From a6d16994c7a45dcee66f4ead659d1f149d2e39a3 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 10 Apr 2021 16:15:53 +0200
Subject: [PATCH] 4.14-stable patches

added patches:
batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
net-ensure-mac-header-is-set-in-virtio_net_hdr_to_skb.patch
---
 ...adv_tvlv_tt_vlan_data-reserved-field.patch | 48 ++++++++++++
 ...ader-is-set-in-virtio_net_hdr_to_skb.patch | 77 +++++++++++++++++++
 queue-4.14/series | 2 +
 3 files changed, 127 insertions(+)
 create mode 100644 queue-4.14/batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
 create mode 100644 queue-4.14/net-ensure-mac-header-is-set-in-virtio_net_hdr_to_skb.patch

diff --git a/queue-4.14/batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch b/queue-4.14/batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
new file mode 100644
index 00000000000..c0e700f812a
--- /dev/null
+++ b/queue-4.14/batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
@@ -0,0 +1,48 @@
+From 08c27f3322fec11950b8f1384aa0f3b11d028528 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Mon, 5 Apr 2021 19:16:50 +0900
+Subject: batman-adv: initialize "struct batadv_tvlv_tt_vlan_data"->reserved field
+
+From: Tetsuo Handa
+
+commit 08c27f3322fec11950b8f1384aa0f3b11d028528 upstream.
+
+KMSAN found uninitialized value at batadv_tt_prepare_tvlv_local_data()
+[1], for commit ced72933a5e8ab52 ("batman-adv: use CRC32C instead of CRC16
+in TT code") inserted 'reserved' field into "struct batadv_tvlv_tt_data"
+and commit 7ea7b4a142758dea ("batman-adv: make the TT CRC logic VLAN
+specific") moved that field to "struct batadv_tvlv_tt_vlan_data" but left
+that field uninitialized.
+
+[1] https://syzkaller.appspot.com/bug?id=07f3e6dba96f0eb3cabab986adcd8a58b9bdbe9d
+
+Reported-by: syzbot
+Tested-by: syzbot
+Signed-off-by: Tetsuo Handa
+Fixes: ced72933a5e8ab52 ("batman-adv: use CRC32C instead of CRC16 in TT code")
+Fixes: 7ea7b4a142758dea ("batman-adv: make the TT CRC logic VLAN specific")
+Acked-by: Sven Eckelmann
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ net/batman-adv/translation-table.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/batman-adv/translation-table.c
++++ b/net/batman-adv/translation-table.c
+@@ -902,6 +902,7 @@ batadv_tt_prepare_tvlv_global_data(struc
+ hlist_for_each_entry_rcu(vlan, &orig_node->vlan_list, list) {
+ tt_vlan->vid = htons(vlan->vid);
+ tt_vlan->crc = htonl(vlan->tt.crc);
++ tt_vlan->reserved = 0;
+
+ tt_vlan++;
+ }
+@@ -985,6 +986,7 @@ batadv_tt_prepare_tvlv_local_data(struct
+
+ tt_vlan->vid = htons(vlan->vid);
+ tt_vlan->crc = htonl(vlan->tt.crc);
++ tt_vlan->reserved = 0;
+
+ tt_vlan++;
+ }
diff --git a/queue-4.14/net-ensure-mac-header-is-set-in-virtio_net_hdr_to_skb.patch b/queue-4.14/net-ensure-mac-header-is-set-in-virtio_net_hdr_to_skb.patch
new file mode 100644
index 00000000000..001b98e2fe8
--- /dev/null
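Review bot: The two added `tt_vlan->reserved = 0;` lines (inner hunks at translation-table.c:902 and :985) carry no comment saying why a field named reserved has to be written at all, which is exactly the kind of assignment a later cleanup is tempted to drop; the commit message says KMSAN flagged the uninitialized value, and the batadv_tvlv_tt_vlan_data entries are, as far as the surrounding code suggests, a TVLV payload handed to other nodes, so leaving it unset would ship uninitialized kernel memory. A one-line comment above each assignment would preserve that reasoning: `/* reserved is part of the wire format: zero it so no uninitialized memory is transmitted */`. Both enclosing functions, batadv_tt_prepare_tvlv_global_data() and batadv_tt_prepare_tvlv_local_data(), start and end outside the hunk, and the struct definition is not on the page, so confirm that the 4.14 tree's struct batadv_tvlv_tt_vlan_data actually has the reserved member before queuing.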
+++ b/queue-4.14/net-ensure-mac-header-is-set-in-virtio_net_hdr_to_skb.patch 
@@ -0,0 +1,77 @@
+From 61431a5907fc36d0738e9a547c7e1556349a03e9 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet
+Date: Tue, 30 Mar 2021 16:43:43 -0700
+Subject: net: ensure mac header is set in virtio_net_hdr_to_skb()
+
+From: Eric Dumazet
+
+commit 61431a5907fc36d0738e9a547c7e1556349a03e9 upstream.
+
+Commit 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct")
+added a call to dev_parse_header_protocol() but mac_header is not yet set.
+
+This means that eth_hdr() reads complete garbage, and syzbot complained about it [1]
+
+This patch resets mac_header earlier, to get more coverage about this change.
+
+Audit of virtio_net_hdr_to_skb() callers shows that this change should be safe.
+
+[1]
+
+BUG: KASAN: use-after-free in eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282
+Read of size 2 at addr ffff888017a6200b by task syz-executor313/8409
+
+CPU: 1 PID: 8409 Comm: syz-executor313 Not tainted 5.12.0-rc2-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+Call Trace:
+ __dump_stack lib/dump_stack.c:79 [inline]
+ dump_stack+0x141/0x1d7 lib/dump_stack.c:120
+ print_address_description.constprop.0.cold+0x5b/0x2f8 mm/kasan/report.c:232
+ __kasan_report mm/kasan/report.c:399 [inline]
+ kasan_report.cold+0x7c/0xd8 mm/kasan/report.c:416
+ eth_header_parse_protocol+0xdc/0xe0 net/ethernet/eth.c:282
+ dev_parse_header_protocol include/linux/netdevice.h:3177 [inline]
+ virtio_net_hdr_to_skb.constprop.0+0x99d/0xcd0 include/linux/virtio_net.h:83
+ packet_snd net/packet/af_packet.c:2994 [inline]
+ packet_sendmsg+0x2325/0x52b0 net/packet/af_packet.c:3031
+ sock_sendmsg_nosec net/socket.c:654 [inline]
+ sock_sendmsg+0xcf/0x120 net/socket.c:674
+ sock_no_sendpage+0xf3/0x130 net/core/sock.c:2860
+ kernel_sendpage.part.0+0x1ab/0x350 net/socket.c:3631
+ kernel_sendpage net/socket.c:3628 [inline]
+ sock_sendpage+0xe5/0x140 net/socket.c:947
+ pipe_to_sendpage+0x2ad/0x380 fs/splice.c:364
+ splice_from_pipe_feed fs/splice.c:418 [inline]
+ __splice_from_pipe+0x43e/0x8a0 fs/splice.c:562
+ splice_from_pipe fs/splice.c:597 [inline]
+ generic_splice_sendpage+0xd4/0x140 fs/splice.c:746
+ do_splice_from fs/splice.c:767 [inline]
+ do_splice+0xb7e/0x1940 fs/splice.c:1079
+ __do_splice+0x134/0x250 fs/splice.c:1144
+ __do_sys_splice fs/splice.c:1350 [inline]
+ __se_sys_splice fs/splice.c:1332 [inline]
+ __x64_sys_splice+0x198/0x250 fs/splice.c:1332
+ do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46
+
+Fixes: 924a9bc362a5 ("net: check if protocol extracted by virtio_net_hdr_set_proto is correct")
+Signed-off-by: Eric Dumazet
+Cc: Balazs Nemeth
+Cc: Willem de Bruijn
+Reported-by: syzbot
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/linux/virtio_net.h | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/include/linux/virtio_net.h
++++ b/include/linux/virtio_net.h
+@@ -62,6 +62,8 @@ static inline int virtio_net_hdr_to_skb(
+ return -EINVAL;
+ }
+
++ skb_reset_mac_header(skb);
++
+ if (hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM) {
+ u16 start = __virtio16_to_cpu(little_endian, hdr->csum_start);
+ u16 off = __virtio16_to_cpu(little_endian, hdr->csum_offset);
diff --git a/queue-4.14/series b/queue-4.14/series
index 8f018cbde4a..08ad4d5bdcf 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
@@ -12,3 +12,5 @@ fs-direct-io-fix-missing-sdio-boundary.patch
 parisc-parisc-agp-requires-sba-iommu-driver.patch
 parisc-avoid-a-warning-on-u8-cast-for-cmpxchg-on-u8-pointers.patch
 arm-dts-turris-omnia-configure-led-intn-pin-as-interrupt-pin.patch
+batman-adv-initialize-struct-batadv_tvlv_tt_vlan_data-reserved-field.patch
+net-ensure-mac-header-is-set-in-virtio_net_hdr_to_skb.patch
-- 
2.47.3
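Review bot: The new `skb_reset_mac_header(skb);` at virtio_net.h:62 is justified in the description by the dev_parse_header_protocol() call that 924a9bc362a5 added, but neither that call nor the rest of virtio_net_hdr_to_skb() is inside the hunk, so the backport's correctness rests on two things this page does not show: that 924a9bc362a5 is already in the 4.14 tree, and that in the 4.14 version of the function the reset lands before that call rather than after it. The caller audit mentioned in the description was done against mainline; the 4.14 callers of virtio_net_hdr_to_skb() (af_packet is the one in the KASAN trace, tun and tap are the other usual ones) deserve a separate check, since any caller that relied on a mac_header it had set earlier now has it reset to skb->data. A short comment would also keep the intent from being lost in a future refactor, e.g. `/* dev_parse_header_protocol() later in this function reads the MAC header; set it before any protocol check */`. The function's body starts and ends outside the hunk; the series hunk that follows is a plain list addition.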