From 82b35308282f2fc1d0ec7b118d83a018d7bc05f9 Mon Sep 17 00:00:00 2001
From: Sasha Levin
Date: Sat, 30 Jul 2022 22:41:31 -0400
Subject: [PATCH] Fixes for 4.9
Signed-off-by: Sasha Levin
---
 ...dd-of_node_put-for-reference-returne.patch | 37 +++++++++++++
 ...ue-do-not-allow-packet-truncation-be.patch | 53 +++++++++++++++++++
 queue-4.9/series | 2 +
 3 files changed, 92 insertions(+)
 create mode 100644 queue-4.9/net-sungem_phy-add-of_node_put-for-reference-returne.patch
 create mode 100644 queue-4.9/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch
diff --git a/queue-4.9/net-sungem_phy-add-of_node_put-for-reference-returne.patch b/queue-4.9/net-sungem_phy-add-of_node_put-for-reference-returne.patch
new file mode 100644
index 00000000000..7b8f35bf875
--- /dev/null
+++ b/queue-4.9/net-sungem_phy-add-of_node_put-for-reference-returne.patch
@@ -0,0 +1,37 @@
+From 3a682597a5d3abbbe7a73e84afe7faf71ae6c5c1 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 20 Jul 2022 21:10:03 +0800
+Subject: net: sungem_phy: Add of_node_put() for reference returned by
+ of_get_parent()
+
+From: Liang He
+
+[ Upstream commit ebbbe23fdf6070e31509638df3321688358cc211 ]
+
+In bcm5421_init(), we should call of_node_put() for the reference
+returned by of_get_parent() which has increased the refcount.
+
+Fixes: 3c326fe9cb7a ("[PATCH] ppc64: Add new PHY to sungem")
+Signed-off-by: Liang He
+Link: https://lore.kernel.org/r/20220720131003.1287426-1-windhl@126.com
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Sasha Levin
+---
+ drivers/net/sungem_phy.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/drivers/net/sungem_phy.c b/drivers/net/sungem_phy.c
+index 92578d72e4ee..c5efdde21c2e 100644
+--- a/drivers/net/sungem_phy.c
++++ b/drivers/net/sungem_phy.c
+@@ -453,6 +453,7 @@ static int bcm5421_init(struct mii_phy* phy)
+ int can_low_power = 1;
+ if (np == NULL || of_get_property(np, "no-autolowpower", NULL))
+ can_low_power = 0;
++ of_node_put(np);
+ if (can_low_power) {
+ /* Enable automatic low-power */
+ sungem_phy_write(phy, 0x1c, 0x9002);
+--
+2.35.1
+
diff --git a/queue-4.9/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch b/queue-4.9/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch
new file mode 100644
index 00000000000..c59b0cbf40e
--- /dev/null
+++ b/queue-4.9/netfilter-nf_queue-do-not-allow-packet-truncation-be.patch
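Review bot: In the queued sungem_phy patch, the added `of_node_put(np);` also runs when `np` is NULL, because the preceding test treats `np == NULL` as a valid outcome. That is safe only because of_node_put() tolerates a NULL node, and a short comment such as `/* np may be NULL; of_node_put() accepts that */` would keep a later edit from placing a dereference below the put. The visible context does not use `np` after the put, but bcm5421_init() starts and continues outside the hunk, so a later use in the 4.9 tree should be ruled out before the backport is accepted.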
@@ -0,0 +1,53 @@
+From 3feb1167ad904575cbd5b7df86c43dc6712f09ae Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Tue, 26 Jul 2022 12:42:06 +0200
+Subject: netfilter: nf_queue: do not allow packet truncation below transport
+ header offset
+
+From: Florian Westphal
+
+[ Upstream commit 99a63d36cb3ed5ca3aa6fcb64cffbeaf3b0fb164 ]
+
+Domingo Dirutigliano and Nicola Guerrera report kernel panic when
+sending nf_queue verdict with 1-byte nfta_payload attribute.
+
+The IP/IPv6 stack pulls the IP(v6) header from the packet after the
+input hook.
+
+If user truncates the packet below the header size, this skb_pull() will
+result in a malformed skb (skb->len < 0).
+
+Fixes: 7af4cc3fa158 ("[NETFILTER]: Add "nfnetlink_queue" netfilter queue handler over nfnetlink")
+Reported-by: Domingo Dirutigliano
+Signed-off-by: Florian Westphal
+Reviewed-by: Pablo Neira Ayuso
+Signed-off-by: Sasha Levin
+---
+ net/netfilter/nfnetlink_queue.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/net/netfilter/nfnetlink_queue.c b/net/netfilter/nfnetlink_queue.c
+index 66814a9d030c..80715b495d7c 100644
+--- a/net/netfilter/nfnetlink_queue.c
++++ b/net/netfilter/nfnetlink_queue.c
+@@ -807,11 +807,16 @@ nfqnl_enqueue_packet(struct nf_queue_entry *entry, unsigned int queuenum)
+ }
+
+ static int
+-nfqnl_mangle(void *data, int data_len, struct nf_queue_entry *e, int diff)
++nfqnl_mangle(void *data, unsigned int data_len, struct nf_queue_entry *e, int diff)
+ {
+ struct sk_buff *nskb;
+
+ if (diff < 0) {
++ unsigned int min_len = skb_transport_offset(e->skb);
++
++ if (data_len < min_len)
++ return -EINVAL;
++
+ if (pskb_trim(e->skb, data_len))
+ return -ENOMEM;
+ } else if (diff > 0) {
+--
+2.35.1
+
diff --git a/queue-4.9/series b/queue-4.9/series
index fa1456c5007..2801030bca1 100644
--- a/queue-4.9/series
+++ b/queue-4.9/series
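Review bot: In the queued nfnetlink_queue patch, `unsigned int min_len = skb_transport_offset(e->skb);` stores a signed return value in an unsigned variable, so a negative transport offset would become a very large minimum and every truncating verdict would fail with -EINVAL. That fails closed, which is the safe direction for a length supplied by the userspace queue listener, but the code does not say so. A comment above the check such as `/* the IP stack pulls the network header after the hook; never trim below the transport offset */` would record the invariant. The hunk does not show whether 4.9 sets the transport header for every hook family that can queue, nor how the caller treats the new -EINVAL, and nfqnl_mangle() continues outside the hunk, so both are worth confirming for this backport.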
@@ -2,3 +2,5 @@ bluetooth-l2cap-fix-use-after-free-caused-by-l2cap_chan_put.patch
 ntfs-fix-use-after-free-in-ntfs_ucsncmp.patch
 scsi-ufs-host-hold-reference-returned-by-of_parse_phandle.patch
 net-ping6-fix-memleak-in-ipv6_renew_options.patch
+net-sungem_phy-add-of_node_put-for-reference-returne.patch
+netfilter-nf_queue-do-not-allow-packet-truncation-be.patch
--
2.47.3