From: Greg Kroah-Hartman
Date: Mon, 15 Oct 2012 23:27:03 +0000 (-0700)
Subject: 3.4-stable patches
X-Git-Tag: v3.0.47~23
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8527118338409dc451cd073a118ba67085d365c8;p=thirdparty%2Fkernel%2Fstable-queue.git
3.4-stable patches
added patches:
ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch
netfilter-ipset-fix-timeout-value-overflow-bug.patch
netfilter-ipset-timeout-fixing-bug-broke-set-target-special-timeout-value.patch
netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch
---
diff --git a/queue-3.4/ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch b/queue-3.4/ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch
new file mode 100644
index 00000000000..4d110a1100f
--- /dev/null
+++ b/queue-3.4/ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch
@@ -0,0 +1,52 @@
+From 283283c4da91adc44b03519f434ee1e7e91d6fdb Mon Sep 17 00:00:00 2001
+From: Julian Anastasov
+Date: Sat, 7 Jul 2012 20:30:11 +0300
+Subject: ipvs: fix oops in ip_vs_dst_event on rmmod
+
+From: Julian Anastasov
+
+commit 283283c4da91adc44b03519f434ee1e7e91d6fdb upstream.
+
+ After commit 39f618b4fd95ae243d940ec64c961009c74e3333 (3.4)
+"ipvs: reset ipvs pointer in netns" we can oops in
+ip_vs_dst_event on rmmod ip_vs because ip_vs_control_cleanup
+is called after the ipvs_core_ops subsys is unregistered and
+net->ipvs is NULL. Fix it by exiting early from ip_vs_dst_event
+if ipvs is NULL. It is safe because all services and dests
+for the net are already freed.
+
+Signed-off-by: Julian Anastasov
+Signed-off-by: Simon Horman
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: David Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/ipvs/ip_vs_ctl.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/ipvs/ip_vs_ctl.c
++++ b/net/netfilter/ipvs/ip_vs_ctl.c
+@@ -1521,11 +1521,12 @@ static int ip_vs_dst_event(struct notifi
+ {
+ struct net_device *dev = ptr;
+ struct net *net = dev_net(dev);
++ struct netns_ipvs *ipvs = net_ipvs(net);
+ struct ip_vs_service *svc;
+ struct ip_vs_dest *dest;
+ unsigned int idx;
+
+- if (event != NETDEV_UNREGISTER)
++ if (event != NETDEV_UNREGISTER || !ipvs)
+ return NOTIFY_DONE;
+ IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name);
+ EnterFunction(2);
+@@ -1551,7 +1552,7 @@ static int ip_vs_dst_event(struct notifi
+ }
+ }
+
+- list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) {
++ list_for_each_entry(dest, &ipvs->dest_trash, n_list) {
+ __ip_vs_dev_reset(dest, dev);
+ }
+ mutex_unlock(&__ip_vs_mutex);
diff --git a/queue-3.4/netfilter-ipset-fix-timeout-value-overflow-bug.patch b/queue-3.4/netfilter-ipset-fix-timeout-value-overflow-bug.patch
new file mode 100644
index 00000000000..1f0d2af4f6b
--- /dev/null
+++ b/queue-3.4/netfilter-ipset-fix-timeout-value-overflow-bug.patch
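Review bot: The new `!ipvs` early return in ip_vs_dst_event() has no comment, so the reason a netdevice notifier can see a NULL net->ipvs is recorded only in the changelog. I would add above the test something like `/* net->ipvs is NULL once ipvs_core_ops is unregistered on rmmod; services and dests are already freed */`. The pointer is read once at the top and reused for the dest_trash walk in the second inner hunk; whether that read is covered by __ip_vs_mutex cannot be seen here, because the lock acquisition falls between the two hunks. The function body starts and ends outside the hunks.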
@@ -0,0 +1,73 @@
+From 127f559127f5175e4bec3dab725a34845d956591 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik
+Date: Mon, 7 May 2012 02:35:44 +0000
+Subject: netfilter: ipset: fix timeout value overflow bug
+
+From: Jozsef Kadlecsik
+
+commit 127f559127f5175e4bec3dab725a34845d956591 upstream.
+
+Large timeout parameters could result wrong timeout values due to
+an overflow at msec to jiffies conversion (reported by Andreas Herz)
+
+[ This patch was mangled by Pablo Neira Ayuso since David Laight and
+ Eric Dumazet noticed that we were using hardcoded 1000 instead of
+ MSEC_PER_SEC to calculate the timeout ]
+
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: David Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/netfilter/ipset/ip_set_timeout.h | 4 ++++
+ net/netfilter/xt_set.c | 15 +++++++++++++--
+ 2 files changed, 17 insertions(+), 2 deletions(-)
+
+--- a/include/linux/netfilter/ipset/ip_set_timeout.h
++++ b/include/linux/netfilter/ipset/ip_set_timeout.h
+@@ -30,6 +30,10 @@ ip_set_timeout_uget(struct nlattr *tb)
+ {
+ unsigned int timeout = ip_set_get_h32(tb);
+
++ /* Normalize to fit into jiffies */
++ if (timeout > UINT_MAX/MSEC_PER_SEC)
++ timeout = UINT_MAX/MSEC_PER_SEC;
++
+ /* Userspace supplied TIMEOUT parameter: adjust crazy size */
+ return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
+ }
+--- a/net/netfilter/xt_set.c
++++ b/net/netfilter/xt_set.c
+@@ -44,6 +44,14 @@ const struct ip_set_adt_opt n = { \
+ .cmdflags = cfs, \
+ .timeout = t, \
+ }
++#define ADT_MOPT(n, f, d, fs, cfs, t) \
++struct ip_set_adt_opt n = { \
++ .family = f, \
++ .dim = d, \
++ .flags = fs, \
++ .cmdflags = cfs, \
++ .timeout = t, \
++}
+
+ /* Revision 0 interface: backward compatible with netfilter/iptables */
+
+@@ -296,11 +304,14 @@ static unsigned int
+ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par)
+ {
+ const struct xt_set_info_target_v2 *info = par->targinfo;
+- ADT_OPT(add_opt, par->family, info->add_set.dim,
+- info->add_set.flags, info->flags, info->timeout);
++ ADT_MOPT(add_opt, par->family, info->add_set.dim,
++ info->add_set.flags, info->flags, info->timeout);
+ ADT_OPT(del_opt, par->family, info->del_set.dim,
+ info->del_set.flags, 0, UINT_MAX);
+
++ /* Normalize to fit into jiffies */
++ if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
++ add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_add(info->add_set.index, skb, par, &add_opt);
+ if (info->del_set.index != IPSET_INVALID_ID)
diff --git a/queue-3.4/netfilter-ipset-timeout-fixing-bug-broke-set-target-special-timeout-value.patch b/queue-3.4/netfilter-ipset-timeout-fixing-bug-broke-set-target-special-timeout-value.patch
new file mode 100644
index 00000000000..b021467e42e
--- /dev/null
+++ b/queue-3.4/netfilter-ipset-timeout-fixing-bug-broke-set-target-special-timeout-value.patch
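Review bot: The overflow bound is written out twice, as `if (timeout > UINT_MAX/MSEC_PER_SEC)` in ip_set_timeout_uget() and again on add_opt.timeout in set_target_v2(), so the netlink path and the SET target path can drift apart. A small inline helper in ip_set_timeout.h whose body is `return timeout > UINT_MAX/MSEC_PER_SEC ? UINT_MAX/MSEC_PER_SEC : timeout;` would keep the limit in one place. In ip_set_timeout_uget() the clamp also runs before the `timeout == IPSET_NO_TIMEOUT` test; if IPSET_NO_TIMEOUT is above UINT_MAX/MSEC_PER_SEC (its definition is not in the hunk), that test can no longer be true and the "adjust crazy size" comment should say which of the two checks now does the work. set_target_v2() continues past the end of the hunk.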
@@ -0,0 +1,42 @@
+From a73f89a61f92b364f0b4a3be412b5b70553afc23 Mon Sep 17 00:00:00 2001
+From: Jozsef Kadlecsik
+Date: Fri, 29 Jun 2012 09:42:28 +0000
+Subject: netfilter: ipset: timeout fixing bug broke SET target special timeout value
+
+From: Jozsef Kadlecsik
+
+commit a73f89a61f92b364f0b4a3be412b5b70553afc23 upstream.
+
+The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
+broke the SET target when no timeout was specified.
+
+Reported-by: Jean-Philippe Menil
+Signed-off-by: Jozsef Kadlecsik
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: David Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/xt_set.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/xt_set.c
++++ b/net/netfilter/xt_set.c
+@@ -16,6 +16,7 @@
+
+ #include
+ #include
++#include
+
+ MODULE_LICENSE("GPL");
+ MODULE_AUTHOR("Jozsef Kadlecsik ");
+@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const
+ info->del_set.flags, 0, UINT_MAX);
+
+ /* Normalize to fit into jiffies */
+- if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
++ if (add_opt.timeout != IPSET_NO_TIMEOUT &&
++ add_opt.timeout > UINT_MAX/MSEC_PER_SEC)
+ add_opt.timeout = UINT_MAX/MSEC_PER_SEC;
+ if (info->add_set.index != IPSET_INVALID_ID)
+ ip_set_add(info->add_set.index, skb, par, &add_opt);
diff --git a/queue-3.4/netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch b/queue-3.4/netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch
new file mode 100644
index 00000000000..f31b2c0b4f7
--- /dev/null
+++ b/queue-3.4/netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch
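Review bot: The comment `/* Normalize to fit into jiffies */` in set_target_v2() no longer covers the whole condition, because the test now lets IPSET_NO_TIMEOUT through unclamped and nothing in the code says why. I would extend it to `/* Normalize to fit into jiffies, but keep IPSET_NO_TIMEOUT: it marks "no timeout specified" */`, which is how the commit message describes the case that regressed. The function starts and ends outside the hunk.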
@@ -0,0 +1,85 @@
+From 5b423f6a40a0327f9d40bc8b97ce9be266f74368 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Wed, 29 Aug 2012 16:25:49 +0000
+Subject: netfilter: nf_conntrack: fix racy timer handling with reliable events
+
+From: Pablo Neira Ayuso
+
+commit 5b423f6a40a0327f9d40bc8b97ce9be266f74368 upstream.
+
+Existing code assumes that del_timer returns true for alive conntrack
+entries. However, this is not true if reliable events are enabled.
+In that case, del_timer may return true for entries that were
+just inserted in the dying list. Note that packets / ctnetlink may
+hold references to conntrack entries that were just inserted to such
+list.
+
+This patch fixes the issue by adding an independent timer for
+event delivery. This increases the size of the ecache extension.
+Still we can revisit this later and use variable size extensions
+to allocate this area on demand.
+
+Tested-by: Oliver Smith
+Signed-off-by: Pablo Neira Ayuso
+Acked-by: David Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/net/netfilter/nf_conntrack_ecache.h | 1 +
+ net/netfilter/nf_conntrack_core.c | 16 +++++++++++-----
+ 2 files changed, 12 insertions(+), 5 deletions(-)
+
+--- a/include/net/netfilter/nf_conntrack_ecache.h
++++ b/include/net/netfilter/nf_conntrack_ecache.h
+@@ -18,6 +18,7 @@ struct nf_conntrack_ecache {
+ u16 ctmask; /* bitmask of ct events to be delivered */
+ u16 expmask; /* bitmask of expect events to be delivered */
+ u32 pid; /* netlink pid of destroyer */
++ struct timer_list timeout;
+ };
+
+ static inline struct nf_conntrack_ecache *
+--- a/net/netfilter/nf_conntrack_core.c
++++ b/net/netfilter/nf_conntrack_core.c
+@@ -249,12 +249,15 @@ static void death_by_event(unsigned long
+ {
+ struct nf_conn *ct = (void *)ul_conntrack;
+ struct net *net = nf_ct_net(ct);
++ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
++
++ BUG_ON(ecache == NULL);
+
+ if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) {
+ /* bad luck, let's retry again */
+- ct->timeout.expires = jiffies +
++ ecache->timeout.expires = jiffies +
+ (random32() % net->ct.sysctl_events_retry_timeout);
+- add_timer(&ct->timeout);
++ add_timer(&ecache->timeout);
+ return;
+ }
+ /* we've got the event delivered, now it's dying */
+@@ -268,6 +271,9 @@ static void death_by_event(unsigned long
+ void nf_ct_insert_dying_list(struct nf_conn *ct)
+ {
+ struct net *net = nf_ct_net(ct);
++ struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct);
++
++ BUG_ON(ecache == NULL);
+
+ /* add this conntrack to the dying list */
+ spin_lock_bh(&nf_conntrack_lock);
+@@ -275,10 +281,10 @@ void nf_ct_insert_dying_list(struct nf_c
+ &net->ct.dying);
+ spin_unlock_bh(&nf_conntrack_lock);
+ /* set a new timer to retry event delivery */
+- setup_timer(&ct->timeout, death_by_event, (unsigned long)ct);
+- ct->timeout.expires = jiffies +
++ setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct);
++ ecache->timeout.expires = jiffies +
+ (random32() % net->ct.sysctl_events_retry_timeout);
+- add_timer(&ct->timeout);
++ add_timer(&ecache->timeout);
+ }
+ EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list);
+
diff --git a/queue-3.4/series b/queue-3.4/series
index 71865063417..9092a27f6c1 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -31,3 +31,7 @@ ath9k-use-ieee80211_free_txskb.patch
 md-raid10-use-correct-limit-variable.patch
 kdb-vt_console-fix-missed-data-due-to-pager-overruns.patch
 pktgen-fix-crash-when-generating-ipv6-packets.patch
+ipvs-fix-oops-in-ip_vs_dst_event-on-rmmod.patch
+netfilter-nf_conntrack-fix-racy-timer-handling-with-reliable-events.patch
+netfilter-ipset-fix-timeout-value-overflow-bug.patch
+netfilter-ipset-timeout-fixing-bug-broke-set-target-special-timeout-value.patch
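Review bot: `BUG_ON(ecache == NULL)` in death_by_event() and nf_ct_insert_dying_list() makes a missing ecache extension fatal for the whole kernel, and death_by_event() is the function handed to setup_timer(), so it runs as a timer callback. The hunks do not show what guarantees the extension is present on these paths, so at minimum I would add a comment above each assertion, e.g. `/* reached only after nf_conntrack_event() failed, which requires an ecache */`, once that invariant is confirmed against the callers. Separately, both re-arm sites keep `random32() % net->ct.sysctl_events_retry_timeout`; if that sysctl can be set to 0 (its handler is not visible here) the modulo divides by zero, so a lower bound on the sysctl is worth checking. Both function bodies extend beyond the hunks.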