
+               .flowi6_oif = sk && sk->sk_bound_dev_if ? sk->sk_bound_dev_if :
+-                      rt6_need_strict(&iph->daddr) ? skb_dst(skb)->dev->ifindex : 0,
++                      strict ? skb_dst(skb)->dev->ifindex : 0,
+               .flowi6_mark = skb->mark,
+               .flowi6_uid = sock_net_uid(net, sk),
+               .daddr = iph->daddr,
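Review bot: `int strict` is computed from the address type alone, deliberately dropping the loopback case that rt6_need_strict() covered, but nothing in the code says so and a reader may "fix" it back. Suggest `/* keep the original oif only for link-local/multicast; loopback (e.g. after REDIRECT to ::1) must be re-routed via lo */` above the declaration, and since the value is only used as a truth value, `bool strict = ...` reads better than an int holding a mask. `skb_dst(skb)->dev->ifindex` is still dereferenced without checking skb_dst(skb); that is pre-existing, but worth confirming every caller has a dst attached. ip6_route_me_harder() continues outside the hunk.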
diff --git a/queue-4.14/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch b/queue-4.14/netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
new file mode 100644 (file)
index 0000000..cc755c3
--- /dev/null
@@ -0,0 +1,35 @@
+From 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Fri, 15 Feb 2019 12:50:24 +0100
+Subject: netfilter: nf_tables: fix flush after rule deletion in the same batch
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 23b7ca4f745f21c2b9cfcb67fdd33733b3ae7e66 upstream.
+
+Flush after rule deletion bogusly hits -ENOENT. Skip rules that have
+been already from nft_delrule_by_chain() which is always called from the
+flush path.
+
+Fixes: cf9dc09d0949 ("netfilter: nf_tables: fix missing rules flushing per table")
+Reported-by: Phil Sutter <phil@nwl.cc>
+Acked-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |    3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -304,6 +304,9 @@ static int nft_delrule_by_chain(struct n
+       int err;
+       list_for_each_entry(rule, &ctx->chain->rules, list) {
++              if (!nft_is_active_next(ctx->net, rule))
++                      continue;
++
+               err = nft_delrule(ctx, rule);
+               if (err < 0)
+                       return err;
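Review bot: The added `if (!nft_is_active_next(ctx->net, rule)) continue;` has no comment explaining that it skips rules already deleted earlier in the same batch (the commit message says this, the code does not), so the next reader sees what looks like an arbitrary filter. Suggest `/* skip rules already deactivated earlier in this batch, otherwise flush hits -ENOENT */` above it. nft_delrule_by_chain() starts and ends outside this hunk.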
diff --git a/queue-4.14/netfilter-nft_compat-use-after-free-when-deleting-targets.patch b/queue-4.14/netfilter-nft_compat-use-after-free-when-deleting-targets.patch
new file mode 100644 (file)
index 0000000..ca9668d
--- /dev/null
@@ -0,0 +1,39 @@
+From 753c111f655e38bbd52fc01321266633f022ebe2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 13 Feb 2019 13:03:53 +0100
+Subject: netfilter: nft_compat: use-after-free when deleting targets
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 753c111f655e38bbd52fc01321266633f022ebe2 upstream.
+
+Fetch pointer to module before target object is released.
+
+Fixes: 29e3880109e3 ("netfilter: nf_tables: fix use-after-free when deleting compat expressions")
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nft_compat.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -277,6 +277,7 @@ nft_target_destroy(const struct nft_ctx
+ {
+       struct xt_target *target = expr->ops->data;
+       void *info = nft_expr_priv(expr);
++      struct module *me = target->me;
+       struct xt_tgdtor_param par;
+       par.net = ctx->net;
+@@ -287,7 +288,7 @@ nft_target_destroy(const struct nft_ctx
+               par.target->destroy(&par);
+       if (nft_xt_put(container_of(expr->ops, struct nft_xt, ops)))
+-              module_put(target->me);
++              module_put(me);
+ }
+ static int nft_target_dump(struct sk_buff *skb, const struct nft_expr *expr)
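Review bot: `struct module *me = target->me;` is hoisted because, per the commit message, the target object is released before the `module_put()`, but the code itself does not say why the copy exists, so a later cleanup could fold it back into the use-after-free. Suggest `/* target may be released by nft_xt_put() below: take the module pointer now */` on the declaration. If the match counterpart (not in this hunk) reads `->me` after its own nft_xt_put(), it needs the same treatment; worth confirming. nft_target_destroy() starts outside the hunk.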
diff --git a/queue-4.14/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch b/queue-4.14/revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
new file mode 100644 (file)
index 0000000..fd5e183
--- /dev/null
@@ -0,0 +1,56 @@
+From 278e2148c07559dd4ad8602f22366d61eb2ee7b7 Mon Sep 17 00:00:00 2001
+From: Hangbin Liu <liuhangbin@gmail.com>
+Date: Fri, 22 Feb 2019 21:22:32 +0800
+Subject: Revert "bridge: do not add port to router list when receives query with source 0.0.0.0"
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Hangbin Liu <liuhangbin@gmail.com>
+
+commit 278e2148c07559dd4ad8602f22366d61eb2ee7b7 upstream.
+
+This reverts commit 5a2de63fd1a5 ("bridge: do not add port to router list
+when receives query with source 0.0.0.0") and commit 0fe5119e267f ("net:
+bridge: remove ipv6 zero address check in mcast queries")
+
+The reason is RFC 4541 is not a standard but suggestive. Currently we
+will elect 0.0.0.0 as Querier if there is no ip address configured on
+bridge. If we do not add the port which recives query with source
+0.0.0.0 to router list, the IGMP reports will not be about to forward
+to Querier, IGMP data will also not be able to forward to dest.
+
+As Nikolay suggested, revert this change first and add a boolopt api
+to disable none-zero election in future if needed.
+
+Reported-by: Linus Lüssing <linus.luessing@c0d3.blue>
+Reported-by: Sebastian Gottschall <s.gottschall@newmedia-net.de>
+Fixes: 5a2de63fd1a5 ("bridge: do not add port to router list when receives query with source 0.0.0.0")
+Fixes: 0fe5119e267f ("net: bridge: remove ipv6 zero address check in mcast queries")
+Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
+Acked-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/br_multicast.c |    9 +--------
+ 1 file changed, 1 insertion(+), 8 deletions(-)
+
+--- a/net/bridge/br_multicast.c
++++ b/net/bridge/br_multicast.c
+@@ -1390,14 +1390,7 @@ static void br_multicast_query_received(
+               return;
+       br_multicast_update_query_timer(br, query, max_delay);
+-
+-      /* Based on RFC4541, section 2.1.1 IGMP Forwarding Rules,
+-       * the arrival port for IGMP Queries where the source address
+-       * is 0.0.0.0 should not be added to router port list.
+-       */
+-      if ((saddr->proto == htons(ETH_P_IP) && saddr->u.ip4) ||
+-          saddr->proto == htons(ETH_P_IPV6))
+-              br_multicast_mark_router(br, port);
++      br_multicast_mark_router(br, port);
+ }
+ static int br_ip4_multicast_query(struct net_bridge *br,
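Review bot: The revert leaves `br_multicast_mark_router(br, port);` with no comment, so the reasoning from the commit message (a bridge without an address elects 0.0.0.0 as querier, so the arrival port must still become a router port) is lost at the call site and the RFC 4541 filter is likely to be re-proposed. Suggest `/* queries from 0.0.0.0 are valid: a bridge with no address elects it as querier; RFC 4541 2.1.1 is advisory, see 278e2148c075 */` above the call. br_multicast_query_received() starts outside the hunk.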
index 732ce6de98e8de42b26de73d6019225316fede9d..0af3e853281d2f3f7aa0d75af36eca12228c81ac 100644 (file)
@@ -60,3 +60,9 @@ arcv2-enable-unaligned-access-in-early-asm-code.patch
 arc-u-boot-check-arguments-paranoidly.patch
 arc-define-arch_slab_minalign-8.patch
 drm-i915-fbdev-actually-configure-untiled-displays.patch
+net-validate-untrusted-gso-packets-without-csum-offload.patch
+net-avoid-false-positives-in-untrusted-gso-validation.patch
+revert-bridge-do-not-add-port-to-router-list-when-receives-query-with-source-0.0.0.0.patch
+netfilter-nf_tables-fix-flush-after-rule-deletion-in-the-same-batch.patch
+netfilter-nft_compat-use-after-free-when-deleting-targets.patch
+netfilter-ipv6-don-t-preserve-original-oif-for-loopback-address.patch