3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Oct 2012 23:45:10 +0000 (16:45 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 15 Oct 2012 23:45:10 +0000 (16:45 -0700)
added patches:
ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch
netfilter-limit-hashlimit-avoid-duplicated-inline.patch
netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch
netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch
netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch
netfilter-xt_limit-have-r-cost-0-case-work.patch

queue-3.0/ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch [new file with mode: 0644]
queue-3.0/netfilter-limit-hashlimit-avoid-duplicated-inline.patch [new file with mode: 0644]
queue-3.0/netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch [new file with mode: 0644]
queue-3.0/netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch [new file with mode: 0644]
queue-3.0/netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch [new file with mode: 0644]
queue-3.0/netfilter-xt_limit-have-r-cost-0-case-work.patch [new file with mode: 0644]
queue-3.0/series

diff --git a/queue-3.0/ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch b/queue-3.0/ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch
new file mode 100644 (file)
index 0000000..e6779ad
--- /dev/null
@@ -0,0 +1,111 @@
+From 9e33ce453f8ac8452649802bee1f410319408f4b Mon Sep 17 00:00:00 2001
+From: Lin Ming <mlin@ss.pku.edu.cn>
+Date: Sat, 7 Jul 2012 18:26:10 +0800
+Subject: ipvs: fix oops on NAT reply in br_nf context
+
+From: Lin Ming <mlin@ss.pku.edu.cn>
+
+commit 9e33ce453f8ac8452649802bee1f410319408f4b upstream.
+
+IPVS should not reset skb->nf_bridge in FORWARD hook
+by calling nf_reset for NAT replies. It triggers oops in
+br_nf_forward_finish.
+
+[  579.781508] BUG: unable to handle kernel NULL pointer dereference at 0000000000000004
+[  579.781669] IP: [<ffffffff817b1ca5>] br_nf_forward_finish+0x58/0x112
+[  579.781792] PGD 218f9067 PUD 0
+[  579.781865] Oops: 0000 [#1] SMP
+[  579.781945] CPU 0
+[  579.781983] Modules linked in:
+[  579.782047]
+[  579.782080]
+[  579.782114] Pid: 4644, comm: qemu Tainted: G        W    3.5.0-rc5-00006-g95e69f9 #282 Hewlett-Packard  /30E8
+[  579.782300] RIP: 0010:[<ffffffff817b1ca5>]  [<ffffffff817b1ca5>] br_nf_forward_finish+0x58/0x112
+[  579.782455] RSP: 0018:ffff88007b003a98  EFLAGS: 00010287
+[  579.782541] RAX: 0000000000000008 RBX: ffff8800762ead00 RCX: 000000000001670a
+[  579.782653] RDX: 0000000000000000 RSI: 000000000000000a RDI: ffff8800762ead00
+[  579.782845] RBP: ffff88007b003ac8 R08: 0000000000016630 R09: ffff88007b003a90
+[  579.782957] R10: ffff88007b0038e8 R11: ffff88002da37540 R12: ffff88002da01a02
+[  579.783066] R13: ffff88002da01a80 R14: ffff88002d83c000 R15: ffff88002d82a000
+[  579.783177] FS:  0000000000000000(0000) GS:ffff88007b000000(0063) knlGS:00000000f62d1b70
+[  579.783306] CS:  0010 DS: 002b ES: 002b CR0: 000000008005003b
+[  579.783395] CR2: 0000000000000004 CR3: 00000000218fe000 CR4: 00000000000027f0
+[  579.783505] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[  579.783684] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[  579.783795] Process qemu (pid: 4644, threadinfo ffff880021b20000, task ffff880021aba760)
+[  579.783919] Stack:
+[  579.783959]  ffff88007693cedc ffff8800762ead00 ffff88002da01a02 ffff8800762ead00
+[  579.784110]  ffff88002da01a02 ffff88002da01a80 ffff88007b003b18 ffffffff817b26c7
+[  579.784260]  ffff880080000000 ffffffff81ef59f0 ffff8800762ead00 ffffffff81ef58b0
+[  579.784477] Call Trace:
+[  579.784523]  <IRQ>
+[  579.784562]
+[  579.784603]  [<ffffffff817b26c7>] br_nf_forward_ip+0x275/0x2c8
+[  579.784707]  [<ffffffff81704b58>] nf_iterate+0x47/0x7d
+[  579.784797]  [<ffffffff817ac32e>] ? br_dev_queue_push_xmit+0xae/0xae
+[  579.784906]  [<ffffffff81704bfb>] nf_hook_slow+0x6d/0x102
+[  579.784995]  [<ffffffff817ac32e>] ? br_dev_queue_push_xmit+0xae/0xae
+[  579.785175]  [<ffffffff8187fa95>] ? _raw_write_unlock_bh+0x19/0x1b
+[  579.785179]  [<ffffffff817ac417>] __br_forward+0x97/0xa2
+[  579.785179]  [<ffffffff817ad366>] br_handle_frame_finish+0x1a6/0x257
+[  579.785179]  [<ffffffff817b2386>] br_nf_pre_routing_finish+0x26d/0x2cb
+[  579.785179]  [<ffffffff817b2cf0>] br_nf_pre_routing+0x55d/0x5c1
+[  579.785179]  [<ffffffff81704b58>] nf_iterate+0x47/0x7d
+[  579.785179]  [<ffffffff817ad1c0>] ? br_handle_local_finish+0x44/0x44
+[  579.785179]  [<ffffffff81704bfb>] nf_hook_slow+0x6d/0x102
+[  579.785179]  [<ffffffff817ad1c0>] ? br_handle_local_finish+0x44/0x44
+[  579.785179]  [<ffffffff81551525>] ? sky2_poll+0xb35/0xb54
+[  579.785179]  [<ffffffff817ad62a>] br_handle_frame+0x213/0x229
+[  579.785179]  [<ffffffff817ad417>] ? br_handle_frame_finish+0x257/0x257
+[  579.785179]  [<ffffffff816e3b47>] __netif_receive_skb+0x2b4/0x3f1
+[  579.785179]  [<ffffffff816e69fc>] process_backlog+0x99/0x1e2
+[  579.785179]  [<ffffffff816e6800>] net_rx_action+0xdf/0x242
+[  579.785179]  [<ffffffff8107e8a8>] __do_softirq+0xc1/0x1e0
+[  579.785179]  [<ffffffff8135a5ba>] ? trace_hardirqs_off_thunk+0x3a/0x6c
+[  579.785179]  [<ffffffff8188812c>] call_softirq+0x1c/0x30
+
+The steps to reproduce as follow,
+
+1. On Host1, setup brige br0(192.168.1.106)
+2. Boot a kvm guest(192.168.1.105) on Host1 and start httpd
+3. Start IPVS service on Host1
+   ipvsadm -A -t 192.168.1.106:80 -s rr
+   ipvsadm -a -t 192.168.1.106:80 -r 192.168.1.105:80 -m
+4. Run apache benchmark on Host2(192.168.1.101)
+   ab -n 1000 http://192.168.1.106/
+
+ip_vs_reply4
+  ip_vs_out
+    handle_response
+      ip_vs_notrack
+        nf_reset()
+        {
+          skb->nf_bridge = NULL;
+        }
+
+Actually, IPVS wants in this case just to replace nfct
+with untracked version. So replace the nf_reset(skb) call
+in ip_vs_notrack() with a nf_conntrack_put(skb->nfct) call.
+
+Signed-off-by: Lin Ming <mlin@ss.pku.edu.cn>
+Signed-off-by: Julian Anastasov <ja@ssi.bg>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ include/net/ip_vs.h |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/include/net/ip_vs.h
++++ b/include/net/ip_vs.h
+@@ -1361,7 +1361,7 @@ static inline void ip_vs_notrack(struct
+       struct nf_conn *ct = nf_ct_get(skb, &ctinfo);
+       if (!ct || !nf_ct_is_untracked(ct)) {
+-              nf_reset(skb);
++              nf_conntrack_put(skb->nfct);
+               skb->nfct = &nf_ct_untracked_get()->ct_general;
+               skb->nfctinfo = IP_CT_NEW;
+               nf_conntrack_get(skb->nfct);
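Review bot: The replacement line needs a comment saying why nf_reset() must not be used here, because the surrounding sequence (drop nfct, install untracked, take a reference) looks exactly like a place where a later cleanup would "simplify" back to nf_reset(): `/* Not nf_reset(): that also clears skb->nf_bridge, which br_nf_forward_finish() still dereferences on the bridge FORWARD path. */`. The `!ct` arm of the condition means skb->nfct can be NULL when nf_conntrack_put() is called; the old nf_reset() path never relied on the helper tolerating NULL, so confirm the 3.0 nf_conntrack_put() does. ip_vs_notrack() starts before and ends after the inner hunk.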
diff --git a/queue-3.0/netfilter-limit-hashlimit-avoid-duplicated-inline.patch b/queue-3.0/netfilter-limit-hashlimit-avoid-duplicated-inline.patch
new file mode 100644 (file)
index 0000000..27e5077
--- /dev/null
@@ -0,0 +1,81 @@
+From 7a909ac70f6b0823d9f23a43f19598d4b57ac901 Mon Sep 17 00:00:00 2001
+From: Florian Westphal <fw@strlen.de>
+Date: Mon, 7 May 2012 10:51:43 +0000
+Subject: netfilter: limit, hashlimit: avoid duplicated inline
+
+From: Florian Westphal <fw@strlen.de>
+
+commit 7a909ac70f6b0823d9f23a43f19598d4b57ac901 upstream.
+
+credit_cap can be set to credit, which avoids inlining user2credits
+twice. Also, remove inline keyword and let compiler decide.
+
+old:
+    684     192       0     876     36c net/netfilter/xt_limit.o
+   4927     344      32    5303    14b7 net/netfilter/xt_hashlimit.o
+now:
+    668     192       0     860     35c net/netfilter/xt_limit.o
+   4793     344      32    5169    1431 net/netfilter/xt_hashlimit.o
+
+Signed-off-by: Florian Westphal <fw@strlen.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_hashlimit.c |    8 +++-----
+ net/netfilter/xt_limit.c     |    5 ++---
+ 2 files changed, 5 insertions(+), 8 deletions(-)
+
+--- a/net/netfilter/xt_hashlimit.c
++++ b/net/netfilter/xt_hashlimit.c
+@@ -392,8 +392,7 @@ static void htable_put(struct xt_hashlim
+ #define CREDITS_PER_JIFFY POW2_BELOW32(MAX_CPJ)
+ /* Precision saver. */
+-static inline u_int32_t
+-user2credits(u_int32_t user)
++static u32 user2credits(u32 user)
+ {
+       /* If multiplying would overflow... */
+       if (user > 0xFFFFFFFF / (HZ*CREDITS_PER_JIFFY))
+@@ -403,7 +402,7 @@ user2credits(u_int32_t user)
+       return (user * HZ * CREDITS_PER_JIFFY) / XT_HASHLIMIT_SCALE;
+ }
+-static inline void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now)
++static void rateinfo_recalc(struct dsthash_ent *dh, unsigned long now)
+ {
+       dh->rateinfo.credit += (now - dh->rateinfo.prev) * CREDITS_PER_JIFFY;
+       if (dh->rateinfo.credit > dh->rateinfo.credit_cap)
+@@ -534,8 +533,7 @@ hashlimit_mt(const struct sk_buff *skb,
+               dh->rateinfo.prev = jiffies;
+               dh->rateinfo.credit = user2credits(hinfo->cfg.avg *
+                                     hinfo->cfg.burst);
+-              dh->rateinfo.credit_cap = user2credits(hinfo->cfg.avg *
+-                                        hinfo->cfg.burst);
++              dh->rateinfo.credit_cap = dh->rateinfo.credit;
+               dh->rateinfo.cost = user2credits(hinfo->cfg.avg);
+       } else {
+               /* update expiration timeout */
+--- a/net/netfilter/xt_limit.c
++++ b/net/netfilter/xt_limit.c
+@@ -88,8 +88,7 @@ limit_mt(const struct sk_buff *skb, stru
+ }
+ /* Precision saver. */
+-static u_int32_t
+-user2credits(u_int32_t user)
++static u32 user2credits(u32 user)
+ {
+       /* If multiplying would overflow... */
+       if (user > 0xFFFFFFFF / (HZ*CREDITS_PER_JIFFY))
+@@ -123,7 +122,7 @@ static int limit_mt_check(const struct x
+                  128. */
+               priv->prev = jiffies;
+               priv->credit = user2credits(r->avg * r->burst); /* Credits full. */
+-              r->credit_cap = user2credits(r->avg * r->burst); /* Credits full. */
++              r->credit_cap = priv->credit; /* Credits full. */
+               r->cost = user2credits(r->avg);
+       }
+       return 0;
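Review bot: This is a code-size cleanup rather than a fix, so the stable queue entry would benefit from a note saying why it is carried: the xt_limit fix queued in the same commit keeps `r->credit_cap = priv->credit; /* Credits full. */` as a context line, and that line only exists after this patch. Separately, the `avg * burst` product handed to user2credits() by both callers is an unchecked u32 multiplication of user-supplied values; the overflow guard inside user2credits() only covers its own multiply, so whatever range check exists presumably lives in the *_mt_check() paths outside this hunk — confirm before relying on `credit_cap = credit` being sane for large inputs.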
diff --git a/queue-3.0/netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch b/queue-3.0/netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch
new file mode 100644 (file)
index 0000000..8892b6a
--- /dev/null
@@ -0,0 +1,122 @@
+From 2614f86490122bf51eb7c12ec73927f1900f4e7d Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Thu, 16 Aug 2012 02:25:24 +0200
+Subject: netfilter: nf_ct_expect: fix possible access to uninitialized timer
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 2614f86490122bf51eb7c12ec73927f1900f4e7d upstream.
+
+In __nf_ct_expect_check, the function refresh_timer returns 1
+if a matching expectation is found and its timer is successfully
+refreshed. This results in nf_ct_expect_related returning 0.
+Note that at this point:
+
+- the passed expectation is not inserted in the expectation table
+  and its timer was not initialized, since we have refreshed one
+  matching/existing expectation.
+
+- nf_ct_expect_alloc uses kmem_cache_alloc, so the expectation
+  timer is in some undefined state just after the allocation,
+  until it is appropriately initialized.
+
+This can be a problem for the SIP helper during the expectation
+addition:
+
+ ...
+ if (nf_ct_expect_related(rtp_exp) == 0) {
+         if (nf_ct_expect_related(rtcp_exp) != 0)
+                 nf_ct_unexpect_related(rtp_exp);
+ ...
+
+Note that nf_ct_expect_related(rtp_exp) may return 0 for the timer refresh
+case that is detailed above. Then, if nf_ct_unexpect_related(rtcp_exp)
+returns != 0, nf_ct_unexpect_related(rtp_exp) is called, which does:
+
+ spin_lock_bh(&nf_conntrack_lock);
+ if (del_timer(&exp->timeout)) {
+         nf_ct_unlink_expect(exp);
+         nf_ct_expect_put(exp);
+ }
+ spin_unlock_bh(&nf_conntrack_lock);
+
+Note that del_timer always returns false if the timer has been
+initialized.  However, the timer was not initialized since setup_timer
+was not called, therefore, the expectation timer remains in some
+undefined state. If I'm not missing anything, this may lead to the
+removal an unexistent expectation.
+
+To fix this, the optimization that allows refreshing an expectation
+is removed. Now nf_conntrack_expect_related looks more consistent
+to me since it always add the expectation in case that it returns
+success.
+
+Thanks to Patrick McHardy for participating in the discussion of
+this patch.
+
+I think this may be the source of the problem described by:
+http://marc.info/?l=netfilter-devel&m=134073514719421&w=2
+
+Reported-by: Rafal Fitt <rafalf@aplusc.com.pl>
+Acked-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/nf_conntrack_expect.c |   29 ++++++-----------------------
+ 1 file changed, 6 insertions(+), 23 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -364,23 +364,6 @@ static void evict_oldest_expect(struct n
+       }
+ }
+-static inline int refresh_timer(struct nf_conntrack_expect *i)
+-{
+-      struct nf_conn_help *master_help = nfct_help(i->master);
+-      const struct nf_conntrack_expect_policy *p;
+-
+-      if (!del_timer(&i->timeout))
+-              return 0;
+-
+-      p = &rcu_dereference_protected(
+-              master_help->helper,
+-              lockdep_is_held(&nf_conntrack_lock)
+-              )->expect_policy[i->class];
+-      i->timeout.expires = jiffies + p->timeout * HZ;
+-      add_timer(&i->timeout);
+-      return 1;
+-}
+-
+ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
+ {
+       const struct nf_conntrack_expect_policy *p;
+@@ -388,7 +371,7 @@ static inline int __nf_ct_expect_check(s
+       struct nf_conn *master = expect->master;
+       struct nf_conn_help *master_help = nfct_help(master);
+       struct net *net = nf_ct_exp_net(expect);
+-      struct hlist_node *n;
++      struct hlist_node *n, *next;
+       unsigned int h;
+       int ret = 1;
+@@ -399,12 +382,12 @@ static inline int __nf_ct_expect_check(s
+               goto out;
+       }
+       h = nf_ct_expect_dst_hash(&expect->tuple);
+-      hlist_for_each_entry(i, n, &net->ct.expect_hash[h], hnode) {
++      hlist_for_each_entry_safe(i, n, next, &net->ct.expect_hash[h], hnode) {
+               if (expect_matches(i, expect)) {
+-                      /* Refresh timer: if it's dying, ignore.. */
+-                      if (refresh_timer(i)) {
+-                              ret = 0;
+-                              goto out;
++                      if (del_timer(&i->timeout)) {
++                              nf_ct_unlink_expect(i);
++                              nf_ct_expect_put(i);
++                              break;
+                       }
+               } else if (expect_clash(i, expect)) {
+                       ret = -EBUSY;
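Review bot: The `break` after unlinking the stale matching expectation assumes at most one entry in the bucket can match; if two could, the new expectation would be inserted beside the second stale one, so the invariant deserves a comment such as `/* At most one expectation can match: inserting a clashing one is refused with -EBUSY. */`. Leaving the loop early also skips the expect_clash() test for the remaining entries, which mirrors the old refresh_timer() early return, but now the caller proceeds to insert, so the assumption matters more than before. The patch description's sentence that del_timer() "always returns false if the timer has been initialized" reads inverted (del_timer() returns 0 when the timer is not pending); the code is right, the wording is not. __nf_ct_expect_check() continues past the end of the hunk.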
diff --git a/queue-3.0/netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch b/queue-3.0/netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch
new file mode 100644 (file)
index 0000000..5facea8
--- /dev/null
@@ -0,0 +1,51 @@
+From 3f509c689a07a4aa989b426893d8491a7ffcc410 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+Date: Wed, 29 Aug 2012 15:24:09 +0000
+Subject: netfilter: nf_nat_sip: fix incorrect handling of EBUSY for RTCP expectation
+
+From: Pablo Neira Ayuso <pablo@netfilter.org>
+
+commit 3f509c689a07a4aa989b426893d8491a7ffcc410 upstream.
+
+We're hitting bug while trying to reinsert an already existing
+expectation:
+
+kernel BUG at kernel/timer.c:895!
+invalid opcode: 0000 [#1] SMP
+[...]
+Call Trace:
+ <IRQ>
+ [<ffffffffa0069563>] nf_ct_expect_related_report+0x4a0/0x57a [nf_conntrack]
+ [<ffffffff812d423a>] ? in4_pton+0x72/0x131
+ [<ffffffffa00ca69e>] ip_nat_sdp_media+0xeb/0x185 [nf_nat_sip]
+ [<ffffffffa00b5b9b>] set_expected_rtp_rtcp+0x32d/0x39b [nf_conntrack_sip]
+ [<ffffffffa00b5f15>] process_sdp+0x30c/0x3ec [nf_conntrack_sip]
+ [<ffffffff8103f1eb>] ? irq_exit+0x9a/0x9c
+ [<ffffffffa00ca738>] ? ip_nat_sdp_media+0x185/0x185 [nf_nat_sip]
+
+We have to remove the RTP expectation if the RTCP expectation hits EBUSY
+since we keep trying with other ports until we succeed.
+
+Reported-by: Rafal Fitt <rafalf@aplusc.com.pl>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/nf_nat_sip.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv4/netfilter/nf_nat_sip.c
++++ b/net/ipv4/netfilter/nf_nat_sip.c
+@@ -501,7 +501,10 @@ static unsigned int ip_nat_sdp_media(str
+               ret = nf_ct_expect_related(rtcp_exp);
+               if (ret == 0)
+                       break;
+-              else if (ret != -EBUSY) {
++              else if (ret == -EBUSY) {
++                      nf_ct_unexpect_related(rtp_exp);
++                      continue;
++              } else if (ret < 0) {
+                       nf_ct_unexpect_related(rtp_exp);
+                       port = 0;
+                       break;
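Review bot: On -EBUSY the new branch unexpects rtp_exp and `continue`s, so the next iteration must re-register rtp_exp on a fresh port before retrying rtcp_exp; the loop head that would do that is outside this hunk (ip_nat_sdp_media() starts before and ends after it), so confirm the rtp side is actually re-added rather than left unregistered for the rest of the loop. The trailing `else if (ret < 0)` is equivalent to a plain `else`, since ret == 0 already broke out; keeping the comparison is fine, but a one-line comment `/* any other error: give up on this pair of ports */` would make the three-way split read more easily.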
diff --git a/queue-3.0/netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch b/queue-3.0/netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch
new file mode 100644 (file)
index 0000000..46f446c
--- /dev/null
@@ -0,0 +1,49 @@
+From f22eb25cf5b1157b29ef88c793b71972efc47143 Mon Sep 17 00:00:00 2001
+From: Patrick McHardy <kaber@trash.net>
+Date: Thu, 9 Aug 2012 10:08:47 +0000
+Subject: netfilter: nf_nat_sip: fix via header translation with multiple parameters
+
+From: Patrick McHardy <kaber@trash.net>
+
+commit f22eb25cf5b1157b29ef88c793b71972efc47143 upstream.
+
+Via-headers are parsed beginning at the first character after the Via-address.
+When the address is translated first and its length decreases, the offset to
+start parsing at is incorrect and header parameters might be missed.
+
+Update the offset after translating the Via-address to fix this.
+
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/nf_nat_sip.c |    5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/ipv4/netfilter/nf_nat_sip.c
++++ b/net/ipv4/netfilter/nf_nat_sip.c
+@@ -148,7 +148,7 @@ static unsigned int ip_nat_sip(struct sk
+       if (ct_sip_parse_header_uri(ct, *dptr, NULL, *datalen,
+                                   hdr, NULL, &matchoff, &matchlen,
+                                   &addr, &port) > 0) {
+-              unsigned int matchend, poff, plen, buflen, n;
++              unsigned int olen, matchend, poff, plen, buflen, n;
+               char buffer[sizeof("nnn.nnn.nnn.nnn:nnnnn")];
+               /* We're only interested in headers related to this
+@@ -163,11 +163,12 @@ static unsigned int ip_nat_sip(struct sk
+                               goto next;
+               }
++              olen = *datalen;
+               if (!map_addr(skb, dataoff, dptr, datalen, matchoff, matchlen,
+                             &addr, port))
+                       return NF_DROP;
+-              matchend = matchoff + matchlen;
++              matchend = matchoff + matchlen + *datalen - olen;
+               /* The maddr= parameter (RFC 2361) specifies where to send
+                * the reply. */
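Review bot: `matchend = matchoff + matchlen + *datalen - olen;` depends on unsigned wraparound: when map_addr() shrank the payload, `*datalen - olen` wraps and the sum lands on the right offset only because every operand is unsigned int. That is well-defined C, but it looks like an underflow to anyone auditing it, so a comment such as `/* *datalen may have grown or shrunk in map_addr(); unsigned wraparound yields the signed delta. */` would save the next reader a detour. ip_nat_sip() continues on both sides of the hunk.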
diff --git a/queue-3.0/netfilter-xt_limit-have-r-cost-0-case-work.patch b/queue-3.0/netfilter-xt_limit-have-r-cost-0-case-work.patch
new file mode 100644 (file)
index 0000000..057cc7d
--- /dev/null
@@ -0,0 +1,42 @@
+From 82e6bfe2fbc4d48852114c4f979137cd5bf1d1a8 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Fri, 21 Sep 2012 22:26:52 +0000
+Subject: netfilter: xt_limit: have r->cost != 0 case work
+
+From: Jan Engelhardt <jengelh@inai.de>
+
+commit 82e6bfe2fbc4d48852114c4f979137cd5bf1d1a8 upstream.
+
+Commit v2.6.19-rc1~1272^2~41 tells us that r->cost != 0 can happen when
+a running state is saved to userspace and then reinstated from there.
+
+Make sure that private xt_limit area is initialized with correct values.
+Otherwise, random matchings due to use of uninitialized memory.
+
+Signed-off-by: Jan Engelhardt <jengelh@inai.de>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Acked-by: David Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/netfilter/xt_limit.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/netfilter/xt_limit.c
++++ b/net/netfilter/xt_limit.c
+@@ -117,11 +117,11 @@ static int limit_mt_check(const struct x
+       /* For SMP, we only want to use one set of state. */
+       r->master = priv;
++      /* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies *
++         128. */
++      priv->prev = jiffies;
++      priv->credit = user2credits(r->avg * r->burst); /* Credits full. */
+       if (r->cost == 0) {
+-              /* User avg in seconds * XT_LIMIT_SCALE: convert to jiffies *
+-                 128. */
+-              priv->prev = jiffies;
+-              priv->credit = user2credits(r->avg * r->burst); /* Credits full. */
+               r->credit_cap = priv->credit; /* Credits full. */
+               r->cost = user2credits(r->avg);
+       }
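Review bot: The two assignments hoisted out of the `if` now run for the restored-state case (r->cost != 0) as well, and nothing in the hunk explains why, so a later cleanup could fold them back in; a comment would pin the reason, e.g. `/* priv is freshly allocated: prev/credit must be set even when cost/credit_cap were restored from userspace. */`. In that case credit is recomputed from avg*burst while credit_cap and cost are taken as-is from the restored struct; the hunk shows no range check on those two fields, so it presumably happens earlier in limit_mt_check(), which starts before this hunk — confirm.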
index 48c5d39ba047eb56ef2ab1472432ba6d4b6f63bc..a0fe03af353956436a623e35590dfd01f55da295 100644 (file)
@@ -20,3 +20,9 @@ tg3-apply-short-dma-frag-workaround-to-5906.patch
 ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch
 netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch
 netfilter-nf_ct_ipv4-packets-with-wrong-ihl-are-invalid.patch
+netfilter-nf_nat_sip-fix-incorrect-handling-of-ebusy-for-rtcp-expectation.patch
+ipvs-fix-oops-on-nat-reply-in-br_nf-context.patch
+netfilter-nf_nat_sip-fix-via-header-translation-with-multiple-parameters.patch
+netfilter-nf_ct_expect-fix-possible-access-to-uninitialized-timer.patch
+netfilter-limit-hashlimit-avoid-duplicated-inline.patch
+netfilter-xt_limit-have-r-cost-0-case-work.patch