Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v3.2.95 2017-08-26T01:14:03+00:00 2017-08-26T01:14:03+00:00 Liping Zhang zlpnobody@gmail.com 2017-04-17T13:18:57+00:00 urn:sha1:883a0ef402e5ed967af0e5b83aad95b8703fd0de commit 53b56da83d7899de375a9de153fd7f5397de85e6 upstream. After converting to use rcu for conntrack hash, one CPU may update the ct->status via ctnetlink, while another CPU may process the packets and update the ct->status. So the non-atomic operation "ct->status |= status;" via ctnetlink becomes unsafe, and this may clear the IPS_DYING_BIT bit set by another CPU unexpectedly. For example: CPU0 CPU1 ctnetlink_change_status __nf_conntrack_find_get old = ct->status nf_ct_gc_expired - nf_ct_kill - test_and_set_bit(IPS_DYING_BIT new = old | status; - ct->status = new; <-- oops, _DYING_ is cleared! Now using a series of atomic bit operation to solve the above issue. Also note, user shouldn't set IPS_TEMPLATE, IPS_SEQ_ADJUST directly, so make these two bits be unchangable too. If we set the IPS_TEMPLATE_BIT, ct will be freed by nf_ct_tmpl_free, but actually it is alloced by nf_conntrack_alloc. If we set the IPS_SEQ_ADJUST_BIT, this may cause the NULL pointer deference, as the nfct_seqadj(ct) maybe NULL. Last, add some comments to describe the logic change due to the commit a963d710f367 ("netfilter: ctnetlink: Fix regression in CTA_STATUS processing"), which makes me feel a little confusing. Fixes: 76507f69c44e ("[NETFILTER]: nf_conntrack: use RCU for conntrack hash") Signed-off-by: Liping Zhang <zlpnobody@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> [bwh: Backported to 3.2: - IPS_UNCHANGEABLE_MASK was not previously defined and ctnetlink_update_status() is not needed - enum ip_conntrack_status only assigns 13 bits - Adjust filename] Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2012-10-30T23:26:26+00:00 Jan Engelhardt jengelh@medozas.de 2012-01-14T16:38:55+00:00 urn:sha1:582e0a81e7e5bc587ff1f768793911799a46ca39 commit 5276e16bb6f35412583518d6f04651dd9dc114be upstream. When using the xt_set.h header in userspace, one will get these gcc reports: ipset/ip_set.h:184:1: error: unknown type name "u16" In file included from libxt_SET.c:21:0: netfilter/xt_set.h:61:2: error: unknown type name "u32" netfilter/xt_set.h:62:2: error: unknown type name "u32" Signed-off-by: Jan Engelhardt <jengelh@medozas.de> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> 2011-08-26T16:02:50+00:00 Ben Hutchings ben@decadent.org.uk 2011-08-24T18:45:42+00:00 urn:sha1:5740bb569303a1272cf082a652c020e980e4781b Various headers use union nf_inet_addr, defined in <linux/netfilter.h>. Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Acked-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net> 2011-07-21T19:39:35+00:00 David S. Miller davem@davemloft.net 2011-07-21T19:39:35+00:00 urn:sha1:f5caadbb3d8fc0b71533e880c684b2230bdb76ac 2011-07-21T10:07:10+00:00 Chris Friesen chris.friesen@genband.com 2011-07-21T10:07:10+00:00 urn:sha1:0f598f0b4c3b2259366cfa8adc01bd8e714c82d0 Some gcc versions warn about prototypes without "inline" when the declaration includes the "inline" keyword. The fix generates a false error message "marked inline, but without a definition" with sparse below 0.4.2. Signed-off-by: Chris Friesen <chris.friesen@genband.com> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 2011-07-21T10:06:18+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-07-21T10:06:18+00:00 urn:sha1:89dc79b787d20e4b6c4077dcee1c5b1be4ab55b8 If overlapping networks with different interfaces was added to the set, the type did not handle it properly. Example ipset create test hash:net,iface ipset add test 192.168.0.0/16,eth0 ipset add test 192.168.0.0/24,eth1 Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned a match. In the patch the algorithm is fixed in order to correctly handle overlapping networks. Limitation: the same network cannot be stored with more than 64 different interfaces in a single set. Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 2011-07-21T10:05:31+00:00 Jozsef Kadlecsik kadlec@blackhole.kfki.hu 2011-07-21T10:05:31+00:00 urn:sha1:a6a7b759ba62e62542308e091f7fc9cfac4f978e Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Patrick McHardy <kaber@trash.net> 2011-07-19T09:46:33+00:00 Florian Westphal fw@strlen.de 2011-07-19T09:46:33+00:00 urn:sha1:97d32cf9440d2111a12471740446d4d63231b79a Introduces a new nfnetlink type that applies a given verdict to all queued packets with an id <= the id in the verdict message. If a mark is provided it is applied to all matched packets. This reduces the number of verdicts that have to be sent. Applications that make use of this feature need to maintain a timeout to send a batchverdict periodically to avoid starvation. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Patrick McHardy <kaber@trash.net> 2011-07-18T14:08:07+00:00 Eric Dumazet eric.dumazet@gmail.com 2011-07-18T14:08:07+00:00 urn:sha1:6b75e3e8d664a9a1b99d31a7f4976ae70d1d090a Goal of this patch is to permit nfnetlink providers not mandate nfnl_mutex being held while nfnetlink_rcv_msg() calls them. If struct nfnl_callback contains a non NULL call_rcu(), then nfnetlink_rcv_msg() will use it instead of call() field, holding rcu_read_lock instead of nfnl_mutex Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> CC: Florian Westphal <fw@strlen.de> CC: Eric Leblond <eric@regit.org> Signed-off-by: Patrick McHardy <kaber@trash.net> 2011-06-21T05:29:08+00:00 David S. Miller davem@davemloft.net 2011-06-21T05:29:08+00:00 urn:sha1:9f6ec8d697c08963d83880ccd35c13c5ace716ea Conflicts: drivers/net/wireless/iwlwifi/iwl-agn-rxon.c drivers/net/wireless/rtlwifi/pci.c net/netfilter/ipvs/ip_vs_core.c