--- /dev/null
+From a068aab42258e25094bc2c159948d263ed7d7a77 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Wed, 27 May 2020 22:10:29 -0500
+Subject: bonding: Fix reference count leak in bond_sysfs_slave_add.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit a068aab42258e25094bc2c159948d263ed7d7a77 upstream.
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object. Previous
+commit "b8eb718348b8" fixed a similar problem.
+
+Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/bonding/bond_sysfs_slave.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_sysfs_slave.c
++++ b/drivers/net/bonding/bond_sysfs_slave.c
+@@ -153,8 +153,10 @@ int bond_sysfs_slave_add(struct slave *s
+
+ err = kobject_init_and_add(&slave->kobj, &slave_ktype,
+ &(slave->dev->dev.kobj), "bonding_slave");
+- if (err)
++ if (err) {
++ kobject_put(&slave->kobj);
+ return err;
++ }
+
+ for (a = slave_attrs; *a; ++a) {
+ err = sysfs_create_file(&slave->kobj, &((*a)->attr));
--- /dev/null
+From 976eba8ab596bab94b9714cd46d38d5c6a2c660d Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 21 Apr 2020 20:46:11 +0800
+Subject: ip_vti: receive ipip packet by calling ip_tunnel_rcv
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit 976eba8ab596bab94b9714cd46d38d5c6a2c660d upstream.
+
+In Commit dd9ee3444014 ("vti4: Fix a ipip packet processing bug in
+'IPCOMP' virtual tunnel"), it tries to receive IPIP packets in vti
+by calling xfrm_input(). This case happens when a small packet or
+frag sent by peer is too small to get compressed.
+
+However, xfrm_input() will still get to the IPCOMP path where skb
+sec_path is set, but never dropped while it should have been done
+in vti_ipcomp4_protocol.cb_handler(vti_rcv_cb), as it's not an
+ipcomp4 packet. This will cause that the packet can never pass
+xfrm4_policy_check() in the upper protocol rcv functions.
+
+So this patch is to call ip_tunnel_rcv() to process IPIP packets
+instead.
+
+Fixes: dd9ee3444014 ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ip_vti.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -99,7 +99,28 @@ static int vti_rcv_proto(struct sk_buff
+
+ static int vti_rcv_tunnel(struct sk_buff *skb)
+ {
+- return vti_rcv(skb, ip_hdr(skb)->saddr, true);
++ struct ip_tunnel_net *itn = net_generic(dev_net(skb->dev), vti_net_id);
++ const struct iphdr *iph = ip_hdr(skb);
++ struct ip_tunnel *tunnel;
++
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
++ iph->saddr, iph->daddr, 0);
++ if (tunnel) {
++ struct tnl_ptk_info tpi = {
++ .proto = htons(ETH_P_IP),
++ };
++
++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
++ goto drop;
++ if (iptunnel_pull_header(skb, 0, tpi.proto, false))
++ goto drop;
++ return ip_tunnel_rcv(tunnel, skb, &tpi, NULL, false);
++ }
++
++ return -EINVAL;
++drop:
++ kfree_skb(skb);
++ return 0;
+ }
+
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
--- /dev/null
+From a164b95ad6055c50612795882f35e0efda1f1390 Mon Sep 17 00:00:00 2001
+From: Phil Sutter <phil@nwl.cc>
+Date: Thu, 14 May 2020 13:31:21 +0200
+Subject: netfilter: ipset: Fix subcounter update skip
+
+From: Phil Sutter <phil@nwl.cc>
+
+commit a164b95ad6055c50612795882f35e0efda1f1390 upstream.
+
+If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
+update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
+must be set, not unset.
+
+Fixes: 6e01781d1c80e ("netfilter: ipset: set match: add support to match the counters")
+Signed-off-by: Phil Sutter <phil@nwl.cc>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipset/ip_set_list_set.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -60,7 +60,7 @@ list_set_ktest(struct ip_set *set, const
+ /* Don't lookup sub-counters at all */
+ opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS;
+ if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE)
+- opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE;
++ opt->cmdflags |= IPSET_FLAG_SKIP_COUNTER_UPDATE;
+ list_for_each_entry_rcu(e, &map->members, list) {
+ if (SET_WITH_TIMEOUT(set) &&
+ ip_set_timeout_expired(ext_timeout(e, set)))
--- /dev/null
+From 4c559f15efcc43b996f4da528cd7f9483aaca36d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 14 May 2020 14:14:23 +0200
+Subject: netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 4c559f15efcc43b996f4da528cd7f9483aaca36d upstream.
+
+Dan Carpenter says: "Smatch complains that the value for "cmd" comes
+from the network and can't be trusted."
+
+Add pptp_msg_name() helper function that checks for the array boundary.
+
+Fixes: f09943fefe6b ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port")
+Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter/nf_conntrack_pptp.h | 2
+ net/ipv4/netfilter/nf_nat_pptp.c | 7 ---
+ net/netfilter/nf_conntrack_pptp.c | 62 +++++++++++++++-------------
+ 3 files changed, 38 insertions(+), 33 deletions(-)
+
+--- a/include/linux/netfilter/nf_conntrack_pptp.h
++++ b/include/linux/netfilter/nf_conntrack_pptp.h
+@@ -4,7 +4,7 @@
+
+ #include <linux/netfilter/nf_conntrack_common.h>
+
+-extern const char *const pptp_msg_name[];
++extern const char *const pptp_msg_name(u_int16_t msg);
+
+ /* state of the control session */
+ enum pptp_ctrlsess_state {
+--- a/net/ipv4/netfilter/nf_nat_pptp.c
++++ b/net/ipv4/netfilter/nf_nat_pptp.c
+@@ -156,8 +156,7 @@ pptp_outbound_pkt(struct sk_buff *skb,
+ break;
+ default:
+ pr_debug("unknown outbound packet 0x%04x:%s\n", msg,
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
+- pptp_msg_name[0]);
++ pptp_msg_name(msg));
+ /* fall through */
+ case PPTP_SET_LINK_INFO:
+ /* only need to NAT in case PAC is behind NAT box */
+@@ -250,9 +249,7 @@ pptp_inbound_pkt(struct sk_buff *skb,
+ pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
+ break;
+ default:
+- pr_debug("unknown inbound packet %s\n",
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
+- pptp_msg_name[0]);
++ pr_debug("unknown inbound packet %s\n", pptp_msg_name(msg));
+ /* fall through */
+ case PPTP_START_SESSION_REQUEST:
+ case PPTP_START_SESSION_REPLY:
+--- a/net/netfilter/nf_conntrack_pptp.c
++++ b/net/netfilter/nf_conntrack_pptp.c
+@@ -71,24 +71,32 @@ EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_expec
+
+ #if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
+ /* PptpControlMessageType names */
+-const char *const pptp_msg_name[] = {
+- "UNKNOWN_MESSAGE",
+- "START_SESSION_REQUEST",
+- "START_SESSION_REPLY",
+- "STOP_SESSION_REQUEST",
+- "STOP_SESSION_REPLY",
+- "ECHO_REQUEST",
+- "ECHO_REPLY",
+- "OUT_CALL_REQUEST",
+- "OUT_CALL_REPLY",
+- "IN_CALL_REQUEST",
+- "IN_CALL_REPLY",
+- "IN_CALL_CONNECT",
+- "CALL_CLEAR_REQUEST",
+- "CALL_DISCONNECT_NOTIFY",
+- "WAN_ERROR_NOTIFY",
+- "SET_LINK_INFO"
++static const char *const pptp_msg_name_array[PPTP_MSG_MAX + 1] = {
++ [0] = "UNKNOWN_MESSAGE",
++ [PPTP_START_SESSION_REQUEST] = "START_SESSION_REQUEST",
++ [PPTP_START_SESSION_REPLY] = "START_SESSION_REPLY",
++ [PPTP_STOP_SESSION_REQUEST] = "STOP_SESSION_REQUEST",
++ [PPTP_STOP_SESSION_REPLY] = "STOP_SESSION_REPLY",
++ [PPTP_ECHO_REQUEST] = "ECHO_REQUEST",
++ [PPTP_ECHO_REPLY] = "ECHO_REPLY",
++ [PPTP_OUT_CALL_REQUEST] = "OUT_CALL_REQUEST",
++ [PPTP_OUT_CALL_REPLY] = "OUT_CALL_REPLY",
++ [PPTP_IN_CALL_REQUEST] = "IN_CALL_REQUEST",
++ [PPTP_IN_CALL_REPLY] = "IN_CALL_REPLY",
++ [PPTP_IN_CALL_CONNECT] = "IN_CALL_CONNECT",
++ [PPTP_CALL_CLEAR_REQUEST] = "CALL_CLEAR_REQUEST",
++ [PPTP_CALL_DISCONNECT_NOTIFY] = "CALL_DISCONNECT_NOTIFY",
++ [PPTP_WAN_ERROR_NOTIFY] = "WAN_ERROR_NOTIFY",
++ [PPTP_SET_LINK_INFO] = "SET_LINK_INFO"
+ };
++
++const char *const pptp_msg_name(u_int16_t msg)
++{
++ if (msg > PPTP_MSG_MAX)
++ return pptp_msg_name_array[0];
++
++ return pptp_msg_name_array[msg];
++}
+ EXPORT_SYMBOL(pptp_msg_name);
+ #endif
+
+@@ -278,7 +286,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ typeof(nf_nat_pptp_hook_inbound) nf_nat_pptp_inbound;
+
+ msg = ntohs(ctlh->messageType);
+- pr_debug("inbound control message %s\n", pptp_msg_name[msg]);
++ pr_debug("inbound control message %s\n", pptp_msg_name(msg));
+
+ switch (msg) {
+ case PPTP_START_SESSION_REPLY:
+@@ -313,7 +321,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ pcid = pptpReq->ocack.peersCallID;
+ if (info->pns_call_id != pcid)
+ goto invalid;
+- pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name[msg],
++ pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name(msg),
+ ntohs(cid), ntohs(pcid));
+
+ if (pptpReq->ocack.resultCode == PPTP_OUTCALL_CONNECT) {
+@@ -330,7 +338,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ goto invalid;
+
+ cid = pptpReq->icreq.callID;
+- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+ info->cstate = PPTP_CALL_IN_REQ;
+ info->pac_call_id = cid;
+ break;
+@@ -349,7 +357,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ if (info->pns_call_id != pcid)
+ goto invalid;
+
+- pr_debug("%s, PCID=%X\n", pptp_msg_name[msg], ntohs(pcid));
++ pr_debug("%s, PCID=%X\n", pptp_msg_name(msg), ntohs(pcid));
+ info->cstate = PPTP_CALL_IN_CONF;
+
+ /* we expect a GRE connection from PAC to PNS */
+@@ -359,7 +367,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ case PPTP_CALL_DISCONNECT_NOTIFY:
+ /* server confirms disconnect */
+ cid = pptpReq->disc.callID;
+- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+ info->cstate = PPTP_CALL_NONE;
+
+ /* untrack this call id, unexpect GRE packets */
+@@ -386,7 +394,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ invalid:
+ pr_debug("invalid %s: type=%d cid=%u pcid=%u "
+ "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
++ pptp_msg_name(msg),
+ msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate,
+ ntohs(info->pns_call_id), ntohs(info->pac_call_id));
+ return NF_ACCEPT;
+@@ -406,7 +414,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ typeof(nf_nat_pptp_hook_outbound) nf_nat_pptp_outbound;
+
+ msg = ntohs(ctlh->messageType);
+- pr_debug("outbound control message %s\n", pptp_msg_name[msg]);
++ pr_debug("outbound control message %s\n", pptp_msg_name(msg));
+
+ switch (msg) {
+ case PPTP_START_SESSION_REQUEST:
+@@ -428,7 +436,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ info->cstate = PPTP_CALL_OUT_REQ;
+ /* track PNS call id */
+ cid = pptpReq->ocreq.callID;
+- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+ info->pns_call_id = cid;
+ break;
+
+@@ -442,7 +450,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ pcid = pptpReq->icack.peersCallID;
+ if (info->pac_call_id != pcid)
+ goto invalid;
+- pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name[msg],
++ pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name(msg),
+ ntohs(cid), ntohs(pcid));
+
+ if (pptpReq->icack.resultCode == PPTP_INCALL_ACCEPT) {
+@@ -482,7 +490,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ invalid:
+ pr_debug("invalid %s: type=%d cid=%u pcid=%u "
+ "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
++ pptp_msg_name(msg),
+ msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate,
+ ntohs(info->pns_call_id), ntohs(info->pac_call_id));
+ return NF_ACCEPT;
--- /dev/null
+From e9c284ec4b41c827f4369973d2792992849e4fa5 Mon Sep 17 00:00:00 2001
+From: Michael Braun <michael-dev@fami-braun.de>
+Date: Wed, 6 May 2020 11:46:25 +0200
+Subject: netfilter: nft_reject_bridge: enable reject with bridge vlan
+
+From: Michael Braun <michael-dev@fami-braun.de>
+
+commit e9c284ec4b41c827f4369973d2792992849e4fa5 upstream.
+
+Currently, using the bridge reject target with tagged packets
+results in untagged packets being sent back.
+
+Fix this by mirroring the vlan id as well.
+
+Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support")
+Signed-off-by: Michael Braun <michael-dev@fami-braun.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/netfilter/nft_reject_bridge.c
++++ b/net/bridge/netfilter/nft_reject_bridge.c
+@@ -35,6 +35,12 @@ static void nft_reject_br_push_etherhdr(
+ ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
+ eth->h_proto = eth_hdr(oldskb)->h_proto;
+ skb_pull(nskb, ETH_HLEN);
++
++ if (skb_vlan_tag_present(oldskb)) {
++ u16 vid = skb_vlan_tag_get(oldskb);
++
++ __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
++ }
+ }
+
+ /* We cannot use oldskb->dev, it can be either bridge device (NF_BRIDGE INPUT)
--- /dev/null
+From 15c973858903009e995b2037683de29dfe968621 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu <wu000273@umn.edu>
+Date: Mon, 25 May 2020 03:24:39 -0500
+Subject: qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
+
+From: Qiushi Wu <wu000273@umn.edu>
+
+commit 15c973858903009e995b2037683de29dfe968621 upstream.
+
+In function qlcnic_83xx_interrupt_test(), function
+qlcnic_83xx_diag_alloc_res() is not handled by function
+qlcnic_83xx_diag_free_res() after a call of the function
+qlcnic_alloc_mbx_args() failed. Fix this issue by adding
+a jump target "fail_mbx_args", and jump to this new target
+when qlcnic_alloc_mbx_args() failed.
+
+Fixes: b6b4316c8b2f ("qlcnic: Handle qlcnic_alloc_mbx_args() failure")
+Signed-off-by: Qiushi Wu <wu000273@umn.edu>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -3609,7 +3609,7 @@ int qlcnic_83xx_interrupt_test(struct ne
+ ahw->diag_cnt = 0;
+ ret = qlcnic_alloc_mbx_args(&cmd, adapter, QLCNIC_CMD_INTRPT_TEST);
+ if (ret)
+- goto fail_diag_irq;
++ goto fail_mbx_args;
+
+ if (adapter->flags & QLCNIC_MSIX_ENABLED)
+ intrpt_id = ahw->intr_tbl[0].id;
+@@ -3639,6 +3639,8 @@ int qlcnic_83xx_interrupt_test(struct ne
+
+ done:
+ qlcnic_free_mbx_args(&cmd);
++
++fail_mbx_args:
+ qlcnic_83xx_diag_free_res(netdev, drv_sds_rings);
+
+ fail_diag_irq:
parisc-fix-kernel-panic-in-mem_init.patch
mac80211-mesh-fix-discovery-timer-re-arming-issue-crash.patch
x86-dma-fix-max-pfn-arithmetic-overflow-on-32-bit-systems.patch
+xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
+xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
+xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
+vti4-eliminated-some-duplicate-code.patch
+ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch
+netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
+netfilter-ipset-fix-subcounter-update-skip.patch
+netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch
+qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
+bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch
--- /dev/null
+From f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden <jeremy@azazel.net>
+Date: Sat, 23 Mar 2019 14:43:02 +0000
+Subject: vti4: eliminated some duplicate code.
+
+From: Jeremy Sowden <jeremy@azazel.net>
+
+commit f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c upstream.
+
+The ipip tunnel introduced in commit dd9ee3444014 ("vti4: Fix a ipip
+packet processing bug in 'IPCOMP' virtual tunnel") largely duplicated
+the existing vti_input and vti_recv functions. Refactored to
+deduplicate the common code.
+
+Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/ip_vti.c | 60 +++++++++++++++++++-----------------------------------
+ 1 file changed, 22 insertions(+), 38 deletions(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -51,7 +51,7 @@ static int vti_net_id __read_mostly;
+ static int vti_tunnel_init(struct net_device *dev);
+
+ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+- int encap_type)
++ int encap_type, bool update_skb_dev)
+ {
+ struct ip_tunnel *tunnel;
+ const struct iphdr *iph = ip_hdr(skb);
+@@ -66,6 +66,9 @@ static int vti_input(struct sk_buff *skb
+
+ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+
++ if (update_skb_dev)
++ skb->dev = tunnel->dev;
++
+ return xfrm_input(skb, nexthdr, spi, encap_type);
+ }
+
+@@ -75,47 +78,28 @@ drop:
+ return 0;
+ }
+
+-static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+- int encap_type)
++static int vti_input_proto(struct sk_buff *skb, int nexthdr, __be32 spi,
++ int encap_type)
+ {
+- struct ip_tunnel *tunnel;
+- const struct iphdr *iph = ip_hdr(skb);
+- struct net *net = dev_net(skb->dev);
+- struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+-
+- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+- iph->saddr, iph->daddr, 0);
+- if (tunnel) {
+- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+- goto drop;
+-
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+-
+- skb->dev = tunnel->dev;
+-
+- return xfrm_input(skb, nexthdr, spi, encap_type);
+- }
+-
+- return -EINVAL;
+-drop:
+- kfree_skb(skb);
+- return 0;
++ return vti_input(skb, nexthdr, spi, encap_type, false);
+ }
+
+-static int vti_rcv(struct sk_buff *skb)
++static int vti_rcv(struct sk_buff *skb, __be32 spi, bool update_skb_dev)
+ {
+ XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+
+- return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
++ return vti_input(skb, ip_hdr(skb)->protocol, spi, 0, update_skb_dev);
+ }
+
+-static int vti_rcv_ipip(struct sk_buff *skb)
++static int vti_rcv_proto(struct sk_buff *skb)
+ {
+- XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++ return vti_rcv(skb, 0, false);
++}
+
+- return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
++static int vti_rcv_tunnel(struct sk_buff *skb)
++{
++ return vti_rcv(skb, ip_hdr(skb)->saddr, true);
+ }
+
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
+@@ -452,31 +436,31 @@ static void __net_init vti_fb_tunnel_ini
+ }
+
+ static struct xfrm4_protocol vti_esp4_protocol __read_mostly = {
+- .handler = vti_rcv,
+- .input_handler = vti_input,
++ .handler = vti_rcv_proto,
++ .input_handler = vti_input_proto,
+ .cb_handler = vti_rcv_cb,
+ .err_handler = vti4_err,
+ .priority = 100,
+ };
+
+ static struct xfrm4_protocol vti_ah4_protocol __read_mostly = {
+- .handler = vti_rcv,
+- .input_handler = vti_input,
++ .handler = vti_rcv_proto,
++ .input_handler = vti_input_proto,
+ .cb_handler = vti_rcv_cb,
+ .err_handler = vti4_err,
+ .priority = 100,
+ };
+
+ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
+- .handler = vti_rcv,
+- .input_handler = vti_input,
++ .handler = vti_rcv_proto,
++ .input_handler = vti_input_proto,
+ .cb_handler = vti_rcv_cb,
+ .err_handler = vti4_err,
+ .priority = 100,
+ };
+
+ static struct xfrm_tunnel ipip_handler __read_mostly = {
+- .handler = vti_rcv_ipip,
++ .handler = vti_rcv_tunnel,
+ .err_handler = vti4_err,
+ .priority = 0,
+ };
--- /dev/null
+From afcaf61be9d1dbdee5ec186d1dcc67b6b692180f Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Fri, 10 Apr 2020 17:06:01 +0800
+Subject: xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit afcaf61be9d1dbdee5ec186d1dcc67b6b692180f upstream.
+
+For beet mode, when it's ipv6 inner address with nexthdrs set,
+the packet format might be:
+
+ ----------------------------------------------------
+ | outer | | dest | | | ESP | ESP |
+ | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
+ ----------------------------------------------------
+
+The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
+continue processing the packet when nexthdr returns 0 in
+xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
+packet will be dropped.
+
+I don't see any error cases that nexthdr may return 0. So
+fix it by removing the check for nexthdr == 0.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -302,7 +302,7 @@ resume:
+ dev_put(skb->dev);
+
+ spin_lock(&x->lock);
+- if (nexthdr <= 0) {
++ if (nexthdr < 0) {
+ if (nexthdr == -EBADMSG) {
+ xfrm_audit_state_icvfail(x, skb,
+ x->type->proto);
--- /dev/null
+From f6a23d85d078c2ffde79c66ca81d0a1dde451649 Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Tue, 26 May 2020 17:41:46 +0800
+Subject: xfrm: fix a NULL-ptr deref in xfrm_local_error
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit f6a23d85d078c2ffde79c66ca81d0a1dde451649 upstream.
+
+This patch is to fix a crash:
+
+ [ ] kasan: GPF could be caused by NULL-ptr deref or user memory access
+ [ ] general protection fault: 0000 [#1] SMP KASAN PTI
+ [ ] RIP: 0010:ipv6_local_error+0xac/0x7a0
+ [ ] Call Trace:
+ [ ] xfrm6_local_error+0x1eb/0x300
+ [ ] xfrm_local_error+0x95/0x130
+ [ ] __xfrm6_output+0x65f/0xb50
+ [ ] xfrm6_output+0x106/0x46f
+ [ ] udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel]
+ [ ] vxlan_xmit_one+0xbc6/0x2c60 [vxlan]
+ [ ] vxlan_xmit+0x6a0/0x4276 [vxlan]
+ [ ] dev_hard_start_xmit+0x165/0x820
+ [ ] __dev_queue_xmit+0x1ff0/0x2b90
+ [ ] ip_finish_output2+0xd3e/0x1480
+ [ ] ip_do_fragment+0x182d/0x2210
+ [ ] ip_output+0x1d0/0x510
+ [ ] ip_send_skb+0x37/0xa0
+ [ ] raw_sendmsg+0x1b4c/0x2b80
+ [ ] sock_sendmsg+0xc0/0x110
+
+This occurred when sending a v4 skb over vxlan6 over ipsec, in which case
+skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in
+xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries
+to get ipv6 info from a ipv4 sk.
+
+This issue was actually fixed by Commit 628e341f319f ("xfrm: make local
+error reporting more robust"), but brought back by Commit 844d48746e4b
+("xfrm: choose protocol family by skb protocol").
+
+So to fix it, we should call xfrm6_local_error() only when skb->protocol
+is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6.
+
+Fixes: 844d48746e4b ("xfrm: choose protocol family by skb protocol")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -237,7 +237,8 @@ void xfrm_local_error(struct sk_buff *sk
+
+ if (skb->protocol == htons(ETH_P_IP))
+ proto = AF_INET;
+- else if (skb->protocol == htons(ETH_P_IPV6))
++ else if (skb->protocol == htons(ETH_P_IPV6) &&
++ skb->sk->sk_family == AF_INET6)
+ proto = AF_INET6;
+ else
+ return;
--- /dev/null
+From ed17b8d377eaf6b4a01d46942b4c647378a79bdd Mon Sep 17 00:00:00 2001
+From: Xin Long <lucien.xin@gmail.com>
+Date: Mon, 25 May 2020 13:53:37 +0800
+Subject: xfrm: fix a warning in xfrm_policy_insert_list
+
+From: Xin Long <lucien.xin@gmail.com>
+
+commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd upstream.
+
+This waring can be triggered simply by:
+
+ # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+ priority 1 mark 0 mask 0x10 #[1]
+ # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+ priority 2 mark 0 mask 0x1 #[2]
+ # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+ priority 2 mark 0 mask 0x10 #[3]
+
+Then dmesg shows:
+
+ [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548
+ [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030
+ [ ] Call Trace:
+ [ ] xfrm_policy_inexact_insert+0x85/0xe50
+ [ ] xfrm_policy_insert+0x4ba/0x680
+ [ ] xfrm_add_policy+0x246/0x4d0
+ [ ] xfrm_user_rcv_msg+0x331/0x5c0
+ [ ] netlink_rcv_skb+0x121/0x350
+ [ ] xfrm_netlink_rcv+0x66/0x80
+ [ ] netlink_unicast+0x439/0x630
+ [ ] netlink_sendmsg+0x714/0xbf0
+ [ ] sock_sendmsg+0xe2/0x110
+
+The issue was introduced by Commit 7cb8a93968e3 ("xfrm: Allow inserting
+policies with matching mark and different priorities"). After that, the
+policies [1] and [2] would be able to be added with different priorities.
+
+However, policy [3] will actually match both [1] and [2]. Policy [1]
+was matched due to the 1st 'return true' in xfrm_policy_mark_match(),
+and policy [2] was matched due to the 2nd 'return true' in there. It
+caused WARN_ON() in xfrm_policy_insert_list().
+
+This patch is to fix it by only (the same value and priority) as the
+same policy in xfrm_policy_mark_match().
+
+Thanks to Yuehaibing, we could make this fix better.
+
+v1->v2:
+ - check policy->mark.v == pol->mark.v only without mask.
+
+Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/xfrm/xfrm_policy.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -740,12 +740,7 @@ static void xfrm_policy_requeue(struct x
+ static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
+ struct xfrm_policy *pol)
+ {
+- u32 mark = policy->mark.v & policy->mark.m;
+-
+- if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m)
+- return true;
+-
+- if ((mark & pol->mark.m) == pol->mark.v &&
++ if (policy->mark.v == pol->mark.v &&
+ policy->priority == pol->priority)
+ return true;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
