From: Greg Kroah-Hartman
Date: Sat, 1 Jul 2017 14:13:39 +0000 (+0200)
Subject: 4.11-stable patches
X-Git-Tag: v3.18.60~55
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e229367df7faef7d16540b510d5d6a6173cdb5cd;p=thirdparty%2Fkernel%2Fstable-queue.git

4.11-stable patches

added patches:
netfilter-synproxy-fix-conntrackd-interaction.patch
---
diff --git a/queue-4.11/netfilter-synproxy-fix-conntrackd-interaction.patch b/queue-4.11/netfilter-synproxy-fix-conntrackd-interaction.patch
new file mode 100644
index 00000000000..3232f577406
--- /dev/null
+++ b/queue-4.11/netfilter-synproxy-fix-conntrackd-interaction.patch
@@ -0,0 +1,45 @@
+From 87e94dbc210a720a34be5c1174faee5c84be963e Mon Sep 17 00:00:00 2001
+From: Eric Leblond
+Date: Thu, 11 May 2017 18:56:38 +0200
+Subject: netfilter: synproxy: fix conntrackd interaction
+
+From: Eric Leblond
+
+commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream.
+
+This patch fixes the creation of connection tracking entry from
+netlink when synproxy is used. It was missing the addition of
+the synproxy extension.
+
+This was causing kernel crashes when a conntrack entry created by
+conntrackd was used after the switch of traffic from active node
+to the passive node.
+
+Signed-off-by: Eric Leblond
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_netlink.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -45,6 +45,8 @@
+ #include
+ #include
+ #include
++#include
++#include
+ #ifdef CONFIG_NF_NAT_NEEDED
+ #include
+ #include
+@@ -1814,6 +1816,8 @@ ctnetlink_create_conntrack(struct net *n
+ nf_ct_tstamp_ext_add(ct, GFP_ATOMIC);
+ nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC);
+ nf_ct_labels_ext_add(ct);
++ nfct_seqadj_ext_add(ct);
++ nfct_synproxy_ext_add(ct);
+
+ /* we must add conntrack extensions before confirmation. */
+ ct->status |= IPS_CONFIRMED;
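Review bot: The two added calls `nfct_seqadj_ext_add(ct);` and `nfct_synproxy_ext_add(ct);` in ctnetlink_create_conntrack have no comment explaining why both extensions are attached to every netlink-created entry, and the patch description only mentions the synproxy one, so a reader of this backport cannot tell why seqadj is added as well. A comment above the pair, e.g. `/* seqadj and synproxy extensions must exist before the entry is confirmed below; entries synced from conntrackd would otherwise lack them and later synproxy handling would crash */`, would tie the fix to the code. Their return values are discarded like the adjacent nf_ct_*_ext_add calls; if these helpers return NULL on allocation failure (not verifiable from this hunk), that the entry is still confirmed without the extension is worth stating explicitly. The added #include header names are stripped in this rendering, so they could not be checked. ctnetlink_create_conntrack starts and ends outside the hunk.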
diff --git a/queue-4.11/series b/queue-4.11/series
index dde3dc4fd97..e2d54dc973e 100644
--- a/queue-4.11/series
+++ b/queue-4.11/series
@@ -30,3 +30,4 @@ decnet-always-not-take-dst-__refcnt-when-inserting-dst-into-hash-table.patch
 net-8021q-fix-one-possible-panic-caused-by-bug_on-in-free_netdev.patch
 ipv6-do-not-leak-throw-route-references.patch
 rtnetlink-add-ifla_group-to-ifla_policy.patch
+netfilter-synproxy-fix-conntrackd-interaction.patch