From 057ecf8c3660f06f1fcbf70c2ad975397afe6d64 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 18 May 2020 14:45:49 +0200
Subject: [PATCH] 4.4-stable patches

added patches:
net-fix-a-potential-recursive-netdev_feat_change.patch
net-ipv4-really-enforce-backoff-for-redirects.patch
netlabel-cope-with-null-catmap.patch
---
 ...tential-recursive-netdev_feat_change.patch | 66 +++++++++++++++++
 ...really-enforce-backoff-for-redirects.patch | 48 +++++++++++++
 .../netlabel-cope-with-null-catmap.patch | 71 +++++++++++++++++++
 queue-4.4/series | 3 +
 4 files changed, 188 insertions(+)
 create mode 100644 queue-4.4/net-fix-a-potential-recursive-netdev_feat_change.patch
 create mode 100644 queue-4.4/net-ipv4-really-enforce-backoff-for-redirects.patch
 create mode 100644 queue-4.4/netlabel-cope-with-null-catmap.patch
diff --git a/queue-4.4/net-fix-a-potential-recursive-netdev_feat_change.patch b/queue-4.4/net-fix-a-potential-recursive-netdev_feat_change.patch
new file mode 100644
index 00000000000..60c30db9d00
--- /dev/null
+++ b/queue-4.4/net-fix-a-potential-recursive-netdev_feat_change.patch
@@ -0,0 +1,66 @@
+From foo@baz Mon 18 May 2020 02:45:04 PM CEST
+From: Cong Wang
+Date: Thu, 7 May 2020 12:19:03 -0700
+Subject: net: fix a potential recursive NETDEV_FEAT_CHANGE
+
+From: Cong Wang
+
+[ Upstream commit dd912306ff008891c82cd9f63e8181e47a9cb2fb ]
+
+syzbot managed to trigger a recursive NETDEV_FEAT_CHANGE event
+between bonding master and slave. I managed to find a reproducer
+for this:
+
+ ip li set bond0 up
+ ifenslave bond0 eth0
+ brctl addbr br0
+ ethtool -K eth0 lro off
+ brctl addif br0 bond0
+ ip li set br0 up
+
+When a NETDEV_FEAT_CHANGE event is triggered on a bonding slave,
+it captures this and calls bond_compute_features() to fixup its
+master's and other slaves' features. However, when syncing with
+its lower devices by netdev_sync_lower_features() this event is
+triggered again on slaves when the LRO feature fails to change,
+so it goes back and forth recursively until the kernel stack is
+exhausted.
+
+Commit 17b85d29e82c intentionally lets __netdev_update_features()
+return -1 for such a failure case, so we have to just rely on
+the existing check inside netdev_sync_lower_features() and skip
+NETDEV_FEAT_CHANGE event only for this specific failure case.
+
+Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack")
+Reported-by: syzbot+e73ceacfd8560cc8a3ca@syzkaller.appspotmail.com
+Reported-by: syzbot+c2fb6f9ddcea95ba49b5@syzkaller.appspotmail.com
+Cc: Jarod Wilson
+Cc: Nikolay Aleksandrov
+Cc: Josh Poimboeuf
+Cc: Jann Horn
+Reviewed-by: Jay Vosburgh
+Signed-off-by: Cong Wang
+Acked-by: Nikolay Aleksandrov
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/core/dev.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/core/dev.c
++++ b/net/core/dev.c
+@@ -6449,11 +6449,13 @@ static void netdev_sync_lower_features(s
+ netdev_dbg(upper, "Disabling feature %pNF on lower dev %s.\n",
+ &feature, lower->name);
+ lower->wanted_features &= ~feature;
+- netdev_update_features(lower);
++ __netdev_update_features(lower);
+
+ if (unlikely(lower->features & feature))
+ netdev_WARN(upper, "failed to disable %pNF on %s!\n",
+ &feature, lower->name);
++ else
++ netdev_features_change(lower);
+ }
+ }
+ }
diff --git a/queue-4.4/net-ipv4-really-enforce-backoff-for-redirects.patch b/queue-4.4/net-ipv4-really-enforce-backoff-for-redirects.patch
new file mode 100644
index 00000000000..831b3532333
--- /dev/null
+++ b/queue-4.4/net-ipv4-really-enforce-backoff-for-redirects.patch
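Review bot: In the net/core/dev.c hunk, nothing in the code records why netdev_sync_lower_features() now calls `__netdev_update_features(lower)` and notifies only in the `else` branch, so a later cleanup could fold it back into `netdev_update_features()` and restore the recursion the commit message describes. I would add a comment above the call, e.g. `/* notify only on success: NETDEV_FEAT_CHANGE after a failed disable bounces between upper and lower devices until the stack is exhausted */`. The return value of `__netdev_update_features()` is ignored and failure is judged from `lower->features & feature`, which matches the commit message but deserves a word in that comment as well. The function starts before this hunk, so the enclosing loops are not visible here.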
@@ -0,0 +1,48 @@
+From foo@baz Mon 18 May 2020 02:45:04 PM CEST
+From: Paolo Abeni
+Date: Fri, 8 May 2020 19:28:34 +0200
+Subject: net: ipv4: really enforce backoff for redirects
+
+From: Paolo Abeni
+
+[ Upstream commit 57644431a6c2faac5d754ebd35780cf43a531b1a ]
+
+In commit b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and
+rate_tokens usage") I missed the fact that a 0 'rate_tokens' will
+bypass the backoff algorithm.
+
+Since rate_tokens is cleared after a redirect silence, and never
+incremented on redirects, if the host keeps receiving packets
+requiring redirect it will reply ignoring the backoff.
+
+Additionally, the 'rate_last' field will be updated with the
+cadence of the ingress packet requiring redirect. If that rate is
+high enough, that will prevent the host from generating any
+other kind of ICMP messages
+
+The check for a zero 'rate_tokens' value was likely a shortcut
+to avoid the more complex backoff algorithm after a redirect
+silence period. Address the issue checking for 'n_redirects'
+instead, which is incremented on successful redirect, and
+does not interfere with other ICMP replies.
+
+Fixes: b406472b5ad7 ("net: ipv4: avoid mixed n_redirects and rate_tokens usage")
+Reported-and-tested-by: Colin Walters
+Signed-off-by: Paolo Abeni
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/route.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/ipv4/route.c
++++ b/net/ipv4/route.c
+@@ -898,7 +898,7 @@ void ip_rt_send_redirect(struct sk_buff
+ /* Check for load limit; set rate_last to the latest sent
+ * redirect.
+ */
+- if (peer->rate_tokens == 0 ||
++ if (peer->n_redirects == 0 ||
+ time_after(jiffies,
+ (peer->rate_last +
+ (ip_rt_redirect_load << peer->n_redirects)))) {
diff --git a/queue-4.4/netlabel-cope-with-null-catmap.patch b/queue-4.4/netlabel-cope-with-null-catmap.patch
new file mode 100644
index 00000000000..c361bb21258
--- /dev/null
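Review bot: The `peer->n_redirects == 0 ||` shortcut in ip_rt_send_redirect() is not explained by the comment above it, which still only says "Check for load limit"; the reason it is safe for the redirect rate limit lives only in the commit message. I would extend that comment with a line such as `* n_redirects == 0: no redirect sent since the last silence period, so no backoff applies yet.` Separately, `ip_rt_redirect_load << peer->n_redirects` depends on n_redirects being capped below the width of the shifted type; that cap is presumably enforced earlier in the function, outside this hunk, and is worth confirming against the 4.4 tree.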
+++ b/queue-4.4/netlabel-cope-with-null-catmap.patch 
@@ -0,0 +1,71 @@
+From foo@baz Mon 18 May 2020 02:45:04 PM CEST
+From: Paolo Abeni
+Date: Tue, 12 May 2020 14:43:14 +0200
+Subject: netlabel: cope with NULL catmap
+
+From: Paolo Abeni
+
+[ Upstream commit eead1c2ea2509fd754c6da893a94f0e69e83ebe4 ]
+
+The cipso and calipso code can set the MLS_CAT attribute on
+successful parsing, even if the corresponding catmap has
+not been allocated, as per current configuration and external
+input.
+
+Later, selinux code tries to access the catmap if the MLS_CAT flag
+is present via netlbl_catmap_getlong(). That may cause null ptr
+dereference while processing incoming network traffic.
+
+Address the issue setting the MLS_CAT flag only if the catmap is
+really allocated. Additionally let netlbl_catmap_getlong() cope
+with NULL catmap.
+
+Reported-by: Matthew Sheets
+Fixes: 4b8feff251da ("netlabel: fix the horribly broken catmap functions")
+Fixes: ceba1832b1b2 ("calipso: Set the calipso socket label to match the secattr.")
+Signed-off-by: Paolo Abeni
+Acked-by: Paul Moore
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/ipv4/cipso_ipv4.c | 6 ++++--
+ net/netlabel/netlabel_kapi.c | 6 ++++++
+ 2 files changed, 10 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/cipso_ipv4.c
++++ b/net/ipv4/cipso_ipv4.c
+@@ -1343,7 +1343,8 @@ static int cipso_v4_parsetag_rbm(const s
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+@@ -1524,7 +1525,8 @@ static int cipso_v4_parsetag_rng(const s
+ return ret_val;
+ }
+
+- secattr->flags |= NETLBL_SECATTR_MLS_CAT;
++ if (secattr->attr.mls.cat)
++ secattr->flags |= NETLBL_SECATTR_MLS_CAT;
+ }
+
+ return 0;
+--- a/net/netlabel/netlabel_kapi.c
++++ b/net/netlabel/netlabel_kapi.c
+@@ -605,6 +605,12 @@ int netlbl_catmap_getlong(struct netlbl_
+ if ((off & (BITS_PER_LONG - 1)) != 0)
+ return -EINVAL;
+
++ /* a null catmap is equivalent to an empty one */
++ if (!catmap) {
++ *offset = (u32)-1;
++ return 0;
++ }
++
+ if (off < catmap->startbit) {
+ off = catmap->startbit;
+ *offset = off;
diff --git a/queue-4.4/series b/queue-4.4/series
index 36ef862e7b9..0cca6da181a 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
@@ -66,3 +66,6 @@ blk-mq-sync-the-update-nr_hw_queues-with-blk_mq_queue_tag_busy_iter.patch
 blk-mq-allow-blocking-queue-tag-iter-callbacks.patch
 x86-paravirt-remove-the-unused-irq_enable_sysexit-pv-op.patch
 gcc-10-avoid-shadowing-standard-library-free-in-crypto.patch
+net-fix-a-potential-recursive-netdev_feat_change.patch
+net-ipv4-really-enforce-backoff-for-redirects.patch
+netlabel-cope-with-null-catmap.patch
--
2.47.3
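Review bot: In the netlabel_kapi.c hunk, the NULL-catmap branch of netlbl_catmap_getlong() returns 0 after writing only `*offset = (u32)-1`, so any other output parameter the function fills on its normal path stays unwritten and callers must test the offset before using it. The added comment could say so: `/* a null catmap is equivalent to an empty one: report end-of-map via *offset and leave the other outputs untouched */`. The two cipso_ipv4.c hunks guard the flag only in cipso_v4_parsetag_rbm() and cipso_v4_parsetag_rng(); whether another tag parser in that file sets NETLBL_SECATTR_MLS_CAT the same way is not visible here, so the getlong check is the backstop for anything left. The message also names calipso and a calipso Fixes: tag while the diffstat touches no calipso file, presumably because that code is absent from 4.4; that is worth confirming. All three functions start outside their hunks.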