From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org
Subject: [PATCH 0/7] Netfilter fixes for net
Date: Thu, 25 Jun 2020 20:26:28 +0200
Message-ID: <20200625182635.1958-1-pablo@netfilter.org>
Hi,
The following patchset contains Netfilter fixes for net, they are:
1) Unaligned atomic access in ipset, from Russell King.
2) Missing module description, from Rob Gill.
3) Patches to fix a module unload causing NULL pointer dereference in
xtables, from David Wilder. For the record, I am posting here his cover
letter explaining the problem:
A crash happened on ppc64le when running ltp network tests triggered by
"rmmod iptable_mangle".
See previous discussion in this thread:
https://lists.openwall.net/netdev/2020/06/03/161 .
In the crash I found in iptable_mangle_hook() that
state->net->ipv4.iptable_mangle=NULL causing a NULL pointer dereference.
net->ipv4.iptable_mangle is set to NULL in iptable_mangle_net_exit() and
called when the ip_mangle module is unloaded. A rmmod task was found running
in the crash dump. A 2nd crash showed the same problem when running
"rmmod iptable_filter" (net->ipv4.iptable_filter=NULL).
To fix this I added .pre_exit hook in all iptable_foo.c. The pre_exit will
un-register the underlying hook and exit would do the table freeing. The
netns core does an unconditional synchronize_rcu after the pre_exit hooks
ensuring no packets are in flight that have picked up the pointer before
completing the un-register.
These patches include changes for both iptables and ip6tables.
We tested this fix with ltp running iptables01.sh and iptables01.sh -6 in a
loop for 72 hours.
4) Add a selftest for conntrack helper assignment, from Florian Westphal.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thank you.
----------------------------------------------------------------
The following changes since commit 67c20de35a3cc2e2cd940f95ebd85ed0a765315a:
net: Add MODULE_DESCRIPTION entries to network modules (2020-06-20 21:33:57 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 619ae8e0697a6fb85b99b19137590c7c337c579e:
selftests: netfilter: add test case for conntrack helper assignment (2020-06-25 00:50:31 +0200)
----------------------------------------------------------------
David Wilder (4):
netfilter: iptables: Split ipt_unregister_table() into pre_exit and exit helpers.
netfilter: iptables: Add a .pre_exit hook in all iptable_foo.c.
netfilter: ip6tables: Split ip6t_unregister_table() into pre_exit and exit helpers.
netfilter: ip6tables: Add a .pre_exit hook in all ip6table_foo.c.
Florian Westphal (1):
selftests: netfilter: add test case for conntrack helper assignment
Rob Gill (1):
netfilter: Add MODULE_DESCRIPTION entries to kernel modules
Russell King (1):
netfilter: ipset: fix unaligned atomic access
include/linux/netfilter_ipv4/ip_tables.h | 6 +
include/linux/netfilter_ipv6/ip6_tables.h | 3 +
net/bridge/netfilter/nft_meta_bridge.c | 1 +
net/bridge/netfilter/nft_reject_bridge.c | 1 +
net/ipv4/netfilter/ip_tables.c | 15 +-
net/ipv4/netfilter/ipt_SYNPROXY.c | 1 +
net/ipv4/netfilter/iptable_filter.c | 10 +-
net/ipv4/netfilter/iptable_mangle.c | 10 +-
net/ipv4/netfilter/iptable_nat.c | 10 +-
net/ipv4/netfilter/iptable_raw.c | 10 +-
net/ipv4/netfilter/iptable_security.c | 11 +-
net/ipv4/netfilter/nf_flow_table_ipv4.c | 1 +
net/ipv4/netfilter/nft_dup_ipv4.c | 1 +
net/ipv4/netfilter/nft_fib_ipv4.c | 1 +
net/ipv4/netfilter/nft_reject_ipv4.c | 1 +
net/ipv6/netfilter/ip6_tables.c | 15 +-
net/ipv6/netfilter/ip6t_SYNPROXY.c | 1 +
net/ipv6/netfilter/ip6table_filter.c | 10 +-
net/ipv6/netfilter/ip6table_mangle.c | 10 +-
net/ipv6/netfilter/ip6table_nat.c | 10 +-
net/ipv6/netfilter/ip6table_raw.c | 10 +-
net/ipv6/netfilter/ip6table_security.c | 10 +-
net/ipv6/netfilter/nf_flow_table_ipv6.c | 1 +
net/ipv6/netfilter/nft_dup_ipv6.c | 1 +
net/ipv6/netfilter/nft_fib_ipv6.c | 1 +
net/ipv6/netfilter/nft_reject_ipv6.c | 1 +
net/netfilter/ipset/ip_set_core.c | 2 +
net/netfilter/nf_dup_netdev.c | 1 +
net/netfilter/nf_flow_table_core.c | 1 +
net/netfilter/nf_flow_table_inet.c | 1 +
net/netfilter/nf_synproxy_core.c | 1 +
net/netfilter/nfnetlink.c | 1 +
net/netfilter/nft_compat.c | 1 +
net/netfilter/nft_connlimit.c | 1 +
net/netfilter/nft_counter.c | 1 +
net/netfilter/nft_ct.c | 1 +
net/netfilter/nft_dup_netdev.c | 1 +
net/netfilter/nft_fib_inet.c | 1 +
net/netfilter/nft_fib_netdev.c | 1 +
net/netfilter/nft_flow_offload.c | 1 +
net/netfilter/nft_hash.c | 1 +
net/netfilter/nft_limit.c | 1 +
net/netfilter/nft_log.c | 1 +
net/netfilter/nft_masq.c | 1 +
net/netfilter/nft_nat.c | 1 +
net/netfilter/nft_numgen.c | 1 +
net/netfilter/nft_objref.c | 1 +
net/netfilter/nft_osf.c | 1 +
net/netfilter/nft_queue.c | 1 +
net/netfilter/nft_quota.c | 1 +
net/netfilter/nft_redir.c | 1 +
net/netfilter/nft_reject.c | 1 +
net/netfilter/nft_reject_inet.c | 1 +
net/netfilter/nft_synproxy.c | 1 +
net/netfilter/nft_tunnel.c | 1 +
net/netfilter/xt_nat.c | 1 +
tools/testing/selftests/netfilter/Makefile | 2 +-
.../selftests/netfilter/nft_conntrack_helper.sh | 175 +++++++++++++++++++++
58 files changed, 344 insertions(+), 16 deletions(-)
create mode 100755 tools/testing/selftests/netfilter/nft_conntrack_helper.sh
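Added example, not part of this patchset or of the kernel tree: a single-threaded user-space C model of the teardown ordering David Wilder's cover letter describes. The struct names, the `hook` function pointer and the `rules` field are stand-ins constructed for this model; the kernel's NULL pointer dereference is modelled as a `false` return, and synchronize_rcu() is a no-op comment because the model has no concurrent readers.

```c
#include <stdbool.h>
#include <stddef.h>

/* Constructed stand-in for the per-netns state: the table pointer that the
 * packet path dereferences, and the currently registered packet hook. */
struct xt_table { int rules; };

struct net {
    struct xt_table *iptable_mangle;   /* models net->ipv4.iptable_mangle */
    bool (*hook)(struct net *);        /* registered hook, or NULL once unregistered */
};

/* Packet path, as in iptable_mangle_hook(): the table pointer is used
 * unconditionally. Returning false is where the real kernel would crash. */
static bool iptable_mangle_hook(struct net *net)
{
    if (!net->iptable_mangle)          /* the NULL pointer dereference site */
        return false;
    return net->iptable_mangle->rules >= 0;
}

/* Deliver one in-flight packet: only a registered hook runs. */
static bool deliver_packet(struct net *net)
{
    return net->hook ? net->hook(net) : true;
}

/* Old single-phase teardown: the table pointer is cleared while the hook is
 * still registered, so a packet arriving in between hits the NULL pointer. */
static bool old_net_exit(struct net *net)
{
    net->iptable_mangle = NULL;                 /* table freed first ... */
    bool in_flight_ok = deliver_packet(net);    /* ... hook still reachable */
    net->hook = NULL;                           /* unregister comes too late */
    return in_flight_ok;
}

/* Fixed two-phase teardown from the patchset: .pre_exit unregisters the hook,
 * the netns core then runs synchronize_rcu(), and .exit frees the table. */
static void fixed_net_pre_exit(struct net *net) { net->hook = NULL; }
static void fixed_net_exit(struct net *net)     { net->iptable_mangle = NULL; }

static bool fixed_unload(struct net *net)
{
    fixed_net_pre_exit(net);
    /* synchronize_rcu() would wait here for packets that already picked up
     * the hook; a packet arriving now finds no hook and passes untouched. */
    bool in_flight_ok = deliver_packet(net);
    fixed_net_exit(net);                        /* safe: nothing can reach the table */
    return in_flight_ok;
}
```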