From b76b364f29c751062316c8a5b3a05bbb896ce687 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 3 May 2015 20:45:07 +0200
Subject: [PATCH] delete broken netfilter patch
---
 ...-fix-cgroup-matching-on-non-full-sks.patch | 43 -------------------
 queue-3.19/series | 1 -
 ...-fix-cgroup-matching-on-non-full-sks.patch | 43 -------------------
 queue-4.0/series | 1 -
 4 files changed, 88 deletions(-)
 delete mode 100644 queue-3.19/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
 delete mode 100644 queue-4.0/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
diff --git a/queue-3.19/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch b/queue-3.19/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
deleted file mode 100644
index f4b22f14d48..00000000000
--- a/queue-3.19/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From afb7718016fcb0370ac29a83b2839c78b76c2960 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Fri, 27 Mar 2015 19:37:41 +0100
-Subject: netfilter: x_tables: fix cgroup matching on non-full sks
-
-From: Daniel Borkmann
-
-commit afb7718016fcb0370ac29a83b2839c78b76c2960 upstream.
-
-While originally only being intended for outgoing traffic, commit
-a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for
-LOCAL_IN nf hooks") enabled xt_cgroups for the NF_INET_LOCAL_IN hook
-as well, in order to allow for nfacct accounting.
-
-Besides being currently limited to early demuxes only, commit
-a00e76349f35 forgot to add a check if we deal with full sockets,
-i.e. in this case not with time wait sockets. TCP time wait sockets
-do not have the same memory layout as full sockets, a lower memory
-footprint and consequently also don't have a sk_classid member;
-probing for sk_classid member there could potentially lead to a
-crash.
-
-Fixes: a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks")
-Cc: Alexey Perevalov
-Signed-off-by: Daniel Borkmann
-Signed-off-by: Pablo Neira Ayuso
-Signed-off-by: Greg Kroah-Hartman
-
----
- net/netfilter/xt_cgroup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/netfilter/xt_cgroup.c
-+++ b/net/netfilter/xt_cgroup.c
-@@ -39,7 +39,7 @@ cgroup_mt(const struct sk_buff *skb, str
- {
- const struct xt_cgroup_info *info = par->matchinfo;
-
-- if (skb->sk == NULL)
-+ if (skb->sk == NULL || !sk_fullsock(skb->sk))
- return false;
-
- return (info->id == skb->sk->sk_classid) ^ info->invert;
diff --git a/queue-3.19/series b/queue-3.19/series
index 431148ce286..e65d7d90e5f 100644
--- a/queue-3.19/series
+++ b/queue-3.19/series
@@ -173,5 +173,4 @@ c6x-time-ensure-consistency-in-__init.patch
 memstick-mspro_block-add-missing-curly-braces.patch
 drivers-platform-parse-irq-flags-from-resources.patch
 driver-core-bus-goto-appropriate-labels-on-failure-in-bus_add_device.patch
-netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
 netfilter-bridge-really-save-frag_max_size-between-pre-and-post_routing.patch
diff --git a/queue-4.0/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch b/queue-4.0/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
deleted file mode 100644
index f4b22f14d48..00000000000
--- a/queue-4.0/netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
+++ /dev/null
@@ -1,43 +0,0 @@
-From afb7718016fcb0370ac29a83b2839c78b76c2960 Mon Sep 17 00:00:00 2001
-From: Daniel Borkmann
-Date: Fri, 27 Mar 2015 19:37:41 +0100
-Subject: netfilter: x_tables: fix cgroup matching on non-full sks
-
-From: Daniel Borkmann
-
-commit afb7718016fcb0370ac29a83b2839c78b76c2960 upstream.
-
-While originally only being intended for outgoing traffic, commit
-a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for
-LOCAL_IN nf hooks") enabled xt_cgroups for the NF_INET_LOCAL_IN hook
-as well, in order to allow for nfacct accounting.
-
-Besides being currently limited to early demuxes only, commit
-a00e76349f35 forgot to add a check if we deal with full sockets,
-i.e. in this case not with time wait sockets. TCP time wait sockets
-do not have the same memory layout as full sockets, a lower memory
-footprint and consequently also don't have a sk_classid member;
-probing for sk_classid member there could potentially lead to a
-crash.
-
-Fixes: a00e76349f35 ("netfilter: x_tables: allow to use cgroup match for LOCAL_IN nf hooks")
-Cc: Alexey Perevalov
-Signed-off-by: Daniel Borkmann
-Signed-off-by: Pablo Neira Ayuso
-Signed-off-by: Greg Kroah-Hartman
-
----
- net/netfilter/xt_cgroup.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
---- a/net/netfilter/xt_cgroup.c
-+++ b/net/netfilter/xt_cgroup.c
-@@ -39,7 +39,7 @@ cgroup_mt(const struct sk_buff *skb, str
- {
- const struct xt_cgroup_info *info = par->matchinfo;
-
-- if (skb->sk == NULL)
-+ if (skb->sk == NULL || !sk_fullsock(skb->sk))
- return false;
-
- return (info->id == skb->sk->sk_classid) ^ info->invert;
diff --git a/queue-4.0/series b/queue-4.0/series
index a254cbae046..366f4e3df62 100644
--- a/queue-4.0/series
+++ b/queue-4.0/series
@@ -216,5 +216,4 @@ c6x-time-ensure-consistency-in-__init.patch
 memstick-mspro_block-add-missing-curly-braces.patch
 drivers-platform-parse-irq-flags-from-resources.patch
 driver-core-bus-goto-appropriate-labels-on-failure-in-bus_add_device.patch
-netfilter-x_tables-fix-cgroup-matching-on-non-full-sks.patch
 netfilter-bridge-really-save-frag_max_size-between-pre-and-post_routing.patch
--
2.47.2