* [PATCH 0/6] Netfilter fixes for net
@ 2018-02-01 18:02 Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 1/6] netfilter: x_tables: fix int overflow in xt_alloc_table_info() Pablo Neira Ayuso
` (6 more replies)
0 siblings, 7 replies; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-02-01 18:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix OOM that syskaller triggers with ipt_replace.size = -1 and
IPT_SO_SET_REPLACE socket option, from Dmitry Vyukov.
2) Check for too long extension name in xt_request_find_{match|target}
that result in out-of-bound reads, from Eric Dumazet.
3) Fix memory exhaustion bug in ipset hash:*net* types when adding ranges
that look like x.x.x.x-255.255.255.255, from Jozsef Kadlecsik.
4) Fix pointer leaks to userspace in x_tables, from Dmitry Vyukov.
5) Insufficient sanity checks in clusterip_tg_check(), also from Dmitry.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
P.S: Another batch is following up soon, there are more fixes cooking on
the mailing list.
----------------------------------------------------------------
The following changes since commit d1616f07e8f1a4a490d1791316d4a68906b284aa:
net: fec: free/restore resource in related probe error pathes (2018-01-05 11:19:11 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 3f34cfae1238848fd53f25e5c8fd59da57901f4b:
netfilter: on sockopt() acquire sock lock only in the required scope (2018-01-31 16:37:47 +0100)
----------------------------------------------------------------
Dmitry Vyukov (3):
netfilter: x_tables: fix int overflow in xt_alloc_table_info()
netfilter: x_tables: fix pointer leaks to userspace
netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
Eric Dumazet (1):
netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
Jozsef Kadlecsik (1):
netfilter: ipset: Fix wraparound in hash:*net* types
Paolo Abeni (1):
netfilter: on sockopt() acquire sock lock only in the required scope
net/ipv4/ip_sockglue.c | 14 +++--------
net/ipv4/netfilter/ipt_CLUSTERIP.c | 16 +++++++++---
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 ++++-
net/ipv6/ipv6_sockglue.c | 17 ++++---------
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 ++++++++-----
net/netfilter/ipset/ip_set_hash_ipportnet.c | 26 +++++++++----------
net/netfilter/ipset/ip_set_hash_net.c | 9 +++----
net/netfilter/ipset/ip_set_hash_netiface.c | 9 +++----
net/netfilter/ipset/ip_set_hash_netnet.c | 28 ++++++++++-----------
net/netfilter/ipset/ip_set_hash_netport.c | 19 +++++++-------
net/netfilter/ipset/ip_set_hash_netportnet.c | 35 +++++++++++++-------------
net/netfilter/x_tables.c | 9 +++++--
net/netfilter/xt_IDLETIMER.c | 1 +
net/netfilter/xt_LED.c | 1 +
net/netfilter/xt_limit.c | 3 +--
net/netfilter/xt_nfacct.c | 1 +
net/netfilter/xt_statistic.c | 1 +
17 files changed, 114 insertions(+), 99 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 1/6] netfilter: x_tables: fix int overflow in xt_alloc_table_info()
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
@ 2018-02-01 18:02 ` Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 2/6] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} Pablo Neira Ayuso
` (5 subsequent siblings)
6 siblings, 0 replies; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-02-01 18:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Dmitry Vyukov <dvyukov@google.com>
syzkaller triggered OOM kills by passing ipt_replace.size = -1
to IPT_SO_SET_REPLACE. The root cause is that SMP_ALIGN() in
xt_alloc_table_info() causes int overflow and the size check passes
when it should not. SMP_ALIGN() is no longer needed leftover.
Remove SMP_ALIGN() call in xt_alloc_table_info().
Reported-by: syzbot+4396883fa8c4f64e0175@syzkaller.appspotmail.com
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/x_tables.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index 55802e97f906..e02a21549c99 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -39,7 +39,6 @@ MODULE_LICENSE("GPL");
MODULE_AUTHOR("Harald Welte <laforge@netfilter.org>");
MODULE_DESCRIPTION("{ip,ip6,arp,eb}_tables backend module");
-#define SMP_ALIGN(x) (((x) + SMP_CACHE_BYTES-1) & ~(SMP_CACHE_BYTES-1))
#define XT_PCPU_BLOCK_SIZE 4096
struct compat_delta {
@@ -1000,7 +999,7 @@ struct xt_table_info *xt_alloc_table_info(unsigned int size)
return NULL;
/* Pedantry: prevent them from hitting BUG() in vmalloc.c --RR */
- if ((SMP_ALIGN(size) >> PAGE_SHIFT) + 2 > totalram_pages)
+ if ((size >> PAGE_SHIFT) + 2 > totalram_pages)
return NULL;
info = kvmalloc(sz, GFP_KERNEL);
--
2.11.0
^ permalink raw reply related [flat|nested] 44+ messages in thread
* [PATCH 2/6] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target}
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 1/6] netfilter: x_tables: fix int overflow in xt_alloc_table_info() Pablo Neira Ayuso
@ 2018-02-01 18:02 ` Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 3/6] netfilter: ipset: Fix wraparound in hash:*net* types Pablo Neira Ayuso
` (4 subsequent siblings)
6 siblings, 0 replies; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-02-01 18:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Eric Dumazet <edumazet@google.com>
It looks like syzbot found its way into netfilter territory.
Issue here is that @name comes from user space and might
not be null terminated.
Out-of-bound reads happen, KASAN is not happy.
v2 added similar fix for xt_request_find_target(),
as Florian advised.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Acked-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/x_tables.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/netfilter/x_tables.c b/net/netfilter/x_tables.c
index e02a21549c99..d7070d18db20 100644
--- a/net/netfilter/x_tables.c
+++ b/net/netfilter/x_tables.c
@@ -209,6 +209,9 @@ xt_request_find_match(uint8_t nfproto, const char *name, uint8_t revision)
{
struct xt_match *match;
+ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+ return ERR_PTR(-EINVAL);
+
match = xt_find_match(nfproto, name, revision);
if (IS_ERR(match)) {
request_module("%st_%s", xt_prefix[nfproto], name);
@@ -251,6 +254,9 @@ struct xt_target *xt_request_find_target(u8 af, const char *name, u8 revision)
{
struct xt_target *target;
+ if (strnlen(name, XT_EXTENSION_MAXNAMELEN) == XT_EXTENSION_MAXNAMELEN)
+ return ERR_PTR(-EINVAL);
+
target = xt_find_target(af, name, revision);
if (IS_ERR(target)) {
request_module("%st_%s", xt_prefix[af], name);
--
2.11.0
^ permalink raw reply related [flat|nested] 44+ messages in thread
* [PATCH 3/6] netfilter: ipset: Fix wraparound in hash:*net* types
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 1/6] netfilter: x_tables: fix int overflow in xt_alloc_table_info() Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 2/6] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} Pablo Neira Ayuso
@ 2018-02-01 18:02 ` Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 4/6] netfilter: x_tables: fix pointer leaks to userspace Pablo Neira Ayuso
` (3 subsequent siblings)
6 siblings, 0 replies; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-02-01 18:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Fix wraparound bug which could lead to memory exhaustion when adding an
x.x.x.x-255.255.255.255 range to any hash:*net* types.
Fixes Netfilter's bugzilla id #1212, reported by Thomas Schwark.
Fixes: 48596a8ddc46 ("netfilter: ipset: Fix adding an IPv4 range containing more than 2^31 addresses")
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/ipset/ip_set_hash_ipportnet.c | 26 ++++++++++-----------
net/netfilter/ipset/ip_set_hash_net.c | 9 ++++---
net/netfilter/ipset/ip_set_hash_netiface.c | 9 ++++---
net/netfilter/ipset/ip_set_hash_netnet.c | 28 +++++++++++-----------
net/netfilter/ipset/ip_set_hash_netport.c | 19 ++++++++-------
net/netfilter/ipset/ip_set_hash_netportnet.c | 35 ++++++++++++++--------------
6 files changed, 63 insertions(+), 63 deletions(-)
diff --git a/net/netfilter/ipset/ip_set_hash_ipportnet.c b/net/netfilter/ipset/ip_set_hash_ipportnet.c
index 0f164e986bf1..88b83d6d3084 100644
--- a/net/netfilter/ipset/ip_set_hash_ipportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_ipportnet.c
@@ -168,7 +168,7 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
struct hash_ipportnet4_elem e = { .cidr = HOST_MASK - 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
u32 ip = 0, ip_to = 0, p = 0, port, port_to;
- u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
+ u32 ip2_from = 0, ip2_to = 0, ip2;
bool with_ports = false;
u8 cidr;
int ret;
@@ -269,22 +269,21 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr + 1);
}
- if (retried)
+ if (retried) {
ip = ntohl(h->next.ip);
+ p = ntohs(h->next.port);
+ ip2 = ntohl(h->next.ip2);
+ } else {
+ p = port;
+ ip2 = ip2_from;
+ }
for (; ip <= ip_to; ip++) {
e.ip = htonl(ip);
- p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
- : port;
for (; p <= port_to; p++) {
e.port = htons(p);
- ip2 = retried &&
- ip == ntohl(h->next.ip) &&
- p == ntohs(h->next.port)
- ? ntohl(h->next.ip2) : ip2_from;
- while (ip2 <= ip2_to) {
+ do {
e.ip2 = htonl(ip2);
- ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
- &cidr);
+ ip2 = ip_set_range_to_cidr(ip2, ip2_to, &cidr);
e.cidr = cidr - 1;
ret = adtfn(set, &e, &ext, &ext, flags);
@@ -292,9 +291,10 @@ hash_ipportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
return ret;
ret = 0;
- ip2 = ip2_last + 1;
- }
+ } while (ip2++ < ip2_to);
+ ip2 = ip2_from;
}
+ p = port;
}
return ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_net.c b/net/netfilter/ipset/ip_set_hash_net.c
index 1c67a1761e45..5449e23af13a 100644
--- a/net/netfilter/ipset/ip_set_hash_net.c
+++ b/net/netfilter/ipset/ip_set_hash_net.c
@@ -143,7 +143,7 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_net4_elem e = { .cidr = HOST_MASK };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, last;
+ u32 ip = 0, ip_to = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -193,16 +193,15 @@ hash_net4_uadt(struct ip_set *set, struct nlattr *tb[],
}
if (retried)
ip = ntohl(h->next.ip);
- while (ip <= ip_to) {
+ do {
e.ip = htonl(ip);
- last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
+ ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
ret = 0;
- ip = last + 1;
- }
+ } while (ip++ < ip_to);
return ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_netiface.c b/net/netfilter/ipset/ip_set_hash_netiface.c
index d417074f1c1a..f5164c1efce2 100644
--- a/net/netfilter/ipset/ip_set_hash_netiface.c
+++ b/net/netfilter/ipset/ip_set_hash_netiface.c
@@ -200,7 +200,7 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netiface4_elem e = { .cidr = HOST_MASK, .elem = 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, last;
+ u32 ip = 0, ip_to = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -255,17 +255,16 @@ hash_netiface4_uadt(struct ip_set *set, struct nlattr *tb[],
if (retried)
ip = ntohl(h->next.ip);
- while (ip <= ip_to) {
+ do {
e.ip = htonl(ip);
- last = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
+ ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
ret = 0;
- ip = last + 1;
- }
+ } while (ip++ < ip_to);
return ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_netnet.c b/net/netfilter/ipset/ip_set_hash_netnet.c
index 7f9ae2e9645b..5a2b923bd81f 100644
--- a/net/netfilter/ipset/ip_set_hash_netnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netnet.c
@@ -169,8 +169,8 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netnet4_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, last;
- u32 ip2 = 0, ip2_from = 0, ip2_to = 0, last2;
+ u32 ip = 0, ip_to = 0;
+ u32 ip2 = 0, ip2_from = 0, ip2_to = 0;
int ret;
if (tb[IPSET_ATTR_LINENO])
@@ -247,27 +247,27 @@ hash_netnet4_uadt(struct ip_set *set, struct nlattr *tb[],
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
}
- if (retried)
+ if (retried) {
ip = ntohl(h->next.ip[0]);
+ ip2 = ntohl(h->next.ip[1]);
+ } else {
+ ip2 = ip2_from;
+ }
- while (ip <= ip_to) {
+ do {
e.ip[0] = htonl(ip);
- last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
- ip2 = (retried &&
- ip == ntohl(h->next.ip[0])) ? ntohl(h->next.ip[1])
- : ip2_from;
- while (ip2 <= ip2_to) {
+ ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
+ do {
e.ip[1] = htonl(ip2);
- last2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
+ ip2 = ip_set_range_to_cidr(ip2, ip2_to, &e.cidr[1]);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
ret = 0;
- ip2 = last2 + 1;
- }
- ip = last + 1;
- }
+ } while (ip2++ < ip2_to);
+ ip2 = ip2_from;
+ } while (ip++ < ip_to);
return ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_netport.c b/net/netfilter/ipset/ip_set_hash_netport.c
index e6ef382febe4..1a187be9ebc8 100644
--- a/net/netfilter/ipset/ip_set_hash_netport.c
+++ b/net/netfilter/ipset/ip_set_hash_netport.c
@@ -161,7 +161,7 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netport4_elem e = { .cidr = HOST_MASK - 1 };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 port, port_to, p = 0, ip = 0, ip_to = 0, last;
+ u32 port, port_to, p = 0, ip = 0, ip_to = 0;
bool with_ports = false;
u8 cidr;
int ret;
@@ -239,25 +239,26 @@ hash_netport4_uadt(struct ip_set *set, struct nlattr *tb[],
ip_set_mask_from_to(ip, ip_to, e.cidr + 1);
}
- if (retried)
+ if (retried) {
ip = ntohl(h->next.ip);
- while (ip <= ip_to) {
+ p = ntohs(h->next.port);
+ } else {
+ p = port;
+ }
+ do {
e.ip = htonl(ip);
- last = ip_set_range_to_cidr(ip, ip_to, &cidr);
+ ip = ip_set_range_to_cidr(ip, ip_to, &cidr);
e.cidr = cidr - 1;
- p = retried && ip == ntohl(h->next.ip) ? ntohs(h->next.port)
- : port;
for (; p <= port_to; p++) {
e.port = htons(p);
ret = adtfn(set, &e, &ext, &ext, flags);
-
if (ret && !ip_set_eexist(ret, flags))
return ret;
ret = 0;
}
- ip = last + 1;
- }
+ p = port;
+ } while (ip++ < ip_to);
return ret;
}
diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 8602f2595a1a..d391485a6acd 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -184,8 +184,8 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
ipset_adtfn adtfn = set->variant->adt[adt];
struct hash_netportnet4_elem e = { };
struct ip_set_ext ext = IP_SET_INIT_UEXT(set);
- u32 ip = 0, ip_to = 0, ip_last, p = 0, port, port_to;
- u32 ip2_from = 0, ip2_to = 0, ip2_last, ip2;
+ u32 ip = 0, ip_to = 0, p = 0, port, port_to;
+ u32 ip2_from = 0, ip2_to = 0, ip2;
bool with_ports = false;
int ret;
@@ -288,33 +288,34 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
ip_set_mask_from_to(ip2_from, ip2_to, e.cidr[1]);
}
- if (retried)
+ if (retried) {
ip = ntohl(h->next.ip[0]);
+ p = ntohs(h->next.port);
+ ip2 = ntohl(h->next.ip[1]);
+ } else {
+ p = port;
+ ip2 = ip2_from;
+ }
- while (ip <= ip_to) {
+ do {
e.ip[0] = htonl(ip);
- ip_last = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
- p = retried && ip == ntohl(h->next.ip[0]) ? ntohs(h->next.port)
- : port;
+ ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
for (; p <= port_to; p++) {
e.port = htons(p);
- ip2 = (retried && ip == ntohl(h->next.ip[0]) &&
- p == ntohs(h->next.port)) ? ntohl(h->next.ip[1])
- : ip2_from;
- while (ip2 <= ip2_to) {
+ do {
e.ip[1] = htonl(ip2);
- ip2_last = ip_set_range_to_cidr(ip2, ip2_to,
- &e.cidr[1]);
+ ip2 = ip_set_range_to_cidr(ip2, ip2_to,
+ &e.cidr[1]);
ret = adtfn(set, &e, &ext, &ext, flags);
if (ret && !ip_set_eexist(ret, flags))
return ret;
ret = 0;
- ip2 = ip2_last + 1;
- }
+ } while (ip2++ < ip2_to);
+ ip2 = ip2_from;
}
- ip = ip_last + 1;
- }
+ p = port;
+ } while (ip++ < ip_to);
return ret;
}
--
2.11.0
^ permalink raw reply related [flat|nested] 44+ messages in thread
* [PATCH 4/6] netfilter: x_tables: fix pointer leaks to userspace
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2018-02-01 18:02 ` [PATCH 3/6] netfilter: ipset: Fix wraparound in hash:*net* types Pablo Neira Ayuso
@ 2018-02-01 18:02 ` Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 5/6] netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() Pablo Neira Ayuso
` (2 subsequent siblings)
6 siblings, 0 replies; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-02-01 18:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Dmitry Vyukov <dvyukov@google.com>
Several netfilter matches and targets put kernel pointers into
info objects, but don't set usersize in descriptors.
This leads to kernel pointer leaks if a match/target is set
and then read back to userspace.
Properly set usersize for these matches/targets.
Found with manual code inspection.
Fixes: ec2318904965 ("xtables: extend matches and targets with .usersize")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/xt_IDLETIMER.c | 1 +
net/netfilter/xt_LED.c | 1 +
net/netfilter/xt_limit.c | 3 +--
net/netfilter/xt_nfacct.c | 1 +
net/netfilter/xt_statistic.c | 1 +
5 files changed, 5 insertions(+), 2 deletions(-)
diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index ee3421ad108d..6c2482b709b1 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -252,6 +252,7 @@ static struct xt_target idletimer_tg __read_mostly = {
.family = NFPROTO_UNSPEC,
.target = idletimer_tg_target,
.targetsize = sizeof(struct idletimer_tg_info),
+ .usersize = offsetof(struct idletimer_tg_info, timer),
.checkentry = idletimer_tg_checkentry,
.destroy = idletimer_tg_destroy,
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_LED.c b/net/netfilter/xt_LED.c
index 0971634e5444..1dcad893df78 100644
--- a/net/netfilter/xt_LED.c
+++ b/net/netfilter/xt_LED.c
@@ -198,6 +198,7 @@ static struct xt_target led_tg_reg __read_mostly = {
.family = NFPROTO_UNSPEC,
.target = led_tg,
.targetsize = sizeof(struct xt_led_info),
+ .usersize = offsetof(struct xt_led_info, internal_data),
.checkentry = led_tg_check,
.destroy = led_tg_destroy,
.me = THIS_MODULE,
diff --git a/net/netfilter/xt_limit.c b/net/netfilter/xt_limit.c
index d27b5f1ea619..61403b77361c 100644
--- a/net/netfilter/xt_limit.c
+++ b/net/netfilter/xt_limit.c
@@ -193,9 +193,8 @@ static struct xt_match limit_mt_reg __read_mostly = {
.compatsize = sizeof(struct compat_xt_rateinfo),
.compat_from_user = limit_mt_compat_from_user,
.compat_to_user = limit_mt_compat_to_user,
-#else
- .usersize = offsetof(struct xt_rateinfo, prev),
#endif
+ .usersize = offsetof(struct xt_rateinfo, prev),
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_nfacct.c b/net/netfilter/xt_nfacct.c
index cc0518fe598e..6f92d25590a8 100644
--- a/net/netfilter/xt_nfacct.c
+++ b/net/netfilter/xt_nfacct.c
@@ -62,6 +62,7 @@ static struct xt_match nfacct_mt_reg __read_mostly = {
.match = nfacct_mt,
.destroy = nfacct_mt_destroy,
.matchsize = sizeof(struct xt_nfacct_match_info),
+ .usersize = offsetof(struct xt_nfacct_match_info, nfacct),
.me = THIS_MODULE,
};
diff --git a/net/netfilter/xt_statistic.c b/net/netfilter/xt_statistic.c
index 11de55e7a868..8710fdba2ae2 100644
--- a/net/netfilter/xt_statistic.c
+++ b/net/netfilter/xt_statistic.c
@@ -84,6 +84,7 @@ static struct xt_match xt_statistic_mt_reg __read_mostly = {
.checkentry = statistic_mt_check,
.destroy = statistic_mt_destroy,
.matchsize = sizeof(struct xt_statistic_info),
+ .usersize = offsetof(struct xt_statistic_info, master),
.me = THIS_MODULE,
};
--
2.11.0
^ permalink raw reply related [flat|nested] 44+ messages in thread
* [PATCH 5/6] netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check()
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2018-02-01 18:02 ` [PATCH 4/6] netfilter: x_tables: fix pointer leaks to userspace Pablo Neira Ayuso
@ 2018-02-01 18:02 ` Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 6/6] netfilter: on sockopt() acquire sock lock only in the required scope Pablo Neira Ayuso
2018-02-01 19:45 ` [PATCH 0/6] Netfilter fixes for net David Miller
6 siblings, 0 replies; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-02-01 18:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Dmitry Vyukov <dvyukov@google.com>
Commit 136e92bbec0a switched local_nodes from an array to a bitmask
but did not add proper bounds checks. As the result
clusterip_config_init_nodelist() can both over-read
ipt_clusterip_tgt_info.local_nodes and over-write
clusterip_config.local_nodes.
Add bounds checks for both.
Fixes: 136e92bbec0a ("[NETFILTER] CLUSTERIP: use a bitmap to store node responsibility data")
Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 16 +++++++++++++---
1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 69060e3abe85..1e4a7209a3d2 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -431,7 +431,7 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
struct ipt_clusterip_tgt_info *cipinfo = par->targinfo;
const struct ipt_entry *e = par->entryinfo;
struct clusterip_config *config;
- int ret;
+ int ret, i;
if (par->nft_compat) {
pr_err("cannot use CLUSTERIP target from nftables compat\n");
@@ -450,8 +450,18 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
pr_info("Please specify destination IP\n");
return -EINVAL;
}
-
- /* FIXME: further sanity checks */
+ if (cipinfo->num_local_nodes > ARRAY_SIZE(cipinfo->local_nodes)) {
+ pr_info("bad num_local_nodes %u\n", cipinfo->num_local_nodes);
+ return -EINVAL;
+ }
+ for (i = 0; i < cipinfo->num_local_nodes; i++) {
+ if (cipinfo->local_nodes[i] - 1 >=
+ sizeof(config->local_nodes) * 8) {
+ pr_info("bad local_nodes[%d] %u\n",
+ i, cipinfo->local_nodes[i]);
+ return -EINVAL;
+ }
+ }
config = clusterip_config_find_get(par->net, e->ip.dst.s_addr, 1);
if (!config) {
--
2.11.0
^ permalink raw reply related [flat|nested] 44+ messages in thread
* [PATCH 6/6] netfilter: on sockopt() acquire sock lock only in the required scope
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2018-02-01 18:02 ` [PATCH 5/6] netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() Pablo Neira Ayuso
@ 2018-02-01 18:02 ` Pablo Neira Ayuso
2018-02-01 19:45 ` [PATCH 0/6] Netfilter fixes for net David Miller
6 siblings, 0 replies; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-02-01 18:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
From: Paolo Abeni <pabeni@redhat.com>
Syzbot reported several deadlocks in the netfilter area caused by
rtnl lock and socket lock being acquired with a different order on
different code paths, leading to backtraces like the following one:
======================================================
WARNING: possible circular locking dependency detected
4.15.0-rc9+ #212 Not tainted
------------------------------------------------------
syzkaller041579/3682 is trying to acquire lock:
(sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>] lock_sock
include/net/sock.h:1463 [inline]
(sk_lock-AF_INET6){+.+.}, at: [<000000008775e4dd>]
do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
but task is already holding lock:
(rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:74
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #1 (rtnl_mutex){+.+.}:
__mutex_lock_common kernel/locking/mutex.c:756 [inline]
__mutex_lock+0x16f/0x1a80 kernel/locking/mutex.c:893
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:908
rtnl_lock+0x17/0x20 net/core/rtnetlink.c:74
register_netdevice_notifier+0xad/0x860 net/core/dev.c:1607
tee_tg_check+0x1a0/0x280 net/netfilter/xt_TEE.c:106
xt_check_target+0x22c/0x7d0 net/netfilter/x_tables.c:845
check_target net/ipv6/netfilter/ip6_tables.c:538 [inline]
find_check_entry.isra.7+0x935/0xcf0
net/ipv6/netfilter/ip6_tables.c:580
translate_table+0xf52/0x1690 net/ipv6/netfilter/ip6_tables.c:749
do_replace net/ipv6/netfilter/ip6_tables.c:1165 [inline]
do_ip6t_set_ctl+0x370/0x5f0 net/ipv6/netfilter/ip6_tables.c:1691
nf_sockopt net/netfilter/nf_sockopt.c:106 [inline]
nf_setsockopt+0x67/0xc0 net/netfilter/nf_sockopt.c:115
ipv6_setsockopt+0x115/0x150 net/ipv6/ipv6_sockglue.c:928
udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
SYSC_setsockopt net/socket.c:1849 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1828
entry_SYSCALL_64_fastpath+0x29/0xa0
-> #0 (sk_lock-AF_INET6){+.+.}:
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:3914
lock_sock_nested+0xc2/0x110 net/core/sock.c:2780
lock_sock include/net/sock.h:1463 [inline]
do_ipv6_setsockopt.isra.8+0x3c5/0x39d0 net/ipv6/ipv6_sockglue.c:167
ipv6_setsockopt+0xd7/0x150 net/ipv6/ipv6_sockglue.c:922
udpv6_setsockopt+0x45/0x80 net/ipv6/udp.c:1422
sock_common_setsockopt+0x95/0xd0 net/core/sock.c:2978
SYSC_setsockopt net/socket.c:1849 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1828
entry_SYSCALL_64_fastpath+0x29/0xa0
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(rtnl_mutex);
lock(sk_lock-AF_INET6);
lock(rtnl_mutex);
lock(sk_lock-AF_INET6);
*** DEADLOCK ***
1 lock held by syzkaller041579/3682:
#0: (rtnl_mutex){+.+.}, at: [<000000004342eaa9>] rtnl_lock+0x17/0x20
net/core/rtnetlink.c:74
The problem, as Florian noted, is that nf_setsockopt() is always
called with the socket held, even if the lock itself is required only
for very tight scopes and only for some operation.
This patch addresses the issues moving the lock_sock() call only
where really needed, namely in ipv*_getorigdst(), so that nf_setsockopt()
does not need anymore to acquire both locks.
Fixes: 22265a5c3c10 ("netfilter: xt_TEE: resolve oif using netdevice notifiers")
Reported-by: syzbot+a4c2dc980ac1af699b36@syzkaller.appspotmail.com
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/ipv4/ip_sockglue.c | 14 ++++----------
net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 6 +++++-
net/ipv6/ipv6_sockglue.c | 17 +++++------------
net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 18 ++++++++++++------
4 files changed, 26 insertions(+), 29 deletions(-)
diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c
index 60fb1eb7d7d8..c7df4969f80a 100644
--- a/net/ipv4/ip_sockglue.c
+++ b/net/ipv4/ip_sockglue.c
@@ -1251,11 +1251,8 @@ int ip_setsockopt(struct sock *sk, int level,
if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
optname != IP_IPSEC_POLICY &&
optname != IP_XFRM_POLICY &&
- !ip_mroute_opt(optname)) {
- lock_sock(sk);
+ !ip_mroute_opt(optname))
err = nf_setsockopt(sk, PF_INET, optname, optval, optlen);
- release_sock(sk);
- }
#endif
return err;
}
@@ -1280,12 +1277,9 @@ int compat_ip_setsockopt(struct sock *sk, int level, int optname,
if (err == -ENOPROTOOPT && optname != IP_HDRINCL &&
optname != IP_IPSEC_POLICY &&
optname != IP_XFRM_POLICY &&
- !ip_mroute_opt(optname)) {
- lock_sock(sk);
- err = compat_nf_setsockopt(sk, PF_INET, optname,
- optval, optlen);
- release_sock(sk);
- }
+ !ip_mroute_opt(optname))
+ err = compat_nf_setsockopt(sk, PF_INET, optname, optval,
+ optlen);
#endif
return err;
}
diff --git a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
index 89af9d88ca21..a5727036a8a8 100644
--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
@@ -218,15 +218,19 @@ getorigdst(struct sock *sk, int optval, void __user *user, int *len)
struct nf_conntrack_tuple tuple;
memset(&tuple, 0, sizeof(tuple));
+
+ lock_sock(sk);
tuple.src.u3.ip = inet->inet_rcv_saddr;
tuple.src.u.tcp.port = inet->inet_sport;
tuple.dst.u3.ip = inet->inet_daddr;
tuple.dst.u.tcp.port = inet->inet_dport;
tuple.src.l3num = PF_INET;
tuple.dst.protonum = sk->sk_protocol;
+ release_sock(sk);
/* We only do TCP and SCTP at the moment: is there a better way? */
- if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP) {
+ if (tuple.dst.protonum != IPPROTO_TCP &&
+ tuple.dst.protonum != IPPROTO_SCTP) {
pr_debug("SO_ORIGINAL_DST: Not a TCP/SCTP socket\n");
return -ENOPROTOOPT;
}
diff --git a/net/ipv6/ipv6_sockglue.c b/net/ipv6/ipv6_sockglue.c
index 2d4680e0376f..4b16c6dede4f 100644
--- a/net/ipv6/ipv6_sockglue.c
+++ b/net/ipv6/ipv6_sockglue.c
@@ -923,12 +923,8 @@ int ipv6_setsockopt(struct sock *sk, int level, int optname,
#ifdef CONFIG_NETFILTER
/* we need to exclude all possible ENOPROTOOPTs except default case */
if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
- optname != IPV6_XFRM_POLICY) {
- lock_sock(sk);
- err = nf_setsockopt(sk, PF_INET6, optname, optval,
- optlen);
- release_sock(sk);
- }
+ optname != IPV6_XFRM_POLICY)
+ err = nf_setsockopt(sk, PF_INET6, optname, optval, optlen);
#endif
return err;
}
@@ -958,12 +954,9 @@ int compat_ipv6_setsockopt(struct sock *sk, int level, int optname,
#ifdef CONFIG_NETFILTER
/* we need to exclude all possible ENOPROTOOPTs except default case */
if (err == -ENOPROTOOPT && optname != IPV6_IPSEC_POLICY &&
- optname != IPV6_XFRM_POLICY) {
- lock_sock(sk);
- err = compat_nf_setsockopt(sk, PF_INET6, optname,
- optval, optlen);
- release_sock(sk);
- }
+ optname != IPV6_XFRM_POLICY)
+ err = compat_nf_setsockopt(sk, PF_INET6, optname, optval,
+ optlen);
#endif
return err;
}
diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index 3b80a38f62b8..5863579800c1 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -226,20 +226,27 @@ static const struct nf_hook_ops ipv6_conntrack_ops[] = {
static int
ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
{
- const struct inet_sock *inet = inet_sk(sk);
+ struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
const struct ipv6_pinfo *inet6 = inet6_sk(sk);
+ const struct inet_sock *inet = inet_sk(sk);
const struct nf_conntrack_tuple_hash *h;
struct sockaddr_in6 sin6;
- struct nf_conntrack_tuple tuple = { .src.l3num = NFPROTO_IPV6 };
struct nf_conn *ct;
+ __be32 flow_label;
+ int bound_dev_if;
+ lock_sock(sk);
tuple.src.u3.in6 = sk->sk_v6_rcv_saddr;
tuple.src.u.tcp.port = inet->inet_sport;
tuple.dst.u3.in6 = sk->sk_v6_daddr;
tuple.dst.u.tcp.port = inet->inet_dport;
tuple.dst.protonum = sk->sk_protocol;
+ bound_dev_if = sk->sk_bound_dev_if;
+ flow_label = inet6->flow_label;
+ release_sock(sk);
- if (sk->sk_protocol != IPPROTO_TCP && sk->sk_protocol != IPPROTO_SCTP)
+ if (tuple.dst.protonum != IPPROTO_TCP &&
+ tuple.dst.protonum != IPPROTO_SCTP)
return -ENOPROTOOPT;
if (*len < 0 || (unsigned int) *len < sizeof(sin6))
@@ -257,14 +264,13 @@ ipv6_getorigdst(struct sock *sk, int optval, void __user *user, int *len)
sin6.sin6_family = AF_INET6;
sin6.sin6_port = ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u.tcp.port;
- sin6.sin6_flowinfo = inet6->flow_label & IPV6_FLOWINFO_MASK;
+ sin6.sin6_flowinfo = flow_label & IPV6_FLOWINFO_MASK;
memcpy(&sin6.sin6_addr,
&ct->tuplehash[IP_CT_DIR_ORIGINAL].tuple.dst.u3.in6,
sizeof(sin6.sin6_addr));
nf_ct_put(ct);
- sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr,
- sk->sk_bound_dev_if);
+ sin6.sin6_scope_id = ipv6_iface_scope_id(&sin6.sin6_addr, bound_dev_if);
return copy_to_user(user, &sin6, sizeof(sin6)) ? -EFAULT : 0;
}
--
2.11.0
^ permalink raw reply related [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (5 preceding siblings ...)
2018-02-01 18:02 ` [PATCH 6/6] netfilter: on sockopt() acquire sock lock only in the required scope Pablo Neira Ayuso
@ 2018-02-01 19:45 ` David Miller
6 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2018-02-01 19:45 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 1 Feb 2018 19:02:11 +0100
> The following patchset contains Netfilter fixes for your net tree,
> they are:
>
> 1) Fix OOM that syskaller triggers with ipt_replace.size = -1 and
> IPT_SO_SET_REPLACE socket option, from Dmitry Vyukov.
>
> 2) Check for too long extension name in xt_request_find_{match|target}
> that result in out-of-bound reads, from Eric Dumazet.
>
> 3) Fix memory exhaustion bug in ipset hash:*net* types when adding ranges
> that look like x.x.x.x-255.255.255.255, from Jozsef Kadlecsik.
>
> 4) Fix pointer leaks to userspace in x_tables, from Dmitry Vyukov.
>
> 5) Insufficient sanity checks in clusterip_tg_check(), also from Dmitry.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2020-08-24 11:39 Pablo Neira Ayuso
@ 2020-08-24 13:37 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2020-08-24 13:37 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev, kuba
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 24 Aug 2020 13:39:35 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Don't flag SCTP heartbeat as invalid for re-used connections,
> from Florian Westphal.
>
> 2) Bogus overlap report due to rbtree tree rotations, from Stefano Brivio.
>
> 3) Detect partial overlap with start end point match, also from Stefano.
>
> 4) Skip netlink dump of NFTA_SET_USERDATA is unset.
>
> 5) Incorrect nft_list_attributes enumeration definition.
>
> 6) Missing zeroing before memcpy to destination register, also
> from Florian.
>
> Please, pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thank you.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2020-08-24 11:39 Pablo Neira Ayuso
2020-08-24 13:37 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2020-08-24 11:39 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Don't flag SCTP heartbeat as invalid for re-used connections,
from Florian Westphal.
2) Bogus overlap report due to rbtree tree rotations, from Stefano Brivio.
3) Detect partial overlap with start end point match, also from Stefano.
4) Skip netlink dump of NFTA_SET_USERDATA is unset.
5) Incorrect nft_list_attributes enumeration definition.
6) Missing zeroing before memcpy to destination register, also
from Florian.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit cf96d977381d4a23957bade2ddf1c420b74a26b6:
net: gemini: Fix missing free_netdev() in error path of gemini_ethernet_port_probe() (2020-08-19 16:37:18 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 1e105e6afa6c3d32bfb52c00ffa393894a525c27:
netfilter: nf_tables: fix destination register zeroing (2020-08-21 19:00:33 +0200)
----------------------------------------------------------------
Florian Westphal (2):
netfilter: conntrack: allow sctp hearbeat after connection re-use
netfilter: nf_tables: fix destination register zeroing
Pablo Neira Ayuso (2):
netfilter: nf_tables: add NFTA_SET_USERDATA if not null
netfilter: nf_tables: incorrect enum nft_list_attributes definition
Stefano Brivio (2):
netfilter: nft_set_rbtree: Handle outcomes of tree rotations in overlap detection
netfilter: nft_set_rbtree: Detect partial overlap with start endpoint match
include/linux/netfilter/nf_conntrack_sctp.h | 2 +
include/net/netfilter/nf_tables.h | 2 +
include/uapi/linux/netfilter/nf_tables.h | 2 +-
net/netfilter/nf_conntrack_proto_sctp.c | 39 ++++++++++++++++++--
net/netfilter/nf_tables_api.c | 3 +-
net/netfilter/nft_payload.c | 4 +-
net/netfilter/nft_set_rbtree.c | 57 ++++++++++++++++++++++++-----
7 files changed, 92 insertions(+), 17 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2020-05-14 12:19 Pablo Neira Ayuso
@ 2020-05-14 20:15 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2020-05-14 20:15 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 14 May 2020 14:19:07 +0200
> The following patchset contains Netfilter fixes for net:
>
> 1) Fix gcc-10 compilation warning in nf_conntrack, from Arnd Bergmann.
>
> 2) Add NF_FLOW_HW_PENDING to avoid races between stats and deletion
> commands, from Paul Blakey.
>
> 3) Remove WQ_MEM_RECLAIM from the offload workqueue, from Roi Dayan.
>
> 4) Infinite loop when removing nf_conntrack module, from Florian Westphal.
>
> 5) Set NF_FLOW_TEARDOWN bit on expiration to avoid races when refreshing
> the timeout from the software path.
>
> 6) Missing nft_set_elem_expired() check in the rbtree, from Phil Sutter.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thank you.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2020-05-14 12:19 Pablo Neira Ayuso
2020-05-14 20:15 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2020-05-14 12:19 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix gcc-10 compilation warning in nf_conntrack, from Arnd Bergmann.
2) Add NF_FLOW_HW_PENDING to avoid races between stats and deletion
commands, from Paul Blakey.
3) Remove WQ_MEM_RECLAIM from the offload workqueue, from Roi Dayan.
4) Infinite loop when removing nf_conntrack module, from Florian Westphal.
5) Set NF_FLOW_TEARDOWN bit on expiration to avoid races when refreshing
the timeout from the software path.
6) Missing nft_set_elem_expired() check in the rbtree, from Phil Sutter.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 3047211ca11bf77b3ecbce045c0aa544d934b945:
net: dsa: loop: Add module soft dependency (2020-05-10 11:24:20 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 340eaff651160234bdbce07ef34b92a8e45cd540:
netfilter: nft_set_rbtree: Add missing expired checks (2020-05-12 13:19:34 +0200)
----------------------------------------------------------------
Arnd Bergmann (1):
netfilter: conntrack: avoid gcc-10 zero-length-bounds warning
Florian Westphal (1):
netfilter: conntrack: fix infinite loop on rmmod
Pablo Neira Ayuso (1):
netfilter: flowtable: set NF_FLOW_TEARDOWN flag on entry expiration
Paul Blakey (1):
netfilter: flowtable: Add pending bit for offload work
Phil Sutter (1):
netfilter: nft_set_rbtree: Add missing expired checks
Roi Dayan (1):
netfilter: flowtable: Remove WQ_MEM_RECLAIM from workqueue
include/net/netfilter/nf_conntrack.h | 2 +-
include/net/netfilter/nf_flow_table.h | 1 +
net/netfilter/nf_conntrack_core.c | 17 ++++++++++++++---
net/netfilter/nf_flow_table_core.c | 8 +++++---
net/netfilter/nf_flow_table_offload.c | 10 ++++++++--
net/netfilter/nft_set_rbtree.c | 11 +++++++++++
6 files changed, 40 insertions(+), 9 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2020-02-26 22:54 Pablo Neira Ayuso
@ 2020-02-27 0:32 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2020-02-27 0:32 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 26 Feb 2020 23:54:36 +0100
> The following patchset contains Netfilter fixes:
>
> 1) Perform garbage collection from workqueue to fix rcu detected
> stall in ipset hash set types, from Jozsef Kadlecsik.
>
> 2) Fix the forceadd evaluation path, also from Jozsef.
>
> 3) Fix nft_set_pipapo selftest, from Stefano Brivio.
>
> 4) Crash when add-flush-add element in pipapo set, also from Stefano.
> Add test to cover this crash.
>
> 5) Remove sysctl entry under mutex in hashlimit, from Cong Wang.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2020-02-26 22:54 Pablo Neira Ayuso
2020-02-27 0:32 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2020-02-26 22:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes:
1) Perform garbage collection from workqueue to fix rcu detected
stall in ipset hash set types, from Jozsef Kadlecsik.
2) Fix the forceadd evaluation path, also from Jozsef.
3) Fix nft_set_pipapo selftest, from Stefano Brivio.
4) Crash when add-flush-add element in pipapo set, also from Stefano.
Add test to cover this crash.
5) Remove sysctl entry under mutex in hashlimit, from Cong Wang.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 3614d05b5e6baf487e88fb114d884da172edd61a:
Merge tag 'mac80211-for-net-2020-02-24' of git://git.kernel.org/pub/scm/linux/kernel/git/jberg/mac80211 (2020-02-24 15:43:38 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 99b79c3900d4627672c85d9f344b5b0f06bc2a4d:
netfilter: xt_hashlimit: unregister proc file before releasing mutex (2020-02-26 23:25:07 +0100)
----------------------------------------------------------------
Cong Wang (1):
netfilter: xt_hashlimit: unregister proc file before releasing mutex
Jozsef Kadlecsik (2):
netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports
netfilter: ipset: Fix forceadd evaluation path
Pablo Neira Ayuso (1):
Merge branch 'master' of git://blackhole.kfki.hu/nf
Stefano Brivio (3):
selftests: nft_concat_range: Move option for 'list ruleset' before command
nft_set_pipapo: Actually fetch key data in nft_pipapo_remove()
selftests: nft_concat_range: Add test for reported add/flush/add issue
include/linux/netfilter/ipset/ip_set.h | 11 +-
net/netfilter/ipset/ip_set_core.c | 34 +-
net/netfilter/ipset/ip_set_hash_gen.h | 635 ++++++++++++++-------
net/netfilter/nft_set_pipapo.c | 6 +-
net/netfilter/xt_hashlimit.c | 16 +-
.../selftests/netfilter/nft_concat_range.sh | 55 +-
6 files changed, 529 insertions(+), 228 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2020-01-31 19:24 Pablo Neira Ayuso
@ 2020-02-01 20:59 ` Jakub Kicinski
0 siblings, 0 replies; 44+ messages in thread
From: Jakub Kicinski @ 2020-02-01 20:59 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev
On Fri, 31 Jan 2020 20:24:22 +0100, Pablo Neira Ayuso wrote:
> Hi,
>
> The following patchset contains Netfilter fixes for net:
>
> 1) Fix suspicious RCU usage in ipset, from Jozsef Kadlecsik.
>
> 2) Use kvcalloc, from Joe Perches.
>
> 3) Flush flowtable hardware workqueue after garbage collection run,
> from Paul Blakey.
>
> 4) Missing flowtable hardware workqueue flush from nf_flow_table_free(),
> also from Paul.
>
> 5) Restore NF_FLOW_HW_DEAD in flow_offload_work_del(), from Paul.
>
> 6) Flowtable documentation fixes, from Matteo Croce.
Pulled, thanks!
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2020-01-31 19:24 Pablo Neira Ayuso
2020-02-01 20:59 ` Jakub Kicinski
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2020-01-31 19:24 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix suspicious RCU usage in ipset, from Jozsef Kadlecsik.
2) Use kvcalloc, from Joe Perches.
3) Flush flowtable hardware workqueue after garbage collection run,
from Paul Blakey.
4) Missing flowtable hardware workqueue flush from nf_flow_table_free(),
also from Paul.
5) Restore NF_FLOW_HW_DEAD in flow_offload_work_del(), from Paul.
6) Flowtable documentation fixes, from Matteo Croce.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 44efc78d0e464ce70b45b165c005f8bedc17952e:
net: mvneta: fix XDP support if sw bm is used as fallback (2020-01-29 13:57:59 +0100)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 78e06cf430934fc3768c342cbebdd1013dcd6fa7:
netfilter: nf_flowtable: fix documentation (2020-01-31 19:31:42 +0100)
----------------------------------------------------------------
Joe Perches (1):
netfilter: Use kvcalloc
Kadlecsik József (1):
netfilter: ipset: fix suspicious RCU usage in find_set_and_id
Matteo Croce (1):
netfilter: nf_flowtable: fix documentation
Paul Blakey (3):
netfilter: flowtable: Fix hardware flush order on nf_flow_table_cleanup
netfilter: flowtable: Fix missing flush hardware on table free
netfilter: flowtable: Fix setting forgotten NF_FLOW_HW_DEAD flag
Documentation/networking/nf_flowtable.txt | 2 +-
net/netfilter/ipset/ip_set_core.c | 41 ++++++++++++++++---------------
net/netfilter/nf_conntrack_core.c | 3 +--
net/netfilter/nf_flow_table_core.c | 3 ++-
net/netfilter/nf_flow_table_offload.c | 1 +
net/netfilter/x_tables.c | 4 +--
6 files changed, 28 insertions(+), 26 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2019-02-05 19:04 Pablo Neira Ayuso
@ 2019-02-05 19:23 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2019-02-05 19:23 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 5 Feb 2019 20:04:09 +0100
> The following patchset contains Netfilter fixes for net:
...
> Diffstat look rather larger than usual because of the new selftest, but
> Florian and I consider that having tests soon into the tree is good to
> improve coverage. If there's a different policy in this regard, please,
> let me know.
Adding a test case like this fine and in fact encouraged.
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2019-02-05 19:04 Pablo Neira Ayuso
2019-02-05 19:23 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2019-02-05 19:04 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for net:
1) Use CONFIG_NF_TABLES_INET from seltests, not NF_TABLES_INET.
From Naresh Kamboju.
2) Add a test to cover masquerading and redirect case, from Florian
Westphal.
3) Two packets coming from the same socket may race to set up NAT,
ending up with different tuples and the packet losing race being
dropped. Update nf_conntrack_tuple_taken() to exercise clash
resolution for this case. From Martynas Pumputis and Florian
Westphal.
4) Unbind anonymous sets from the commit and abort path, this fixes
a splat due to double set list removal/release in case that the
transaction needs to be aborted.
5) Do not preserve original output interface for packets that are
redirected in the output chain when ip6_route_me_harder() is
called. Otherwise packets end up going not going to the loopback
device. From Eli Cooper.
6) Fix bogus splat in nft_compat with CONFIG_REFCOUNT_FULL=y, this
also simplifies the existing logic to deal with the list insertions
of the xtables extensions. From Florian Westphal.
Diffstat look rather larger than usual because of the new selftest, but
Florian and I consider that having tests soon into the tree is good to
improve coverage. If there's a different policy in this regard, please,
let me know.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit cfe4bd7a257f6d6f81d3458d8c9d9ec4957539e6:
sctp: check and update stream->out_curr when allocating stream_out (2019-02-03 14:27:47 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 947e492c0fc2132ae5fca081a9c2952ccaab0404:
netfilter: nft_compat: don't use refcount_inc on newly allocated entry (2019-02-05 14:10:33 +0100)
----------------------------------------------------------------
Eli Cooper (1):
netfilter: ipv6: Don't preserve original oif for loopback address
Florian Westphal (2):
selftests: netfilter: add simple masq/redirect test cases
netfilter: nft_compat: don't use refcount_inc on newly allocated entry
Martynas Pumputis (1):
netfilter: nf_nat: skip nat clash resolution for same-origin entries
Naresh Kamboju (1):
selftests: netfilter: fix config fragment CONFIG_NF_TABLES_INET
Pablo Neira Ayuso (1):
netfilter: nf_tables: unbind set in rule from commit path
include/net/netfilter/nf_tables.h | 17 +-
net/ipv6/netfilter.c | 4 +-
net/netfilter/nf_conntrack_core.c | 16 +
net/netfilter/nf_tables_api.c | 85 ++-
net/netfilter/nft_compat.c | 62 +--
net/netfilter/nft_dynset.c | 18 +-
net/netfilter/nft_immediate.c | 6 +-
net/netfilter/nft_lookup.c | 18 +-
net/netfilter/nft_objref.c | 18 +-
tools/testing/selftests/netfilter/Makefile | 2 +-
tools/testing/selftests/netfilter/config | 2 +-
tools/testing/selftests/netfilter/nft_nat.sh | 762 +++++++++++++++++++++++++++
12 files changed, 888 insertions(+), 122 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/nft_nat.sh
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2018-10-01 22:37 Pablo Neira Ayuso
@ 2018-10-01 22:41 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2018-10-01 22:41 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 2 Oct 2018 00:37:39 +0200
> The following patchset contains Netfilter fixes for your net tree:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2018-10-01 22:37 Pablo Neira Ayuso
2018-10-01 22:41 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-10-01 22:37 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree:
1) Skip ip_sabotage_in() for packet making into the VRF driver,
otherwise packets are dropped, from David Ahern.
2) Clang compilation warning uncovering typo in the
nft_validate_register_store() call from nft_osf, from Stefan Agner.
3) Double sizeof netlink message length calculations in ctnetlink,
from zhong jiang.
4) Missing rb_erase() on batch full in rbtree garbage collector,
from Taehee Yoo.
5) Calm down compilation warning in nf_hook(), from Florian Westphal.
6) Missing check for non-null sk in xt_socket before validating
netns procedence, from Flavio Leitner.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 56ce3c5a50f4d8cc95361b1ec7f152006c6320d8:
smc: generic netlink family should be __ro_after_init (2018-09-20 07:49:55 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 40e4f26e6a14fc1496eabb8b0004a547303114e6:
netfilter: xt_socket: check sk before checking for netns. (2018-09-28 14:47:41 +0200)
----------------------------------------------------------------
David Ahern (1):
netfilter: bridge: Don't sabotage nf_hook calls from an l3mdev
Flavio Leitner (1):
netfilter: xt_socket: check sk before checking for netns.
Florian Westphal (1):
netfilter: avoid erronous array bounds warning
Stefan Agner (1):
netfilter: nft_osf: use enum nft_data_types for nft_validate_register_store
Taehee Yoo (1):
netfilter: nft_set_rbtree: add missing rb_erase() in GC routine
zhong jiang (1):
netfilter: conntrack: get rid of double sizeof
include/linux/netfilter.h | 2 ++
net/bridge/br_netfilter_hooks.c | 3 ++-
net/netfilter/nf_conntrack_proto_tcp.c | 4 ++--
net/netfilter/nft_osf.c | 2 +-
net/netfilter/nft_set_rbtree.c | 28 ++++++++++++++--------------
net/netfilter/xt_socket.c | 4 ++--
6 files changed, 23 insertions(+), 20 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2018-07-09 17:18 Pablo Neira Ayuso
@ 2018-07-09 21:24 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2018-07-09 21:24 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 9 Jul 2018 19:18:58 +0200
> The following patchset contains Netfilter fixes for your net tree:
>
> 1) Missing module autoloadfor icmp and icmpv6 x_tables matches,
> from Florian Westphal.
>
> 2) Possible non-linear access to TCP header from tproxy, from
> Mate Eckl.
>
> 3) Do not allow rbtree to be used for single elements, this patch
> moves all set backend into one single module since such thing
> can only happen if hashtable module is explicitly blacklisted,
> which should not ever be done.
>
> 4) Reject error and standard targets from nft_compat for sanity
> reasons, they are never used from there.
>
> 5) Don't crash on double hashsize module parameter, from Andrey
> Ryabinin.
>
> 6) Drop dst on skb before placing it in the fragmentation
> reassembly queue, from Florian Westphal.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2018-07-09 17:18 Pablo Neira Ayuso
2018-07-09 21:24 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-07-09 17:18 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree:
1) Missing module autoloadfor icmp and icmpv6 x_tables matches,
from Florian Westphal.
2) Possible non-linear access to TCP header from tproxy, from
Mate Eckl.
3) Do not allow rbtree to be used for single elements, this patch
moves all set backend into one single module since such thing
can only happen if hashtable module is explicitly blacklisted,
which should not ever be done.
4) Reject error and standard targets from nft_compat for sanity
reasons, they are never used from there.
5) Don't crash on double hashsize module parameter, from Andrey
Ryabinin.
6) Drop dst on skb before placing it in the fragmentation
reassembly queue, from Florian Westphal.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit d461e3da905332189aad546b2ad9adbe6071c7cc:
smsc75xx: Add workaround for gigabit link up hardware errata. (2018-07-04 22:12:59 +0900)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 84379c9afe011020e797e3f50a662b08a6355dcf:
netfilter: ipv6: nf_defrag: drop skb dst before queueing (2018-07-09 18:04:12 +0200)
----------------------------------------------------------------
Andrey Ryabinin (1):
netfilter: nf_conntrack: Fix possible possible crash on module loading.
Florian Westphal (3):
netfilter: x_tables: set module owner for icmp(6) matches
netfilter: nft_compat: explicitly reject ERROR and standard target
netfilter: ipv6: nf_defrag: drop skb dst before queueing
Máté Eckl (1):
netfilter: nf_tproxy: fix possible non-linear access to transport header
Pablo Neira Ayuso (1):
netfilter: nf_tables: place all set backends in one single module
include/net/netfilter/nf_tables_core.h | 6 ++++++
include/net/netfilter/nf_tproxy.h | 4 ++--
net/ipv4/netfilter/ip_tables.c | 1 +
net/ipv4/netfilter/nf_tproxy_ipv4.c | 18 ++++++++++++------
net/ipv6/netfilter/ip6_tables.c | 1 +
net/ipv6/netfilter/nf_conntrack_reasm.c | 2 ++
net/ipv6/netfilter/nf_tproxy_ipv6.c | 18 ++++++++++++------
net/netfilter/Kconfig | 25 +++++++------------------
net/netfilter/Makefile | 7 ++++---
net/netfilter/nf_conntrack_core.c | 2 +-
net/netfilter/nf_tables_set_core.c | 28 ++++++++++++++++++++++++++++
net/netfilter/nft_compat.c | 13 +++++++++++++
net/netfilter/nft_set_bitmap.c | 19 +------------------
net/netfilter/nft_set_hash.c | 29 +++--------------------------
net/netfilter/nft_set_rbtree.c | 19 +------------------
net/netfilter/xt_TPROXY.c | 8 ++++----
16 files changed, 98 insertions(+), 102 deletions(-)
create mode 100644 net/netfilter/nf_tables_set_core.c
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2018-06-27 15:22 Pablo Neira Ayuso
@ 2018-06-28 4:33 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2018-06-28 4:33 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 27 Jun 2018 17:22:17 +0200
> The following patchset contains Netfilter fixes for your net tree:
>
> 1) Missing netlink attribute validation in nf_queue, uncovered by KASAN,
> from Eric Dumazet.
>
> 2) Use pointer to sysctl table, save us 192 bytes of memory per netns.
> Also from Eric.
>
> 3) Possible use-after-free when removing conntrack helper modules due
> to missing synchronize RCU call. From Taehee Yoo.
>
> 4) Fix corner case in systcl writes to nf_log that lead to appending
> data to uninitialized buffer, from Jann Horn.
>
> 5) Jann Horn says we may indefinitely block other users of nf_log_mutex
> if a userspace access in proc_dostring() blocked e.g. due to a
> userfaultfd.
>
> 6) Fix garbage collection race for unconfirmed conntrack entries,
> from Florian Westphal.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thank you.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2018-06-27 15:22 Pablo Neira Ayuso
2018-06-28 4:33 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2018-06-27 15:22 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree:
1) Missing netlink attribute validation in nf_queue, uncovered by KASAN,
from Eric Dumazet.
2) Use pointer to sysctl table, save us 192 bytes of memory per netns.
Also from Eric.
3) Possible use-after-free when removing conntrack helper modules due
to missing synchronize RCU call. From Taehee Yoo.
4) Fix corner case in systcl writes to nf_log that lead to appending
data to uninitialized buffer, from Jann Horn.
5) Jann Horn says we may indefinitely block other users of nf_log_mutex
if a userspace access in proc_dostring() blocked e.g. due to a
userfaultfd.
6) Fix garbage collection race for unconfirmed conntrack entries,
from Florian Westphal.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 7e85dc8cb35abf16455f1511f0670b57c1a84608:
net_sched: blackhole: tell upper qdisc about dropped packets (2018-06-17 08:42:33 +0900)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452:
netfilter: nf_conncount: fix garbage collection confirm race (2018-06-26 18:28:57 +0200)
----------------------------------------------------------------
Eric Dumazet (2):
netfilter: nf_queue: augment nfqa_cfg_policy
netfilter: ipv6: nf_defrag: reduce struct net memory waste
Florian Westphal (1):
netfilter: nf_conncount: fix garbage collection confirm race
Gao Feng (1):
netfilter: nf_ct_helper: Fix possible panic after nf_conntrack_helper_unregister
Jann Horn (2):
netfilter: nf_log: fix uninit read in nf_log_proc_dostring
netfilter: nf_log: don't hold nf_log_mutex during user access
include/net/net_namespace.h | 1 +
include/net/netns/ipv6.h | 1 -
net/ipv6/netfilter/nf_conntrack_reasm.c | 6 ++--
net/netfilter/nf_conncount.c | 52 +++++++++++++++++++++++++++++----
net/netfilter/nf_conntrack_helper.c | 5 ++++
net/netfilter/nf_log.c | 13 +++++++--
net/netfilter/nfnetlink_queue.c | 3 ++
7 files changed, 69 insertions(+), 12 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2017-02-27 11:35 Pablo Neira Ayuso
@ 2017-02-27 14:19 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2017-02-27 14:19 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 27 Feb 2017 12:35:36 +0100
> The following patchset contains netfilter fixes for you net tree,
> they are:
>
> 1) Missing ct zone size in the nft_ct initialization path, patch
> from Florian Westphal.
>
> 2) Two patches for netfilter uapi headers, one to remove unnecessary
> sysctl.h inclusion and another to fix compilation of xt_hashlimit.h
> in userspace, from Dmitry V. Levin.
>
> 3) Patch to fix a sloppy change in nf_ct_expect that incorrectly
> simplified nf_ct_expect_related_report() in the previous nf-next
> batch. This also includes another patch for __nf_ct_expect_check()
> to report success by returning 0 to keep it consistent with other
> existing functions. From Jarno Rajahalme.
>
> 4) The ->walk() iterator of the new bitmap set type goes over the real
> bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA
> is used.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2017-02-27 11:35 Pablo Neira Ayuso
2017-02-27 14:19 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2017-02-27 11:35 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains netfilter fixes for you net tree,
they are:
1) Missing ct zone size in the nft_ct initialization path, patch
from Florian Westphal.
2) Two patches for netfilter uapi headers, one to remove unnecessary
sysctl.h inclusion and another to fix compilation of xt_hashlimit.h
in userspace, from Dmitry V. Levin.
3) Patch to fix a sloppy change in nf_ct_expect that incorrectly
simplified nf_ct_expect_related_report() in the previous nf-next
batch. This also includes another patch for __nf_ct_expect_check()
to report success by returning 0 to keep it consistent with other
existing functions. From Jarno Rajahalme.
4) The ->walk() iterator of the new bitmap set type goes over the real
bitmap size, this results in incorrect dumps when NFTA_SET_USERDATA
is used.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 9c4713701c01e4cef6e2315c2818abc919ffb0de:
bpf: Fix bpf_xdp_event_output (2017-02-23 13:53:42 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 13aa5a8f498dacd5f1a8e35be72af47e630fb8c6:
netfilter: nft_set_bitmap: incorrect bitmap size (2017-02-26 21:00:19 +0100)
----------------------------------------------------------------
Dmitry V. Levin (2):
uapi: stop including linux/sysctl.h in uapi/linux/netfilter.h
uapi: fix linux/netfilter/xt_hashlimit.h userspace compilation error
Florian Westphal (1):
netfilter: nft_ct: fix random validation errors for zone set support
Jarno Rajahalme (2):
netfilter: nf_ct_expect: nf_ct_expect_related_report(): Return zero on success.
netfilter: nf_ct_expect: Change __nf_ct_expect_check() return value.
Pablo Neira Ayuso (1):
netfilter: nft_set_bitmap: incorrect bitmap size
include/uapi/linux/netfilter.h | 1 -
include/uapi/linux/netfilter/xt_hashlimit.h | 1 +
net/netfilter/nf_conntrack_expect.c | 6 +++---
net/netfilter/nft_ct.c | 1 +
net/netfilter/nft_set_bitmap.c | 2 +-
5 files changed, 6 insertions(+), 5 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2017-01-05 11:19 Pablo Neira Ayuso
@ 2017-01-05 16:52 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2017-01-05 16:52 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 5 Jan 2017 12:19:47 +0100
> The following patchset contains accumulated Netfilter fixes for your
> net tree:
>
> 1) Ensure quota dump and reset happens iff we can deliver numbers to
> userspace.
>
> 2) Silence splat on incorrect use of smp_processor_id() from nft_queue.
>
> 3) Fix an out-of-bound access reported by KASAN in
> nf_tables_rule_destroy(), patch from Florian Westphal.
>
> 4) Fix layer 4 checksum mangling in the nf_tables payload expression
> with IPv6.
>
> 5) Fix a race in the CLUSTERIP target from control plane path when two
> threads run to add a new configuration object. Serialize invocations
> of clusterip_config_init() using spin_lock. From Xin Long.
>
> 6) Call br_nf_pre_routing_finish_bridge_finish() once we are done with
> the br_nf_pre_routing_finish() hook. From Artur Molchanov.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
And a happy new year to you too!
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2017-01-05 11:19 Pablo Neira Ayuso
2017-01-05 16:52 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2017-01-05 11:19 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains accumulated Netfilter fixes for your
net tree:
1) Ensure quota dump and reset happens iff we can deliver numbers to
userspace.
2) Silence splat on incorrect use of smp_processor_id() from nft_queue.
3) Fix an out-of-bound access reported by KASAN in
nf_tables_rule_destroy(), patch from Florian Westphal.
4) Fix layer 4 checksum mangling in the nf_tables payload expression
with IPv6.
5) Fix a race in the CLUSTERIP target from control plane path when two
threads run to add a new configuration object. Serialize invocations
of clusterip_config_init() using spin_lock. From Xin Long.
6) Call br_nf_pre_routing_finish_bridge_finish() once we are done with
the br_nf_pre_routing_finish() hook. From Artur Molchanov.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Wish you a nice new year btw, thanks!
----------------------------------------------------------------
The following changes since commit a220871be66f99d8957c693cf22ec67ecbd9c23a:
virtio-net: correctly enable multiqueue (2016-12-13 10:37:38 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 14221cc45caad2fcab3a8543234bb7eda9b540d5:
bridge: netfilter: Fix dropping packets that moving through bridge interface (2016-12-30 18:22:50 +0100)
----------------------------------------------------------------
Artur Molchanov (1):
bridge: netfilter: Fix dropping packets that moving through bridge interface
Florian Westphal (1):
netfilter: nf_tables: fix oob access
Pablo Neira Ayuso (3):
netfilter: nft_quota: reset quota after dump
netfilter: nft_queue: use raw_smp_processor_id()
netfilter: nft_payload: mangle ckecksum if NFT_PAYLOAD_L4CSUM_PSEUDOHDR is set
Xin Long (1):
netfilter: ipt_CLUSTERIP: check duplicate config when initializing
net/bridge/br_netfilter_hooks.c | 2 +-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 34 +++++++++++++++++++++++-----------
net/netfilter/nf_tables_api.c | 2 +-
net/netfilter/nft_payload.c | 27 +++++++++++++++++++--------
net/netfilter/nft_queue.c | 2 +-
net/netfilter/nft_quota.c | 26 ++++++++++++++------------
6 files changed, 59 insertions(+), 34 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2016-08-18 17:29 Pablo Neira Ayuso
@ 2016-08-19 1:49 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2016-08-19 1:49 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 18 Aug 2016 19:29:02 +0200
> The following patchset contains Netfilter updates for your net tree,
> they are:
...
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2016-08-18 17:29 Pablo Neira Ayuso
2016-08-19 1:49 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2016-08-18 17:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter updates for your net tree,
they are:
1) Dump only conntrack that belong to this namespace via /proc file.
This is some fallout from the conversion to single conntrack table
for all netns, patch from Liping Zhang.
2) Missing MODULE_ALIAS_NF_LOGGER() for the ARP family that prevents
module autoloading, also from Liping Zhang.
3) Report overquota event to the right netnamespace, again from Liping.
4) Fix tproxy listener sk refcount that leads to crash, from
Eric Dumazet.
5) Fix racy refcounting on object deletion from nfnetlink and rule
removal both for nfacct and cttimeout, from Liping Zhang.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit a1560dd7a47f983419760aa7f6a481e3b910b54b:
Merge branch 'mediatek-fixes' (2016-08-15 23:02:45 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to b75911b66ad508a3c3f006ce37d9f9ebee34da43:
netfilter: cttimeout: fix use after free error when delete netns (2016-08-18 15:17:00 +0200)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: tproxy: properly refcount tcp listeners
Liping Zhang (5):
netfilter: conntrack: do not dump other netns's conntrack entries via proc
netfilter: nfnetlink_log: add "nf-logger-3-1" module alias name
netfilter: nfnetlink_acct: report overquota to the right netns
netfilter: nfnetlink_acct: fix race between nfacct del and xt_nfacct destroy
netfilter: cttimeout: fix use after free error when delete netns
include/linux/netfilter/nfnetlink_acct.h | 4 ++--
net/netfilter/nf_conntrack_standalone.c | 4 ++++
net/netfilter/nfnetlink_acct.c | 17 +++++++++--------
net/netfilter/nfnetlink_cttimeout.c | 16 ++++++++++------
net/netfilter/nfnetlink_log.c | 1 +
net/netfilter/xt_TPROXY.c | 4 ++++
net/netfilter/xt_nfacct.c | 2 +-
7 files changed, 31 insertions(+), 17 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2016-02-16 17:02 Pablo Neira Ayuso
@ 2016-02-16 17:56 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2016-02-16 17:56 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 16 Feb 2016 18:02:31 +0100
> The following patchset contain a rather large batch for your net that
> includes accumulated bugfixes, they are:
...
> Due to the NetDev 1.1 organization burden, I had no chance to pass up
> this to you any sooner in this release cycle, sorry about that.
Understood :)
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2016-02-16 17:02 Pablo Neira Ayuso
2016-02-16 17:56 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2016-02-16 17:02 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contain a rather large batch for your net that
includes accumulated bugfixes, they are:
1) Run conntrack cleanup from workqueue process context to avoid hitting
soft lockup via watchdog for large tables. This is required by the
IPv6 masquerading extension. From Florian Westphal.
2) Use original skbuff from nfnetlink batch when calling netlink_ack()
on error since this needs to access the skb->sk pointer.
3) Incremental fix on top of recent Sasha Levin's lock fix for conntrack
resizing.
4) Fix several problems in nfnetlink batch message header sanitization
and error handling, from Phil Turnbull.
5) Select NF_DUP_IPV6 based on CONFIG_IPV6, from Arnd Bergmann.
6) Fix wrong signess in return values on nf_tables counter expression,
from Anton Protopopov.
Due to the NetDev 1.1 organization burden, I had no chance to pass up
this to you any sooner in this release cycle, sorry about that.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 53729eb174c1589f9185340ffe8c10b3f39f3ef3:
Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth (2016-01-30 15:32:42 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 5cc6ce9ff27565949a1001a2889a8dd9fd09e772:
netfilter: nft_counter: fix erroneous return values (2016-02-08 13:05:02 +0100)
----------------------------------------------------------------
Anton Protopopov (1):
netfilter: nft_counter: fix erroneous return values
Arnd Bergmann (1):
netfilter: tee: select NF_DUP_IPV6 unconditionally
Florian Westphal (2):
netfilter: conntrack: resched in nf_ct_iterate_cleanup
netfilter: cttimeout: fix deadlock due to erroneous unlock/lock conversion
Pablo Neira Ayuso (1):
netfilter: nfnetlink: use original skbuff when acking batches
Phil Turnbull (1):
netfilter: nfnetlink: correctly validate length of batch messages
net/ipv6/netfilter/nf_nat_masquerade_ipv6.c | 74 +++++++++++++++++++++++++++--
net/netfilter/Kconfig | 2 +-
net/netfilter/nf_conntrack_core.c | 5 ++
net/netfilter/nfnetlink.c | 16 ++++---
net/netfilter/nfnetlink_cttimeout.c | 2 +-
net/netfilter/nft_counter.c | 4 +-
net/netfilter/xt_TEE.c | 4 +-
7 files changed, 91 insertions(+), 16 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2016-01-20 17:03 Pablo Neira Ayuso
@ 2016-01-21 2:57 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2016-01-21 2:57 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 20 Jan 2016 18:03:58 +0100
> The following patchset contains Netfilter fixes for your net tree, they
> are:
>
> 1) Fix accidental 3-times le/be conversion for 64-bits in nft_byteorder,
> from Florian Westphal.
>
> 2) Get rid of defensive cidr = 0 check in the ipset hash:netiface set
> type which doesn't allow valid 0.0.0.0/0 elements, also from Florian.
>
> 3) Relocate #endif in nft_ct counter support, this doesn't have any
> relation with labels.
>
> 4) Fix TCPMSS target for IPv6 when skb has CHECKSUM_COMPLETE, from
> Eric Dumazet.
>
> 5) Fix netdevice notifier leak from the error path of nf_tables_netdev.
>
> 6) Safe conntrack hashtable resizing by introducing a global lock and
> synchronize all buckets to avoid going over the maximum number of
> preemption levels, from Sasha Levin.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2016-01-20 17:03 Pablo Neira Ayuso
2016-01-21 2:57 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2016-01-20 17:03 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree, they
are:
1) Fix accidental 3-times le/be conversion for 64-bits in nft_byteorder,
from Florian Westphal.
2) Get rid of defensive cidr = 0 check in the ipset hash:netiface set
type which doesn't allow valid 0.0.0.0/0 elements, also from Florian.
3) Relocate #endif in nft_ct counter support, this doesn't have any
relation with labels.
4) Fix TCPMSS target for IPv6 when skb has CHECKSUM_COMPLETE, from
Eric Dumazet.
5) Fix netdevice notifier leak from the error path of nf_tables_netdev.
6) Safe conntrack hashtable resizing by introducing a global lock and
synchronize all buckets to avoid going over the maximum number of
preemption levels, from Sasha Levin.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit f1640c3ddeec12804bc9a21feee85fc15aca95f6:
bgmac: fix a missing check for build_skb (2016-01-13 00:24:14 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to b16c29191dc89bd877af99a7b04ce4866728a3e0:
netfilter: nf_conntrack: use safer way to lock all buckets (2016-01-20 14:15:31 +0100)
----------------------------------------------------------------
Eric Dumazet (1):
netfilter: xt_TCPMSS: handle CHECKSUM_COMPLETE in tcpmss_tg6()
Florian Westphal (2):
netfilter: nft_byteorder: avoid unneeded le/be conversion steps
netfilter: ipset: allow a 0 netmask with hash_netiface type
Pablo Neira Ayuso (2):
netfilter: nft_ct: keep counters away from CONFIG_NF_CONNTRACK_LABELS
netfilter: nf_tables_netdev: fix error path in module initialization
Sasha Levin (1):
netfilter: nf_conntrack: use safer way to lock all buckets
include/net/netfilter/nf_conntrack_core.h | 8 +++----
net/netfilter/ipset/ip_set_hash_netiface.c | 4 ----
net/netfilter/nf_conntrack_core.c | 38 ++++++++++++++++++++++--------
net/netfilter/nf_conntrack_helper.c | 2 +-
net/netfilter/nf_conntrack_netlink.c | 2 +-
net/netfilter/nf_tables_netdev.c | 8 +++----
net/netfilter/nfnetlink_cttimeout.c | 4 ++--
net/netfilter/nft_byteorder.c | 6 ++---
net/netfilter/nft_ct.c | 2 +-
net/netfilter/xt_TCPMSS.c | 9 +++++--
10 files changed, 49 insertions(+), 34 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] netfilter fixes for net
2015-12-14 11:25 [PATCH 0/6] netfilter " Pablo Neira Ayuso
@ 2015-12-14 16:09 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2015-12-14 16:09 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon, 14 Dec 2015 12:25:40 +0100
> The following patchset contains Netfilter fixes for you net tree,
> specifically for nf_tables and nfnetlink_queue, they are:
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] netfilter fixes for net
@ 2015-12-14 11:25 Pablo Neira Ayuso
2015-12-14 16:09 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2015-12-14 11:25 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for you net tree,
specifically for nf_tables and nfnetlink_queue, they are:
1) Avoid a compilation warning in nfnetlink_queue that was introduced
in the previous merge window with the simplification of the conntrack
integration, from Arnd Bergmann.
2) nfnetlink_queue is leaking the pernet subsystem registration from
a failure path, patch from Nikolay Borisov.
3) Pass down netns pointer to batch callback in nfnetlink, this is the
largest patch and it is not a bugfix but it is a dependency to
resolve a splat in the correct way.
4) Fix a splat due to incorrect socket memory accounting with nfnetlink
skbuff clones.
5) Add missing conntrack dependencies to NFT_DUP_IPV4 and NFT_DUP_IPV6.
6) Traverse the nftables commit list in reverse order from the commit
path, otherwise we crash when the user applies an incremental update
via 'nft -f' that deletes an object that was just introduced in this
batch, from Xin Long.
Regarding the compilation warning fix, many people have sent us (and
keep sending us) patches to address this, that's why I'm including this
batch even if this is not critical.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 4c6980462f32b4f282c5d8e5f7ea8070e2937725:
net: ip6mr: fix static mfc/dev leaks on table destruction (2015-11-22 20:44:47 -0500)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to a907e36d54e0ff836e55e04531be201bf6b4d8c8:
netfilter: nf_tables: use reverse traversal commit_list in nf_tables_abort (2015-12-13 22:47:32 +0100)
----------------------------------------------------------------
Arnd Bergmann (1):
netfilter: nfnetlink_queue: avoid harmless unnitialized variable warnings
Nikolay Borisov (1):
netfilter: nfnetlink_queue: Unregister pernet subsys in case of init failure
Pablo Neira Ayuso (3):
netfilter: nfnetlink: avoid recurrent netns lookups in call_batch
netfilter: nfnetlink: fix splat due to incorrect socket memory accounting in skbuff clones
netfilter: nf_dup: add missing dependencies with NF_CONNTRACK
Xin Long (1):
netfilter: nf_tables: use reverse traversal commit_list in nf_tables_abort
include/linux/netfilter/nfnetlink.h | 2 +-
net/ipv4/netfilter/Kconfig | 1 +
net/ipv6/netfilter/Kconfig | 1 +
net/netfilter/nf_tables_api.c | 99 ++++++++++++++++++-------------------
net/netfilter/nfnetlink.c | 4 +-
net/netfilter/nfnetlink_queue.c | 9 ++--
6 files changed, 57 insertions(+), 59 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2015-09-03 9:50 [PATCH 0/6] Netfilter " Pablo Neira Ayuso
@ 2015-09-06 4:59 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2015-09-06 4:59 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 3 Sep 2015 11:50:55 +0200
> The following patchset contains Netfilter fixes for net, they are:
>
> 1) Oneliner to restore maps in nf_tables since we support addressing registers
> at 32 bits level.
>
> 2) Restore previous default behaviour in bridge netfilter when CONFIG_IPV6=n,
> oneliner from Bernhard Thaler.
>
> 3) Out of bound access in ipset hash:net* set types, reported by Dave Jones'
> KASan utility, patch from Jozsef Kadlecsik.
>
> 4) Fix ipset compilation with gcc 4.4.7 related to C99 initialization of
> unnamed unions, patch from Elad Raz.
>
> 5) Add a workaround to address inconsistent endianess in the res_id field of
> nfnetlink batch messages, reported by Florian Westphal.
>
> 6) Fix error paths of CT/synproxy since the conntrack template was moved to use
> kmalloc, patch from Daniel Borkmann.
>
> All of them look good to me to reach 4.2, I can route this to -stable myself
> too, just let me know what you prefer.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Pulled, there was a merge conflict, please verify that I resolved it
correctly.
Thanks.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2015-09-03 9:50 Pablo Neira Ayuso
2015-09-06 4:59 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2015-09-03 9:50 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for net, they are:
1) Oneliner to restore maps in nf_tables since we support addressing registers
at 32 bits level.
2) Restore previous default behaviour in bridge netfilter when CONFIG_IPV6=n,
oneliner from Bernhard Thaler.
3) Out of bound access in ipset hash:net* set types, reported by Dave Jones'
KASan utility, patch from Jozsef Kadlecsik.
4) Fix ipset compilation with gcc 4.4.7 related to C99 initialization of
unnamed unions, patch from Elad Raz.
5) Add a workaround to address inconsistent endianess in the res_id field of
nfnetlink batch messages, reported by Florian Westphal.
6) Fix error paths of CT/synproxy since the conntrack template was moved to use
kmalloc, patch from Daniel Borkmann.
All of them look good to me to reach 4.2, I can route this to -stable myself
too, just let me know what you prefer.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit fd7dec25a18f495e50d2040398fd263836ff3b28:
batman-adv: Fix memory leak on tt add with invalid vlan (2015-08-18 19:08:23 -0700)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 9cf94eab8b309e8bcc78b41dd1561c75b537dd0b:
netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths (2015-09-01 12:15:08 +0200)
----------------------------------------------------------------
Bernhard Thaler (1):
netfilter: bridge: fix IPv6 packets not being bridged with CONFIG_IPV6=n
Daniel Borkmann (1):
netfilter: conntrack: use nf_ct_tmpl_free in CT/synproxy error paths
Elad Raz (1):
netfilter: ipset: Fixing unnamed union init
Jozsef Kadlecsik (1):
netfilter: ipset: Out of bound access in hash:net* types fixed
Pablo Neira Ayuso (2):
netfilter: nf_tables: Use 32 bit addressing register from nft_type_to_reg()
netfilter: nfnetlink: work around wrong endianess in res_id field
include/net/netfilter/br_netfilter.h | 2 +-
include/net/netfilter/nf_conntrack.h | 1 +
include/net/netfilter/nf_tables.h | 2 +-
net/netfilter/ipset/ip_set_hash_gen.h | 12 ++++++++----
net/netfilter/ipset/ip_set_hash_netnet.c | 20 ++++++++++++++++++--
net/netfilter/ipset/ip_set_hash_netportnet.c | 20 ++++++++++++++++++--
net/netfilter/nf_conntrack_core.c | 3 ++-
net/netfilter/nf_synproxy_core.c | 2 +-
net/netfilter/nfnetlink.c | 8 +++++++-
net/netfilter/xt_CT.c | 2 +-
10 files changed, 58 insertions(+), 14 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2015-03-22 18:46 Pablo Neira Ayuso
@ 2015-03-22 20:57 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2015-03-22 20:57 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Sun, 22 Mar 2015 19:46:32 +0100
> The following patchset contains Netfilter fixes for your net tree,
> they are:
>
> 1) Fix missing initialization of tuple structure in nfnetlink_cthelper
> to avoid mismatches when looking up to attach userspace helpers to
> flows, from Ian Wilson.
>
> 2) Fix potential crash in nft_hash when we hit -EAGAIN in
> nft_hash_walk(), from Herbert Xu.
>
> 3) We don't need to indicate the hook information to update the
> basechain default policy in nf_tables.
>
> 4) Restore tracing over nfnetlink_log due to recent rework to
> accomodate logging infrastructure into nf_tables.
>
> 5) Fix wrong IP6T_INV_PROTO check in xt_TPROXY.
>
> 6) Set IP6T_F_PROTO flag in nft_compat so we can use SYNPROXY6 and
> REJECT6 from xt over nftables.
Pulled, thanks Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2015-03-22 18:46 Pablo Neira Ayuso
2015-03-22 20:57 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2015-03-22 18:46 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
1) Fix missing initialization of tuple structure in nfnetlink_cthelper
to avoid mismatches when looking up to attach userspace helpers to
flows, from Ian Wilson.
2) Fix potential crash in nft_hash when we hit -EAGAIN in
nft_hash_walk(), from Herbert Xu.
3) We don't need to indicate the hook information to update the
basechain default policy in nf_tables.
4) Restore tracing over nfnetlink_log due to recent rework to
accomodate logging infrastructure into nf_tables.
5) Fix wrong IP6T_INV_PROTO check in xt_TPROXY.
6) Set IP6T_F_PROTO flag in nft_compat so we can use SYNPROXY6 and
REJECT6 from xt over nftables.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 4363890079674db7b00cf1bb0e6fa430e846e86b:
net: Handle unregister properly when netdev namespace change fails. (2015-03-10 21:59:46 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 749177ccc74f9c6d0f51bd78a15c652a2134aa11:
netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set (2015-03-22 19:32:05 +0100)
----------------------------------------------------------------
Herbert Xu (1):
netfilter: Fix potential crash in nft_hash walker
Ian Wilson (1):
netfilter: Zero the tuple in nfnl_cthelper_parse_tuple()
Pablo Neira Ayuso (4):
netfilter: nf_tables: allow to change chain policy without hook if it exists
netfilter: restore rule tracing via nfnetlink_log
netfilter: xt_TPROXY: fix invflags check in tproxy_tg6_check()
netfilter: nft_compat: set IP6T_F_PROTO flag if protocol is set
include/net/netfilter/nf_log.h | 10 ++++++++++
net/ipv4/netfilter/ip_tables.c | 6 +++---
net/ipv6/netfilter/ip6_tables.c | 6 +++---
net/netfilter/nf_log.c | 24 ++++++++++++++++++++++++
net/netfilter/nf_tables_api.c | 5 ++++-
net/netfilter/nf_tables_core.c | 8 ++++----
net/netfilter/nfnetlink_cthelper.c | 3 +++
net/netfilter/nft_compat.c | 6 ++++++
net/netfilter/nft_hash.c | 2 ++
net/netfilter/xt_TPROXY.c | 4 ++--
10 files changed, 61 insertions(+), 13 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2014-05-09 10:56 Pablo Neira Ayuso
@ 2014-05-09 17:17 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2014-05-09 17:17 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Fri, 9 May 2014 12:56:01 +0200
> The following batch contains netfilter fixes for your net tree, they are:
>
> 1) Fix use after free in nfnetlink when sending a batch for some
> unsupported subsystem, from Denys Fedoryshchenko.
>
> 2) Skip autoload of the nat module if no binding is specified via
> ctnetlink, from Florian Westphal.
>
> 3) Set local_df after netfilter defragmentation to avoid a bogus ICMP
> fragmentation needed in the forwarding path, also from Florian.
>
> 4) Fix potential user after free in ip6_route_me_harder() when returning
> the error code to the upper layers, from Sergey Popovich.
>
> 5) Skip possible bogus ICMP time exceeded emitted from the router (not
> valid according to RFC) if conntrack zones are used, from Vasily Averin.
>
> 6) Fix fragment handling when nf_defrag_ipv4 is loaded but nf_conntrack
> is not present, also from Vasily.
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2014-05-09 10:56 Pablo Neira Ayuso
2014-05-09 17:17 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2014-05-09 10:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following batch contains netfilter fixes for your net tree, they are:
1) Fix use after free in nfnetlink when sending a batch for some
unsupported subsystem, from Denys Fedoryshchenko.
2) Skip autoload of the nat module if no binding is specified via
ctnetlink, from Florian Westphal.
3) Set local_df after netfilter defragmentation to avoid a bogus ICMP
fragmentation needed in the forwarding path, also from Florian.
4) Fix potential user after free in ip6_route_me_harder() when returning
the error code to the upper layers, from Sergey Popovich.
5) Skip possible bogus ICMP time exceeded emitted from the router (not
valid according to RFC) if conntrack zones are used, from Vasily Averin.
6) Fix fragment handling when nf_defrag_ipv4 is loaded but nf_conntrack
is not present, also from Vasily.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks!
----------------------------------------------------------------
The following changes since commit 014f1b20108dc2c0bb0777d8383654a089c790f8:
net: bonding: Fix format string mismatch in bond_sysfs.c (2014-04-28 14:48:16 -0400)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to a8951d5814e1373807a94f79f7ccec7041325470:
netfilter: Fix potential use after free in ip6_route_me_harder() (2014-05-09 02:36:39 +0200)
----------------------------------------------------------------
Denys Fedoryshchenko (1):
netfilter: nfnetlink: Fix use after free when it fails to process batch
Florian Westphal (2):
netfilter: ctnetlink: don't add null bindings if no nat requested
netfilter: ipv4: defrag: set local_df flag on defragmented skb
Sergey Popovich (1):
netfilter: Fix potential use after free in ip6_route_me_harder()
Vasily Averin (2):
ipv4: fix "conntrack zones" support for defrag user check in ip_expire
bridge: superfluous skb->nfct check in br_nf_dev_queue_xmit
net/bridge/br_netfilter.c | 4 ++--
net/ipv4/ip_fragment.c | 5 +++--
net/ipv4/netfilter/nf_defrag_ipv4.c | 5 +++--
net/ipv6/netfilter.c | 6 ++++--
net/netfilter/nf_conntrack_netlink.c | 3 +++
net/netfilter/nfnetlink.c | 8 ++++----
6 files changed, 19 insertions(+), 12 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
* Re: [PATCH 0/6] Netfilter fixes for net
2014-02-19 11:41 Pablo Neira Ayuso
@ 2014-02-19 18:16 ` David Miller
0 siblings, 0 replies; 44+ messages in thread
From: David Miller @ 2014-02-19 18:16 UTC (permalink / raw)
To: pablo; +Cc: netfilter-devel, netdev
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Wed, 19 Feb 2014 12:41:36 +0100
> The following patchset contains Netfilter fixes for your net tree,
> they are:
>
> * Fix nf_trace in nftables if XT_TRACE=n, from Florian Westphal.
>
> * Don't use the fast payload operation in nf_tables if the length is
> not power of 2 or it is not aligned, from Nikolay Aleksandrov.
>
> * Fix missing break statement the inet flavour of nft_reject, which
> results in evaluating IPv4 packets with the IPv6 evaluation routine,
> from Patrick McHardy.
>
> * Fix wrong kconfig symbol in nft_meta to match the routing realm,
> from Paul Bolle.
>
> * Allocate the NAT null binding when creating new conntracks via
> ctnetlink to avoid that several packets race at initializing the
> the conntrack NAT extension, original patch from Florian Westphal,
> revisited version from me.
>
> * Fix DNAT handling in the snmp NAT helper, the same handling was being
> done for SNAT and DNAT and 2.4 already contains that fix, from
> Francois-Xavier Le Bail.
>
> You can pull these changes from:
>
> git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Pulled, thanks a lot Pablo.
^ permalink raw reply [flat|nested] 44+ messages in thread
* [PATCH 0/6] Netfilter fixes for net
@ 2014-02-19 11:41 Pablo Neira Ayuso
2014-02-19 18:16 ` David Miller
0 siblings, 1 reply; 44+ messages in thread
From: Pablo Neira Ayuso @ 2014-02-19 11:41 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev
Hi David,
The following patchset contains Netfilter fixes for your net tree,
they are:
* Fix nf_trace in nftables if XT_TRACE=n, from Florian Westphal.
* Don't use the fast payload operation in nf_tables if the length is
not power of 2 or it is not aligned, from Nikolay Aleksandrov.
* Fix missing break statement the inet flavour of nft_reject, which
results in evaluating IPv4 packets with the IPv6 evaluation routine,
from Patrick McHardy.
* Fix wrong kconfig symbol in nft_meta to match the routing realm,
from Paul Bolle.
* Allocate the NAT null binding when creating new conntracks via
ctnetlink to avoid that several packets race at initializing the
the conntrack NAT extension, original patch from Florian Westphal,
revisited version from me.
* Fix DNAT handling in the snmp NAT helper, the same handling was being
done for SNAT and DNAT and 2.4 already contains that fix, from
Francois-Xavier Le Bail.
You can pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
Thanks!
----------------------------------------------------------------
The following changes since commit 20e7c4e80dcd01dad5e6c8b32455228b8fe9c619:
6lowpan: fix lockdep splats (2014-02-10 17:51:29 -0800)
are available in the git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git master
for you to fetch changes up to 0eba801b64cc8284d9024c7ece30415a2b981a72:
netfilter: ctnetlink: force null nat binding on insert (2014-02-18 00:13:51 +0100)
----------------------------------------------------------------
FX Le Bail (1):
netfilter: nf_nat_snmp_basic: fix duplicates in if/else branches
Florian Westphal (1):
netfilter: nf_tables: fix nf_trace always-on with XT_TRACE=n
Nikolay Aleksandrov (1):
netfilter: nf_tables: check if payload length is a power of 2
Pablo Neira Ayuso (1):
netfilter: ctnetlink: force null nat binding on insert
Patrick McHardy (1):
netfilter: nft_reject_inet: fix unintended fall-through in switch-statatement
Paul Bolle (1):
netfilter: nft_meta: fix typo "CONFIG_NET_CLS_ROUTE"
include/linux/skbuff.h | 5 ++-
net/core/skbuff.c | 3 --
net/ipv4/ip_output.c | 3 --
net/ipv4/netfilter/nf_nat_snmp_basic.c | 4 +--
net/ipv6/ip6_output.c | 3 --
net/netfilter/nf_conntrack_netlink.c | 35 ++++++++------------
net/netfilter/nf_nat_core.c | 56 ++++++++++++++++++++------------
net/netfilter/nft_meta.c | 4 +--
net/netfilter/nft_payload.c | 3 +-
net/netfilter/nft_reject_inet.c | 4 +--
10 files changed, 61 insertions(+), 59 deletions(-)
^ permalink raw reply [flat|nested] 44+ messages in thread
end of thread, other threads:[~2020-08-24 13:40 UTC | newest]
Thread overview: 44+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2018-02-01 18:02 [PATCH 0/6] Netfilter fixes for net Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 1/6] netfilter: x_tables: fix int overflow in xt_alloc_table_info() Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 2/6] netfilter: x_tables: avoid out-of-bounds reads in xt_request_find_{match|target} Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 3/6] netfilter: ipset: Fix wraparound in hash:*net* types Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 4/6] netfilter: x_tables: fix pointer leaks to userspace Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 5/6] netfilter: ipt_CLUSTERIP: fix out-of-bounds accesses in clusterip_tg_check() Pablo Neira Ayuso
2018-02-01 18:02 ` [PATCH 6/6] netfilter: on sockopt() acquire sock lock only in the required scope Pablo Neira Ayuso
2018-02-01 19:45 ` [PATCH 0/6] Netfilter fixes for net David Miller
-- strict thread matches above, loose matches on Subject: below --
2020-08-24 11:39 Pablo Neira Ayuso
2020-08-24 13:37 ` David Miller
2020-05-14 12:19 Pablo Neira Ayuso
2020-05-14 20:15 ` David Miller
2020-02-26 22:54 Pablo Neira Ayuso
2020-02-27 0:32 ` David Miller
2020-01-31 19:24 Pablo Neira Ayuso
2020-02-01 20:59 ` Jakub Kicinski
2019-02-05 19:04 Pablo Neira Ayuso
2019-02-05 19:23 ` David Miller
2018-10-01 22:37 Pablo Neira Ayuso
2018-10-01 22:41 ` David Miller
2018-07-09 17:18 Pablo Neira Ayuso
2018-07-09 21:24 ` David Miller
2018-06-27 15:22 Pablo Neira Ayuso
2018-06-28 4:33 ` David Miller
2017-02-27 11:35 Pablo Neira Ayuso
2017-02-27 14:19 ` David Miller
2017-01-05 11:19 Pablo Neira Ayuso
2017-01-05 16:52 ` David Miller
2016-08-18 17:29 Pablo Neira Ayuso
2016-08-19 1:49 ` David Miller
2016-02-16 17:02 Pablo Neira Ayuso
2016-02-16 17:56 ` David Miller
2016-01-20 17:03 Pablo Neira Ayuso
2016-01-21 2:57 ` David Miller
2015-12-14 11:25 [PATCH 0/6] netfilter " Pablo Neira Ayuso
2015-12-14 16:09 ` David Miller
2015-09-03 9:50 [PATCH 0/6] Netfilter " Pablo Neira Ayuso
2015-09-06 4:59 ` David Miller
2015-03-22 18:46 Pablo Neira Ayuso
2015-03-22 20:57 ` David Miller
2014-05-09 10:56 Pablo Neira Ayuso
2014-05-09 17:17 ` David Miller
2014-02-19 11:41 Pablo Neira Ayuso
2014-02-19 18:16 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.