From 6fe845e4604f1b13319c02a287a43693f1df2e01 Mon Sep 17 00:00:00 2001
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 26 Apr 2020 11:18:06 +0200
Subject: [PATCH] net: ipv6_stub: use ip6_dst_lookup_flow instead of
 ip6_dst_lookup (CVE-2020-1749)

---
 debian/changelog                              |   2 +
 ...e-ip6_dst_lookup_flow-instead-of-ip6.patch | 267 ++++++++++++++++++
 debian/patches/series                         |   1 +
 3 files changed, 270 insertions(+)
 create mode 100644 debian/patches/bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch

diff --git a/debian/changelog b/debian/changelog
index 917201b70..5419b1037 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1815,6 +1815,8 @@ linux (4.19.118-1) UNRELEASED; urgency=medium
     changes in 4.19.118
   * f2fs: fix to avoid memory leakage in f2fs_listxattr (CVE-2020-0067)
   * net: ipv6: add net argument to ip6_dst_lookup_flow
+  * net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
+    (CVE-2020-1749)
 
   [ Ben Hutchings ]
   * [x86] Drop "Add a SysRq option to lift kernel lockdown" (Closes: #947021)
diff --git a/debian/patches/bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch b/debian/patches/bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
new file mode 100644
index 000000000..031a7eeac
--- /dev/null
+++ b/debian/patches/bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
@@ -0,0 +1,267 @@
+From: Sabrina Dubroca <sd@queasysnail.net>
+Date: Wed, 4 Dec 2019 15:35:53 +0100
+Subject: net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup
+Origin: https://git.kernel.org/linus/6c8991f41546c3c472503dff1ea9daaddf9331c2
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2020-1749
+
+ipv6_stub uses the ip6_dst_lookup function to allow other modules to
+perform IPv6 lookups. However, this function skips the XFRM layer
+entirely.
+
+All users of ipv6_stub->ip6_dst_lookup use ip_route_output_flow (via the
+ip_route_output_key and ip_route_output helpers) for their IPv4 lookups,
+which calls xfrm_lookup_route(). This patch fixes this inconsistent
+behavior by switching the stub to ip6_dst_lookup_flow, which also calls
+xfrm_lookup_route().
+
+This requires some changes in all the callers, as these two functions
+take different arguments and have different return types.
+
+Fixes: 5f81bd2e5d80 ("ipv6: export a stub for IPv6 symbols used by vxlan")
+Reported-by: Xiumei Mu <xmu@redhat.com>
+Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+[bwh: Backported to 4.19:
+ - Drop change in lwt_bpf.c
+ - Delete now-unused "ret" in mlx5e_route_lookup_ipv6()
+ - Initialise "out_dev" in mlx5e_create_encap_header_ipv6() to avoid
+   introducing a spurious "may be used uninitialised" warning
+ - Adjust filenames, context, indentation]
+Signed-off-by: Ben Hutchings <ben.hutchings@codethink.co.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/infiniband/core/addr.c                  |  7 +++----
+ drivers/infiniband/sw/rxe/rxe_net.c             |  8 +++++---
+ drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 11 +++++------
+ drivers/net/geneve.c                            |  4 +++-
+ drivers/net/vxlan.c                             |  8 +++-----
+ include/net/addrconf.h                          |  6 ++++--
+ net/ipv6/addrconf_core.c                        | 11 ++++++-----
+ net/ipv6/af_inet6.c                             |  2 +-
+ net/mpls/af_mpls.c                              |  7 +++----
+ net/tipc/udp_media.c                            |  9 ++++++---
+ 10 files changed, 39 insertions(+), 34 deletions(-)
+
+diff --git a/drivers/infiniband/core/addr.c b/drivers/infiniband/core/addr.c
+index 6e96a2fb97dc4..df8f5ceea2dd4 100644
+--- a/drivers/infiniband/core/addr.c
++++ b/drivers/infiniband/core/addr.c
+@@ -408,16 +408,15 @@ static int addr6_resolve(struct sockaddr_in6 *src_in,
+ 	struct flowi6 fl6;
+ 	struct dst_entry *dst;
+ 	struct rt6_info *rt;
+-	int ret;
+ 
+ 	memset(&fl6, 0, sizeof fl6);
+ 	fl6.daddr = dst_in->sin6_addr;
+ 	fl6.saddr = src_in->sin6_addr;
+ 	fl6.flowi6_oif = addr->bound_dev_if;
+ 
+-	ret = ipv6_stub->ipv6_dst_lookup(addr->net, NULL, &dst, &fl6);
+-	if (ret < 0)
+-		return ret;
++	dst = ipv6_stub->ipv6_dst_lookup_flow(addr->net, NULL, &fl6, NULL);
++	if (IS_ERR(dst))
++		return PTR_ERR(dst);
+ 
+ 	rt = (struct rt6_info *)dst;
+ 	if (ipv6_addr_any(&src_in->sin6_addr)) {
+diff --git a/drivers/infiniband/sw/rxe/rxe_net.c b/drivers/infiniband/sw/rxe/rxe_net.c
+index 54add70c22b5c..7903bd5c639ea 100644
+--- a/drivers/infiniband/sw/rxe/rxe_net.c
++++ b/drivers/infiniband/sw/rxe/rxe_net.c
+@@ -154,10 +154,12 @@ static struct dst_entry *rxe_find_route6(struct net_device *ndev,
+ 	memcpy(&fl6.daddr, daddr, sizeof(*daddr));
+ 	fl6.flowi6_proto = IPPROTO_UDP;
+ 
+-	if (unlikely(ipv6_stub->ipv6_dst_lookup(sock_net(recv_sockets.sk6->sk),
+-						recv_sockets.sk6->sk, &ndst, &fl6))) {
++	ndst = ipv6_stub->ipv6_dst_lookup_flow(sock_net(recv_sockets.sk6->sk),
++					       recv_sockets.sk6->sk, &fl6,
++					       NULL);
++	if (unlikely(IS_ERR(ndst))) {
+ 		pr_err_ratelimited("no route to %pI6\n", daddr);
+-		goto put;
++		return NULL;
+ 	}
+ 
+ 	if (unlikely(ndst->error)) {
+diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+index c8928ce69185f..3050853774ee0 100644
+--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
++++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+@@ -2217,12 +2217,11 @@ static int mlx5e_route_lookup_ipv6(struct mlx5e_priv *priv,
+ #if IS_ENABLED(CONFIG_INET) && IS_ENABLED(CONFIG_IPV6)
+ 	struct mlx5e_rep_priv *uplink_rpriv;
+ 	struct mlx5_eswitch *esw = priv->mdev->priv.eswitch;
+-	int ret;
+ 
+-	ret = ipv6_stub->ipv6_dst_lookup(dev_net(mirred_dev), NULL, &dst,
+-					 fl6);
+-	if (ret < 0)
+-		return ret;
++	dst = ipv6_stub->ipv6_dst_lookup_flow(dev_net(mirred_dev), NULL, fl6,
++					      NULL);
++	if (IS_ERR(dst))
++		return PTR_ERR(dst);
+ 
+ 	if (!(*out_ttl))
+ 		*out_ttl = ip6_dst_hoplimit(dst);
+@@ -2428,7 +2427,7 @@ static int mlx5e_create_encap_header_ipv6(struct mlx5e_priv *priv,
+ 	int max_encap_size = MLX5_CAP_ESW(priv->mdev, max_encap_header_size);
+ 	int ipv6_encap_size = ETH_HLEN + sizeof(struct ipv6hdr) + VXLAN_HLEN;
+ 	struct ip_tunnel_key *tun_key = &e->tun_info.key;
+-	struct net_device *out_dev;
++	struct net_device *out_dev = NULL;
+ 	struct neighbour *n = NULL;
+ 	struct flowi6 fl6 = {};
+ 	u8 nud_state, tos, ttl;
+diff --git a/drivers/net/geneve.c b/drivers/net/geneve.c
+index ff83408733d45..36444de701cd9 100644
+--- a/drivers/net/geneve.c
++++ b/drivers/net/geneve.c
+@@ -801,7 +801,9 @@ static struct dst_entry *geneve_get_v6_dst(struct sk_buff *skb,
+ 		if (dst)
+ 			return dst;
+ 	}
+-	if (ipv6_stub->ipv6_dst_lookup(geneve->net, gs6->sock->sk, &dst, fl6)) {
++	dst = ipv6_stub->ipv6_dst_lookup_flow(geneve->net, gs6->sock->sk, fl6,
++					      NULL);
++	if (IS_ERR(dst)) {
+ 		netdev_dbg(dev, "no route to %pI6\n", &fl6->daddr);
+ 		return ERR_PTR(-ENETUNREACH);
+ 	}
+diff --git a/drivers/net/vxlan.c b/drivers/net/vxlan.c
+index 64751b089482b..7ee0bad184662 100644
+--- a/drivers/net/vxlan.c
++++ b/drivers/net/vxlan.c
+@@ -1963,7 +1963,6 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
+ 	bool use_cache = ip_tunnel_dst_cache_usable(skb, info);
+ 	struct dst_entry *ndst;
+ 	struct flowi6 fl6;
+-	int err;
+ 
+ 	if (!sock6)
+ 		return ERR_PTR(-EIO);
+@@ -1986,10 +1985,9 @@ static struct dst_entry *vxlan6_get_route(struct vxlan_dev *vxlan,
+ 	fl6.fl6_dport = dport;
+ 	fl6.fl6_sport = sport;
+ 
+-	err = ipv6_stub->ipv6_dst_lookup(vxlan->net,
+-					 sock6->sock->sk,
+-					 &ndst, &fl6);
+-	if (unlikely(err < 0)) {
++	ndst = ipv6_stub->ipv6_dst_lookup_flow(vxlan->net, sock6->sock->sk,
++					       &fl6, NULL);
++	if (unlikely(IS_ERR(ndst))) {
+ 		netdev_dbg(dev, "no route to %pI6\n", daddr);
+ 		return ERR_PTR(-ENETUNREACH);
+ 	}
+diff --git a/include/net/addrconf.h b/include/net/addrconf.h
+index 6def0351bcc33..c8d5bb8b36169 100644
+--- a/include/net/addrconf.h
++++ b/include/net/addrconf.h
+@@ -235,8 +235,10 @@ struct ipv6_stub {
+ 				 const struct in6_addr *addr);
+ 	int (*ipv6_sock_mc_drop)(struct sock *sk, int ifindex,
+ 				 const struct in6_addr *addr);
+-	int (*ipv6_dst_lookup)(struct net *net, struct sock *sk,
+-			       struct dst_entry **dst, struct flowi6 *fl6);
++	struct dst_entry *(*ipv6_dst_lookup_flow)(struct net *net,
++						  const struct sock *sk,
++						  struct flowi6 *fl6,
++						  const struct in6_addr *final_dst);
+ 
+ 	struct fib6_table *(*fib6_get_table)(struct net *net, u32 id);
+ 	struct fib6_info *(*fib6_lookup)(struct net *net, int oif,
+diff --git a/net/ipv6/addrconf_core.c b/net/ipv6/addrconf_core.c
+index 5cd0029d930e2..66a1a0eb2ed05 100644
+--- a/net/ipv6/addrconf_core.c
++++ b/net/ipv6/addrconf_core.c
+@@ -127,11 +127,12 @@ int inet6addr_validator_notifier_call_chain(unsigned long val, void *v)
+ }
+ EXPORT_SYMBOL(inet6addr_validator_notifier_call_chain);
+ 
+-static int eafnosupport_ipv6_dst_lookup(struct net *net, struct sock *u1,
+-					struct dst_entry **u2,
+-					struct flowi6 *u3)
++static struct dst_entry *eafnosupport_ipv6_dst_lookup_flow(struct net *net,
++							   const struct sock *sk,
++							   struct flowi6 *fl6,
++							   const struct in6_addr *final_dst)
+ {
+-	return -EAFNOSUPPORT;
++	return ERR_PTR(-EAFNOSUPPORT);
+ }
+ 
+ static struct fib6_table *eafnosupport_fib6_get_table(struct net *net, u32 id)
+@@ -169,7 +170,7 @@ eafnosupport_ip6_mtu_from_fib6(struct fib6_info *f6i, struct in6_addr *daddr,
+ }
+ 
+ const struct ipv6_stub *ipv6_stub __read_mostly = &(struct ipv6_stub) {
+-	.ipv6_dst_lookup   = eafnosupport_ipv6_dst_lookup,
++	.ipv6_dst_lookup_flow = eafnosupport_ipv6_dst_lookup_flow,
+ 	.fib6_get_table    = eafnosupport_fib6_get_table,
+ 	.fib6_table_lookup = eafnosupport_fib6_table_lookup,
+ 	.fib6_lookup       = eafnosupport_fib6_lookup,
+diff --git a/net/ipv6/af_inet6.c b/net/ipv6/af_inet6.c
+index 5db88be8b6ecb..5c2351deedc8f 100644
+--- a/net/ipv6/af_inet6.c
++++ b/net/ipv6/af_inet6.c
+@@ -904,7 +904,7 @@ static struct pernet_operations inet6_net_ops = {
+ static const struct ipv6_stub ipv6_stub_impl = {
+ 	.ipv6_sock_mc_join = ipv6_sock_mc_join,
+ 	.ipv6_sock_mc_drop = ipv6_sock_mc_drop,
+-	.ipv6_dst_lookup   = ip6_dst_lookup,
++	.ipv6_dst_lookup_flow = ip6_dst_lookup_flow,
+ 	.fib6_get_table	   = fib6_get_table,
+ 	.fib6_table_lookup = fib6_table_lookup,
+ 	.fib6_lookup       = fib6_lookup,
+diff --git a/net/mpls/af_mpls.c b/net/mpls/af_mpls.c
+index d5a4db5b3fe7b..7623d9aec6364 100644
+--- a/net/mpls/af_mpls.c
++++ b/net/mpls/af_mpls.c
+@@ -618,16 +618,15 @@ static struct net_device *inet6_fib_lookup_dev(struct net *net,
+ 	struct net_device *dev;
+ 	struct dst_entry *dst;
+ 	struct flowi6 fl6;
+-	int err;
+ 
+ 	if (!ipv6_stub)
+ 		return ERR_PTR(-EAFNOSUPPORT);
+ 
+ 	memset(&fl6, 0, sizeof(fl6));
+ 	memcpy(&fl6.daddr, addr, sizeof(struct in6_addr));
+-	err = ipv6_stub->ipv6_dst_lookup(net, NULL, &dst, &fl6);
+-	if (err)
+-		return ERR_PTR(err);
++	dst = ipv6_stub->ipv6_dst_lookup_flow(net, NULL, &fl6, NULL);
++	if (IS_ERR(dst))
++		return ERR_CAST(dst);
+ 
+ 	dev = dst->dev;
+ 	dev_hold(dev);
+diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
+index 382c84d9339d6..1d62354797061 100644
+--- a/net/tipc/udp_media.c
++++ b/net/tipc/udp_media.c
+@@ -189,10 +189,13 @@ static int tipc_udp_xmit(struct net *net, struct sk_buff *skb,
+ 			.saddr = src->ipv6,
+ 			.flowi6_proto = IPPROTO_UDP
+ 		};
+-		err = ipv6_stub->ipv6_dst_lookup(net, ub->ubsock->sk, &ndst,
+-						 &fl6);
+-		if (err)
++		ndst = ipv6_stub->ipv6_dst_lookup_flow(net,
++						       ub->ubsock->sk,
++						       &fl6, NULL);
++		if (IS_ERR(ndst)) {
++			err = PTR_ERR(ndst);
+ 			goto tx_error;
++		}
+ 		ttl = ip6_dst_hoplimit(ndst);
+ 		err = udp_tunnel6_xmit_skb(ndst, ub->ubsock->sk, skb, NULL,
+ 					   &src->ipv6, &dst->ipv6, 0, ttl, 0,
+-- 
+2.20.1
+
diff --git a/debian/patches/series b/debian/patches/series
index 97bd9d786..285407d2f 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -296,5 +296,6 @@ debian/i386-686-pae-pci-set-pci-nobios-by-default.patch
 debian/ntfs-mark-it-as-broken.patch
 bugfix/all/f2fs-fix-to-avoid-memory-leakage-in-f2fs_listxattr.patch
 bugfix/all/net-ipv6-add-net-argument-to-ip6_dst_lookup_flow.patch
+bugfix/all/net-ipv6_stub-use-ip6_dst_lookup_flow-instead-of-ip6.patch
 
 # ABI maintenance