--- /dev/null
+From 283283c4da91adc44b03519f434ee1e7e91d6fdb Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 7 Jul 2012 20:30:11 +0300
+Subject: ipvs: fix oops in ip_vs_dst_event on rmmod
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit 283283c4da91adc44b03519f434ee1e7e91d6fdb upstream.
+
+ After commit 39f618b4fd95ae243d940ec64c961009c74e3333 (3.4)
+"ipvs: reset ipvs pointer in netns" we can oops in
+ip_vs_dst_event on rmmod ip_vs because ip_vs_control_cleanup
+is called after the ipvs_core_ops subsys is unregistered and
+net->ipvs is NULL. Fix it by exiting early from ip_vs_dst_event
+if ipvs is NULL. It is safe because all services and dests
+for the net are already freed.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1520,11 +1520,12 @@ static int ip_vs_dst_event(struct notifi
+ {
+ struct net_device *dev = ptr;
+ struct net *net = dev_net(dev);
++ struct netns_ipvs *ipvs = net_ipvs(net);
+ struct ip_vs_service *svc;
+ struct ip_vs_dest *dest;
+ unsigned int idx;
+
+- if (event != NETDEV_UNREGISTER)
++ if (event != NETDEV_UNREGISTER || !ipvs)
+ return NOTIFY_DONE;
+ IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
+ EnterFunction(2);
+@@ -1550,7 +1551,7 @@ static int ip_vs_dst_event(struct notifi
+ }
+ }
+
+- list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) {
++ list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
+ __ip_vs_dev_reset(dest, dev);
+ }
+ mutex_unlock(&__ip_vs_mutex);
--- /dev/null
+From 5b423f6a40a0327f9d40bc8b97ce9be266f74368 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 29 Aug 2012 16:25:49 +0000
+Subject: netfilter: nf_conntrack: fix racy timer handling with reliable events
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 5b423f6a40a0327f9d40bc8b97ce9be266f74368 upstream.
+
+Existing code assumes that del_timer returns true for alive conntrack
+entries. However, this is not true if reliable events are enabled.
+In that case, del_timer may return true for entries that were
+just inserted in the dying list. Note that packets / ctnetlink may
+hold references to conntrack entries that were just inserted to such
+list.
+
+This patch fixes the issue by adding an independent timer for
+event delivery. This increases the size of the ecache extension.
+Still we can revisit this later and use variable size extensions
+to allocate this area on demand.
+
+Tested-by: Oliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_conntrack_ecache.h | 1 +
+ net/netfilter/nf_conntrack_core.c | 16 +++++++++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_ecache.h
++++ b/include/net/netfilter/nf_conntrack_ecache.h
+@@ -18,6 +18,7 @@ struct nf_conntrack_ecache {
+ u16 ctmask; /* bitmask of ct events to be delivered */
+ u16 expmask; /* bitmask of expect events to be delivered */
+ u32 pid; /* netlink pid of destroyer */
++ struct timer_list timeout;
+ };
+
+ static inline struct nf_conntrack_ecache *
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -247,12 +247,15 @@ static void death_by_event(unsigned long
+ {
+ struct nf_conn *ct = (void *)ul_conntrack;
+ struct net *net = nf_ct_net(ct);
++ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
++
++ BUG_ON(ecache == NULL);
+
+ if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
+ /* bad luck, let's retry again */
+- ct->timeout.expires = jiffies +
++ ecache->timeout.expires = jiffies +
+ (random32() % net->ct.sysctl_events_retry_timeout);
+- add_timer(&ct->timeout);
++ add_timer(&ecache->timeout);
+ return;
+ }
+ /* we've got the event delivered, now it's dying */
+@@ -266,6 +269,9 @@ static void death_by_event(unsigned long
+ void nf_ct_insert_dying_list(struct nf_conn *ct)
+ {
+ struct net *net = nf_ct_net(ct);
++ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
++
++ BUG_ON(ecache == NULL);
+
+ /* add this conntrack to the dying list */
+ spin_lock_bh(&nf_conntrack_lock);
+@@ -273,10 +279,10 @@ void nf_ct_insert_dying_list(struct nf_c
+ &net->ct.dying);
+ spin_unlock_bh(&nf_conntrack_lock);
+ /* set a new timer to retry event delivery */
+- setup_timer(&ct->timeout, death_by_event, (unsigned long)ct);
+- ct->timeout.expires = jiffies +
++ setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct);
++ ecache->timeout.expires = jiffies +
+ (random32() % net->ct.sysctl_events_retry_timeout);
+- add_timer(&ct->timeout);
++ add_timer(&ecache->timeout);
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
+
--- /dev/null
+From 07153c6ec074257ade76a461429b567cff2b3a1e Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Tue, 3 Apr 2012 22:02:01 +0200
+Subject: netfilter: nf_ct_ipv4: packets with wrong ihl are invalid
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 07153c6ec074257ade76a461429b567cff2b3a1e upstream.
+
+It was reported that the Linux kernel sometimes logs:
+
+klogd: [2629147.402413] kernel BUG at net / netfilter /
+nf_conntrack_proto_tcp.c: 447!
+klogd: [1072212.887368] kernel BUG at net / netfilter /
+nf_conntrack_proto_tcp.c: 392
+
+ipv4_get_l4proto() in nf_conntrack_l3proto_ipv4.c and tcp_error() in
+nf_conntrack_proto_tcp.c should catch malformed packets, so the errors
+at the indicated lines - TCP options parsing - should not happen.
+However, tcp_error() relies on the "dataoff" offset to the TCP header,
+calculated by ipv4_get_l4proto(). But ipv4_get_l4proto() does not check
+bogus ihl values in IPv4 packets, which then can slip through tcp_error()
+and get caught at the TCP options parsing routines.
+
+The patch fixes ipv4_get_l4proto() by invalidating packets with bogus
+ihl value.
+
+The patch closes netfilter bugzilla id 771.
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
++++ b/net/ipv4/netfilter/nf_conntrack_l3proto_ipv4.c
+@@ -84,6 +84,14 @@ static int ipv4_get_l4proto(const struct
+ *dataoff = nhoff + (iph->ihl << 2);
+ *protonum = iph->protocol;
+
++ /* Check bogus IP headers */
++ if (*dataoff > skb->len) {
++ pr_debug("nf_conntrack_ipv4: bogus IPv4 packet: "
++ "nhoff %u, ihl %u, skblen %u\n",
++ nhoff, iph->ihl << 2, skb->len);
++ return -NF_ACCEPT;
++ }
++
+ return NF_ACCEPT;
+ }
+
timers-fix-endless-looping-between-cascade-and-internal_add_timer.patch
pktgen-fix-crash-when-generating-ipv6-packets.patch
tg3-apply-short-dma-frag-workaround-to-5906.patch
+ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch
+netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch
+netfilter-nf_ct_ipv4-packets-with-wrong-ihl-are-invalid.patch
projects / thirdparty / kernel / stable-queue.git / commitdiff
