From 4a8f5f4260b87d87c682a69fe67b9ad5275edbe1 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Date: Tue, 13 May 2014 16:55:56 -0700
Subject: [PATCH] 3.14-stable patches

added patches:
	netfilter-can-t-fail-and-free-after-table-replacement.patch
	netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
	netfilter-nf_tables-set-names-cannot-be-larger-than-15-bytes.patch
---
 ...ail-and-free-after-table-replacement.patch | 91 +++++++++++++++++++
 ...-reserve-two-bytes-for-nf_ct_ext-len.patch | 54 +++++++++++
 ...names-cannot-be-larger-than-15-bytes.patch | 32 +++++++
 queue-3.14/series                             |  3 +
 4 files changed, 180 insertions(+)
 create mode 100644 queue-3.14/netfilter-can-t-fail-and-free-after-table-replacement.patch
 create mode 100644 queue-3.14/netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
 create mode 100644 queue-3.14/netfilter-nf_tables-set-names-cannot-be-larger-than-15-bytes.patch

diff --git a/queue-3.14/netfilter-can-t-fail-and-free-after-table-replacement.patch b/queue-3.14/netfilter-can-t-fail-and-free-after-table-replacement.patch
new file mode 100644
index 00000000000..8b3f521ca94
--- /dev/null
+++ b/queue-3.14/netfilter-can-t-fail-and-free-after-table-replacement.patch
@@ -0,0 +1,91 @@
+From c58dd2dd443c26d856a168db108a0cd11c285bf3 Mon Sep 17 00:00:00 2001
+From: Thomas Graf <tgraf@suug.ch>
+Date: Fri, 4 Apr 2014 17:57:45 +0200
+Subject: netfilter: Can't fail and free after table replacement
+
+From: Thomas Graf <tgraf@suug.ch>
+
+commit c58dd2dd443c26d856a168db108a0cd11c285bf3 upstream.
+
+All xtables variants suffer from the defect that the copy_to_user()
+to copy the counters to user memory may fail after the table has
+already been exchanged and thus exposed. Return an error at this
+point will result in freeing the already exposed table. Any
+subsequent packet processing will result in a kernel panic.
+
+We can't copy the counters before exposing the new tables as we
+want provide the counter state after the old table has been
+unhooked. Therefore convert this into a silent error.
+
+Cc: Florian Westphal <fw@strlen.de>
+Signed-off-by: Thomas Graf <tgraf@suug.ch>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c |    5 ++---
+ net/ipv4/netfilter/arp_tables.c |    6 ++++--
+ net/ipv4/netfilter/ip_tables.c  |    6 ++++--
+ net/ipv6/netfilter/ip6_tables.c |    6 ++++--
+ 4 files changed, 14 insertions(+), 9 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1044,10 +1044,9 @@ static int do_replace_finish(struct net
+ 	if (repl->num_counters &&
+ 	   copy_to_user(repl->counters, counterstmp,
+ 	   repl->num_counters * sizeof(struct ebt_counter))) {
+-		ret = -EFAULT;
++		/* Silent error, can't fail, new table is already in place */
++		net_warn_ratelimited("ebtables: counters copy to user failed while replacing table\n");
+ 	}
+-	else
+-		ret = 0;
+ 
+ 	/* decrease module count and free resources */
+ 	EBT_ENTRY_ITERATE(table->entries, table->entries_size,
+--- a/net/ipv4/netfilter/arp_tables.c
++++ b/net/ipv4/netfilter/arp_tables.c
+@@ -1044,8 +1044,10 @@ static int __do_replace(struct net *net,
+ 
+ 	xt_free_table_info(oldinfo);
+ 	if (copy_to_user(counters_ptr, counters,
+-			 sizeof(struct xt_counters) * num_counters) != 0)
+-		ret = -EFAULT;
++			 sizeof(struct xt_counters) * num_counters) != 0) {
++		/* Silent error, can't fail, new table is already in place */
++		net_warn_ratelimited("arptables: counters copy to user failed while replacing table\n");
++	}
+ 	vfree(counters);
+ 	xt_table_unlock(t);
+ 	return ret;
+--- a/net/ipv4/netfilter/ip_tables.c
++++ b/net/ipv4/netfilter/ip_tables.c
+@@ -1231,8 +1231,10 @@ __do_replace(struct net *net, const char
+ 
+ 	xt_free_table_info(oldinfo);
+ 	if (copy_to_user(counters_ptr, counters,
+-			 sizeof(struct xt_counters) * num_counters) != 0)
+-		ret = -EFAULT;
++			 sizeof(struct xt_counters) * num_counters) != 0) {
++		/* Silent error, can't fail, new table is already in place */
++		net_warn_ratelimited("iptables: counters copy to user failed while replacing table\n");
++	}
+ 	vfree(counters);
+ 	xt_table_unlock(t);
+ 	return ret;
+--- a/net/ipv6/netfilter/ip6_tables.c
++++ b/net/ipv6/netfilter/ip6_tables.c
+@@ -1241,8 +1241,10 @@ __do_replace(struct net *net, const char
+ 
+ 	xt_free_table_info(oldinfo);
+ 	if (copy_to_user(counters_ptr, counters,
+-			 sizeof(struct xt_counters) * num_counters) != 0)
+-		ret = -EFAULT;
++			 sizeof(struct xt_counters) * num_counters) != 0) {
++		/* Silent error, can't fail, new table is already in place */
++		net_warn_ratelimited("ip6tables: counters copy to user failed while replacing table\n");
++	}
+ 	vfree(counters);
+ 	xt_table_unlock(t);
+ 	return ret;
diff --git a/queue-3.14/netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch b/queue-3.14/netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
new file mode 100644
index 00000000000..43dca4782f8
--- /dev/null
+++ b/queue-3.14/netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
@@ -0,0 +1,54 @@
+From 223b02d923ecd7c84cf9780bb3686f455d279279 Mon Sep 17 00:00:00 2001
+From: Andrey Vagin <avagin@openvz.org>
+Date: Fri, 28 Mar 2014 13:54:32 +0400
+Subject: netfilter: nf_conntrack: reserve two bytes for nf_ct_ext->len
+
+From: Andrey Vagin <avagin@openvz.org>
+
+commit 223b02d923ecd7c84cf9780bb3686f455d279279 upstream.
+
+"len" contains sizeof(nf_ct_ext) and size of extensions. In a worst
+case it can contain all extensions. Bellow you can find sizes for all
+types of extensions. Their sum is definitely bigger than 256.
+
+nf_ct_ext_types[0]->len = 24
+nf_ct_ext_types[1]->len = 32
+nf_ct_ext_types[2]->len = 24
+nf_ct_ext_types[3]->len = 32
+nf_ct_ext_types[4]->len = 152
+nf_ct_ext_types[5]->len = 2
+nf_ct_ext_types[6]->len = 16
+nf_ct_ext_types[7]->len = 8
+
+I have seen "len" up to 280 and my host has crashes w/o this patch.
+
+The right way to fix this problem is reducing the size of the ecache
+extension (4) and Florian is going to do this, but these changes will
+be quite large to be appropriate for a stable tree.
+
+Fixes: 5b423f6a40a0 (netfilter: nf_conntrack: fix racy timer handling with reliable)
+Cc: Pablo Neira Ayuso <pablo@netfilter.org>
+Cc: Patrick McHardy <kaber@trash.net>
+Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Cc: "David S. Miller" <davem@davemloft.net>
+Signed-off-by: Andrey Vagin <avagin@openvz.org>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_conntrack_extend.h |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_extend.h
++++ b/include/net/netfilter/nf_conntrack_extend.h
+@@ -47,8 +47,8 @@ enum nf_ct_ext_id {
+ /* Extensions: optional stuff which isn't permanently in struct. */
+ struct nf_ct_ext {
+ 	struct rcu_head rcu;
+-	u8 offset[NF_CT_EXT_NUM];
+-	u8 len;
++	u16 offset[NF_CT_EXT_NUM];
++	u16 len;
+ 	char data[0];
+ };
+ 
diff --git a/queue-3.14/netfilter-nf_tables-set-names-cannot-be-larger-than-15-bytes.patch b/queue-3.14/netfilter-nf_tables-set-names-cannot-be-larger-than-15-bytes.patch
new file mode 100644
index 00000000000..6b8431f7bcf
--- /dev/null
+++ b/queue-3.14/netfilter-nf_tables-set-names-cannot-be-larger-than-15-bytes.patch
@@ -0,0 +1,32 @@
+From a9bdd8365684810e3de804f8c51e52c26a5eccbb Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Mon, 24 Mar 2014 15:10:37 +0100
+Subject: netfilter: nf_tables: set names cannot be larger than 15 bytes
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit a9bdd8365684810e3de804f8c51e52c26a5eccbb upstream.
+
+Currently, nf_tables trims off the set name if it exceeeds 15
+bytes, so explicitly reject set names that are too large.
+
+Reported-by: Giuseppe Longo <giuseppelng@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_tables_api.c |    3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -1934,7 +1934,8 @@ static const struct nft_set_ops *nft_sel
+ 
+ static const struct nla_policy nft_set_policy[NFTA_SET_MAX + 1] = {
+ 	[NFTA_SET_TABLE]		= { .type = NLA_STRING },
+-	[NFTA_SET_NAME]			= { .type = NLA_STRING },
++	[NFTA_SET_NAME]			= { .type = NLA_STRING,
++					    .len = IFNAMSIZ - 1 },
+ 	[NFTA_SET_FLAGS]		= { .type = NLA_U32 },
+ 	[NFTA_SET_KEY_TYPE]		= { .type = NLA_U32 },
+ 	[NFTA_SET_KEY_LEN]		= { .type = NLA_U32 },
diff --git a/queue-3.14/series b/queue-3.14/series
index adc0e8b038e..7d01f708991 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -6,4 +6,7 @@ tools-lib-traceevent-fix-memory-leak-in-pretty_print.patch
 pid-get-pid_t-ppid-of-task-in-init_pid_ns.patch
 audit-convert-ppids-to-the-inital-pid-namespace.patch
 netfilter-nf_tables-fix-nft_cmp_fast-failure-on-big-endian-for-size-4.patch
+netfilter-nf_conntrack-reserve-two-bytes-for-nf_ct_ext-len.patch
 blktrace-fix-accounting-of-partially-completed-requests.patch
+netfilter-can-t-fail-and-free-after-table-replacement.patch
+netfilter-nf_tables-set-names-cannot-be-larger-than-15-bytes.patch
-- 
2.47.3