--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1204,6 +1204,18 @@ static int do_add_counters(struct net *n
+@@ -1205,6 +1205,18 @@ static int do_add_counters(struct net *n
}
#ifdef CONFIG_COMPAT
static inline void compat_release_entry(struct compat_arpt_entry *e)
{
struct xt_entry_target *t;
-@@ -1219,8 +1231,7 @@ check_compat_entry_size_and_hooks(struct
+@@ -1220,8 +1232,7 @@ check_compat_entry_size_and_hooks(struct
const unsigned char *base,
const unsigned char *limit,
const unsigned int *hook_entries,
{
struct xt_entry_target *t;
struct xt_target *target;
-@@ -1291,7 +1302,7 @@ out:
+@@ -1292,7 +1303,7 @@ out:
static int
compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
struct xt_table_info *newinfo, unsigned char *base)
{
struct xt_entry_target *t;
-@@ -1324,14 +1335,9 @@ compat_copy_entry_from_user(struct compa
+@@ -1325,14 +1336,9 @@ compat_copy_entry_from_user(struct compa
return ret;
}
{
unsigned int i, j;
struct xt_table_info *newinfo, *info;
-@@ -1343,8 +1349,8 @@ static int translate_compat_table(const
+@@ -1344,8 +1350,8 @@ static int translate_compat_table(const
info = *pinfo;
entry0 = *pentry0;
/* Init all hooks to impossible value. */
for (i = 0; i < NF_ARP_NUMHOOKS; i++) {
-@@ -1355,40 +1361,39 @@ static int translate_compat_table(const
+@@ -1356,40 +1362,39 @@ static int translate_compat_table(const
duprintf("translate_compat_table: size %u\n", info->size);
j = 0;
xt_compat_lock(NFPROTO_ARP);
goto out_unlock;
}
}
-@@ -1398,17 +1403,17 @@ static int translate_compat_table(const
+@@ -1399,17 +1404,17 @@ static int translate_compat_table(const
if (!newinfo)
goto out_unlock;
if (ret != 0)
break;
}
-@@ -1418,12 +1423,12 @@ static int translate_compat_table(const
+@@ -1419,12 +1424,12 @@ static int translate_compat_table(const
goto free_newinfo;
ret = -ELOOP;
if (ret != 0)
break;
++i;
-@@ -1468,7 +1473,7 @@ static int translate_compat_table(const
+@@ -1469,7 +1474,7 @@ static int translate_compat_table(const
free_newinfo:
xt_free_table_info(newinfo);
out:
if (j-- == 0)
break;
compat_release_entry(iter0);
-@@ -1480,18 +1485,6 @@ out_unlock:
+@@ -1481,18 +1486,6 @@ out_unlock:
goto out;
}
static int compat_do_replace(struct net *net, void __user *user,
unsigned int len)
{
-@@ -1522,10 +1515,7 @@ static int compat_do_replace(struct net
+@@ -1523,10 +1516,7 @@ static int compat_do_replace(struct net
goto free_newinfo;
}
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1081,6 +1081,9 @@ static int do_replace(struct net *net, c
+@@ -1082,6 +1082,9 @@ static int do_replace(struct net *net, c
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
-@@ -1495,6 +1498,9 @@ static int compat_do_replace(struct net
+@@ -1496,6 +1499,9 @@ static int compat_do_replace(struct net
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
newinfo = xt_alloc_table_info(tmp.size);
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1267,6 +1267,9 @@ do_replace(struct net *net, const void _
+@@ -1268,6 +1268,9 @@ do_replace(struct net *net, const void _
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
-@@ -1802,6 +1805,9 @@ compat_do_replace(struct net *net, void
+@@ -1803,6 +1806,9 @@ compat_do_replace(struct net *net, void
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
newinfo = xt_alloc_table_info(tmp.size);
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1277,6 +1277,9 @@ do_replace(struct net *net, const void _
+@@ -1278,6 +1278,9 @@ do_replace(struct net *net, const void _
/* overflow check */
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
tmp.name[sizeof(tmp.name)-1] = 0;
newinfo = xt_alloc_table_info(tmp.size);
-@@ -1811,6 +1814,9 @@ compat_do_replace(struct net *net, void
+@@ -1812,6 +1815,9 @@ compat_do_replace(struct net *net, void
return -ENOMEM;
if (tmp.num_counters >= INT_MAX / sizeof(struct xt_counters))
return -ENOMEM;
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1456,7 +1456,6 @@ compat_copy_entry_to_user(struct ip6t_en
+@@ -1457,7 +1457,6 @@ compat_copy_entry_to_user(struct ip6t_en
static int
compat_find_calc_match(struct xt_entry_match *m,
const struct ip6t_ip6 *ipv6,
unsigned int hookmask,
int *size)
-@@ -1494,8 +1493,7 @@ check_compat_entry_size_and_hooks(struct
+@@ -1495,8 +1494,7 @@ check_compat_entry_size_and_hooks(struct
const unsigned char *base,
const unsigned char *limit,
const unsigned int *hook_entries,
{
struct xt_entry_match *ematch;
struct xt_entry_target *t;
-@@ -1531,8 +1529,8 @@ check_compat_entry_size_and_hooks(struct
+@@ -1532,8 +1530,8 @@ check_compat_entry_size_and_hooks(struct
entry_offset = (void *)e - (void *)base;
j = 0;
xt_ematch_foreach(ematch, e) {
if (ret != 0)
goto release_matches;
++j;
-@@ -1581,7 +1579,7 @@ release_matches:
+@@ -1582,7 +1580,7 @@ release_matches:
static int
compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
struct xt_table_info *newinfo, unsigned char *base)
{
struct xt_entry_target *t;
-@@ -1655,14 +1653,9 @@ static int compat_check_entry(struct ip6
+@@ -1656,14 +1654,9 @@ static int compat_check_entry(struct ip6
static int
translate_compat_table(struct net *net,
{
unsigned int i, j;
struct xt_table_info *newinfo, *info;
-@@ -1674,8 +1667,8 @@ translate_compat_table(struct net *net,
+@@ -1675,8 +1668,8 @@ translate_compat_table(struct net *net,
info = *pinfo;
entry0 = *pentry0;
/* Init all hooks to impossible value. */
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-@@ -1686,40 +1679,39 @@ translate_compat_table(struct net *net,
+@@ -1687,40 +1680,39 @@ translate_compat_table(struct net *net,
duprintf("translate_compat_table: size %u\n", info->size);
j = 0;
xt_compat_lock(AF_INET6);
goto out_unlock;
}
}
-@@ -1729,17 +1721,17 @@ translate_compat_table(struct net *net,
+@@ -1730,17 +1722,17 @@ translate_compat_table(struct net *net,
if (!newinfo)
goto out_unlock;
if (ret != 0)
break;
}
-@@ -1749,12 +1741,12 @@ translate_compat_table(struct net *net,
+@@ -1750,12 +1742,12 @@ translate_compat_table(struct net *net,
goto free_newinfo;
ret = -ELOOP;
if (ret != 0)
break;
++i;
-@@ -1799,7 +1791,7 @@ translate_compat_table(struct net *net,
+@@ -1800,7 +1792,7 @@ translate_compat_table(struct net *net,
free_newinfo:
xt_free_table_info(newinfo);
out:
if (j-- == 0)
break;
compat_release_entry(iter0);
-@@ -1842,10 +1834,7 @@ compat_do_replace(struct net *net, void
+@@ -1843,10 +1835,7 @@ compat_do_replace(struct net *net, void
goto free_newinfo;
}
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1444,7 +1444,6 @@ compat_copy_entry_to_user(struct ipt_ent
+@@ -1445,7 +1445,6 @@ compat_copy_entry_to_user(struct ipt_ent
static int
compat_find_calc_match(struct xt_entry_match *m,
const struct ipt_ip *ip,
unsigned int hookmask,
int *size)
-@@ -1482,8 +1481,7 @@ check_compat_entry_size_and_hooks(struct
+@@ -1483,8 +1482,7 @@ check_compat_entry_size_and_hooks(struct
const unsigned char *base,
const unsigned char *limit,
const unsigned int *hook_entries,
{
struct xt_entry_match *ematch;
struct xt_entry_target *t;
-@@ -1519,8 +1517,8 @@ check_compat_entry_size_and_hooks(struct
+@@ -1520,8 +1518,8 @@ check_compat_entry_size_and_hooks(struct
entry_offset = (void *)e - (void *)base;
j = 0;
xt_ematch_foreach(ematch, e) {
if (ret != 0)
goto release_matches;
++j;
-@@ -1569,7 +1567,7 @@ release_matches:
+@@ -1570,7 +1568,7 @@ release_matches:
static int
compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
struct xt_table_info *newinfo, unsigned char *base)
{
struct xt_entry_target *t;
-@@ -1645,14 +1643,9 @@ compat_check_entry(struct ipt_entry *e,
+@@ -1646,14 +1644,9 @@ compat_check_entry(struct ipt_entry *e,
static int
translate_compat_table(struct net *net,
{
unsigned int i, j;
struct xt_table_info *newinfo, *info;
-@@ -1664,8 +1657,8 @@ translate_compat_table(struct net *net,
+@@ -1665,8 +1658,8 @@ translate_compat_table(struct net *net,
info = *pinfo;
entry0 = *pentry0;
/* Init all hooks to impossible value. */
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
-@@ -1676,40 +1669,39 @@ translate_compat_table(struct net *net,
+@@ -1677,40 +1670,39 @@ translate_compat_table(struct net *net,
duprintf("translate_compat_table: size %u\n", info->size);
j = 0;
xt_compat_lock(AF_INET);
goto out_unlock;
}
}
-@@ -1719,17 +1711,17 @@ translate_compat_table(struct net *net,
+@@ -1720,17 +1712,17 @@ translate_compat_table(struct net *net,
if (!newinfo)
goto out_unlock;
if (ret != 0)
break;
}
-@@ -1739,12 +1731,12 @@ translate_compat_table(struct net *net,
+@@ -1740,12 +1732,12 @@ translate_compat_table(struct net *net,
goto free_newinfo;
ret = -ELOOP;
if (ret != 0)
break;
++i;
-@@ -1789,7 +1781,7 @@ translate_compat_table(struct net *net,
+@@ -1790,7 +1782,7 @@ translate_compat_table(struct net *net,
free_newinfo:
xt_free_table_info(newinfo);
out:
if (j-- == 0)
break;
compat_release_entry(iter0);
-@@ -1832,10 +1824,7 @@ compat_do_replace(struct net *net, void
+@@ -1833,10 +1825,7 @@ compat_do_replace(struct net *net, void
goto free_newinfo;
}
int xt_check_target(struct xt_tgchk_param *, unsigned int size, u_int8_t proto,
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -492,19 +492,10 @@ static int mark_source_chains(const stru
+@@ -493,19 +493,10 @@ static int mark_source_chains(const stru
static inline int check_entry(const struct arpt_entry *e)
{
static inline int check_target(struct arpt_entry *e, const char *name)
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -586,20 +586,10 @@ static void cleanup_match(struct xt_entr
+@@ -587,20 +587,10 @@ static void cleanup_match(struct xt_entr
static int
check_entry(const struct ipt_entry *e)
{
static int
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -596,20 +596,10 @@ static void cleanup_match(struct xt_entr
+@@ -597,20 +597,10 @@ static void cleanup_match(struct xt_entr
static int
check_entry(const struct ip6t_entry *e)
{
#endif /* _X_TABLES_H */
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1244,7 +1244,8 @@ check_compat_entry_size_and_hooks(struct
+@@ -1245,7 +1245,8 @@ check_compat_entry_size_and_hooks(struct
if (!arp_checkentry(&e->arp))
return -EINVAL;
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1509,7 +1509,8 @@ check_compat_entry_size_and_hooks(struct
+@@ -1510,7 +1510,8 @@ check_compat_entry_size_and_hooks(struct
if (!ip_checkentry(&e->ip))
return -EINVAL;
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1521,7 +1521,8 @@ check_compat_entry_size_and_hooks(struct
+@@ -1522,7 +1522,8 @@ check_compat_entry_size_and_hooks(struct
if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -582,7 +582,8 @@ static inline int check_entry_size_and_h
+@@ -583,7 +583,8 @@ static inline int check_entry_size_and_h
if (!arp_checkentry(&e->arp))
return -EINVAL;
if (err)
return err;
-@@ -1244,7 +1245,7 @@ check_compat_entry_size_and_hooks(struct
+@@ -1245,7 +1246,7 @@ check_compat_entry_size_and_hooks(struct
if (!arp_checkentry(&e->arp))
return -EINVAL;
return ret;
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -742,7 +742,8 @@ check_entry_size_and_hooks(struct ipt_en
+@@ -743,7 +743,8 @@ check_entry_size_and_hooks(struct ipt_en
if (!ip_checkentry(&e->ip))
return -EINVAL;
if (err)
return err;
-@@ -1509,7 +1510,7 @@ check_compat_entry_size_and_hooks(struct
+@@ -1510,7 +1511,7 @@ check_compat_entry_size_and_hooks(struct
if (!ip_checkentry(&e->ip))
return -EINVAL;
return ret;
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -753,7 +753,8 @@ check_entry_size_and_hooks(struct ip6t_e
+@@ -754,7 +754,8 @@ check_entry_size_and_hooks(struct ip6t_e
if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
if (err)
return err;
-@@ -1521,7 +1522,7 @@ check_compat_entry_size_and_hooks(struct
+@@ -1522,7 +1523,7 @@ check_compat_entry_size_and_hooks(struct
if (!ip6_checkentry(&e->ipv6))
return -EINVAL;
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1227,19 +1227,17 @@ static inline void compat_release_entry(
+@@ -1228,19 +1228,17 @@ static inline void compat_release_entry(
module_put(t->u.kernel.target->me);
}
duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_arpt_entry) != 0 ||
-@@ -1284,17 +1282,6 @@ check_compat_entry_size_and_hooks(struct
+@@ -1285,17 +1283,6 @@ check_compat_entry_size_and_hooks(struct
if (ret)
goto release_target;
return 0;
release_target:
-@@ -1344,7 +1331,7 @@ static int translate_compat_table(struct
+@@ -1345,7 +1332,7 @@ static int translate_compat_table(struct
struct xt_table_info *newinfo, *info;
void *pos, *entry0, *entry1;
struct compat_arpt_entry *iter0;
unsigned int size;
int ret = 0;
-@@ -1353,12 +1340,6 @@ static int translate_compat_table(struct
+@@ -1354,12 +1341,6 @@ static int translate_compat_table(struct
size = compatr->size;
info->number = compatr->num_entries;
duprintf("translate_compat_table: size %u\n", info->size);
j = 0;
xt_compat_lock(NFPROTO_ARP);
-@@ -1367,9 +1348,7 @@ static int translate_compat_table(struct
+@@ -1368,9 +1349,7 @@ static int translate_compat_table(struct
xt_entry_foreach(iter0, entry0, compatr->size) {
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
entry0,
if (ret != 0)
goto out_unlock;
++j;
-@@ -1382,23 +1361,6 @@ static int translate_compat_table(struct
+@@ -1383,23 +1362,6 @@ static int translate_compat_table(struct
goto out_unlock;
}
ret = -ENOMEM;
newinfo = xt_alloc_table_info(size);
if (!newinfo)
-@@ -1415,51 +1377,25 @@ static int translate_compat_table(struct
+@@ -1416,51 +1378,25 @@ static int translate_compat_table(struct
xt_entry_foreach(iter0, entry0, compatr->size)
compat_copy_entry_from_user(iter0, &pos, &size,
newinfo, entry1);
*pinfo = newinfo;
*pentry0 = entry1;
-@@ -1468,17 +1404,16 @@ static int translate_compat_table(struct
+@@ -1469,17 +1405,16 @@ static int translate_compat_table(struct
free_newinfo:
xt_free_table_info(newinfo);
static int compat_do_replace(struct net *net, void __user *user,
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1482,16 +1482,14 @@ check_compat_entry_size_and_hooks(struct
+@@ -1483,16 +1483,14 @@ check_compat_entry_size_and_hooks(struct
struct xt_table_info *newinfo,
unsigned int *size,
const unsigned char *base,
duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ipt_entry) != 0 ||
-@@ -1544,17 +1542,6 @@ check_compat_entry_size_and_hooks(struct
+@@ -1545,17 +1543,6 @@ check_compat_entry_size_and_hooks(struct
if (ret)
goto out;
return 0;
out:
-@@ -1597,6 +1584,7 @@ compat_copy_entry_from_user(struct compa
+@@ -1598,6 +1585,7 @@ compat_copy_entry_from_user(struct compa
xt_compat_target_from_user(t, dstptr, size);
de->next_offset = e->next_offset - (origsize - *size);
for (h = 0; h < NF_INET_NUMHOOKS; h++) {
if ((unsigned char *)de - base < newinfo->hook_entry[h])
newinfo->hook_entry[h] -= origsize - *size;
-@@ -1606,41 +1594,6 @@ compat_copy_entry_from_user(struct compa
+@@ -1607,41 +1595,6 @@ compat_copy_entry_from_user(struct compa
}
static int
translate_compat_table(struct net *net,
struct xt_table_info **pinfo,
void **pentry0,
-@@ -1650,7 +1603,7 @@ translate_compat_table(struct net *net,
+@@ -1651,7 +1604,7 @@ translate_compat_table(struct net *net,
struct xt_table_info *newinfo, *info;
void *pos, *entry0, *entry1;
struct compat_ipt_entry *iter0;
unsigned int size;
int ret;
-@@ -1659,12 +1612,6 @@ translate_compat_table(struct net *net,
+@@ -1660,12 +1613,6 @@ translate_compat_table(struct net *net,
size = compatr->size;
info->number = compatr->num_entries;
duprintf("translate_compat_table: size %u\n", info->size);
j = 0;
xt_compat_lock(AF_INET);
-@@ -1673,9 +1620,7 @@ translate_compat_table(struct net *net,
+@@ -1674,9 +1621,7 @@ translate_compat_table(struct net *net,
xt_entry_foreach(iter0, entry0, compatr->size) {
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
entry0,
if (ret != 0)
goto out_unlock;
++j;
-@@ -1688,23 +1633,6 @@ translate_compat_table(struct net *net,
+@@ -1689,23 +1634,6 @@ translate_compat_table(struct net *net,
goto out_unlock;
}
ret = -ENOMEM;
newinfo = xt_alloc_table_info(size);
if (!newinfo)
-@@ -1712,8 +1640,8 @@ translate_compat_table(struct net *net,
+@@ -1713,8 +1641,8 @@ translate_compat_table(struct net *net,
newinfo->number = compatr->num_entries;
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
}
entry1 = newinfo->entries[raw_smp_processor_id()];
pos = entry1;
-@@ -1722,51 +1650,29 @@ translate_compat_table(struct net *net,
+@@ -1723,51 +1651,29 @@ translate_compat_table(struct net *net,
compat_copy_entry_from_user(iter0, &pos, &size,
newinfo, entry1);
*pinfo = newinfo;
*pentry0 = entry1;
-@@ -1775,17 +1681,16 @@ translate_compat_table(struct net *net,
+@@ -1776,17 +1682,16 @@ translate_compat_table(struct net *net,
free_newinfo:
xt_free_table_info(newinfo);
static int
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1494,16 +1494,14 @@ check_compat_entry_size_and_hooks(struct
+@@ -1495,16 +1495,14 @@ check_compat_entry_size_and_hooks(struct
struct xt_table_info *newinfo,
unsigned int *size,
const unsigned char *base,
duprintf("check_compat_entry_size_and_hooks %p\n", e);
if ((unsigned long)e % __alignof__(struct compat_ip6t_entry) != 0 ||
-@@ -1556,17 +1554,6 @@ check_compat_entry_size_and_hooks(struct
+@@ -1557,17 +1555,6 @@ check_compat_entry_size_and_hooks(struct
if (ret)
goto out;
return 0;
out:
-@@ -1615,41 +1602,6 @@ compat_copy_entry_from_user(struct compa
+@@ -1616,41 +1603,6 @@ compat_copy_entry_from_user(struct compa
}
}
static int
translate_compat_table(struct net *net,
struct xt_table_info **pinfo,
-@@ -1660,7 +1612,7 @@ translate_compat_table(struct net *net,
+@@ -1661,7 +1613,7 @@ translate_compat_table(struct net *net,
struct xt_table_info *newinfo, *info;
void *pos, *entry0, *entry1;
struct compat_ip6t_entry *iter0;
unsigned int size;
int ret = 0;
-@@ -1669,12 +1621,6 @@ translate_compat_table(struct net *net,
+@@ -1670,12 +1622,6 @@ translate_compat_table(struct net *net,
size = compatr->size;
info->number = compatr->num_entries;
duprintf("translate_compat_table: size %u\n", info->size);
j = 0;
xt_compat_lock(AF_INET6);
-@@ -1683,9 +1629,7 @@ translate_compat_table(struct net *net,
+@@ -1684,9 +1630,7 @@ translate_compat_table(struct net *net,
xt_entry_foreach(iter0, entry0, compatr->size) {
ret = check_compat_entry_size_and_hooks(iter0, info, &size,
entry0,
if (ret != 0)
goto out_unlock;
++j;
-@@ -1698,23 +1642,6 @@ translate_compat_table(struct net *net,
+@@ -1699,23 +1643,6 @@ translate_compat_table(struct net *net,
goto out_unlock;
}
ret = -ENOMEM;
newinfo = xt_alloc_table_info(size);
if (!newinfo)
-@@ -1722,60 +1649,33 @@ translate_compat_table(struct net *net,
+@@ -1723,60 +1650,33 @@ translate_compat_table(struct net *net,
newinfo->number = compatr->num_entries;
for (i = 0; i < NF_INET_NUMHOOKS; i++) {
*pinfo = newinfo;
*pentry0 = entry1;
-@@ -1784,17 +1684,16 @@ translate_compat_table(struct net *net,
+@@ -1785,17 +1685,16 @@ translate_compat_table(struct net *net,
free_newinfo:
xt_free_table_info(newinfo);
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -490,14 +490,6 @@ static int mark_source_chains(const stru
+@@ -491,14 +491,6 @@ static int mark_source_chains(const stru
return 1;
}
static inline int check_target(struct arpt_entry *e, const char *name)
{
struct xt_entry_target *t = arpt_get_target(e);
-@@ -587,7 +579,10 @@ static inline int check_entry_size_and_h
+@@ -588,7 +580,10 @@ static inline int check_entry_size_and_h
return -EINVAL;
}
if (err)
return err;
-@@ -1246,8 +1241,10 @@ check_compat_entry_size_and_hooks(struct
+@@ -1247,8 +1242,10 @@ check_compat_entry_size_and_hooks(struct
return -EINVAL;
}
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -584,15 +584,6 @@ static void cleanup_match(struct xt_entr
+@@ -585,15 +585,6 @@ static void cleanup_match(struct xt_entr
}
static int
check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
{
const struct ipt_ip *ip = par->entryinfo;
-@@ -748,7 +739,10 @@ check_entry_size_and_hooks(struct ipt_en
+@@ -749,7 +740,10 @@ check_entry_size_and_hooks(struct ipt_en
return -EINVAL;
}
if (err)
return err;
-@@ -1512,8 +1506,10 @@ check_compat_entry_size_and_hooks(struct
+@@ -1513,8 +1507,10 @@ check_compat_entry_size_and_hooks(struct
return -EINVAL;
}
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -593,15 +593,6 @@ static void cleanup_match(struct xt_entr
+@@ -594,15 +594,6 @@ static void cleanup_match(struct xt_entr
module_put(par.match->me);
}
static int check_match(struct xt_entry_match *m, struct xt_mtchk_param *par)
{
const struct ip6t_ip6 *ipv6 = par->entryinfo;
-@@ -759,7 +750,10 @@ check_entry_size_and_hooks(struct ip6t_e
+@@ -760,7 +751,10 @@ check_entry_size_and_hooks(struct ip6t_e
return -EINVAL;
}
if (err)
return err;
-@@ -1524,8 +1518,10 @@ check_compat_entry_size_and_hooks(struct
+@@ -1525,8 +1519,10 @@ check_compat_entry_size_and_hooks(struct
return -EINVAL;
}
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
- net/ipv4/netfilter/arp_tables.c | 16 ++++++++++++++++
- net/ipv4/netfilter/ip_tables.c | 16 ++++++++++++++++
- net/ipv6/netfilter/ip6_tables.c | 16 ++++++++++++++++
- 3 files changed, 48 insertions(+)
+ net/ipv4/netfilter/arp_tables.c | 17 +++++++++++++++++
+ net/ipv4/netfilter/ip_tables.c | 17 +++++++++++++++++
+ net/ipv6/netfilter/ip6_tables.c | 17 +++++++++++++++++
+ 3 files changed, 51 insertions(+)
+
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -363,6 +363,18 @@ static inline bool unconditional(const s
+@@ -363,6 +363,19 @@ static inline bool unconditional(const s
memcmp(&e->arp, &uncond, sizeof(uncond)) == 0;
}
+static bool find_jump_target(const struct xt_table_info *t,
++ const void *entry0,
+ const struct arpt_entry *target)
+{
+ struct arpt_entry *iter;
+
-+ xt_entry_foreach(iter, t->entries, t->size) {
++ xt_entry_foreach(iter, entry0, t->size) {
+ if (iter == target)
+ return true;
+ }
/* Figures out from what hook each rule can be called: returns 0 if
* there are loops. Puts hook bitmask in comefrom.
*/
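Review bot: find_jump_target walks the whole table from entry0 for every jump it is asked about, so mark_source_chains becomes quadratic in the number of rules, and a large (or deliberately large) ruleset handed to the replace setsockopt will spend a long time in validation; the ip_tables and ip6_tables copies in this patch have the same cost. The walk itself is only safe if every entry's next_offset has already been validated by check_entry_size_and_hooks before mark_source_chains runs — that ordering is outside this hunk, and in the compat path (the `mark_source_chains(newinfo, compatr->valid_hooks, entry1)` call further down in this series) it is worth confirming for the backport. If the cost matters, record each entry's offset once during the size/hook pass and test membership in O(1); at minimum I would add `/* O(n) per jump: a target must land exactly on an entry boundary */` above the loop so the intent of the pointer-equality test is clear. The function's `return false;` tail and closing brace are not visible in this hunk.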
-@@ -456,6 +468,10 @@ static int mark_source_chains(const stru
+@@ -456,6 +469,10 @@ static int mark_source_chains(const stru
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
+ e = (struct arpt_entry *)
+ (entry0 + newpos);
-+ if (!find_jump_target(newinfo, e))
++ if (!find_jump_target(newinfo, entry0, e))
+ return 0;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -439,6 +439,18 @@ ipt_do_table(struct sk_buff *skb,
+@@ -439,6 +439,19 @@ ipt_do_table(struct sk_buff *skb,
#endif
}
+static bool find_jump_target(const struct xt_table_info *t,
++ const void *entry0,
+ const struct ipt_entry *target)
+{
+ struct ipt_entry *iter;
+
-+ xt_entry_foreach(iter, t->entries, t->size) {
++ xt_entry_foreach(iter, entry0, t->size) {
+ if (iter == target)
+ return true;
+ }
/* Figures out from what hook each rule can be called: returns 0 if
there are loops. Puts hook bitmask in comefrom. */
static int
-@@ -536,6 +548,10 @@ mark_source_chains(const struct xt_table
+@@ -536,6 +549,10 @@ mark_source_chains(const struct xt_table
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
+ e = (struct ipt_entry *)
+ (entry0 + newpos);
-+ if (!find_jump_target(newinfo, e))
++ if (!find_jump_target(newinfo, entry0, e))
+ return 0;
} else {
/* ... this is a fallthru */
newpos = pos + e->next_offset;
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -449,6 +449,18 @@ ip6t_do_table(struct sk_buff *skb,
+@@ -449,6 +449,19 @@ ip6t_do_table(struct sk_buff *skb,
#endif
}
+static bool find_jump_target(const struct xt_table_info *t,
++ const void *entry0,
+ const struct ip6t_entry *target)
+{
+ struct ip6t_entry *iter;
+
-+ xt_entry_foreach(iter, t->entries, t->size) {
++ xt_entry_foreach(iter, entry0, t->size) {
+ if (iter == target)
+ return true;
+ }
/* Figures out from what hook each rule can be called: returns 0 if
there are loops. Puts hook bitmask in comefrom. */
static int
-@@ -546,6 +558,10 @@ mark_source_chains(const struct xt_table
+@@ -546,6 +559,10 @@ mark_source_chains(const struct xt_table
/* This a jump; chase it. */
duprintf("Jump rule %u -> %u\n",
pos, newpos);
+ e = (struct ip6t_entry *)
+ (entry0 + newpos);
-+ if (!find_jump_target(newinfo, e))
++ if (!find_jump_target(newinfo, entry0, e))
+ return 0;
} else {
/* ... this is a fallthru */
void __user **dstptr, unsigned int *size);
--- a/net/ipv4/netfilter/arp_tables.c
+++ b/net/ipv4/netfilter/arp_tables.c
-@@ -1300,7 +1300,7 @@ out:
+@@ -1301,7 +1301,7 @@ out:
return ret;
}
compat_copy_entry_from_user(struct compat_arpt_entry *e, void **dstptr,
unsigned int *size,
struct xt_table_info *newinfo, unsigned char *base)
-@@ -1309,9 +1309,8 @@ compat_copy_entry_from_user(struct compa
+@@ -1310,9 +1310,8 @@ compat_copy_entry_from_user(struct compa
struct xt_target *target;
struct arpt_entry *de;
unsigned int origsize;
origsize = *size;
de = (struct arpt_entry *)*dstptr;
memcpy(de, e, sizeof(struct arpt_entry));
-@@ -1332,7 +1331,6 @@ compat_copy_entry_from_user(struct compa
+@@ -1333,7 +1332,6 @@ compat_copy_entry_from_user(struct compa
if ((unsigned char *)de - base < newinfo->underflow[h])
newinfo->underflow[h] -= origsize - *size;
}
}
static int translate_compat_table(struct xt_table_info **pinfo,
-@@ -1411,16 +1409,11 @@ static int translate_compat_table(struct
+@@ -1412,16 +1410,11 @@ static int translate_compat_table(struct
entry1 = newinfo->entries[raw_smp_processor_id()];
pos = entry1;
size = compatr->size;
if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
--- a/net/ipv4/netfilter/ip_tables.c
+++ b/net/ipv4/netfilter/ip_tables.c
-@@ -1565,7 +1565,7 @@ release_matches:
+@@ -1566,7 +1566,7 @@ release_matches:
return ret;
}
compat_copy_entry_from_user(struct compat_ipt_entry *e, void **dstptr,
unsigned int *size,
struct xt_table_info *newinfo, unsigned char *base)
-@@ -1574,10 +1574,9 @@ compat_copy_entry_from_user(struct compa
+@@ -1575,10 +1575,9 @@ compat_copy_entry_from_user(struct compa
struct xt_target *target;
struct ipt_entry *de;
unsigned int origsize;
origsize = *size;
de = (struct ipt_entry *)*dstptr;
memcpy(de, e, sizeof(struct ipt_entry));
-@@ -1586,11 +1585,9 @@ compat_copy_entry_from_user(struct compa
+@@ -1587,11 +1586,9 @@ compat_copy_entry_from_user(struct compa
*dstptr += sizeof(struct ipt_entry);
*size += sizeof(struct ipt_entry) - sizeof(struct compat_ipt_entry);
de->target_offset = e->target_offset - (origsize - *size);
t = compat_ipt_get_target(e);
target = t->u.kernel.target;
-@@ -1603,7 +1600,6 @@ compat_copy_entry_from_user(struct compa
+@@ -1604,7 +1601,6 @@ compat_copy_entry_from_user(struct compa
if ((unsigned char *)de - base < newinfo->underflow[h])
newinfo->underflow[h] -= origsize - *size;
}
}
static int
-@@ -1719,16 +1715,12 @@ translate_compat_table(struct net *net,
+@@ -1720,16 +1716,12 @@ translate_compat_table(struct net *net,
entry1 = newinfo->entries[raw_smp_processor_id()];
pos = entry1;
size = compatr->size;
if (!mark_source_chains(newinfo, compatr->valid_hooks, entry1))
--- a/net/ipv6/netfilter/ip6_tables.c
+++ b/net/ipv6/netfilter/ip6_tables.c
-@@ -1577,7 +1577,7 @@ release_matches:
+@@ -1578,7 +1578,7 @@ release_matches:
return ret;
}
compat_copy_entry_from_user(struct compat_ip6t_entry *e, void **dstptr,
unsigned int *size,
struct xt_table_info *newinfo, unsigned char *base)
-@@ -1585,10 +1585,9 @@ compat_copy_entry_from_user(struct compa
+@@ -1586,10 +1586,9 @@ compat_copy_entry_from_user(struct compa
struct xt_entry_target *t;
struct ip6t_entry *de;
unsigned int origsize;
origsize = *size;
de = (struct ip6t_entry *)*dstptr;
memcpy(de, e, sizeof(struct ip6t_entry));
-@@ -1597,11 +1596,9 @@ compat_copy_entry_from_user(struct compa
+@@ -1598,11 +1597,9 @@ compat_copy_entry_from_user(struct compa
*dstptr += sizeof(struct ip6t_entry);
*size += sizeof(struct ip6t_entry) - sizeof(struct compat_ip6t_entry);
de->target_offset = e->target_offset - (origsize - *size);
t = compat_ip6t_get_target(e);
xt_compat_target_from_user(t, dstptr, size);
-@@ -1613,7 +1610,6 @@ compat_copy_entry_from_user(struct compa
+@@ -1614,7 +1611,6 @@ compat_copy_entry_from_user(struct compa
if ((unsigned char *)de - base < newinfo->underflow[h])
newinfo->underflow[h] -= origsize - *size;
}
}
static int compat_check_entry(struct ip6t_entry *e, struct net *net,
-@@ -1728,17 +1724,12 @@ translate_compat_table(struct net *net,
+@@ -1729,17 +1725,12 @@ translate_compat_table(struct net *net,
}
entry1 = newinfo->entries[raw_smp_processor_id()];
pos = entry1;
--- /dev/null
+From d26e2c9ffa385dd1b646f43c1397ba12af9ed431 Mon Sep 17 00:00:00 2001
+From: Bernhard Thaler <bernhard.thaler@wvnet.at>
+Date: Thu, 28 May 2015 10:26:18 +0200
+Subject: Revert "netfilter: ensure number of counters is >0 in do_replace()"
+
+From: Bernhard Thaler <bernhard.thaler@wvnet.at>
+
+commit d26e2c9ffa385dd1b646f43c1397ba12af9ed431 upstream.
+
+This partially reverts commit 1086bbe97a07 ("netfilter: ensure number of
+counters is >0 in do_replace()") in net/bridge/netfilter/ebtables.c.
+
+Setting rules with ebtables does not work any more with 1086bbe97a07 place.
+
+There is an error message and no rules set in the end.
+
+e.g.
+
+~# ebtables -t nat -A POSTROUTING --src 12:34:56:78:9a:bc -j DROP
+Unable to update the kernel. Two possible causes:
+1. Multiple ebtables programs were executing simultaneously. The ebtables
+ userspace tool doesn't by default support multiple ebtables programs
+running
+
+Reverting the ebtables part of 1086bbe97a07 makes this work again.
+
+Signed-off-by: Bernhard Thaler <bernhard.thaler@wvnet.at>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/bridge/netfilter/ebtables.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/bridge/netfilter/ebtables.c
++++ b/net/bridge/netfilter/ebtables.c
+@@ -1105,8 +1105,6 @@ static int do_replace(struct net *net, c
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
+- if (tmp.num_counters == 0)
+- return -EINVAL;
+
+ tmp.name[sizeof(tmp.name) - 1] = 0;
+
+@@ -2152,8 +2150,6 @@ static int compat_copy_ebt_replace_from_
+ return -ENOMEM;
+ if (tmp.num_counters >= INT_MAX / sizeof(struct ebt_counter))
+ return -ENOMEM;
+- if (tmp.num_counters == 0)
+- return -EINVAL;
+
+ memcpy(repl, &tmp, offsetof(struct ebt_replace, hook_entry));
+
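Review bot: With the `num_counters == 0` rejection dropped from both do_replace and compat_copy_ebt_replace_from_user, a zero-counter replace is accepted again, so the later counter allocation and copy paths must treat zero as "no counters" rather than issue a zero-length allocation; those paths are outside this hunk and should be confirmed, since the removed check was presumably added alongside the `INT_MAX / sizeof(struct ebt_counter)` bound as input hardening. The surviving bound keeps the size arithmetic safe, but ebtables now deliberately diverges from the x_tables do_replace() variants that this series still leaves rejecting zero counters, and nothing at the call site records why. I would add a comment above the remaining check in both functions, e.g. `/* num_counters == 0 is legitimate here: ebtables userspace replaces tables without counters (partial revert of 1086bbe97a07) */`, so the next hardening pass does not reintroduce the rejection.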
netfilter-x_tables-xt_compat_match_from_user-doesn-t-need-a-retval.patch
netfilter-ensure-number-of-counters-is-0-in-do_replace.patch
netfilter-x_tables-do-compat-validation-via-translate_table.patch
+revert-netfilter-ensure-number-of-counters-is-0-in-do_replace.patch