From f88f027aecb9bbf70d82cce28ad3f20c5ffc2894 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Mon, 1 Jun 2020 14:36:04 +0200 Subject: [PATCH] 4.14-stable patches added patches: bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch netfilter-ipset-fix-subcounter-update-skip.patch netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch vti4-eliminated-some-duplicate-code.patch xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch xfrm-fix-error-in-comment.patch --- ...e-count-leak-in-bond_sysfs_slave_add.patch | 38 ++++ ...for-transport-mode-in-esp6_gso_encap.patch | 54 +++++ ...ipip-packet-by-calling-ip_tunnel_rcv.patch | 65 ++++++ ...ter-ipset-fix-subcounter-update-skip.patch | 33 +++ ...event-buffer-overflows-in-debug-code.patch | 201 ++++++++++++++++++ ...per-unbreak-userspace-helper-support.patch | 40 ++++ ...ridge-enable-reject-with-bridge-vlan.patch | 38 ++++ ...elease-in-qlcnic_83xx_interrupt_test.patch | 45 ++++ queue-4.14/series | 14 ++ .../vti4-eliminated-some-duplicate-code.patch | 141 ++++++++++++ ...-with-ipv6-nexthdr_hop-in-xfrm_input.patch | 45 ++++ ...inner_protocol-is-set-in-xfrm_output.patch | 97 +++++++++ ...a-null-ptr-deref-in-xfrm_local_error.patch | 65 ++++++ ...a-warning-in-xfrm_policy_insert_list.patch | 76 +++++++ queue-4.14/xfrm-fix-error-in-comment.patch | 31 +++ 15 files changed, 983 insertions(+) create mode 100644 queue-4.14/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch create mode 100644 
queue-4.14/esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch
create mode 100644 queue-4.14/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch
create mode 100644 queue-4.14/netfilter-ipset-fix-subcounter-update-skip.patch
create mode 100644 queue-4.14/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch
create mode 100644 queue-4.14/netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch
create mode 100644 queue-4.14/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
create mode 100644 queue-4.14/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
create mode 100644 queue-4.14/vti4-eliminated-some-duplicate-code.patch
create mode 100644 queue-4.14/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
create mode 100644 queue-4.14/xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch
create mode 100644 queue-4.14/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
create mode 100644 queue-4.14/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
create mode 100644 queue-4.14/xfrm-fix-error-in-comment.patch
diff --git a/queue-4.14/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch b/queue-4.14/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch
new file mode 100644
index 00000000000..534373ae45c
--- /dev/null
+++ b/queue-4.14/bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch
@@ -0,0 +1,38 @@
+From a068aab42258e25094bc2c159948d263ed7d7a77 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu
+Date: Wed, 27 May 2020 22:10:29 -0500
+Subject: bonding: Fix reference count leak in bond_sysfs_slave_add.
+
+From: Qiushi Wu
+
+commit a068aab42258e25094bc2c159948d263ed7d7a77 upstream.
+
+kobject_init_and_add() takes reference even when it fails.
+If this function returns an error, kobject_put() must be called to
+properly clean up the memory associated with the object. Previous
+commit "b8eb718348b8" fixed a similar problem.
+
+Fixes: 07699f9a7c8d ("bonding: add sysfs /slave dir for bond slave devices.")
+Signed-off-by: Qiushi Wu
+Acked-by: Jay Vosburgh
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/bonding/bond_sysfs_slave.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/bonding/bond_sysfs_slave.c
++++ b/drivers/net/bonding/bond_sysfs_slave.c
+@@ -153,8 +153,10 @@ int bond_sysfs_slave_add(struct slave *s
+
+ err = kobject_init_and_add(&slave->kobj, &slave_ktype,
+ &(slave->dev->dev.kobj), "bonding_slave");
+- if (err)
++ if (err) {
++ kobject_put(&slave->kobj);
+ return err;
++ }
+
+ for (a = slave_attrs; *a; ++a) {
+ err = sysfs_create_file(&slave->kobj, &((*a)->attr));
diff --git a/queue-4.14/esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch b/queue-4.14/esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch
new file mode 100644
index 00000000000..83607c17461
--- /dev/null
+++ b/queue-4.14/esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch
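Review bot: The added `kobject_put(&slave->kobj);` on the error path is correct but reads like a put without a matching get, because the reference it drops is the one `kobject_init_and_add()` takes even when it fails; a one-line comment at the put, `/* kobject_init_and_add() took a reference even on failure; drop it */`, would keep a later cleanup from removing it. The kobject is embedded in `struct slave`, so this put can only free anything through the ktype's release callback, which is not visible in this hunk; if `slave_ktype` has no release, the caller still owns the `struct slave` lifetime and must not free it while sysfs may still reference the embedded kobject. `bond_sysfs_slave_add()` starts and ends outside the hunk.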
@@ -0,0 +1,54 @@
+From 3c96ec56828922e3fe5477f75eb3fc02f98f98b5 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Fri, 10 Apr 2020 17:06:56 +0800
+Subject: esp6: get the right proto for transport mode in esp6_gso_encap
+
+From: Xin Long
+
+commit 3c96ec56828922e3fe5477f75eb3fc02f98f98b5 upstream.
+
+For transport mode, when ipv6 nexthdr is set, the packet format might
+be like:
+
+ ----------------------------------------------------
+ | | dest | | | | ESP | ESP |
+ | IP6 hdr| opts.| ESP | TCP | Data | Trailer | ICV |
+ ----------------------------------------------------
+
+What it wants to get for x-proto in esp6_gso_encap() is the proto that
+will be set in ESP nexthdr. So it should skip all ipv6 nexthdrs and
+get the real transport protocol. Othersize, the wrong proto number
+will be set into ESP nexthdr.
+
+This patch is to skip all ipv6 nexthdrs by calling ipv6_skip_exthdr()
+in esp6_gso_encap().
+
+Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6")
+Signed-off-by: Xin Long
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv6/esp6_offload.c | 9 ++++++++-
+ 1 file changed, 8 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/esp6_offload.c
++++ b/net/ipv6/esp6_offload.c
+@@ -121,9 +121,16 @@ static void esp6_gso_encap(struct xfrm_s
+ struct ip_esp_hdr *esph;
+ struct ipv6hdr *iph = ipv6_hdr(skb);
+ struct xfrm_offload *xo = xfrm_offload(skb);
+- int proto = iph->nexthdr;
++ u8 proto = iph->nexthdr;
+
+ skb_push(skb, -skb_network_offset(skb));
++
++ if (x->outer_mode.encap == XFRM_MODE_TRANSPORT) {
++ __be16 frag;
++
++ ipv6_skip_exthdr(skb, sizeof(struct ipv6hdr), &proto, &frag);
++ }
++
+ esph = ip_esp_hdr(skb);
+ *skb_mac_header(skb) = IPPROTO_ESP;
+
diff --git a/queue-4.14/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch b/queue-4.14/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch
new file mode 100644
index 00000000000..fef131ef591
--- /dev/null
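Review bot: The added test reads `x->outer_mode.encap`, which assumes `outer_mode` is embedded in `struct xfrm_state`; as far as I recall the 4.14 tree still declares it as a pointer, in which case this backport needs `if (x->outer_mode->encap == XFRM_MODE_TRANSPORT) {` (or a test on `x->props.mode`) to build, so please confirm against this tree before releasing. Separately, the return value of `ipv6_skip_exthdr()` is discarded, so a truncated or malformed extension-header chain presumably leaves `proto` as a non-transport value that is then written into the ESP next-header; a `< 0` check that bails out would make that case explicit instead of silent. `esp6_gso_encap()` continues beyond the hunk.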
+++ b/queue-4.14/ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch 
@@ -0,0 +1,65 @@
+From 976eba8ab596bab94b9714cd46d38d5c6a2c660d Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Tue, 21 Apr 2020 20:46:11 +0800
+Subject: ip_vti: receive ipip packet by calling ip_tunnel_rcv
+
+From: Xin Long
+
+commit 976eba8ab596bab94b9714cd46d38d5c6a2c660d upstream.
+
+In Commit dd9ee3444014 ("vti4: Fix a ipip packet processing bug in
+'IPCOMP' virtual tunnel"), it tries to receive IPIP packets in vti
+by calling xfrm_input(). This case happens when a small packet or
+frag sent by peer is too small to get compressed.
+
+However, xfrm_input() will still get to the IPCOMP path where skb
+sec_path is set, but never dropped while it should have been done
+in vti_ipcomp4_protocol.cb_handler(vti_rcv_cb), as it's not an
+ipcomp4 packet. This will cause that the packet can never pass
+xfrm4_policy_check() in the upper protocol rcv functions.
+
+So this patch is to call ip_tunnel_rcv() to process IPIP packets
+instead.
+
+Fixes: dd9ee3444014 ("vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel")
+Reported-by: Xiumei Mu
+Signed-off-by: Xin Long
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ip_vti.c | 23 ++++++++++++++++++++++-
+ 1 file changed, 22 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -98,7 +98,28 @@ static int vti_rcv_proto(struct sk_buff
+
+ static int vti_rcv_tunnel(struct sk_buff *skb)
+ {
+- return vti_rcv(skb, ip_hdr(skb)->saddr, true);
++ struct ip_tunnel_net *itn = net_generic(dev_net(skb->dev), vti_net_id);
++ const struct iphdr *iph = ip_hdr(skb);
++ struct ip_tunnel *tunnel;
++
++ tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
++ iph->saddr, iph->daddr, 0);
++ if (tunnel) {
++ struct tnl_ptk_info tpi = {
++ .proto = htons(ETH_P_IP),
++ };
++
++ if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
++ goto drop;
++ if (iptunnel_pull_header(skb, 0, tpi.proto, false))
++ goto drop;
++ return ip_tunnel_rcv(tunnel, skb, &tpi, NULL, false);
++ }
++
++ return -EINVAL;
++drop:
++ kfree_skb(skb);
++ return 0;
+ }
+
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
diff --git a/queue-4.14/netfilter-ipset-fix-subcounter-update-skip.patch b/queue-4.14/netfilter-ipset-fix-subcounter-update-skip.patch
new file mode 100644
index 00000000000..068771ff8d1
--- /dev/null
+++ b/queue-4.14/netfilter-ipset-fix-subcounter-update-skip.patch
@@ -0,0 +1,33 @@
+From a164b95ad6055c50612795882f35e0efda1f1390 Mon Sep 17 00:00:00 2001
+From: Phil Sutter
+Date: Thu, 14 May 2020 13:31:21 +0200
+Subject: netfilter: ipset: Fix subcounter update skip
+
+From: Phil Sutter
+
+commit a164b95ad6055c50612795882f35e0efda1f1390 upstream.
+
+If IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE is set, user requested to not
+update counters in sub sets. Therefore IPSET_FLAG_SKIP_COUNTER_UPDATE
+must be set, not unset.
+
+Fixes: 6e01781d1c80e ("netfilter: ipset: set match: add support to match the counters")
+Signed-off-by: Phil Sutter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipset/ip_set_list_set.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/ipset/ip_set_list_set.c
++++ b/net/netfilter/ipset/ip_set_list_set.c
+@@ -61,7 +61,7 @@ list_set_ktest(struct ip_set *set, const
+ /* Don't lookup sub-counters at all */
+ opt->cmdflags &= ~IPSET_FLAG_MATCH_COUNTERS;
+ if (opt->cmdflags & IPSET_FLAG_SKIP_SUBCOUNTER_UPDATE)
+- opt->cmdflags &= ~IPSET_FLAG_SKIP_COUNTER_UPDATE;
++ opt->cmdflags |= IPSET_FLAG_SKIP_COUNTER_UPDATE;
+ list_for_each_entry_rcu(e, &map->members, list) {
+ if (SET_WITH_TIMEOUT(set) &&
+ ip_set_timeout_expired(ext_timeout(e, set)))
diff --git a/queue-4.14/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch b/queue-4.14/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch
new file mode 100644
index 00000000000..d7e2c235bc5
--- /dev/null
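Review bot: The new `vti_rcv_tunnel()` body deliberately routes plain IPIP payloads through `ip_tunnel_rcv()` instead of `xfrm_input()`, and its `return -EINVAL;` presumably hands the packet to the next registered tunnel handler, but neither is stated in the code; the commit message explains the first, so a comment above the lookup, `/* uncompressed IPIP payload: use the plain tunnel receive path so no sec_path is attached */`, and one at the return, `/* not ours; let the next tunnel handler try */`, would keep that reasoning in the source. The meaning of the `-EINVAL` return is inferred from how tunnel handlers are chained and is not visible in the hunk. This patch rewrites the `vti_rcv_tunnel()` introduced by vti4-eliminated-some-duplicate-code.patch, so the series order (that patch first) has to be preserved.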
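Review bot: The corrected `opt->cmdflags |= IPSET_FLAG_SKIP_COUNTER_UPDATE;` is a one-token change to a line that previously did the opposite, so the intent deserves to be spelled out beside it; the existing `/* Don't lookup sub-counters at all */` comment only covers the `MATCH_COUNTERS` line above it. Suggest extending it to `/* Don't lookup sub-counters at all, and honour the request not to update them either */`. `list_set_ktest()` starts and ends outside the hunk.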
+++ b/queue-4.14/netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch 
@@ -0,0 +1,201 @@
+From 4c559f15efcc43b996f4da528cd7f9483aaca36d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 14 May 2020 14:14:23 +0200
+Subject: netfilter: nf_conntrack_pptp: prevent buffer overflows in debug code
+
+From: Pablo Neira Ayuso
+
+commit 4c559f15efcc43b996f4da528cd7f9483aaca36d upstream.
+
+Dan Carpenter says: "Smatch complains that the value for "cmd" comes
+from the network and can't be trusted."
+
+Add pptp_msg_name() helper function that checks for the array boundary.
+
+Fixes: f09943fefe6b ("[NETFILTER]: nf_conntrack/nf_nat: add PPTP helper port")
+Reported-by: Dan Carpenter
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/netfilter/nf_conntrack_pptp.h | 2
+ net/ipv4/netfilter/nf_nat_pptp.c | 7 ---
+ net/netfilter/nf_conntrack_pptp.c | 62 +++++++++++++++-------------
+ 3 files changed, 38 insertions(+), 33 deletions(-)
+
+--- a/include/linux/netfilter/nf_conntrack_pptp.h
++++ b/include/linux/netfilter/nf_conntrack_pptp.h
+@@ -5,7 +5,7 @@
+
+ #include
+
+-extern const char *const pptp_msg_name[];
++extern const char *const pptp_msg_name(u_int16_t msg);
+
+ /* state of the control session */
+ enum pptp_ctrlsess_state {
+--- a/net/ipv4/netfilter/nf_nat_pptp.c
++++ b/net/ipv4/netfilter/nf_nat_pptp.c
+@@ -165,8 +165,7 @@ pptp_outbound_pkt(struct sk_buff *skb,
+ break;
+ default:
+ pr_debug("unknown outbound packet 0x%04x:%s\n", msg,
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
+- pptp_msg_name[0]);
++ pptp_msg_name(msg));
+ /* fall through */
+ case PPTP_SET_LINK_INFO:
+ /* only need to NAT in case PAC is behind NAT box */
+@@ -267,9 +266,7 @@ pptp_inbound_pkt(struct sk_buff *skb,
+ pcid_off = offsetof(union pptp_ctrl_union, setlink.peersCallID);
+ break;
+ default:
+- pr_debug("unknown inbound packet %s\n",
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] :
+- pptp_msg_name[0]);
++ pr_debug("unknown inbound packet %s\n", pptp_msg_name(msg));
+ /* fall through */
+ case PPTP_START_SESSION_REQUEST:
+ case PPTP_START_SESSION_REPLY:
+--- a/net/netfilter/nf_conntrack_pptp.c
++++ b/net/netfilter/nf_conntrack_pptp.c
+@@ -71,24 +71,32 @@ EXPORT_SYMBOL_GPL(nf_nat_pptp_hook_expec
+
+ #if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)
+ /* PptpControlMessageType names */
+-const char *const pptp_msg_name[] = {
+- "UNKNOWN_MESSAGE",
+- "START_SESSION_REQUEST",
+- "START_SESSION_REPLY",
+- "STOP_SESSION_REQUEST",
+- "STOP_SESSION_REPLY",
+- "ECHO_REQUEST",
+- "ECHO_REPLY",
+- "OUT_CALL_REQUEST",
+- "OUT_CALL_REPLY",
+- "IN_CALL_REQUEST",
+- "IN_CALL_REPLY",
+- "IN_CALL_CONNECT",
+- "CALL_CLEAR_REQUEST",
+- "CALL_DISCONNECT_NOTIFY",
+- "WAN_ERROR_NOTIFY",
+- "SET_LINK_INFO"
++static const char *const pptp_msg_name_array[PPTP_MSG_MAX + 1] = {
++ [0] = "UNKNOWN_MESSAGE",
++ [PPTP_START_SESSION_REQUEST] = "START_SESSION_REQUEST",
++ [PPTP_START_SESSION_REPLY] = "START_SESSION_REPLY",
++ [PPTP_STOP_SESSION_REQUEST] = "STOP_SESSION_REQUEST",
++ [PPTP_STOP_SESSION_REPLY] = "STOP_SESSION_REPLY",
++ [PPTP_ECHO_REQUEST] = "ECHO_REQUEST",
++ [PPTP_ECHO_REPLY] = "ECHO_REPLY",
++ [PPTP_OUT_CALL_REQUEST] = "OUT_CALL_REQUEST",
++ [PPTP_OUT_CALL_REPLY] = "OUT_CALL_REPLY",
++ [PPTP_IN_CALL_REQUEST] = "IN_CALL_REQUEST",
++ [PPTP_IN_CALL_REPLY] = "IN_CALL_REPLY",
++ [PPTP_IN_CALL_CONNECT] = "IN_CALL_CONNECT",
++ [PPTP_CALL_CLEAR_REQUEST] = "CALL_CLEAR_REQUEST",
++ [PPTP_CALL_DISCONNECT_NOTIFY] = "CALL_DISCONNECT_NOTIFY",
++ [PPTP_WAN_ERROR_NOTIFY] = "WAN_ERROR_NOTIFY",
++ [PPTP_SET_LINK_INFO] = "SET_LINK_INFO"
+ };
++
++const char *const pptp_msg_name(u_int16_t msg)
++{
++ if (msg > PPTP_MSG_MAX)
++ return pptp_msg_name_array[0];
++
++ return pptp_msg_name_array[msg];
++}
+ EXPORT_SYMBOL(pptp_msg_name);
+ #endif
+
+@@ -275,7 +283,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ typeof(nf_nat_pptp_hook_inbound) nf_nat_pptp_inbound;
+
+ msg = ntohs(ctlh->messageType);
+- pr_debug("inbound control message %s\n", pptp_msg_name[msg]);
++ pr_debug("inbound control message %s\n", pptp_msg_name(msg));
+
+ switch (msg) {
+ case PPTP_START_SESSION_REPLY:
+@@ -310,7 +318,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ pcid = pptpReq->ocack.peersCallID;
+ if (info->pns_call_id != pcid)
+ goto invalid;
+- pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name[msg],
++ pr_debug("%s, CID=%X, PCID=%X\n", pptp_msg_name(msg),
+ ntohs(cid), ntohs(pcid));
+
+ if (pptpReq->ocack.resultCode == PPTP_OUTCALL_CONNECT) {
+@@ -327,7 +335,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ goto invalid;
+
+ cid = pptpReq->icreq.callID;
+- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+ info->cstate = PPTP_CALL_IN_REQ;
+ info->pac_call_id = cid;
+ break;
+@@ -346,7 +354,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ if (info->pns_call_id != pcid)
+ goto invalid;
+
+- pr_debug("%s, PCID=%X\n", pptp_msg_name[msg], ntohs(pcid));
++ pr_debug("%s, PCID=%X\n", pptp_msg_name(msg), ntohs(pcid));
+ info->cstate = PPTP_CALL_IN_CONF;
+
+ /* we expect a GRE connection from PAC to PNS */
+@@ -356,7 +364,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ case PPTP_CALL_DISCONNECT_NOTIFY:
+ /* server confirms disconnect */
+ cid = pptpReq->disc.callID;
+- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+ info->cstate = PPTP_CALL_NONE;
+
+ /* untrack this call id, unexpect GRE packets */
+@@ -383,7 +391,7 @@ pptp_inbound_pkt(struct sk_buff *skb, un
+ invalid:
+ pr_debug("invalid %s: type=%d cid=%u pcid=%u "
+ "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
++ pptp_msg_name(msg),
+ msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate,
+ ntohs(info->pns_call_id), ntohs(info->pac_call_id));
+ return NF_ACCEPT;
+@@ -403,7 +411,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ typeof(nf_nat_pptp_hook_outbound) nf_nat_pptp_outbound;
+
+ msg = ntohs(ctlh->messageType);
+- pr_debug("outbound control message %s\n", pptp_msg_name[msg]);
++ pr_debug("outbound control message %s\n", pptp_msg_name(msg));
+
+ switch (msg) {
+ case PPTP_START_SESSION_REQUEST:
+@@ -425,7 +433,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ info->cstate = PPTP_CALL_OUT_REQ;
+ /* track PNS call id */
+ cid = pptpReq->ocreq.callID;
+- pr_debug("%s, CID=%X\n", pptp_msg_name[msg], ntohs(cid));
++ pr_debug("%s, CID=%X\n", pptp_msg_name(msg), ntohs(cid));
+ info->pns_call_id = cid;
+ break;
+
+@@ -439,7 +447,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ pcid = pptpReq->icack.peersCallID;
+ if (info->pac_call_id != pcid)
+ goto invalid;
+- pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name[msg],
++ pr_debug("%s, CID=%X PCID=%X\n", pptp_msg_name(msg),
+ ntohs(cid), ntohs(pcid));
+
+ if (pptpReq->icack.resultCode == PPTP_INCALL_ACCEPT) {
+@@ -479,7 +487,7 @@ pptp_outbound_pkt(struct sk_buff *skb, u
+ invalid:
+ pr_debug("invalid %s: type=%d cid=%u pcid=%u "
+ "cstate=%d sstate=%d pns_cid=%u pac_cid=%u\n",
+- msg <= PPTP_MSG_MAX ? pptp_msg_name[msg] : pptp_msg_name[0],
++ pptp_msg_name(msg),
+ msg, ntohs(cid), ntohs(pcid), info->cstate, info->sstate,
+ ntohs(info->pns_call_id), ntohs(info->pac_call_id));
+ return NF_ACCEPT;
diff --git a/queue-4.14/netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch b/queue-4.14/netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch
new file mode 100644
index 00000000000..dfd48d6ec98
--- /dev/null
+++ b/queue-4.14/netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch
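Review bot: `const char *const pptp_msg_name(u_int16_t msg)` qualifies the function's return type, which C ignores and gcc reports as "type qualifiers ignored on function return type" under -Wignored-qualifiers (W=1 builds); both the header declaration and the definition in nf_conntrack_pptp.c should read `const char *pptp_msg_name(u_int16_t msg)`. The bounds handling itself is sound: the array is sized `PPTP_MSG_MAX + 1` and the `msg > PPTP_MSG_MAX` guard maps every out-of-range control-message type from the wire to the `"UNKNOWN_MESSAGE"` slot, which is what the unchecked `pptp_msg_name[msg]` indexing lacked. The definition stays under `#if defined(DEBUG) || defined(CONFIG_DYNAMIC_DEBUG)` while the header declares it unconditionally and nf_nat_pptp.c calls it inside `pr_debug()`; that mirrors the old array's arrangement and presumably relies on the call being compiled out with debugging disabled, which is worth a comment next to the `#if`.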
@@ -0,0 +1,40 @@
+From 703acd70f2496537457186211c2f03e792409e68 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Sun, 24 May 2020 21:04:42 +0200
+Subject: netfilter: nfnetlink_cthelper: unbreak userspace helper support
+
+From: Pablo Neira Ayuso
+
+commit 703acd70f2496537457186211c2f03e792409e68 upstream.
+
+Restore helper data size initialization and fix memcopy of the helper
+data size.
+
+Fixes: 157ffffeb5dc ("netfilter: nfnetlink_cthelper: reject too large userspace allocation requests")
+Reviewed-by: Florian Westphal
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nfnetlink_cthelper.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nfnetlink_cthelper.c
++++ b/net/netfilter/nfnetlink_cthelper.c
+@@ -106,7 +106,7 @@ nfnl_cthelper_from_nlattr(struct nlattr
+ if (help->helper->data_len == 0)
+ return -EINVAL;
+
+- nla_memcpy(help->data, nla_data(attr), sizeof(help->data));
++ nla_memcpy(help->data, attr, sizeof(help->data));
+ return 0;
+ }
+
+@@ -240,6 +240,7 @@ nfnl_cthelper_create(const struct nlattr
+ ret = -ENOMEM;
+ goto err2;
+ }
++ helper->data_len = size;
+
+ helper->flags |= NF_CT_HELPER_F_USERSPACE;
+ memcpy(&helper->tuple, tuple, sizeof(struct nf_conntrack_tuple));
diff --git a/queue-4.14/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch b/queue-4.14/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
new file mode 100644
index 00000000000..3edbf2d0b68
--- /dev/null
+++ b/queue-4.14/netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
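Review bot: `nla_memcpy(help->data, attr, sizeof(help->data));` copies at most the smaller of the attribute payload and the buffer, but the copied length it returns is dropped, so a payload shorter than `help->helper->data_len` is accepted without comment; whether that is intended should be documented, e.g. `/* bounded by nla_len(attr) and sizeof(help->data); a short attribute is tolerated */`, or rejected with `if (nla_len(attr) < help->helper->data_len) return -EINVAL;` if it is not. The restored `helper->data_len = size;` in the second hunk presumably relies on the bound on `size` that the Fixes commit established earlier in `nfnl_cthelper_create()`, outside this hunk, so the check and the assignment are now separated by code not visible here. Both enclosing functions start outside their hunks.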
@@ -0,0 +1,38 @@
+From e9c284ec4b41c827f4369973d2792992849e4fa5 Mon Sep 17 00:00:00 2001
+From: Michael Braun
+Date: Wed, 6 May 2020 11:46:25 +0200
+Subject: netfilter: nft_reject_bridge: enable reject with bridge vlan
+
+From: Michael Braun
+
+commit e9c284ec4b41c827f4369973d2792992849e4fa5 upstream.
+
+Currently, using the bridge reject target with tagged packets
+results in untagged packets being sent back.
+
+Fix this by mirroring the vlan id as well.
+
+Fixes: 85f5b3086a04 ("netfilter: bridge: add reject support")
+Signed-off-by: Michael Braun
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bridge/netfilter/nft_reject_bridge.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/net/bridge/netfilter/nft_reject_bridge.c
++++ b/net/bridge/netfilter/nft_reject_bridge.c
+@@ -34,6 +34,12 @@ static void nft_reject_br_push_etherhdr(
+ ether_addr_copy(eth->h_dest, eth_hdr(oldskb)->h_source);
+ eth->h_proto = eth_hdr(oldskb)->h_proto;
+ skb_pull(nskb, ETH_HLEN);
++
++ if (skb_vlan_tag_present(oldskb)) {
++ u16 vid = skb_vlan_tag_get(oldskb);
++
++ __vlan_hwaccel_put_tag(nskb, oldskb->vlan_proto, vid);
++ }
+ }
+
+ static int nft_bridge_iphdr_validate(struct sk_buff *skb)
diff --git a/queue-4.14/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch b/queue-4.14/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
new file mode 100644
index 00000000000..99884a1e8da
--- /dev/null
+++ b/queue-4.14/qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
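Review bot: The local is named `vid`, but `skb_vlan_tag_get()` returns the whole 16-bit TCI (priority and DEI bits included) and `__vlan_hwaccel_put_tag()` expects a TCI, so the name under-describes what is mirrored back; `u16 vlan_tci = skb_vlan_tag_get(oldskb);` or a comment `/* mirror the full TCI, not just the VID */` would make that explicit. Passing `oldskb->vlan_proto` alongside it is the right choice, as it keeps 802.1ad-tagged rejects on the same tag type as the original. `nft_reject_br_push_etherhdr()` starts outside the hunk.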
@@ -0,0 +1,45 @@
+From 15c973858903009e995b2037683de29dfe968621 Mon Sep 17 00:00:00 2001
+From: Qiushi Wu
+Date: Mon, 25 May 2020 03:24:39 -0500
+Subject: qlcnic: fix missing release in qlcnic_83xx_interrupt_test.
+
+From: Qiushi Wu
+
+commit 15c973858903009e995b2037683de29dfe968621 upstream.
+
+In function qlcnic_83xx_interrupt_test(), function
+qlcnic_83xx_diag_alloc_res() is not handled by function
+qlcnic_83xx_diag_free_res() after a call of the function
+qlcnic_alloc_mbx_args() failed. Fix this issue by adding
+a jump target "fail_mbx_args", and jump to this new target
+when qlcnic_alloc_mbx_args() failed.
+
+Fixes: b6b4316c8b2f ("qlcnic: Handle qlcnic_alloc_mbx_args() failure")
+Signed-off-by: Qiushi Wu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
++++ b/drivers/net/ethernet/qlogic/qlcnic/qlcnic_83xx_hw.c
+@@ -3650,7 +3650,7 @@ int qlcnic_83xx_interrupt_test(struct ne
+ ahw->diag_cnt = 0;
+ ret = qlcnic_alloc_mbx_args(&cmd, adapter, QLCNIC_CMD_INTRPT_TEST);
+ if (ret)
+- goto fail_diag_irq;
++ goto fail_mbx_args;
+
+ if (adapter->flags & QLCNIC_MSIX_ENABLED)
+ intrpt_id = ahw->intr_tbl[0].id;
+@@ -3680,6 +3680,8 @@ int qlcnic_83xx_interrupt_test(struct ne
+
+ done:
+ qlcnic_free_mbx_args(&cmd);
++
++fail_mbx_args:
+ qlcnic_83xx_diag_free_res(netdev, drv_sds_rings);
+
+ fail_diag_irq:
diff --git a/queue-4.14/series b/queue-4.14/series
index c3bd3650146..b2804488070 100644
--- a/queue-4.14/series
+++ b/queue-4.14/series
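Review bot: The unwind ladder now has three labels (`done`, `fail_mbx_args`, `fail_diag_irq`) and nothing says what each one releases, so the next person adding an allocation has to reconstruct the order from the jumps; a comment at the new label, `fail_mbx_args: /* mbx args not allocated: release only the diag resources and below */`, would document the ordering this fix depends on. What `fail_diag_irq:` releases is not visible in the hunk, so I cannot confirm the ladder is complete beyond this point. `qlcnic_83xx_interrupt_test()` starts and ends outside the hunk.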
@@ -53,3 +53,17 @@ parisc-fix-kernel-panic-in-mem_init.patch
 mac80211-mesh-fix-discovery-timer-re-arming-issue-crash.patch
 x86-dma-fix-max-pfn-arithmetic-overflow-on-32-bit-systems.patch
 copy_xstate_to_kernel-don-t-leave-parts-of-destination-uninitialized.patch
+xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
+xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch
+xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
+xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
+xfrm-fix-error-in-comment.patch
+vti4-eliminated-some-duplicate-code.patch
+ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch
+netfilter-nft_reject_bridge-enable-reject-with-bridge-vlan.patch
+netfilter-ipset-fix-subcounter-update-skip.patch
+netfilter-nfnetlink_cthelper-unbreak-userspace-helper-support.patch
+netfilter-nf_conntrack_pptp-prevent-buffer-overflows-in-debug-code.patch
+esp6-get-the-right-proto-for-transport-mode-in-esp6_gso_encap.patch
+qlcnic-fix-missing-release-in-qlcnic_83xx_interrupt_test.patch
+bonding-fix-reference-count-leak-in-bond_sysfs_slave_add.patch
diff --git a/queue-4.14/vti4-eliminated-some-duplicate-code.patch b/queue-4.14/vti4-eliminated-some-duplicate-code.patch
new file mode 100644
index 00000000000..4896263222c
--- /dev/null
+++ b/queue-4.14/vti4-eliminated-some-duplicate-code.patch
@@ -0,0 +1,141 @@
+From f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c Mon Sep 17 00:00:00 2001
+From: Jeremy Sowden
+Date: Sat, 23 Mar 2019 14:43:02 +0000
+Subject: vti4: eliminated some duplicate code.
+
+From: Jeremy Sowden
+
+commit f981c57ffd2d7cf2dd4b6d6f8fcb3965df42f54c upstream.
+
+The ipip tunnel introduced in commit dd9ee3444014 ("vti4: Fix a ipip
+packet processing bug in 'IPCOMP' virtual tunnel") largely duplicated
+the existing vti_input and vti_recv functions. Refactored to
+deduplicate the common code.
+
+Signed-off-by: Jeremy Sowden
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/ipv4/ip_vti.c | 60 +++++++++++++++-----------------------------------
+ 1 file changed, 22 insertions(+), 38 deletions(-)
+
+--- a/net/ipv4/ip_vti.c
++++ b/net/ipv4/ip_vti.c
+@@ -50,7 +50,7 @@ static unsigned int vti_net_id __read_mo
+ static int vti_tunnel_init(struct net_device *dev);
+
+ static int vti_input(struct sk_buff *skb, int nexthdr, __be32 spi,
+- int encap_type)
++ int encap_type, bool update_skb_dev)
+ {
+ struct ip_tunnel *tunnel;
+ const struct iphdr *iph = ip_hdr(skb);
+@@ -65,6 +65,9 @@ static int vti_input(struct sk_buff *skb
+
+ XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+
++ if (update_skb_dev)
++ skb->dev = tunnel->dev;
++
+ return xfrm_input(skb, nexthdr, spi, encap_type);
+ }
+
+@@ -74,47 +77,28 @@ drop:
+ return 0;
+ }
+
+-static int vti_input_ipip(struct sk_buff *skb, int nexthdr, __be32 spi,
+- int encap_type)
++static int vti_input_proto(struct sk_buff *skb, int nexthdr, __be32 spi,
++ int encap_type)
+ {
+- struct ip_tunnel *tunnel;
+- const struct iphdr *iph = ip_hdr(skb);
+- struct net *net = dev_net(skb->dev);
+- struct ip_tunnel_net *itn = net_generic(net, vti_net_id);
+-
+- tunnel = ip_tunnel_lookup(itn, skb->dev->ifindex, TUNNEL_NO_KEY,
+- iph->saddr, iph->daddr, 0);
+- if (tunnel) {
+- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb))
+- goto drop;
+-
+- XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = tunnel;
+-
+- skb->dev = tunnel->dev;
+-
+- return xfrm_input(skb, nexthdr, spi, encap_type);
+- }
+-
+- return -EINVAL;
+-drop:
+- kfree_skb(skb);
+- return 0;
++ return vti_input(skb, nexthdr, spi, encap_type, false);
+ }
+
+-static int vti_rcv(struct sk_buff *skb)
++static int vti_rcv(struct sk_buff *skb, __be32 spi, bool update_skb_dev)
+ {
+ XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+ XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
+
+- return vti_input(skb, ip_hdr(skb)->protocol, 0, 0);
++ return vti_input(skb, ip_hdr(skb)->protocol, spi, 0, update_skb_dev);
+ }
+
+-static int vti_rcv_ipip(struct sk_buff *skb)
++static int vti_rcv_proto(struct sk_buff *skb)
+ {
+- XFRM_SPI_SKB_CB(skb)->family = AF_INET;
+- XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
++ return vti_rcv(skb, 0, false);
++}
+
+- return vti_input_ipip(skb, ip_hdr(skb)->protocol, ip_hdr(skb)->saddr, 0);
++static int vti_rcv_tunnel(struct sk_buff *skb)
++{
++ return vti_rcv(skb, ip_hdr(skb)->saddr, true);
+ }
+
+ static int vti_rcv_cb(struct sk_buff *skb, int err)
+@@ -482,31 +466,31 @@ static void __net_init vti_fb_tunnel_ini
+ }
+
+ static struct xfrm4_protocol vti_esp4_protocol __read_mostly = {
+- .handler = vti_rcv,
+- .input_handler = vti_input,
++ .handler = vti_rcv_proto,
++ .input_handler = vti_input_proto,
+ .cb_handler = vti_rcv_cb,
+ .err_handler = vti4_err,
+ .priority = 100,
+ };
+
+ static struct xfrm4_protocol vti_ah4_protocol __read_mostly = {
+- .handler = vti_rcv,
+- .input_handler = vti_input,
++ .handler = vti_rcv_proto,
++ .input_handler = vti_input_proto,
+ .cb_handler = vti_rcv_cb,
+ .err_handler = vti4_err,
+ .priority = 100,
+ };
+
+ static struct xfrm4_protocol vti_ipcomp4_protocol __read_mostly = {
+- .handler = vti_rcv,
+- .input_handler = vti_input,
++ .handler = vti_rcv_proto,
++ .input_handler = vti_input_proto,
+ .cb_handler = vti_rcv_cb,
+ .err_handler = vti4_err,
+ .priority = 100,
+ };
+
+ static struct xfrm_tunnel ipip_handler __read_mostly = {
+- .handler = vti_rcv_ipip,
++ .handler = vti_rcv_tunnel,
+ .err_handler = vti4_err,
+ .priority = 0,
+ };
diff --git a/queue-4.14/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch b/queue-4.14/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
new file mode 100644
index 00000000000..99780b3a82e
--- /dev/null
+++ b/queue-4.14/xfrm-allow-to-accept-packets-with-ipv6-nexthdr_hop-in-xfrm_input.patch
@@ -0,0 +1,45 @@
+From afcaf61be9d1dbdee5ec186d1dcc67b6b692180f Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Fri, 10 Apr 2020 17:06:01 +0800
+Subject: xfrm: allow to accept packets with ipv6 NEXTHDR_HOP in xfrm_input
+
+From: Xin Long
+
+commit afcaf61be9d1dbdee5ec186d1dcc67b6b692180f upstream.
+
+For beet mode, when it's ipv6 inner address with nexthdrs set,
+the packet format might be:
+
+ ----------------------------------------------------
+ | outer | | dest | | | ESP | ESP |
+ | IP hdr | ESP | opts.| TCP | Data | Trailer | ICV |
+ ----------------------------------------------------
+
+The nexthdr from ESP could be NEXTHDR_HOP(0), so it should
+continue processing the packet when nexthdr returns 0 in
+xfrm_input(). Otherwise, when ipv6 nexthdr is set, the
+packet will be dropped.
+
+I don't see any error cases that nexthdr may return 0. So
+fix it by removing the check for nexthdr == 0.
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Xin Long
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_input.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_input.c
++++ b/net/xfrm/xfrm_input.c
+@@ -402,7 +402,7 @@ resume:
+ dev_put(skb->dev);
+
+ spin_lock(&x->lock);
+- if (nexthdr <= 0) {
++ if (nexthdr < 0) {
+ if (nexthdr == -EBADMSG) {
+ xfrm_audit_state_icvfail(x, skb,
+ x->type->proto);
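Review bot: `vti_input()` gains a bare `bool update_skb_dev` parameter and `vti_rcv()` a `(spi, update_skb_dev)` pair, with the call sites passing literal `false`/`true`, and nothing in the code explains why the tunnel path needs `skb->dev` pointed at the tunnel device before `xfrm_input()` while the protocol path does not. A comment at the new `if (update_skb_dev)`, for example `/* IPIP tunnel receive: presumably attributes the packet to the vti device rather than the underlay; carried over from vti_input_ipip() */`, would preserve the behaviour the refactor moved without restating it. This 2019 refactor is queued as a prerequisite for ip_vti-receive-ipip-packet-by-calling-ip_tunnel_rcv.patch, which rewrites `vti_rcv_tunnel()` again, so the two must stay in series order. `vti_input()` continues beyond its hunks.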
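Review bot: The relaxed test `if (nexthdr < 0) {` now lets a next-header value of 0 through, and 0 is acceptable only because it is `NEXTHDR_HOP`; the commit message says so but the code does not, so a comment above the test, `/* nexthdr 0 is NEXTHDR_HOP, a valid IPv6 extension header, not an error */`, would stop the `<= 0` form from being reintroduced as a "fix". The `resume:` body this sits in starts and ends outside the hunk.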
diff --git a/queue-4.14/xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch b/queue-4.14/xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch
new file mode 100644
index 00000000000..fdefd7be801
--- /dev/null
+++ b/queue-4.14/xfrm-call-xfrm_output_gso-when-inner_protocol-is-set-in-xfrm_output.patch
@@ -0,0 +1,97 @@
+From a204aef9fd77dce1efd9066ca4e44eede99cd858 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Mon, 20 Apr 2020 21:51:09 +0800
+Subject: xfrm: call xfrm_output_gso when inner_protocol is set in xfrm_output
+
+From: Xin Long
+
+commit a204aef9fd77dce1efd9066ca4e44eede99cd858 upstream.
+
+An use-after-free crash can be triggered when sending big packets over
+vxlan over esp with esp offload enabled:
+
+ [] BUG: KASAN: use-after-free in ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
+ [] Call Trace:
+ [] dump_stack+0x75/0xa0
+ [] kasan_report+0x37/0x50
+ [] ipv6_gso_pull_exthdrs.part.8+0x32c/0x4e0
+ [] ipv6_gso_segment+0x2c8/0x13c0
+ [] skb_mac_gso_segment+0x1cb/0x420
+ [] skb_udp_tunnel_segment+0x6b5/0x1c90
+ [] inet_gso_segment+0x440/0x1380
+ [] skb_mac_gso_segment+0x1cb/0x420
+ [] esp4_gso_segment+0xae8/0x1709 [esp4_offload]
+ [] inet_gso_segment+0x440/0x1380
+ [] skb_mac_gso_segment+0x1cb/0x420
+ [] __skb_gso_segment+0x2d7/0x5f0
+ [] validate_xmit_skb+0x527/0xb10
+ [] __dev_queue_xmit+0x10f8/0x2320 <---
+ [] ip_finish_output2+0xa2e/0x1b50
+ [] ip_output+0x1a8/0x2f0
+ [] xfrm_output_resume+0x110e/0x15f0
+ [] __xfrm4_output+0xe1/0x1b0
+ [] xfrm4_output+0xa0/0x200
+ [] iptunnel_xmit+0x5a7/0x920
+ [] vxlan_xmit_one+0x1658/0x37a0 [vxlan]
+ [] vxlan_xmit+0x5e4/0x3ec8 [vxlan]
+ [] dev_hard_start_xmit+0x125/0x540
+ [] __dev_queue_xmit+0x17bd/0x2320 <---
+ [] ip6_finish_output2+0xb20/0x1b80
+ [] ip6_output+0x1b3/0x390
+ [] ip6_xmit+0xb82/0x17e0
+ [] inet6_csk_xmit+0x225/0x3d0
+ [] __tcp_transmit_skb+0x1763/0x3520
+ [] tcp_write_xmit+0xd64/0x5fe0
+ [] __tcp_push_pending_frames+0x8c/0x320
+ [] tcp_sendmsg_locked+0x2245/0x3500
+ [] tcp_sendmsg+0x27/0x40
+
+As on the tx path of vxlan over esp, skb->inner_network_header would be
+set on vxlan_xmit() and xfrm4_tunnel_encap_add(), and the later one can
+overwrite the former one. It causes skb_udp_tunnel_segment() to use a
+wrong skb->inner_network_header, then the issue occurs.
+
+This patch is to fix it by calling xfrm_output_gso() instead when the
+inner_protocol is set, in which gso_segment of inner_protocol will be
+done first.
+
+While at it, also improve some code around.
+
+Fixes: 7862b4058b9f ("esp: Add gso handlers for esp4 and esp6")
+Reported-by: Xiumei Mu
+Signed-off-by: Xin Long
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_output.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -236,18 +236,20 @@ int xfrm_output(struct sock *sk, struct
+ xfrm_state_hold(x);
+
+ if (skb_is_gso(skb)) {
+- skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
++ if (skb->inner_protocol)
++ return xfrm_output_gso(net, sk, skb);
+
+- return xfrm_output2(net, sk, skb);
++ skb_shinfo(skb)->gso_type |= SKB_GSO_ESP;
++ goto out;
+ }
+
+ if (x->xso.dev && x->xso.dev->features & NETIF_F_HW_ESP_TX_CSUM)
+ goto out;
++ } else {
++ if (skb_is_gso(skb))
++ return xfrm_output_gso(net, sk, skb);
+ }
+
+- if (skb_is_gso(skb))
+- return xfrm_output_gso(net, sk, skb);
+-
+ if (skb->ip_summed == CHECKSUM_PARTIAL) {
+ err = skb_checksum_help(skb);
+ if (err) {
diff --git a/queue-4.14/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch b/queue-4.14/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
new file mode 100644
index 00000000000..2506c3aeb84
--- /dev/null
+++ b/queue-4.14/xfrm-fix-a-null-ptr-deref-in-xfrm_local_error.patch
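Review bot: The new early exit `if (skb->inner_protocol) return xfrm_output_gso(net, sk, skb);` diverts a tunnelled GSO skb away from the hardware SKB_GSO_ESP path even though the enclosing offload test (which opens outside the hunk; only its `} else {` is visible) accepted it, and nothing in the code says why. The reason lives only in the commit message, so I would add above the test: `/* Tunnelled (e.g. vxlan) GSO skb: segment the inner protocol first, the ESP tunnel encap overwrites inner_network_header and would corrupt later segmentation. */`. Note also that `return xfrm_output2(net, sk, skb);` became `goto out;`; the `out:` label is outside the hunk, so whether it still ends in `xfrm_output2()` on 4.14 can only be checked against the full file. The branch also took `xfrm_state_hold(x)` just before this new return, and the hunk does not show who owns that reference on the `xfrm_output_gso()` path; worth confirming against the full function.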
@@ -0,0 +1,65 @@
+From f6a23d85d078c2ffde79c66ca81d0a1dde451649 Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Tue, 26 May 2020 17:41:46 +0800
+Subject: xfrm: fix a NULL-ptr deref in xfrm_local_error
+
+From: Xin Long
+
+commit f6a23d85d078c2ffde79c66ca81d0a1dde451649 upstream.
+
+This patch is to fix a crash:
+
+ [ ] kasan: GPF could be caused by NULL-ptr deref or user memory access
+ [ ] general protection fault: 0000 [#1] SMP KASAN PTI
+ [ ] RIP: 0010:ipv6_local_error+0xac/0x7a0
+ [ ] Call Trace:
+ [ ] xfrm6_local_error+0x1eb/0x300
+ [ ] xfrm_local_error+0x95/0x130
+ [ ] __xfrm6_output+0x65f/0xb50
+ [ ] xfrm6_output+0x106/0x46f
+ [ ] udp_tunnel6_xmit_skb+0x618/0xbf0 [ip6_udp_tunnel]
+ [ ] vxlan_xmit_one+0xbc6/0x2c60 [vxlan]
+ [ ] vxlan_xmit+0x6a0/0x4276 [vxlan]
+ [ ] dev_hard_start_xmit+0x165/0x820
+ [ ] __dev_queue_xmit+0x1ff0/0x2b90
+ [ ] ip_finish_output2+0xd3e/0x1480
+ [ ] ip_do_fragment+0x182d/0x2210
+ [ ] ip_output+0x1d0/0x510
+ [ ] ip_send_skb+0x37/0xa0
+ [ ] raw_sendmsg+0x1b4c/0x2b80
+ [ ] sock_sendmsg+0xc0/0x110
+
+This occurred when sending a v4 skb over vxlan6 over ipsec, in which case
+skb->protocol == htons(ETH_P_IPV6) while skb->sk->sk_family == AF_INET in
+xfrm_local_error(). Then it will go to xfrm6_local_error() where it tries
+to get ipv6 info from a ipv4 sk.
+
+This issue was actually fixed by Commit 628e341f319f ("xfrm: make local
+error reporting more robust"), but brought back by Commit 844d48746e4b
+("xfrm: choose protocol family by skb protocol").
+
+So to fix it, we should call xfrm6_local_error() only when skb->protocol
+is htons(ETH_P_IPV6) and skb->sk->sk_family is AF_INET6.
+
+Fixes: 844d48746e4b ("xfrm: choose protocol family by skb protocol")
+Reported-by: Xiumei Mu
+Signed-off-by: Xin Long
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_output.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/xfrm/xfrm_output.c
++++ b/net/xfrm/xfrm_output.c
+@@ -286,7 +286,8 @@ void xfrm_local_error(struct sk_buff *sk
+
+ if (skb->protocol == htons(ETH_P_IP))
+ proto = AF_INET;
+- else if (skb->protocol == htons(ETH_P_IPV6))
++ else if (skb->protocol == htons(ETH_P_IPV6) &&
++ skb->sk->sk_family == AF_INET6)
+ proto = AF_INET6;
+ else
+ return;
diff --git a/queue-4.14/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch b/queue-4.14/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
new file mode 100644
index 00000000000..573ff584557
--- /dev/null
+++ b/queue-4.14/xfrm-fix-a-warning-in-xfrm_policy_insert_list.patch
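Review bot: The added `skb->sk->sk_family == AF_INET6` test dereferences `skb->sk` unconditionally, so the function now assumes a non-NULL socket for every ETH_P_IPV6 skb; the hunk does not show the callers, so that precondition should be stated rather than implied. I would add above the chain: `/* skb->protocol alone is not enough: a v4 socket can emit a v6 skb (v4 payload over vxlan6) and xfrm6_local_error() reads ipv6 socket state. Callers must guarantee skb->sk != NULL. */`. Two consequences visible in the hunk deserve a sentence in that comment too: the ETH_P_IP branch stays family-agnostic, and a v6 skb on a non-AF_INET6 socket now reaches `else return;` and reports no error at all, so presumably such a sender gets no feedback through this path. The remainder of xfrm_local_error() is outside the hunk.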
@@ -0,0 +1,76 @@
+From ed17b8d377eaf6b4a01d46942b4c647378a79bdd Mon Sep 17 00:00:00 2001
+From: Xin Long
+Date: Mon, 25 May 2020 13:53:37 +0800
+Subject: xfrm: fix a warning in xfrm_policy_insert_list
+
+From: Xin Long
+
+commit ed17b8d377eaf6b4a01d46942b4c647378a79bdd upstream.
+
+This waring can be triggered simply by:
+
+ # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+ priority 1 mark 0 mask 0x10 #[1]
+ # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+ priority 2 mark 0 mask 0x1 #[2]
+ # ip xfrm policy update src 192.168.1.1/24 dst 192.168.1.2/24 dir in \
+ priority 2 mark 0 mask 0x10 #[3]
+
+Then dmesg shows:
+
+ [ ] WARNING: CPU: 1 PID: 7265 at net/xfrm/xfrm_policy.c:1548
+ [ ] RIP: 0010:xfrm_policy_insert_list+0x2f2/0x1030
+ [ ] Call Trace:
+ [ ] xfrm_policy_inexact_insert+0x85/0xe50
+ [ ] xfrm_policy_insert+0x4ba/0x680
+ [ ] xfrm_add_policy+0x246/0x4d0
+ [ ] xfrm_user_rcv_msg+0x331/0x5c0
+ [ ] netlink_rcv_skb+0x121/0x350
+ [ ] xfrm_netlink_rcv+0x66/0x80
+ [ ] netlink_unicast+0x439/0x630
+ [ ] netlink_sendmsg+0x714/0xbf0
+ [ ] sock_sendmsg+0xe2/0x110
+
+The issue was introduced by Commit 7cb8a93968e3 ("xfrm: Allow inserting
+policies with matching mark and different priorities"). After that, the
+policies [1] and [2] would be able to be added with different priorities.
+
+However, policy [3] will actually match both [1] and [2]. Policy [1]
+was matched due to the 1st 'return true' in xfrm_policy_mark_match(),
+and policy [2] was matched due to the 2nd 'return true' in there. It
+caused WARN_ON() in xfrm_policy_insert_list().
+
+This patch is to fix it by only (the same value and priority) as the
+same policy in xfrm_policy_mark_match().
+
+Thanks to Yuehaibing, we could make this fix better.
+
+v1->v2:
+ - check policy->mark.v == pol->mark.v only without mask.
+
+Fixes: 7cb8a93968e3 ("xfrm: Allow inserting policies with matching mark and different priorities")
+Reported-by: Xiumei Mu
+Signed-off-by: Xin Long
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/xfrm/xfrm_policy.c | 7 +------
+ 1 file changed, 1 insertion(+), 6 deletions(-)
+
+--- a/net/xfrm/xfrm_policy.c
++++ b/net/xfrm/xfrm_policy.c
+@@ -722,12 +722,7 @@ static void xfrm_policy_requeue(struct x
+ static bool xfrm_policy_mark_match(struct xfrm_policy *policy,
+ struct xfrm_policy *pol)
+ {
+- u32 mark = policy->mark.v & policy->mark.m;
+-
+- if (policy->mark.v == pol->mark.v && policy->mark.m == pol->mark.m)
+- return true;
+-
+- if ((mark & pol->mark.m) == pol->mark.v &&
++ if (policy->mark.v == pol->mark.v &&
+ policy->priority == pol->priority)
+ return true;
+
diff --git a/queue-4.14/xfrm-fix-error-in-comment.patch b/queue-4.14/xfrm-fix-error-in-comment.patch
new file mode 100644
index 00000000000..f7b7b671720
--- /dev/null
+++ b/queue-4.14/xfrm-fix-error-in-comment.patch
@@ -0,0 +1,31 @@
+From 29e4276667e24ee6b91d9f91064d8fda9a210ea1 Mon Sep 17 00:00:00 2001
+From: Antony Antony
+Date: Wed, 15 Apr 2020 21:47:10 +0200
+Subject: xfrm: fix error in comment
+
+From: Antony Antony
+
+commit 29e4276667e24ee6b91d9f91064d8fda9a210ea1 upstream.
+
+s/xfrm_state_offload/xfrm_user_offload/
+
+Fixes: d77e38e612a ("xfrm: Add an IPsec hardware offloading API")
+Signed-off-by: Antony Antony
+Signed-off-by: Steffen Klassert
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/uapi/linux/xfrm.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/uapi/linux/xfrm.h
++++ b/include/uapi/linux/xfrm.h
+@@ -304,7 +304,7 @@ enum xfrm_attr_type_t {
+ XFRMA_PROTO, /* __u8 */
+ XFRMA_ADDRESS_FILTER, /* struct xfrm_address_filter */
+ XFRMA_PAD,
+- XFRMA_OFFLOAD_DEV, /* struct xfrm_state_offload */
++ XFRMA_OFFLOAD_DEV, /* struct xfrm_user_offload */
+ XFRMA_OUTPUT_MARK, /* __u32 */
+ __XFRMA_MAX
+
-- 
2.47.3
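Review bot: The rewritten `xfrm_policy_mark_match()` drops `mark.m` from the comparison entirely, so two policies with the same mark value and priority but different masks are now treated as the same policy — a user-visible change in how `ip xfrm policy add/update` collisions resolve that the code leaves unexplained (only the v1->v2 note in the message says it is deliberate). I would put a comment above the function: `/* Policies are "the same" when mark value and priority match; the mask is intentionally ignored so an overlapping mark/mask pair cannot match two existing policies at once and trip the WARN_ON() in xfrm_policy_insert_list(). */`. The function's `return false` tail is outside the hunk.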