* [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
@ 2012-10-11 10:17 pablo
  2012-10-11 10:17 ` [PATCH 1/3] ipvs: fix oops in ip_vs_dst_event on rmmod pablo
                   ` (4 more replies)
  0 siblings, 5 replies; 18+ messages in thread
From: pablo @ 2012-10-11 10:17 UTC (permalink / raw)
  To: stable; +Cc: netfilter-devel

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi!

The following patchset contains fixes for stable 3.4 onwards.

The selected three patches are:

283283c ipvs: fix oops in ip_vs_dst_event on rmmod
66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
a73f89a netfilter: ipset: timeout fixing bug broke SET target special timeout value [REQUIRES 127f559 netfilter: ipset: fix timeout value overflow bug]

Please, cherry-pick them. Thanks!

^ permalink raw reply	[flat|nested] 18+ messages in thread

* [PATCH 1/3] ipvs: fix oops in ip_vs_dst_event on rmmod
  2012-10-11 10:17 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo
@ 2012-10-11 10:17 ` pablo
  2012-10-11 10:17 ` [PATCH 2/3] netfilter: nf_conntrack: fix racy timer handling with reliable events pablo
                   ` (3 subsequent siblings)
  4 siblings, 0 replies; 18+ messages in thread
From: pablo @ 2012-10-11 10:17 UTC (permalink / raw)
  To: stable; +Cc: netfilter-devel

From: Julian Anastasov <ja@ssi.bg>

	After commit 39f618b4fd95ae243d940ec64c961009c74e3333 (3.4)
"ipvs: reset ipvs pointer in netns" we can oops in
ip_vs_dst_event on rmmod ip_vs because ip_vs_control_cleanup
is called after the ipvs_core_ops subsys is unregistered and
net->ipvs is NULL. Fix it by exiting early from ip_vs_dst_event
if ipvs is NULL. It is safe because all services and dests
for the net are already freed.

Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipvs/ip_vs_ctl.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c
index d43e3c1..84444dd 100644
--- a/net/netfilter/ipvs/ip_vs_ctl.c
+++ b/net/netfilter/ipvs/ip_vs_ctl.c
@@ -1521,11 +1521,12 @@ static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
 {
 	struct net_device *dev = ptr;
 	struct net *net = dev_net(dev);
+	struct netns_ipvs *ipvs = net_ipvs(net);
 	struct ip_vs_service *svc;
 	struct ip_vs_dest *dest;
 	unsigned int idx;
 
-	if (event != NETDEV_UNREGISTER)
+	if (event != NETDEV_UNREGISTER || !ipvs)
 		return NOTIFY_DONE;
 	IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
 	EnterFunction(2);
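Review bot: the new `!ipvs` test in `if (event != NETDEV_UNREGISTER || !ipvs)` needs a comment saying when `net_ipvs(net)` can be NULL at this point; the reason given in the commit message (the notifier still fires while `ip_vs_control_cleanup` runs after the ipvs_core_ops subsys has been unregistered) is not obvious from the code. Also, `ipvs` is read at declaration, before `__ip_vs_mutex` is taken (the early return does not unlock, and the unlock is visible in the next hunk), so please confirm nothing can reset `net->ipvs` between that read and the `dest_trash` walk.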
@@ -1551,7 +1552,7 @@ static int ip_vs_dst_event(struct notifier_block *this, unsigned long event,
 		}
 	}
 
-	list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) {
+	list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
 		__ip_vs_dev_reset(dest, dev);
 	}
 	mutex_unlock(&__ip_vs_mutex);
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [PATCH 2/3] netfilter: nf_conntrack: fix racy timer handling with reliable events
  2012-10-11 10:17 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo
  2012-10-11 10:17 ` [PATCH 1/3] ipvs: fix oops in ip_vs_dst_event on rmmod pablo
@ 2012-10-11 10:17 ` pablo
  2012-10-11 10:17 ` [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo
                   ` (2 subsequent siblings)
  4 siblings, 0 replies; 18+ messages in thread
From: pablo @ 2012-10-11 10:17 UTC (permalink / raw)
  To: stable; +Cc: netfilter-devel

From: Pablo Neira <pablo@netfilter.org>

Existing code assumes that del_timer returns true for alive conntrack
entries. However, this is not true if reliable events are enabled.
In that case, del_timer may return true for entries that were
just inserted in the dying list. Note that packets / ctnetlink may
hold references to conntrack entries that were just inserted to such
list.

This patch fixes the issue by adding an independent timer for
event delivery. This increases the size of the ecache extension.
Still we can revisit this later and use variable size extensions
to allocate this area on demand.

Tested-by: Oliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 include/net/netfilter/nf_conntrack_ecache.h |    1 +
 net/netfilter/nf_conntrack_core.c           |   16 +++++++++++-----
 2 files changed, 12 insertions(+), 5 deletions(-)

diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h
index e1ce104..4a045cd 100644
--- a/include/net/netfilter/nf_conntrack_ecache.h
+++ b/include/net/netfilter/nf_conntrack_ecache.h
@@ -18,6 +18,7 @@ struct nf_conntrack_ecache {
 	u16 ctmask;		/* bitmask of ct events to be delivered */
 	u16 expmask;		/* bitmask of expect events to be delivered */
 	u32 pid;		/* netlink pid of destroyer */
+	struct timer_list timeout;
 };
 
 static inline struct nf_conntrack_ecache *
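Review bot: the new `struct timer_list timeout;` member is added without a trailing comment, unlike the `ctmask`, `expmask` and `pid` fields above it. Add one saying that this is the retry timer for destroy-event delivery and that it is distinct from `ct->timeout`, since having two timers named `timeout` per conntrack is easy to confuse. The commit message concedes that this grows the ecache extension; stating by how much would help stable reviewers weigh the backport.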
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index cf48755..2ceec64 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -249,12 +249,15 @@ static void death_by_event(unsigned long ul_conntrack)
 {
 	struct nf_conn *ct = (void *)ul_conntrack;
 	struct net *net = nf_ct_net(ct);
+	struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
+
+	BUG_ON(ecache == NULL);
 
 	if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
 		/* bad luck, let's retry again */
-		ct->timeout.expires = jiffies +
+		ecache->timeout.expires = jiffies +
 			(random32() % net->ct.sysctl_events_retry_timeout);
-		add_timer(&ct->timeout);
+		add_timer(&ecache->timeout);
 		return;
 	}
 	/* we've got the event delivered, now it's dying */
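Review bot: `BUG_ON(ecache == NULL)` in `death_by_event` runs in timer context and brings the whole machine down for a condition that, as far as this patch shows, `nf_ct_insert_dying_list` has already asserted before arming the timer. Consider dropping the check here, or using a WARN_ON with an early return so that a missing extension is reported without a panic.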
@@ -268,6 +271,9 @@ static void death_by_event(unsigned long ul_conntrack)
 void nf_ct_insert_dying_list(struct nf_conn *ct)
 {
 	struct net *net = nf_ct_net(ct);
+	struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
+
+	BUG_ON(ecache == NULL);
 
 	/* add this conntrack to the dying list */
 	spin_lock_bh(&nf_conntrack_lock);
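Review bot: `BUG_ON(ecache == NULL)` at the top of `nf_ct_insert_dying_list` makes "this conntrack has an ecache extension" a hard precondition of an exported function (`EXPORT_SYMBOL_GPL` in the next hunk), and nothing documents it. Add a comment above the function stating that callers may only pass entries for which `nf_ct_ecache_find()` succeeds, or handle the NULL case without crashing.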
@@ -275,10 +281,10 @@ void nf_ct_insert_dying_list(struct nf_conn *ct)
 			     &net->ct.dying);
 	spin_unlock_bh(&nf_conntrack_lock);
 	/* set a new timer to retry event delivery */
-	setup_timer(&ct->timeout, death_by_event, (unsigned long)ct);
-	ct->timeout.expires = jiffies +
+	setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct);
+	ecache->timeout.expires = jiffies +
 		(random32() % net->ct.sysctl_events_retry_timeout);
-	add_timer(&ct->timeout);
+	add_timer(&ecache->timeout);
 }
 EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
 
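Review bot: the retry timer now lives in `ecache->timeout`, yet the patch only changes the `setup_timer` and `add_timer` sites; no `del_timer` call is touched anywhere in the diff. Please state in the changelog which path cancels `ecache->timeout` when a dying-list entry is torn down, because the existing `del_timer` callers on `ct->timeout` that the commit message refers to no longer reach this timer.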
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-11 10:17 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo
  2012-10-11 10:17 ` [PATCH 1/3] ipvs: fix oops in ip_vs_dst_event on rmmod pablo
  2012-10-11 10:17 ` [PATCH 2/3] netfilter: nf_conntrack: fix racy timer handling with reliable events pablo
@ 2012-10-11 10:17 ` pablo
  2012-10-15 23:22   ` Greg KH
  2012-10-11 22:20 ` [PATCH] Netfilter/IPVS updates for stable 3.4 onwards David Miller
  2012-10-15 23:18 ` Greg KH
  4 siblings, 1 reply; 18+ messages in thread
From: pablo @ 2012-10-11 10:17 UTC (permalink / raw)
  To: stable; +Cc: netfilter-devel

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.

Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

This patch requires:

commit 127f559127f5175e4bec3dab725a34845d956591
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date:   Mon May 7 02:35:44 2012 +0000

    netfilter: ipset: fix timeout value overflow bug
    
    Large timeout parameters could result in wrong timeout values due to
    an overflow at msec to jiffies conversion (reported by Andreas Herz)

---
 net/netfilter/xt_set.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..c6f7db7 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 		info->del_set.flags, 0, UINT_MAX);
 
 	/* Normalize to fit into jiffies */
-	if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+	if (add_opt.timeout != IPSET_NO_TIMEOUT &&
+	    add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
 		add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
 	if (info->add_set.index != IPSET_INVALID_ID)
 		ip_set_add(info->add_set.index, skb, par, &add_opt);
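Review bot: the comment `/* Normalize to fit into jiffies */` above the changed condition no longer tells the whole story; it should say that `IPSET_NO_TIMEOUT` is a sentinel that must pass through unclamped. Since the old test clamped it, the sentinel lies above `UINT_MAX/MSEC_PER_SEC`, so a user-supplied timeout that happens to equal it now skips normalization as well; please confirm that such a value is meant to be treated as "no timeout".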
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 18+ messages in thread

* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
  2012-10-11 10:17 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo
                   ` (2 preceding siblings ...)
  2012-10-11 10:17 ` [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo
@ 2012-10-11 22:20 ` David Miller
  2012-10-15 23:22   ` Greg KH
  2012-10-15 23:18 ` Greg KH
  4 siblings, 1 reply; 18+ messages in thread
From: David Miller @ 2012-10-11 22:20 UTC (permalink / raw)
  To: pablo; +Cc: stable, netfilter-devel

From: pablo@netfilter.org
Date: Thu, 11 Oct 2012 12:17:35 +0200

> From: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> Hi!
> 
> The following patchset contains fixes for stable 3.4 onwards.
> 
> The selected three patches are:
> 
> 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
> a73f89a netfilter: ipset: timeout fixing bug broke SET target special timeout value [REQUIRES 127f559 netfilter: ipset: fix timeout value overflow bug]
> 
> Please, cherry-pick them. Thanks!

ACK

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
  2012-10-11 10:17 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo
                   ` (3 preceding siblings ...)
  2012-10-11 22:20 ` [PATCH] Netfilter/IPVS updates for stable 3.4 onwards David Miller
@ 2012-10-15 23:18 ` Greg KH
  2012-10-16  9:04   ` Pablo Neira Ayuso
  4 siblings, 1 reply; 18+ messages in thread
From: Greg KH @ 2012-10-15 23:18 UTC (permalink / raw)
  To: pablo; +Cc: stable, netfilter-devel

On Thu, Oct 11, 2012 at 12:17:35PM +0200, pablo@netfilter.org wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
> 
> Hi!
> 
> The following patchset contains fixes for stable 3.4 onwards.
> 
> The selected three patches are:
> 
> 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events

Where did this git commit id come from?  It's really
5b423f6a40a0327f9d40bc8b97ce9be266f74368 in Linus's tree.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-11 10:17 ` [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo
@ 2012-10-15 23:22   ` Greg KH
  2012-10-15 23:27     ` Greg KH
  0 siblings, 1 reply; 18+ messages in thread
From: Greg KH @ 2012-10-15 23:22 UTC (permalink / raw)
  To: pablo; +Cc: stable, netfilter-devel

On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> 
> The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> broke the SET target when no timeout was specified.
> 
> Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
> 
> This patch requires:
> 
> commit 127f559127f5175e4bec3dab725a34845d956591
> Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Date:   Mon May 7 02:35:44 2012 +0000
> 
>     netfilter: ipset: fix timeout value overflow bug
>     
>     Large timeout parameters could result in wrong timeout values due to
>     an overflow at msec to jiffies conversion (reported by Andreas Herz)

This patch doesn't apply to the 3.0.y series, care to provide a
backport, and a backported version of the original patch above that
needs it?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
  2012-10-11 22:20 ` [PATCH] Netfilter/IPVS updates for stable 3.4 onwards David Miller
@ 2012-10-15 23:22   ` Greg KH
  0 siblings, 0 replies; 18+ messages in thread
From: Greg KH @ 2012-10-15 23:22 UTC (permalink / raw)
  To: David Miller; +Cc: pablo, stable, netfilter-devel

On Thu, Oct 11, 2012 at 06:20:40PM -0400, David Miller wrote:
> From: pablo@netfilter.org
> Date: Thu, 11 Oct 2012 12:17:35 +0200
> 
> > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > 
> > Hi!
> > 
> > The following patchset contains fixes for stable 3.4 onwards.
> > 
> > The selected three patches are:
> > 
> > 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> > 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
> > a73f89a netfilter: ipset: timeout fixing bug broke SET target special timeout value [REQUIRES 127f559 netfilter: ipset: fix timeout value overflow bug]
> > 
> > Please, cherry-pick them. Thanks!
> 
> ACK

I've applied all 3 to the 3.4.y tree, and the first 2 to the 3.0.y tree.

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-15 23:22   ` Greg KH
@ 2012-10-15 23:27     ` Greg KH
  2012-10-15 23:40       ` Greg KH
  0 siblings, 1 reply; 18+ messages in thread
From: Greg KH @ 2012-10-15 23:27 UTC (permalink / raw)
  To: pablo; +Cc: stable, netfilter-devel

On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > 
> > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > broke the SET target when no timeout was specified.
> > 
> > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> > 
> > This patch requires:
> > 
> > commit 127f559127f5175e4bec3dab725a34845d956591
> > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > Date:   Mon May 7 02:35:44 2012 +0000
> > 
> >     netfilter: ipset: fix timeout value overflow bug
> >     
> >     Large timeout parameters could result in wrong timeout values due to
> >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> 
> This patch doesn't apply to the 3.0.y series, care to provide a
> backport, and a backported version of the original patch above that
> needs it?

Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
that and see if these two then apply here...

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-15 23:27     ` Greg KH
@ 2012-10-15 23:40       ` Greg KH
  2012-10-16  9:36         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 18+ messages in thread
From: Greg KH @ 2012-10-15 23:40 UTC (permalink / raw)
  To: pablo; +Cc: stable, netfilter-devel

On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > 
> > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > broke the SET target when no timeout was specified.
> > > 
> > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > ---
> > > 
> > > This patch requires:
> > > 
> > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > Date:   Mon May 7 02:35:44 2012 +0000
> > > 
> > >     netfilter: ipset: fix timeout value overflow bug
> > >     
> > >     Large timeout parameters could result in wrong timeout values due to
> > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > 
> > This patch doesn't apply to the 3.0.y series, care to provide a
> > backport, and a backported version of the original patch above that
> > needs it?
> 
> Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> that and see if these two then apply here...

Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
and send them to us?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
  2012-10-15 23:18 ` Greg KH
@ 2012-10-16  9:04   ` Pablo Neira Ayuso
  2012-10-16 14:38     ` Pablo Neira Ayuso
  0 siblings, 1 reply; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-16  9:04 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, netfilter-devel

On Mon, Oct 15, 2012 at 04:18:57PM -0700, Greg KH wrote:
> On Thu, Oct 11, 2012 at 12:17:35PM +0200, pablo@netfilter.org wrote:
> > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > 
> > Hi!
> > 
> > The following patchset contains fixes for stable 3.4 onwards.
> > 
> > The selected three patches are:
> > 
> > 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> > 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
> 
> Where did this git commit id come from?  It's really
> 5b423f6a40a0327f9d40bc8b97ce9be266f74368 in Linus's tree.

Indeed, really sorry for the bogus commit id. I don't know how that
commit id has slipped through.

Thanks.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-15 23:40       ` Greg KH
@ 2012-10-16  9:36         ` Pablo Neira Ayuso
  2012-10-16 16:32           ` Greg KH
  2012-10-17  2:09           ` Ben Hutchings
  0 siblings, 2 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-16  9:36 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, netfilter-devel

On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > 
> > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > broke the SET target when no timeout was specified.
> > > > 
> > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > ---
> > > > 
> > > > This patch requires:
> > > > 
> > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > Date:   Mon May 7 02:35:44 2012 +0000
> > > > 
> > > >     netfilter: ipset: fix timeout value overflow bug
> > > >     
> > > >     Large timeout parameters could result in wrong timeout values due to
> > > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > 
> > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > backport, and a backported version of the original patch above that
> > > needs it?
> > 
> > Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> > that and see if these two then apply here...
> 
> Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
> and send them to us?

I can send you the backport for 3.2 but not for 3.0.

That fix is for one feature that was added in 3.1, so no way to make it
for 3.0 :-)

Let me know.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
  2012-10-16  9:04   ` Pablo Neira Ayuso
@ 2012-10-16 14:38     ` Pablo Neira Ayuso
  2012-10-16 16:31       ` Greg KH
  0 siblings, 1 reply; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-16 14:38 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, netfilter-devel

On Tue, Oct 16, 2012 at 11:04:29AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 15, 2012 at 04:18:57PM -0700, Greg KH wrote:
> > On Thu, Oct 11, 2012 at 12:17:35PM +0200, pablo@netfilter.org wrote:
> > > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > > 
> > > Hi!
> > > 
> > > The following patchset contains fixes for stable 3.4 onwards.
> > > 
> > > The selected three patches are:
> > > 
> > > 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> > > 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
> > 
> > Where did this git commit id come from?  It's really
> > 5b423f6a40a0327f9d40bc8b97ce9be266f74368 in Linus's tree.
> 
> Indeed, really sorry for the bogus commit id. I don't know how that
> commit id has slipped through.

Should I resubmit or will you pick it?

Let me know. Thanks.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
  2012-10-16 14:38     ` Pablo Neira Ayuso
@ 2012-10-16 16:31       ` Greg KH
  2012-10-16 21:04         ` Pablo Neira Ayuso
  0 siblings, 1 reply; 18+ messages in thread
From: Greg KH @ 2012-10-16 16:31 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: stable, netfilter-devel

On Tue, Oct 16, 2012 at 04:38:34PM +0200, Pablo Neira Ayuso wrote:
> On Tue, Oct 16, 2012 at 11:04:29AM +0200, Pablo Neira Ayuso wrote:
> > On Mon, Oct 15, 2012 at 04:18:57PM -0700, Greg KH wrote:
> > > On Thu, Oct 11, 2012 at 12:17:35PM +0200, pablo@netfilter.org wrote:
> > > > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > 
> > > > Hi!
> > > > 
> > > > The following patchset contains fixes for stable 3.4 onwards.
> > > > 
> > > > The selected three patches are:
> > > > 
> > > > 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> > > > 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
> > > 
> > > Where did this git commit id come from?  It's really
> > > 5b423f6a40a0327f9d40bc8b97ce9be266f74368 in Linus's tree.
> > 
> > Indeed, really sorry for the bogus commit id. I don't know how that
> > commit id has slipped through.
> 
> Should I resubmit or will you pick it?

I already picked it up and you should have the email saying it was
applied in your inbox, right?

thanks,

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-16  9:36         ` Pablo Neira Ayuso
@ 2012-10-16 16:32           ` Greg KH
  2012-10-17  2:09           ` Ben Hutchings
  1 sibling, 0 replies; 18+ messages in thread
From: Greg KH @ 2012-10-16 16:32 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: stable, netfilter-devel

On Tue, Oct 16, 2012 at 11:36:53AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > 
> > > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > > broke the SET target when no timeout was specified.
> > > > > 
> > > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > > ---
> > > > > 
> > > > > This patch requires:
> > > > > 
> > > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Date:   Mon May 7 02:35:44 2012 +0000
> > > > > 
> > > > >     netfilter: ipset: fix timeout value overflow bug
> > > > >     
> > > > >     Large timeout parameters could result in wrong timeout values due to
> > > > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > > 
> > > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > > backport, and a backported version of the original patch above that
> > > > needs it?
> > > 
> > > Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> > > that and see if these two then apply here...
> > 
> > Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
> > and send them to us?
> 
> I can send you the backport for 3.2 but not for 3.0.
> 
> That fix is for one feature that was added in 3.1, so no way to make it
> for 3.0 :-)

Ah, ok, no worries then.

greg k-h

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
  2012-10-16 16:31       ` Greg KH
@ 2012-10-16 21:04         ` Pablo Neira Ayuso
  0 siblings, 0 replies; 18+ messages in thread
From: Pablo Neira Ayuso @ 2012-10-16 21:04 UTC (permalink / raw)
  To: Greg KH; +Cc: stable, netfilter-devel

On Tue, Oct 16, 2012 at 09:31:41AM -0700, Greg KH wrote:
> On Tue, Oct 16, 2012 at 04:38:34PM +0200, Pablo Neira Ayuso wrote:
> > On Tue, Oct 16, 2012 at 11:04:29AM +0200, Pablo Neira Ayuso wrote:
> > > On Mon, Oct 15, 2012 at 04:18:57PM -0700, Greg KH wrote:
> > > > On Thu, Oct 11, 2012 at 12:17:35PM +0200, pablo@netfilter.org wrote:
> > > > > From: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > > 
> > > > > Hi!
> > > > > 
> > > > > The following patchset contains fixes for stable 3.4 onwards.
> > > > > 
> > > > > The selected three patches are:
> > > > > 
> > > > > 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> > > > > 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
> > > > 
> > > > Where did this git commit id come from?  It's really
> > > > 5b423f6a40a0327f9d40bc8b97ce9be266f74368 in Linus's tree.
> > > 
> > > Indeed, really sorry for the bogus commit id. I don't know how that
> > > commit id has slipped through.
> > 
> > Should I resubmit or will you pick it?
> 
> I already picked it up and you should have the email saying it was
> applied in your inbox, right?

Right.

Everything's OK, thanks Greg.

^ permalink raw reply	[flat|nested] 18+ messages in thread

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-16  9:36         ` Pablo Neira Ayuso
  2012-10-16 16:32           ` Greg KH
@ 2012-10-17  2:09           ` Ben Hutchings
  1 sibling, 0 replies; 18+ messages in thread
From: Ben Hutchings @ 2012-10-17  2:09 UTC (permalink / raw)
  To: Pablo Neira Ayuso; +Cc: Greg KH, stable, netfilter-devel

On Tue, 2012-10-16 at 11:36 +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > 
> > > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > > broke the SET target when no timeout was specified.
> > > > > 
> > > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > > ---
> > > > > 
> > > > > This patch requires:
> > > > > 
> > > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Date:   Mon May 7 02:35:44 2012 +0000
> > > > > 
> > > > >     netfilter: ipset: fix timeout value overflow bug
> > > > >     
> > > > >     Large timeout parameters could result in wrong timeout values due to
> > > > >     an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > > 
> > > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > > backport, and a backported version of the original patch above that
> > > > needs it?
> > > 
> > > Oh wait, should I apply the 3.0.y specific patches first?  I'll go do
> > > that and see if these two then apply here...
> > 
> > Nope, doesn't apply.  Care to backport both of these patches for 3.0.y
> > and send them to us?
> 
> I can send you the backport for 3.2 but not for 3.0.
>
> That fix is for one feature that was added in 3.1, so no way to make it
> for 3.0 :-)
> 
> Let me know.

I look after 3.2.  I don't think the original timeout overflow bug is
important enough for a stable update, so I don't intend to apply either
of these.

Ben.

-- 
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot

^ permalink raw reply	[flat|nested] 18+ messages in thread

* [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
  2012-10-11 10:07 pablo
@ 2012-10-11 10:07 ` pablo
  0 siblings, 0 replies; 18+ messages in thread
From: pablo @ 2012-10-11 10:07 UTC (permalink / raw)
  To: stable; +Cc: netfilter-devel

From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>

The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
broke the SET target when no timeout was specified.

Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---

This patch requires:

commit 127f559127f5175e4bec3dab725a34845d956591
Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Date:   Mon May 7 02:35:44 2012 +0000

    netfilter: ipset: fix timeout value overflow bug
    
    Large timeout parameters could result in wrong timeout values due to
    an overflow at msec to jiffies conversion (reported by Andreas Herz)

---
 net/netfilter/xt_set.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c
index 035960e..c6f7db7 100644
--- a/net/netfilter/xt_set.c
+++ b/net/netfilter/xt_set.c
@@ -16,6 +16,7 @@
 
 #include <linux/netfilter/x_tables.h>
 #include <linux/netfilter/xt_set.h>
+#include <linux/netfilter/ipset/ip_set_timeout.h>
 
 MODULE_LICENSE("GPL");
 MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
 		info->del_set.flags, 0, UINT_MAX);
 
 	/* Normalize to fit into jiffies */
-	if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+	if (add_opt.timeout != IPSET_NO_TIMEOUT &&
+	    add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
 		add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
 	if (info->add_set.index != IPSET_INVALID_ID)
 		ip_set_add(info->add_set.index, skb, par, &add_opt);
-- 
1.7.10.4


^ permalink raw reply related	[flat|nested] 18+ messages in thread
