--- /dev/null
+From 283283c4da91adc44b03519f434ee1e7e91d6fdb Mon Sep 17 00:00:00 2001
+From: Julian Anastasov <ja@ssi.bg>
+Date: Sat, 7 Jul 2012 20:30:11 +0300
+Subject: ipvs: fix oops in ip_vs_dst_event on rmmod
+
+From: Julian Anastasov <ja@ssi.bg>
+
+commit 283283c4da91adc44b03519f434ee1e7e91d6fdb upstream.
+
+ After commit 39f618b4fd95ae243d940ec64c961009c74e3333 (3.4)
+"ipvs: reset ipvs pointer in netns" we can oops in
+ip_vs_dst_event on rmmod ip_vs because ip_vs_control_cleanup
+is called after the ipvs_core_ops subsys is unregistered and
+net->ipvs is NULL. Fix it by exiting early from ip_vs_dst_event
+if ipvs is NULL. It is safe because all services and dests
+for the net are already freed.
+
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1521,11 +1521,12 @@ static int ip_vs_dst_event(struct notifi
+ {
+ struct net_device *dev = ptr;
+ struct net *net = dev_net(dev);
++ struct netns_ipvs *ipvs = net_ipvs(net);
+ struct ip_vs_service *svc;
+ struct ip_vs_dest *dest;
+ unsigned int idx;
+
+- if (event != NETDEV_UNREGISTER)
++ if (event != NETDEV_UNREGISTER || !ipvs)
+ return NOTIFY_DONE;
+ IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
+ EnterFunction(2);
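Review bot: The new `!ipvs` early return carries no comment saying when `net_ipvs(net)` can legitimately be NULL, so it reads like a stray defensive test. The commit message gives the reason (the notifier can still fire on rmmod after the ipvs netns subsys is unregistered), and a one-line comment would keep it with the code: `/* ipvs is NULL once the netns subsys is unregistered (rmmod); nothing left to reset */`. The matching `mutex_lock` for the `mutex_unlock(&__ip_vs_mutex)` in the second hunk is not visible in either hunk, so it is worth confirming the early return stays ahead of it. ip_vs_dst_event starts above this hunk and continues past it.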
+@@ -1551,7 +1552,7 @@ static int ip_vs_dst_event(struct notifi
+ }
+ }
+
+- list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) {
++ list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
+ __ip_vs_dev_reset(dest, dev);
+ }
+ mutex_unlock(&__ip_vs_mutex);
--- /dev/null
+From 127f559127f5175e4bec3dab725a34845d956591 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Mon, 7 May 2012 02:35:44 +0000
+Subject: netfilter: ipset: fix timeout value overflow bug
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit 127f559127f5175e4bec3dab725a34845d956591 upstream.
+
+Large timeout parameters could result wrong timeout values due to
+an overflow at msec to jiffies conversion (reported by Andreas Herz)
+
+[ This patch was mangled by Pablo Neira Ayuso since David Laight and
+ Eric Dumazet noticed that we were using hardcoded 1000 instead of
+ MSEC_PER_SEC to calculate the timeout ]
+
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/linux/netfilter/ipset/ip_set_timeout.h | 4 ++++
+ net/netfilter/xt_set.c | 15 +++++++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/include/linux/netfilter/ipset/ip_set_timeout.h
++++ b/include/linux/netfilter/ipset/ip_set_timeout.h
+@@ -30,6 +30,10 @@ ip_set_timeout_uget(struct nlattr *tb)
+ {
+ unsigned int timeout = ip_set_get_h32(tb);
+
++ /* Normalize to fit into jiffies */
++ if (timeout > UINT_MAX/MSEC_PER_SEC)
++ timeout = UINT_MAX/MSEC_PER_SEC;
++
+ /* Userspace supplied TIMEOUT parameter: adjust crazy size */
+ return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
+ }
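Review bot: After the new clamp `timeout` can never exceed `UINT_MAX/MSEC_PER_SEC`, so the `timeout == IPSET_NO_TIMEOUT` test on the return line can no longer be true if `IPSET_NO_TIMEOUT` is `UINT_MAX` (its definition is not in this hunk). Either drop the ternary or order the two adjustments so that each is reachable. The comment could also name the unit and the silent shortening, for example `/* timeout is presumably in seconds; clamp so timeout * MSEC_PER_SEC fits in 32 bits (larger requests are silently shortened) */`.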
+--- a/net/netfilter/xt_set.c
++++ b/net/netfilter/xt_set.c
+@@ -44,6 +44,14 @@ const struct ip_set_adt_opt n = { \
+ .cmdflags = cfs, \
+ .timeout = t, \
+ }
++#define ADT_MOPT(n, f, d, fs, cfs, t) \
++struct ip_set_adt_opt n = { \
++ .family = f, \
++ .dim = d, \
++ .flags = fs, \
++ .cmdflags = cfs, \
++ .timeout = t, \
++}
+
+ /* Revision 0 interface: backward compatible with netfilter/iptables */
+
+@@ -296,11 +304,14 @@ static unsigned int
+ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
+ {
+ const struct xt_set_info_target_v2 *info = par->targinfo;
+- ADT_OPT(add_opt, par->family, info->add_set.dim,
+- info->add_set.flags, info->flags, info->timeout);
++ ADT_MOPT(add_opt, par->family, info->add_set.dim,
++ info->add_set.flags, info->flags, info->timeout);
+ ADT_OPT(del_opt, par->family, info->del_set.dim,
+ info->del_set.flags, 0, UINT_MAX);
+
++ /* Normalize to fit into jiffies */
++ if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
++ add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_add(info->add_set.index, skb, par, &add_opt);
+ if (info->del_set.index != IPSET_INVALID_ID)
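Review bot: The clamp on `add_opt.timeout` is unconditional, so it also rewrites any sentinel value above `UINT_MAX/MSEC_PER_SEC`. The follow-up a73f89a61f92, queued after this patch in the same series, adds the `IPSET_NO_TIMEOUT` exemption, so the two should always be backported as a pair and in that order. Separately, the same two-line clamp now exists here and in `ip_set_timeout_uget()`, and `ADT_MOPT` repeats `ADT_OPT` without the `const`; a small shared helper in ip_set_timeout.h would keep the limit in one place. set_target_v2 continues past the end of this hunk.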
--- /dev/null
+From a73f89a61f92b364f0b4a3be412b5b70553afc23 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Date: Fri, 29 Jun 2012 09:42:28 +0000
+Subject: netfilter: ipset: timeout fixing bug broke SET target special timeout value
+
+From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+
+commit a73f89a61f92b364f0b4a3be412b5b70553afc23 upstream.
+
+The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
+broke the SET target when no timeout was specified.
+
+Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
+Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_set.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/xt_set.c
++++ b/net/netfilter/xt_set.c
+@@ -16,6 +16,7 @@
+
+ #include <linux/netfilter/x_tables.h>
+ #include <linux/netfilter/xt_set.h>
++#include <linux/netfilter/ipset/ip_set_timeout.h>
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>");
+@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const
+ info->del_set.flags, 0, UINT_MAX);
+
+ /* Normalize to fit into jiffies */
+- if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
++ if (add_opt.timeout != IPSET_NO_TIMEOUT &&
++ add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+ add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_add(info->add_set.index, skb, par, &add_opt);
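Review bot: The comment above the condition still reads `/* Normalize to fit into jiffies */` and does not say why one value is now exempt from the clamp. Suggest `/* Normalize to fit into jiffies; IPSET_NO_TIMEOUT means no timeout was given and must reach ip_set_add() unchanged */`. set_target_v2 starts above this hunk and continues past it.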
--- /dev/null
+From 5b423f6a40a0327f9d40bc8b97ce9be266f74368 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 29 Aug 2012 16:25:49 +0000
+Subject: netfilter: nf_conntrack: fix racy timer handling with reliable events
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 5b423f6a40a0327f9d40bc8b97ce9be266f74368 upstream.
+
+Existing code assumes that del_timer returns true for alive conntrack
+entries. However, this is not true if reliable events are enabled.
+In that case, del_timer may return true for entries that were
+just inserted in the dying list. Note that packets / ctnetlink may
+hold references to conntrack entries that were just inserted to such
+list.
+
+This patch fixes the issue by adding an independent timer for
+event delivery. This increases the size of the ecache extension.
+Still we can revisit this later and use variable size extensions
+to allocate this area on demand.
+
+Tested-by: Oliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/netfilter/nf_conntrack_ecache.h | 1 +
+ net/netfilter/nf_conntrack_core.c | 16 +++++++++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_ecache.h
++++ b/include/net/netfilter/nf_conntrack_ecache.h
+@@ -18,6 +18,7 @@ struct nf_conntrack_ecache {
+ u16 ctmask; /* bitmask of ct events to be delivered */
+ u16 expmask; /* bitmask of expect events to be delivered */
+ u32 pid; /* netlink pid of destroyer */
++ struct timer_list timeout;
+ };
+
+ static inline struct nf_conntrack_ecache *
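Review bot: The new `timeout` member is the only field shown in `struct nf_conntrack_ecache` without a trailing comment, and it shares its name with the conntrack's own `ct->timeout`, the timer this patch is separating it from. A comment such as `/* retry timer for destroy-event delivery, independent of ct->timeout */` would make the distinction explicit for anyone auditing timer lifetimes later. The struct's opening fields lie above the hunk.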
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -249,12 +249,15 @@ static void death_by_event(unsigned long
+ {
+ struct nf_conn *ct = (void *)ul_conntrack;
+ struct net *net = nf_ct_net(ct);
++ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
++
++ BUG_ON(ecache == NULL);
+
+ if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
+ /* bad luck, let's retry again */
+- ct->timeout.expires = jiffies +
++ ecache->timeout.expires = jiffies +
+ (random32() % net->ct.sysctl_events_retry_timeout);
+- add_timer(&ct->timeout);
++ add_timer(&ecache->timeout);
+ return;
+ }
+ /* we've got the event delivered, now it's dying */
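Review bot: The retry delay is still computed as `random32() % net->ct.sysctl_events_retry_timeout`, and nothing in this hunk guards against that sysctl being 0, which would be a division by zero in timer context. Whether the sysctl handler enforces a minimum is not visible here, so this needs checking rather than assuming. The same expression re-arms the timer in nf_ct_insert_dying_list further down. If zero is reachable, use a non-zero modulus, e.g. `random32() % max_t(u32, net->ct.sysctl_events_retry_timeout, 1)`. death_by_event continues past the end of this hunk.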
+@@ -268,6 +271,9 @@ static void death_by_event(unsigned long
+ void nf_ct_insert_dying_list(struct nf_conn *ct)
+ {
+ struct net *net = nf_ct_net(ct);
++ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
++
++ BUG_ON(ecache == NULL);
+
+ /* add this conntrack to the dying list */
+ spin_lock_bh(&nf_conntrack_lock);
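Review bot: `BUG_ON(ecache == NULL)` here and in death_by_event encodes an invariant that is not written down anywhere in the patch. The function is presumably only reached for conntracks that carry the ecache extension, but no caller is visible in these hunks. Since a failed BUG_ON stops the kernel, state the assumption next to it, e.g. `/* only called after a failed event delivery, so the ecache extension must exist */`, once that has been confirmed against the callers. If the caller contract cannot be guaranteed, a `WARN_ON_ONCE` with an early return is the safer choice in this function. The function body continues in the next hunk.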
+@@ -275,10 +281,10 @@ void nf_ct_insert_dying_list(struct nf_c
+ &net->ct.dying);
+ spin_unlock_bh(&nf_conntrack_lock);
+ /* set a new timer to retry event delivery */
+- setup_timer(&ct->timeout, death_by_event, (unsigned long)ct);
+- ct->timeout.expires = jiffies +
++ setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct);
++ ecache->timeout.expires = jiffies +
+ (random32() % net->ct.sysctl_events_retry_timeout);
+- add_timer(&ct->timeout);
++ add_timer(&ecache->timeout);
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
+
md-raid10-use-correct-limit-variable.patch
kdb-vt_console-fix-missed-data-due-to-pager-overruns.patch
pktgen-fix-crash-when-generating-ipv6-packets.patch
+ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch
+netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch
+netfilter-ipset-fix-timeout-value-overflow-bug.patch
+netfilter-ipset-timeout-fixing-bug-broke-set-target-special-timeout-value.patch