Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.4.146 2020-12-02T07:49:44+00:00 2020-12-02T07:49:44+00:00 Cong Wang cong.wang@bytedance.com 2020-11-21T03:43:17+00:00 urn:sha1:6ec51459df7117dbe9b1fef2174951f80877a850 NF_HOOK_LIST() uses list_del() to remove skb from the linked list, however, it is not sufficient as skb->next still points to other skb. We should just call skb_list_del_init() to clear skb->next, like the rest places which using skb list. This has been fixed in upstream by commit ca58fbe06c54 ("netfilter: add and use nf_hook_slow_list()"). Fixes: 9f17dbf04ddf ("netfilter: fix use-after-free in NF_HOOK_LIST") Reported-by: liuzx@knownsec.com Tested-by: liuzx@knownsec.com Cc: Florian Westphal <fw@strlen.de> Cc: Edward Cree <ecree@solarflare.com> Cc: stable@vger.kernel.org # between 4.19 and 5.4 Signed-off-by: Cong Wang <cong.wang@bytedance.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2019-09-13T10:47:36+00:00 Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:16+00:00 urn:sha1:f19438bdd4bfbfdaac441034c1aaecf02c116e68 `struct nf_hook_ops`, `struct nf_hook_state` and the `nf_hookfn` function typedef appear in function and struct declarations and definitions in a number of netfilter headers. The structs and typedef themselves are defined by linux/netfilter.h but only when CONFIG_NETFILTER is enabled. Define them unconditionally and add forward declarations in order to remove CONFIG_NETFILTER conditionals from the other headers. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:47:09+00:00 Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:11+00:00 urn:sha1:25d7cbcd2bb5d919b9ba6fcdfe788e72c2df7e6e A few headers contain instances of: #if defined(CONFIG_XXX) or defined(CONFIG_XXX_MODULE) Replace them with: #if IS_ENABLED(CONFIG_XXX) Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-05-31T16:02:48+00:00 Florian Westphal fw@strlen.de 2019-05-23T13:44:12+00:00 urn:sha1:2cf6bffc49dae26edd12af6b57c8c780590380bf This converts all remaining users and then removes skb_make_writable. Suggested-by: Daniel Borkmann <daniel@iogearbox.net> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-05-05T23:18:58+00:00 Li RongQing lirongqing@baidu.com 2019-04-28T07:12:19+00:00 urn:sha1:522e4077e8dcdfc5b8e96469d3bc2324bc5d6466 using 64bit computation to slightly optimize nf_inet_addr_mask Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-04-08T21:02:52+00:00 Florian Westphal fw@strlen.de 2019-03-27T08:22:26+00:00 urn:sha1:4806e975729f99c7908d1688a143f1e16d464e6c NF_NAT_NEEDED is true whenever nat support for either ipv4 or ipv6 is enabled. Now that the af-specific nat configuration switches have been removed, IS_ENABLED(CONFIG_NF_NAT) has the same effect. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-04-08T20:58:16+00:00 Li RongQing lirongqing@baidu.com 2019-03-26T12:06:20+00:00 urn:sha1:01902f8c85bfde343a4c2b7428d18762442f3a25 optimize nf_inet_addr_cmp by 64bit xor computation similar to ipv6_addr_equal() Signed-off-by: Yuan Linsi <yuanlinsi01@baidu.com> Signed-off-by: Li RongQing <lirongqing@baidu.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-01-06T00:46:51+00:00 Masahiro Yamada yamada.masahiro@socionext.com 2018-12-30T15:14:15+00:00 urn:sha1:e9666d10a5677a494260d60d1fa0b73cc7646eb3 Currently, CONFIG_JUMP_LABEL just means "I _want_ to use jump label". The jump label is controlled by HAVE_JUMP_LABEL, which is defined like this: #if defined(CC_HAVE_ASM_GOTO) && defined(CONFIG_JUMP_LABEL) # define HAVE_JUMP_LABEL #endif We can improve this by testing 'asm goto' support in Kconfig, then make JUMP_LABEL depend on CC_HAS_ASM_GOTO. Ugly #ifdef HAVE_JUMP_LABEL will go away, and CONFIG_JUMP_LABEL will match to the real kernel capability. Signed-off-by: Masahiro Yamada <yamada.masahiro@socionext.com> Acked-by: Michael Ellerman <mpe@ellerman.id.au> (powerpc) Tested-by: Sedat Dilek <sedat.dilek@gmail.com> 2018-09-28T12:47:40+00:00 Florian Westphal fw@strlen.de 2018-09-24T12:10:04+00:00 urn:sha1:421c119f558761556afca6a62ad183bc2d8659e0 Unfortunately some versions of gcc emit following warning: $ make net/xfrm/xfrm_output.o linux/compiler.h:252:20: warning: array subscript is above array bounds [-Warray-bounds] hook_head = rcu_dereference(net->nf.hooks_arp[hook]); ^~~~~~~~~~~~~~~~~~~~~ xfrm_output_resume passes skb_dst(skb)->ops->family as its 'pf' arg so compiler can't know that we'll never access hooks_arp[]. (NFPROTO_IPV4 or NFPROTO_IPV6 are only possible cases). Avoid this by adding an explicit WARN_ON_ONCE() check. This patch has no effect if the family is a compile-time constant as gcc will remove the switch() construct entirely. Reported-by: David Ahern <dsahern@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Reviewed-by: David Ahern <dsahern@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2018-07-11T03:06:34+00:00 Toke Høiland-Jørgensen toke@toke.dk 2018-07-06T15:37:19+00:00 urn:sha1:b60a60405fb95a688eb2ef4ef20f5fcaa7b64f68 This adds a global netfilter function to extract a conntrack tuple from an skb. The function uses a new function added to nf_ct_hook, which will try to get the tuple from skb->_nfct, and do a full lookup if that fails. This makes it possible to use the lookup function before the skb has passed through the conntrack init hooks (e.g., in an ingress qdisc). The tuple is copied to the caller to avoid issues with reference counting. The function returns false if conntrack is not loaded, allowing it to be used without incurring a module dependency on conntrack. This is used by the NAT mode in sch_cake. Cc: netfilter-devel@vger.kernel.org Signed-off-by: Toke Høiland-Jørgensen <toke@toke.dk> Signed-off-by: David S. Miller <davem@davemloft.net>