From: Greg Kroah-Hartman Date: Mon, 1 Jun 2020 12:35:37 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.226~32 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ef07aabcc1ec89fea0ab19ce4cd4ed40c83b0e66;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch netfilter-ipset-fix-subcounter-update-skip.patch netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch vti4-eliminated-some-duplicate-code.patch xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch --- diff --git a/queue-4.4/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch b/queue-4.4/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch new file mode 100644 index 00000000000..534373ae45c --- /dev/null +++ b/queue-4.4/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch @@ -0,0 +1,38 @@ +From a068aab42258e25094bc2c159948d263ed7d7a77 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Wed, 27 May 2020 22:10:29 -0500 +Subject: bonding: Fix reference count leak in bond_sysfs_slave_add. + +From: Qiushi Wu + +commit a068aab42258e25094bc2c159948d263ed7d7a77 upstream. + +kobject_init_and_add() takes reference even when it fails. +If this function returns an error, kobject_put() must be called to +properly clean up the memory associated with the object. Previous +commit "b8eb718348b8" fixed a similar problem. + +Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.") +Signed-off-by: Qiushi Wu +Acked-by: Jay Vosburgh +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bonding/bond_sysfs_slave.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/bonding/bond_sysfs_slave.c ++++ b/drivers/net/bonding/bond_sysfs_slave.c +@@ -153,8 +153,10 @@ int bond_sysfs_slave_add(struct slave *s + + err = kobject_init_and_add(&slave->kobj, &slave_ktype, + &(slave->dev->dev.kobj), "bonding_slave"); +- if (err) ++ if (err) { ++ kobject_put(&slave->kobj); + return err; ++ } + + for (a = slave_attrs; *a; ++a) { + err = sysfs_create_file(&slave->kobj, &((*a)->attr)); diff --git a/queue-4.4/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch b/queue-4.4/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch new file mode 100644 index 00000000000..00189087ba6 --- /dev/null +++ b/queue-4.4/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch @@ -0,0 +1,65 @@ +From 976eba8ab596bab94b9714cd46d38d5c6a2c660d Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Tue, 21 Apr 2020 20:46:11 +0800 +Subject: ip_vti: receive ipip packet by calling ip_tunnel_rcv + +From: Xin Long + +commit 976eba8ab596bab94b9714cd46d38d5c6a2c660d upstream. + +In Commit dd9ee3444014 ("vti4: Fix a ipip packet processing bug in +'IPCOMP' virtual tunnel"), it tries to receive IPIP packets in vti +by calling xfrm_input(). This case happens when a small packet or +frag sent by peer is too small to get compressed. + +However, xfrm_input() will still get to the IPCOMP path where skb +sec_path is set, but never dropped while it should have been done +in vti_ipcomp4_protocol.cb_handler(vti_rcv_cb), as it's not an +ipcomp4 packet. This will cause that the packet can never pass +xfrm4_policy_check() in the upper protocol rcv functions. + +So this patch is to call ip_tunnel_rcv() to process IPIP packets +instead. + +Fixes: dd9ee3444014 ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel") +Reported-by: Xiumei Mu +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ip_vti.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -99,7 +99,28 @@ static int vti_rcv_proto(struct sk_buff + + static int vti_rcv_tunnel(struct sk_buff *skb) + { +- return vti_rcv(skb, ip_hdr(skb)->saddr, true); ++ struct ip_tunnel_net *itn = net_generic(dev_net(skb->dev), vti_net_id); ++ const struct iphdr *iph = ip_hdr(skb); ++ struct ip_tunnel *tunnel; ++ ++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, ++ iph->saddr, iph->daddr, 0); ++ if (tunnel) { ++ struct tnl_ptk_info tpi = { ++ .proto = htons(ETH_P_IP), ++ }; ++ ++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) ++ goto drop; ++ if (iptunnel_pull_header(skb, 0, tpi.proto, false)) ++ goto drop; ++ return ip_tunnel_rcv(tunnel, skb, &tpi, NULL, false); ++ } ++ ++ return -EINVAL; ++drop: ++ kfree_skb(skb); ++ return 0; + } + + static int vti_rcv_cb(struct sk_buff *skb, int err) diff --git a/queue-4.4/netfilter-ipset-fix-subcounter-update-skip.patch b/queue-4.4/netfilter-ipset-fix-subcounter-update-skip.patch new file mode 100644 index 00000000000..f55f9d30264 --- /dev/null +++ b/queue-4.4/netfilter-ipset-fix-subcounter-update-skip.patch @@ -0,0 +1,33 @@ +From a164b95ad6055c50612795882f35e0efda1f1390 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Thu, 14 May 2020 13:31:21 +0200 +Subject: netfilter: ipset: Fix subcounter update skip + +From: Phil Sutter + +commit a164b95ad6055c50612795882f35e0efda1f1390 upstream. + +If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not +update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE +must be set, not unset. + +Fixes: 6e01781d1c80e ("netfilter: ipset: set match: add support to match the counters") +Signed-off-by: Phil Sutter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipset/ip_set_list_set.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/ipset/ip_set_list_set.c ++++ b/net/netfilter/ipset/ip_set_list_set.c +@@ -60,7 +60,7 @@ list_set_ktest(struct ip_set *set, const + /* Don't lookup sub-counters at all */ + opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS; + if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE) +- opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE; ++ opt->cmdflags |= IPSET_FLAG_SKIP_COUNTER_UPDATE; + list_for_each_entry_rcu(e, &map->members, list) { + if (SET_WITH_TIMEOUT(set) && + ip_set_timeout_expired(ext_timeout(e, set))) diff --git a/queue-4.4/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch b/queue-4.4/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch new file mode 100644 index 00000000000..33e60ca8a8d --- /dev/null +++ b/queue-4.4/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch @@ -0,0 +1,201 @@ +From 4c559f15efcc43b996f4da528cd7f9483aaca36d Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 14 May 2020 14:14:23 +0200 +Subject: netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code + +From: Pablo Neira Ayuso + +commit 4c559f15efcc43b996f4da528cd7f9483aaca36d upstream. + +Dan Carpenter says: "Smatch complains that the value for "cmd" comes +from the network and can't be trusted." + +Add pptp_msg_name() helper function that checks for the array boundary. + +Fixes: f09943fefe6b ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port") +Reported-by: Dan Carpenter +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/netfilter/nf_conntrack_pptp.h | 2 + net/ipv4/netfilter/nf_nat_pptp.c | 7 --- + net/netfilter/nf_conntrack_pptp.c | 62 +++++++++++++++------------- + 3 files changed, 38 insertions(+), 33 deletions(-) + +--- a/include/linux/netfilter/nf_conntrack_pptp.h ++++ b/include/linux/netfilter/nf_conntrack_pptp.h +@@ -4,7 +4,7 @@ + + #include + +-extern const char *const pptp_msg_name[]; ++extern const char *const pptp_msg_name(u_int16_t msg); + + /* state of the control session */ + enum pptp_ctrlsess_state { +--- a/net/ipv4/netfilter/nf_nat_pptp.c ++++ b/net/ipv4/netfilter/nf_nat_pptp.c +@@ -156,8 +156,7 @@ pptp_outbound_pkt(struct sk_buff *skb, + break; + default: + pr_debug("unknown outbound packet 0x%04x:%s\n", msg, +- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : +- pptp_msg_name[0]); ++ pptp_msg_name(msg)); + /* fall through */ + case PPTP_SET_LINK_INFO: + /* only need to NAT in case PAC is behind NAT box */ +@@ -250,9 +249,7 @@ pptp_inbound_pkt(struct sk_buff *skb, + pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID); + break; + default: +- pr_debug("unknown inbound packet %s\n", +- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : +- pptp_msg_name[0]); ++ pr_debug("unknown inbound packet %s\n", pptp_msg_name(msg)); + /* fall through */ + case PPTP_START_SESSION_REQUEST: + case PPTP_START_SESSION_REPLY: +--- a/net/netfilter/nf_conntrack_pptp.c ++++ b/net/netfilter/nf_conntrack_pptp.c +@@ -71,24 +71,32 @@ EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_expec + + #if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG) + /* PptpControlMessageType names */ +-const char *const pptp_msg_name[] = { +- "UNKNOWN_MESSAGE", +- "START_SESSION_REQUEST", +- "START_SESSION_REPLY", +- "STOP_SESSION_REQUEST", +- "STOP_SESSION_REPLY", +- "ECHO_REQUEST", +- "ECHO_REPLY", +- "OUT_CALL_REQUEST", +- "OUT_CALL_REPLY", +- "IN_CALL_REQUEST", +- "IN_CALL_REPLY", +- "IN_CALL_CONNECT", +- "CALL_CLEAR_REQUEST", +- "CALL_DISCONNECT_NOTIFY", +- "WAN_ERROR_NOTIFY", +- "SET_LINK_INFO" ++static const char *const pptp_msg_name_array[PPTP_MSG_MAX + 1] = { ++ [0] = "UNKNOWN_MESSAGE", ++ [PPTP_START_SESSION_REQUEST] = "START_SESSION_REQUEST", ++ [PPTP_START_SESSION_REPLY] = "START_SESSION_REPLY", ++ [PPTP_STOP_SESSION_REQUEST] = "STOP_SESSION_REQUEST", ++ [PPTP_STOP_SESSION_REPLY] = "STOP_SESSION_REPLY", ++ [PPTP_ECHO_REQUEST] = "ECHO_REQUEST", ++ [PPTP_ECHO_REPLY] = "ECHO_REPLY", ++ [PPTP_OUT_CALL_REQUEST] = "OUT_CALL_REQUEST", ++ [PPTP_OUT_CALL_REPLY] = "OUT_CALL_REPLY", ++ [PPTP_IN_CALL_REQUEST] = "IN_CALL_REQUEST", ++ [PPTP_IN_CALL_REPLY] = "IN_CALL_REPLY", ++ [PPTP_IN_CALL_CONNECT] = "IN_CALL_CONNECT", ++ [PPTP_CALL_CLEAR_REQUEST] = "CALL_CLEAR_REQUEST", ++ [PPTP_CALL_DISCONNECT_NOTIFY] = "CALL_DISCONNECT_NOTIFY", ++ [PPTP_WAN_ERROR_NOTIFY] = "WAN_ERROR_NOTIFY", ++ [PPTP_SET_LINK_INFO] = "SET_LINK_INFO" + }; ++ ++const char *const pptp_msg_name(u_int16_t msg) ++{ ++ if (msg > PPTP_MSG_MAX) ++ return pptp_msg_name_array[0]; ++ ++ return pptp_msg_name_array[msg]; ++} + EXPORT_SYMBOL(pptp_msg_name); + #endif + +@@ -278,7 +286,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un + typeof(nf_nat_pptp_hook_inbound) nf_nat_pptp_inbound; + + msg = ntohs(ctlh->messageType); +- pr_debug("inbound control message %s\n", pptp_msg_name[msg]); ++ pr_debug("inbound control message %s\n", pptp_msg_name(msg)); + + switch (msg) { + case PPTP_START_SESSION_REPLY: +@@ -313,7 +321,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un + pcid = pptpReq->ocack.peersCallID; + if (info->pns_call_id != pcid) + goto invalid; +- pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name[msg], ++ pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name(msg), + ntohs(cid), ntohs(pcid)); + + if (pptpReq->ocack.resultCode == PPTP_OUTCALL_CONNECT) { +@@ -330,7 +338,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un + goto invalid; + + cid = pptpReq->icreq.callID; +- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid)); ++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid)); + info->cstate = PPTP_CALL_IN_REQ; + info->pac_call_id = cid; + break; +@@ -349,7 +357,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un + if (info->pns_call_id != pcid) + goto invalid; + +- pr_debug("%s, PCID=%X\n", pptp_msg_name[msg], ntohs(pcid)); ++ pr_debug("%s, PCID=%X\n", pptp_msg_name(msg), ntohs(pcid)); + info->cstate = PPTP_CALL_IN_CONF; + + /* we expect a GRE connection from PAC to PNS */ +@@ -359,7 +367,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un + case PPTP_CALL_DISCONNECT_NOTIFY: + /* server confirms disconnect */ + cid = pptpReq->disc.callID; +- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid)); ++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid)); + info->cstate = PPTP_CALL_NONE; + + /* untrack this call id, unexpect GRE packets */ +@@ -386,7 +394,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un + invalid: + pr_debug("invalid %s: type=%d cid=%u pcid=%u " + "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n", +- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0], ++ pptp_msg_name(msg), + msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate, + ntohs(info->pns_call_id), ntohs(info->pac_call_id)); + return NF_ACCEPT; +@@ -406,7 +414,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u + typeof(nf_nat_pptp_hook_outbound) nf_nat_pptp_outbound; + + msg = ntohs(ctlh->messageType); +- pr_debug("outbound control message %s\n", pptp_msg_name[msg]); ++ pr_debug("outbound control message %s\n", pptp_msg_name(msg)); + + switch (msg) { + case PPTP_START_SESSION_REQUEST: +@@ -428,7 +436,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u + info->cstate = PPTP_CALL_OUT_REQ; + /* track PNS call id */ + cid = pptpReq->ocreq.callID; +- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid)); ++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid)); + info->pns_call_id = cid; + break; + +@@ -442,7 +450,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u + pcid = pptpReq->icack.peersCallID; + if (info->pac_call_id != pcid) + goto invalid; +- pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name[msg], ++ pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name(msg), + ntohs(cid), ntohs(pcid)); + + if (pptpReq->icack.resultCode == PPTP_INCALL_ACCEPT) { +@@ -482,7 +490,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u + invalid: + pr_debug("invalid %s: type=%d cid=%u pcid=%u " + "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n", +- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0], ++ pptp_msg_name(msg), + msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate, + ntohs(info->pns_call_id), ntohs(info->pac_call_id)); + return NF_ACCEPT; diff --git a/queue-4.4/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch b/queue-4.4/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch new file mode 100644 index 00000000000..b257b6d9a13 --- /dev/null +++ b/queue-4.4/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch @@ -0,0 +1,38 @@ +From e9c284ec4b41c827f4369973d2792992849e4fa5 Mon Sep 17 00:00:00 2001 +From: Michael Braun +Date: Wed, 6 May 2020 11:46:25 +0200 +Subject: netfilter: nft_reject_bridge: enable reject with bridge vlan + +From: Michael Braun + +commit e9c284ec4b41c827f4369973d2792992849e4fa5 upstream. + +Currently, using the bridge reject target with tagged packets +results in untagged packets being sent back. + +Fix this by mirroring the vlan id as well. + +Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support") +Signed-off-by: Michael Braun +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/bridge/netfilter/nft_reject_bridge.c ++++ b/net/bridge/netfilter/nft_reject_bridge.c +@@ -35,6 +35,12 @@ static void nft_reject_br_push_etherhdr( + ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source); + eth->h_proto = eth_hdr(oldskb)->h_proto; + skb_pull(nskb, ETH_HLEN); ++ ++ if (skb_vlan_tag_present(oldskb)) { ++ u16 vid = skb_vlan_tag_get(oldskb); ++ ++ __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid); ++ } + } + + /* We cannot use oldskb->dev, it can be either bridge device (NF_BRIDGE INPUT) diff --git a/queue-4.4/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch b/queue-4.4/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch new file mode 100644 index 00000000000..0af52a2a88b --- /dev/null +++ b/queue-4.4/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch @@ -0,0 +1,45 @@ +From 15c973858903009e995b2037683de29dfe968621 Mon Sep 17 00:00:00 2001 +From: Qiushi Wu +Date: Mon, 25 May 2020 03:24:39 -0500 +Subject: qlcnic: fix missing release in qlcnic_83xx_interrupt_test. + +From: Qiushi Wu + +commit 15c973858903009e995b2037683de29dfe968621 upstream. + +In function qlcnic_83xx_interrupt_test(), function +qlcnic_83xx_diag_alloc_res() is not handled by function +qlcnic_83xx_diag_free_res() after a call of the function +qlcnic_alloc_mbx_args() failed. Fix this issue by adding +a jump target "fail_mbx_args", and jump to this new target +when qlcnic_alloc_mbx_args() failed. + +Fixes: b6b4316c8b2f ("qlcnic: Handle qlcnic_alloc_mbx_args() failure") +Signed-off-by: Qiushi Wu +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c ++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c +@@ -3609,7 +3609,7 @@ int qlcnic_83xx_interrupt_test(struct ne + ahw->diag_cnt = 0; + ret = qlcnic_alloc_mbx_args(&cmd, adapter, QLCNIC_CMD_INTRPT_TEST); + if (ret) +- goto fail_diag_irq; ++ goto fail_mbx_args; + + if (adapter->flags & QLCNIC_MSIX_ENABLED) + intrpt_id = ahw->intr_tbl[0].id; +@@ -3639,6 +3639,8 @@ int qlcnic_83xx_interrupt_test(struct ne + + done: + qlcnic_free_mbx_args(&cmd); ++ ++fail_mbx_args: + qlcnic_83xx_diag_free_res(netdev, drv_sds_rings); + + fail_diag_irq: diff --git a/queue-4.4/series b/queue-4.4/series index 9fef5a770f1..eaaf859b36d 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -25,3 +25,13 @@ iommu-fix-reference-count-leak-in-iommu_group_alloc.patch parisc-fix-kernel-panic-in-mem_init.patch mac80211-mesh-fix-discovery-timer-re-arming-issue-crash.patch x86-dma-fix-max-pfn-arithmetic-overflow-on-32-bit-systems.patch +xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch +xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch +xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch +vti4-eliminated-some-duplicate-code.patch +ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch +netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch +netfilter-ipset-fix-subcounter-update-skip.patch +netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch +qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch +bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch diff --git a/queue-4.4/vti4-eliminated-some-duplicate-code.patch b/queue-4.4/vti4-eliminated-some-duplicate-code.patch new file mode 100644 index 00000000000..5b415959e2d --- /dev/null +++ b/queue-4.4/vti4-eliminated-some-duplicate-code.patch @@ -0,0 +1,141 @@ +From f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c Mon Sep 17 00:00:00 2001 +From: Jeremy Sowden +Date: Sat, 23 Mar 2019 14:43:02 +0000 +Subject: vti4: eliminated some duplicate code. + +From: Jeremy Sowden + +commit f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c upstream. + +The ipip tunnel introduced in commit dd9ee3444014 ("vti4: Fix a ipip +packet processing bug in 'IPCOMP' virtual tunnel") largely duplicated +the existing vti_input and vti_recv functions. Refactored to +deduplicate the common code. + +Signed-off-by: Jeremy Sowden +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/ip_vti.c | 60 +++++++++++++++++++----------------------------------- + 1 file changed, 22 insertions(+), 38 deletions(-) + +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -51,7 +51,7 @@ static int vti_net_id __read_mostly; + static int vti_tunnel_init(struct net_device *dev); + + static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi, +- int encap_type) ++ int encap_type, bool update_skb_dev) + { + struct ip_tunnel *tunnel; + const struct iphdr *iph = ip_hdr(skb); +@@ -66,6 +66,9 @@ static int vti_input(struct sk_buff *skb + + XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel; + ++ if (update_skb_dev) ++ skb->dev = tunnel->dev; ++ + return xfrm_input(skb, nexthdr, spi, encap_type); + } + +@@ -75,47 +78,28 @@ drop: + return 0; + } + +-static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi, +- int encap_type) ++static int vti_input_proto(struct sk_buff *skb, int nexthdr, __be32 spi, ++ int encap_type) + { +- struct ip_tunnel *tunnel; +- const struct iphdr *iph = ip_hdr(skb); +- struct net *net = dev_net(skb->dev); +- struct ip_tunnel_net *itn = net_generic(net, vti_net_id); +- +- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY, +- iph->saddr, iph->daddr, 0); +- if (tunnel) { +- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) +- goto drop; +- +- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel; +- +- skb->dev = tunnel->dev; +- +- return xfrm_input(skb, nexthdr, spi, encap_type); +- } +- +- return -EINVAL; +-drop: +- kfree_skb(skb); +- return 0; ++ return vti_input(skb, nexthdr, spi, encap_type, false); + } + +-static int vti_rcv(struct sk_buff *skb) ++static int vti_rcv(struct sk_buff *skb, __be32 spi, bool update_skb_dev) + { + XFRM_SPI_SKB_CB(skb)->family = AF_INET; + XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); + +- return vti_input(skb, ip_hdr(skb)->protocol, 0, 0); ++ return vti_input(skb, ip_hdr(skb)->protocol, spi, 0, update_skb_dev); + } + +-static int vti_rcv_ipip(struct sk_buff *skb) ++static int vti_rcv_proto(struct sk_buff *skb) + { +- XFRM_SPI_SKB_CB(skb)->family = AF_INET; +- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr); ++ return vti_rcv(skb, 0, false); ++} + +- return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0); ++static int vti_rcv_tunnel(struct sk_buff *skb) ++{ ++ return vti_rcv(skb, ip_hdr(skb)->saddr, true); + } + + static int vti_rcv_cb(struct sk_buff *skb, int err) +@@ -452,31 +436,31 @@ static void __net_init vti_fb_tunnel_ini + } + + static struct xfrm4_protocol vti_esp4_protocol __read_mostly = { +- .handler = vti_rcv, +- .input_handler = vti_input, ++ .handler = vti_rcv_proto, ++ .input_handler = vti_input_proto, + .cb_handler = vti_rcv_cb, + .err_handler = vti4_err, + .priority = 100, + }; + + static struct xfrm4_protocol vti_ah4_protocol __read_mostly = { +- .handler = vti_rcv, +- .input_handler = vti_input, ++ .handler = vti_rcv_proto, ++ .input_handler = vti_input_proto, + .cb_handler = vti_rcv_cb, + .err_handler = vti4_err, + .priority = 100, + }; + + static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = { +- .handler = vti_rcv, +- .input_handler = vti_input, ++ .handler = vti_rcv_proto, ++ .input_handler = vti_input_proto, + .cb_handler = vti_rcv_cb, + .err_handler = vti4_err, + .priority = 100, + }; + + static struct xfrm_tunnel ipip_handler __read_mostly = { +- .handler = vti_rcv_ipip, ++ .handler = vti_rcv_tunnel, + .err_handler = vti4_err, + .priority = 0, + }; diff --git a/queue-4.4/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch b/queue-4.4/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch new file mode 100644 index 00000000000..1ed7ba2e6cd --- /dev/null +++ b/queue-4.4/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch @@ -0,0 +1,45 @@ +From afcaf61be9d1dbdee5ec186d1dcc67b6b692180f Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Fri, 10 Apr 2020 17:06:01 +0800 +Subject: xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input + +From: Xin Long + +commit afcaf61be9d1dbdee5ec186d1dcc67b6b692180f upstream. + +For beet mode, when it's ipv6 inner address with nexthdrs set, +the packet format might be: + + ---------------------------------------------------- + | outer | | dest | | | ESP | ESP | + | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV | + ---------------------------------------------------- + +The nexthdr from ESP could be NEXTHDR_HOP(0), so it should +continue processing the packet when nexthdr returns 0 in +xfrm_input(). Otherwise, when ipv6 nexthdr is set, the +packet will be dropped. + +I don't see any error cases that nexthdr may return 0. So +fix it by removing the check for nexthdr == 0. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_input.c ++++ b/net/xfrm/xfrm_input.c +@@ -302,7 +302,7 @@ resume: + dev_put(skb->dev); + + spin_lock(&x->lock); +- if (nexthdr <= 0) { ++ if (nexthdr < 0) { + if (nexthdr == -EBADMSG) { + xfrm_audit_state_icvfail(x, skb, + x->type->proto); diff --git a/queue-4.4/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch b/queue-4.4/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch new file mode 100644 index 00000000000..3ce8e7f7007 --- /dev/null +++ b/queue-4.4/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch @@ -0,0 +1,65 @@ +From f6a23d85d078c2ffde79c66ca81d0a1dde451649 Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Tue, 26 May 2020 17:41:46 +0800 +Subject: xfrm: fix a NULL-ptr deref in xfrm_local_error + +From: Xin Long + +commit f6a23d85d078c2ffde79c66ca81d0a1dde451649 upstream. + +This patch is to fix a crash: + + [ ] kasan: GPF could be caused by NULL-ptr deref or user memory access + [ ] general protection fault: 0000 [#1] SMP KASAN PTI + [ ] RIP: 0010:ipv6_local_error+0xac/0x7a0 + [ ] Call Trace: + [ ] xfrm6_local_error+0x1eb/0x300 + [ ] xfrm_local_error+0x95/0x130 + [ ] __xfrm6_output+0x65f/0xb50 + [ ] xfrm6_output+0x106/0x46f + [ ] udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel] + [ ] vxlan_xmit_one+0xbc6/0x2c60 [vxlan] + [ ] vxlan_xmit+0x6a0/0x4276 [vxlan] + [ ] dev_hard_start_xmit+0x165/0x820 + [ ] __dev_queue_xmit+0x1ff0/0x2b90 + [ ] ip_finish_output2+0xd3e/0x1480 + [ ] ip_do_fragment+0x182d/0x2210 + [ ] ip_output+0x1d0/0x510 + [ ] ip_send_skb+0x37/0xa0 + [ ] raw_sendmsg+0x1b4c/0x2b80 + [ ] sock_sendmsg+0xc0/0x110 + +This occurred when sending a v4 skb over vxlan6 over ipsec, in which case +skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in +xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries +to get ipv6 info from a ipv4 sk. + +This issue was actually fixed by Commit 628e341f319f ("xfrm: make local +error reporting more robust"), but brought back by Commit 844d48746e4b +("xfrm: choose protocol family by skb protocol"). + +So to fix it, we should call xfrm6_local_error() only when skb->protocol +is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6. + +Fixes: 844d48746e4b ("xfrm: choose protocol family by skb protocol") +Reported-by: Xiumei Mu +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/xfrm/xfrm_output.c ++++ b/net/xfrm/xfrm_output.c +@@ -237,7 +237,8 @@ void xfrm_local_error(struct sk_buff *sk + + if (skb->protocol == htons(ETH_P_IP)) + proto = AF_INET; +- else if (skb->protocol == htons(ETH_P_IPV6)) ++ else if (skb->protocol == htons(ETH_P_IPV6) && ++ skb->sk->sk_family == AF_INET6) + proto = AF_INET6; + else + return; diff --git a/queue-4.4/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch b/queue-4.4/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch new file mode 100644 index 00000000000..539b3a83367 --- /dev/null +++ b/queue-4.4/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch @@ -0,0 +1,76 @@ +From ed17b8d377eaf6b4a01d46942b4c647378a79bdd Mon Sep 17 00:00:00 2001 +From: Xin Long +Date: Mon, 25 May 2020 13:53:37 +0800 +Subject: xfrm: fix a warning in xfrm_policy_insert_list + +From: Xin Long + +commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd upstream. + +This waring can be triggered simply by: + + # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \ + priority 1 mark 0 mask 0x10 #[1] + # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \ + priority 2 mark 0 mask 0x1 #[2] + # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \ + priority 2 mark 0 mask 0x10 #[3] + +Then dmesg shows: + + [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548 + [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030 + [ ] Call Trace: + [ ] xfrm_policy_inexact_insert+0x85/0xe50 + [ ] xfrm_policy_insert+0x4ba/0x680 + [ ] xfrm_add_policy+0x246/0x4d0 + [ ] xfrm_user_rcv_msg+0x331/0x5c0 + [ ] netlink_rcv_skb+0x121/0x350 + [ ] xfrm_netlink_rcv+0x66/0x80 + [ ] netlink_unicast+0x439/0x630 + [ ] netlink_sendmsg+0x714/0xbf0 + [ ] sock_sendmsg+0xe2/0x110 + +The issue was introduced by Commit 7cb8a93968e3 ("xfrm: Allow inserting +policies with matching mark and different priorities"). After that, the +policies [1] and [2] would be able to be added with different priorities. + +However, policy [3] will actually match both [1] and [2]. Policy [1] +was matched due to the 1st 'return true' in xfrm_policy_mark_match(), +and policy [2] was matched due to the 2nd 'return true' in there. It +caused WARN_ON() in xfrm_policy_insert_list(). + +This patch is to fix it by only (the same value and priority) as the +same policy in xfrm_policy_mark_match(). + +Thanks to Yuehaibing, we could make this fix better. + +v1->v2: + - check policy->mark.v == pol->mark.v only without mask. + +Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities") +Reported-by: Xiumei Mu +Signed-off-by: Xin Long +Signed-off-by: Steffen Klassert +Signed-off-by: Greg Kroah-Hartman + +--- + net/xfrm/xfrm_policy.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/net/xfrm/xfrm_policy.c ++++ b/net/xfrm/xfrm_policy.c +@@ -740,12 +740,7 @@ static void xfrm_policy_requeue(struct x + static bool xfrm_policy_mark_match(struct xfrm_policy *policy, + struct xfrm_policy *pol) + { +- u32 mark = policy->mark.v & policy->mark.m; +- +- if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m) +- return true; +- +- if ((mark & pol->mark.m) == pol->mark.v && ++ if (policy->mark.v == pol->mark.v && + policy->priority == pol->priority) + return true; +