From: Greg Kroah-Hartman Date: Sun, 16 Jul 2023 08:40:42 +0000 (+0200) Subject: drop queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch X-Git-Tag: v6.1.39~94 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=a192c4d0fe1fc42fdff98dc2e409654d2f45798a;p=thirdparty%2Fkernel%2Fstable-queue.git drop queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch it didn't apply properly --- diff --git a/queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch b/queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch deleted file mode 100644 index 77e5b84d1b0..00000000000 --- a/queue-6.1/net-sched-act_ipt-zero-skb-cb-before-calling-target.patch +++ /dev/null @@ -1,101 +0,0 @@ -From e30f7714a276eaf155fe312add3e12f7fc38ef61 Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Tue, 27 Jun 2023 14:38:13 +0200 -Subject: net/sched: act_ipt: zero skb->cb before calling target - -From: Florian Westphal - -[ Upstream commit 93d75d475c5dc3404292976147d063ee4d808592 ] - -xtables relies on skb being owned by ip stack, i.e. with ipv4 -check in place skb->cb is supposed to be IPCB. - -I don't see an immediate problem (REJECT target cannot be used anymore -now that PRE/POSTROUTING hook validation has been fixed), but better be -safe than sorry. - -A much better patch would be to either mark act_ipt as -"depends on BROKEN" or remove it altogether. I plan to do this -for -next in the near future. - -This tc extension is broken in the sense that tc lacks an -equivalent of NF_STOLEN verdict. - -With NF_STOLEN, target function takes complete ownership of skb, caller -cannot dereference it anymore. - -ACT_STOLEN cannot be used for this: it has a different meaning, caller -is allowed to dereference the skb. - -At this time NF_STOLEN won't be returned by any targets as far as I can -see, but this may change in the future. - -It might be possible to work around this via list of allowed -target extensions known to only return DROP or ACCEPT verdicts, but this -is error prone/fragile. - -Existing selftest only validates xt_LOG and act_ipt is restricted -to ipv4 so I don't think this action is used widely. - -Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") -Signed-off-by: Florian Westphal -Reviewed-by: Simon Horman -Acked-by: Jamal Hadi Salim -Signed-off-by: Paolo Abeni -Signed-off-by: Sasha Levin ---- - net/sched/act_ipt.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/net/sched/act_ipt.c b/net/sched/act_ipt.c -index a6b522b512dc3..598d6e299152a 100644 ---- a/net/sched/act_ipt.c -+++ b/net/sched/act_ipt.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - - #include - -@@ -254,6 +255,7 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb, - const struct tc_action *a, - struct tcf_result *res) - { -+ char saved_cb[sizeof_field(struct sk_buff, cb)]; - int ret = 0, result = 0; - struct tcf_ipt *ipt = to_ipt(a); - struct xt_action_param par; -@@ -280,6 +282,8 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb, - state.out = skb->dev; - } - -+ memcpy(saved_cb, skb->cb, sizeof(saved_cb)); -+ - spin_lock(&ipt->tcf_lock); - - tcf_lastuse_update(&ipt->tcf_tm); -@@ -292,6 +296,9 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb, - par.state = &state; - par.target = ipt->tcfi_t->u.kernel.target; - par.targinfo = ipt->tcfi_t->data; -+ -+ memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); -+ - ret = par.target->target(skb, &par); - - switch (ret) { -@@ -312,6 +319,9 @@ TC_INDIRECT_SCOPE int tcf_ipt_act(struct sk_buff *skb, - break; - } - spin_unlock(&ipt->tcf_lock); -+ -+ memcpy(skb->cb, saved_cb, sizeof(skb->cb)); -+ - return result; - - } --- -2.39.2 - diff --git a/queue-6.1/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch b/queue-6.1/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch index ebe9fed4384..b5b9bd34759 100644 --- a/queue-6.1/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch +++ b/queue-6.1/net-sched-act_pedit-add-size-check-for-tca_pedit_par.patch @@ -37,14 +37,12 @@ Link: https://lore.kernel.org/r/20230703110842.590282-1-linma@zju.edu.cn Signed-off-by: Paolo Abeni Signed-off-by: Sasha Levin --- - net/sched/act_pedit.c | 1 + + net/sched/act_pedit.c | 1 + 1 file changed, 1 insertion(+) -diff --git a/net/sched/act_pedit.c b/net/sched/act_pedit.c -index 613a1d777d5a6..c2aed8b056a1d 100644 --- a/net/sched/act_pedit.c +++ b/net/sched/act_pedit.c -@@ -29,6 +29,7 @@ static struct tc_action_ops act_pedit_ops; +@@ -28,6 +28,7 @@ static struct tc_action_ops act_pedit_op static const struct nla_policy pedit_policy[TCA_PEDIT_MAX + 1] = { [TCA_PEDIT_PARMS] = { .len = sizeof(struct tc_pedit) }, @@ -52,6 +50,3 @@ index 613a1d777d5a6..c2aed8b056a1d 100644 [TCA_PEDIT_KEYS_EX] = { .type = NLA_NESTED }, }; --- -2.39.2 - diff --git a/queue-6.1/series b/queue-6.1/series index 0caf6df3559..4609c43c143 100644 --- a/queue-6.1/series +++ b/queue-6.1/series @@ -485,7 +485,6 @@ sctp-fix-potential-deadlock-on-net-sctp.addr_wq_lock.patch net-sched-act_ipt-add-sanity-checks-on-table-name-an.patch net-add-a-couple-of-helpers-for-iph-tot_len.patch net-sched-act_ipt-add-sanity-checks-on-skb-before-ca.patch -net-sched-act_ipt-zero-skb-cb-before-calling-target.patch spi-spi-geni-qcom-enable-spi_controller_must_tx-for-.patch net-mscc-ocelot-don-t-report-that-rx-timestamping-is.patch net-mscc-ocelot-don-t-keep-ptp-configuration-of-all-.patch