From: Greg Kroah-Hartman
Date: Sat, 17 Oct 2015 19:50:05 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.91~54
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=982e550e024bfb65b653dbd841a34bf29a6ce583;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
netfilter-ctnetlink-put-back-references-to-master-ct-and-expect-objects.patch
netfilter-nf_conntrack-support-expectations-in-different-zones.patch
netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch
---
diff --git a/queue-3.14/netfilter-ctnetlink-put-back-references-to-master-ct-and-expect-objects.patch b/queue-3.14/netfilter-ctnetlink-put-back-references-to-master-ct-and-expect-objects.patch
new file mode 100644
index 00000000000..50f0493e573
--- /dev/null
+++ b/queue-3.14/netfilter-ctnetlink-put-back-references-to-master-ct-and-expect-objects.patch
@@ -0,0 +1,35 @@
+From 95dd8653de658143770cb0e55a58d2aab97c79d2 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Thu, 9 Jul 2015 22:56:00 +0200
+Subject: netfilter: ctnetlink: put back references to master ct and expect objects
+
+From: Pablo Neira Ayuso
+
+commit 95dd8653de658143770cb0e55a58d2aab97c79d2 upstream.
+
+We have to put back the references to the master conntrack and the expectation
+that we just created, otherwise we'll leak them.
+
+Fixes: 0ef71ee1a5b9 ("netfilter: ctnetlink: refactor ctnetlink_create_expect")
+Reported-by: Tim Wiess
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_netlink.c | 5 -----
+ 1 file changed, 5 deletions(-)
+
+--- a/net/netfilter/nf_conntrack_netlink.c
++++ b/net/netfilter/nf_conntrack_netlink.c
+@@ -2927,11 +2927,6 @@ ctnetlink_create_expect(struct net *net,
+ }
+
+ err = nf_ct_expect_related_report(exp, portid, report);
+- if (err < 0)
+- goto err_exp;
+-
+ return 0;
+-err_exp:
+ nf_ct_expect_put(exp);
+ err_ct:
+ nf_ct_put(ct);
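Review bot: With the early `return 0` and the err_exp label gone, the success path of ctnetlink_create_expect now falls through `nf_ct_expect_put(exp)` and `nf_ct_put(ct)` with err == 0, so the return statement after the err_ct label — outside the hunk — has to return err for a successful create to still be reported as 0 to the caller; that is worth confirming against the 3.14 tree before the patch is queued. The fall-through is deliberate but not self-explanatory, so a comment above the put, `/* expect_related took its own references; drop ours on both the success and the error path */`, would stop a later cleanup from re-introducing the early return and with it the leak of the ct and expect references. The enclosing function begins before the hunk.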
diff --git a/queue-3.14/netfilter-nf_conntrack-support-expectations-in-different-zones.patch b/queue-3.14/netfilter-nf_conntrack-support-expectations-in-different-zones.patch
new file mode 100644
index 00000000000..83943c592d2
--- /dev/null
+++ b/queue-3.14/netfilter-nf_conntrack-support-expectations-in-different-zones.patch
@@ -0,0 +1,36 @@
+From 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 Mon Sep 17 00:00:00 2001
+From: Joe Stringer
+Date: Tue, 21 Jul 2015 21:37:31 -0700
+Subject: netfilter: nf_conntrack: Support expectations in different zones
+
+From: Joe Stringer
+
+commit 4b31814d20cbe5cd4ccf18089751e77a04afe4f2 upstream.
+
+When zones were originally introduced, the expectation functions were
+all extended to perform lookup using the zone. However, insertion was
+not modified to check the zone. This means that two expectations which
+are intended to apply for different connections that have the same tuple
+but exist in different zones cannot both be tracked.
+
+Fixes: 5d0aa2ccd4 (netfilter: nf_conntrack: add support for "conntrack zones")
+Signed-off-by: Joe Stringer
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_conntrack_expect.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_conntrack_expect.c
++++ b/net/netfilter/nf_conntrack_expect.c
+@@ -202,7 +202,8 @@ static inline int expect_clash(const str
+ a->mask.src.u3.all[count] & b->mask.src.u3.all[count];
+ }
+
+- return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask);
++ return nf_ct_tuple_mask_cmp(&a->tuple, &b->tuple, &intersect_mask) &&
++ nf_ct_zone(a->master) == nf_ct_zone(b->master);
+ }
+
+ static inline int expect_matches(const struct nf_conntrack_expect *a,
diff --git a/queue-3.14/netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch b/queue-3.14/netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch
new file mode 100644
index 00000000000..6487ed5c819
--- /dev/null
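Review bot: The zone comparison appended to the return in expect_clash carries no comment, so a reader of the code alone cannot tell that equal tuples in different zones are now meant to coexist rather than being a latent duplicate; I'd add `/* Overlapping tuples only clash within the same conntrack zone; equal tuples in different zones may coexist. */` above the return. If expect_matches, whose signature is the trailing context line, still requires a->master == b->master (its body is outside the hunk), equal masters already imply an equal zone and no parallel change is needed there — worth a glance when backporting to 3.14. expect_clash's body begins before the hunk.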
+++ b/queue-3.14/netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch 
@@ -0,0 +1,96 @@
+From ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 Mon Sep 17 00:00:00 2001
+From: Pablo Neira Ayuso
+Date: Mon, 14 Sep 2015 18:04:09 +0200
+Subject: netfilter: nft_compat: skip family comparison in case of NFPROTO_UNSPEC
+
+From: Pablo Neira Ayuso
+
+commit ba378ca9c04a5fc1b2cf0f0274a9d02eb3d1bad9 upstream.
+
+Fix lookup of existing match/target structures in the corresponding list
+by skipping the family check if NFPROTO_UNSPEC is used.
+
+This is resulting in the allocation and insertion of one match/target
+structure for each use of them. So this not only bloats memory
+consumption but also severely affects the time to reload the ruleset
+from the iptables-compat utility.
+
+After this patch, iptables-compat-restore and iptables-compat take
+almost the same time to reload large rulesets.
+
+Fixes: 0ca743a55991 ("netfilter: nf_tables: add compatibility layer for x_tables")
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nft_compat.c | 24 ++++++++++++++++++------
+ 1 file changed, 18 insertions(+), 6 deletions(-)
+
+--- a/net/netfilter/nft_compat.c
++++ b/net/netfilter/nft_compat.c
+@@ -594,6 +594,13 @@ struct nft_xt {
+
+ static struct nft_expr_type nft_match_type;
+
++static bool nft_match_cmp(const struct xt_match *match,
++ const char *name, u32 rev, u32 family)
++{
++ return strcmp(match->name, name) == 0 && match->revision == rev &&
++ (match->family == NFPROTO_UNSPEC || match->family == family);
++}
++
+ static const struct nft_expr_ops *
+ nft_match_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
+@@ -601,7 +608,7 @@ nft_match_select_ops(const struct nft_ct
+ struct nft_xt *nft_match;
+ struct xt_match *match;
+ char *mt_name;
+- __u32 rev, family;
++ u32 rev, family;
+
+ if (tb[NFTA_MATCH_NAME] == NULL ||
+ tb[NFTA_MATCH_REV] == NULL ||
+@@ -616,8 +623,7 @@ nft_match_select_ops(const struct nft_ct
+ list_for_each_entry(nft_match, &nft_match_list, head) {
+ struct xt_match
*match = nft_match->ops.data;
+
+- if (strcmp(match->name, mt_name) == 0 &&
+- match->revision == rev && match->family == family) {
++ if (nft_match_cmp(match, mt_name, rev, family)) {
+ if (!try_module_get(match->me))
+ return ERR_PTR(-ENOENT);
+
+@@ -669,6 +675,13 @@ static LIST_HEAD(nft_target_list);
+
+ static struct nft_expr_type nft_target_type;
+
++static bool nft_target_cmp(const struct xt_target *tg,
++ const char *name, u32 rev, u32 family)
++{
++ return strcmp(tg->name, name) == 0 && tg->revision == rev &&
++ (tg->family == NFPROTO_UNSPEC || tg->family == family);
++}
++
+ static const struct nft_expr_ops *
+ nft_target_select_ops(const struct nft_ctx *ctx,
+ const struct nlattr * const tb[])
+@@ -676,7 +689,7 @@ nft_target_select_ops(const struct nft_c
+ struct nft_xt *nft_target;
+ struct xt_target *target;
+ char *tg_name;
+- __u32 rev, family;
++ u32 rev, family;
+
+ if (tb[NFTA_TARGET_NAME] == NULL ||
+ tb[NFTA_TARGET_REV] == NULL ||
+@@ -691,8 +704,7 @@ nft_target_select_ops(const struct nft_c
+ list_for_each_entry(nft_target, &nft_target_list, head) {
+ struct xt_target *target = nft_target->ops.data;
+
+- if (strcmp(target->name, tg_name) == 0 &&
+- target->revision == rev && target->family == family) {
++ if (nft_target_cmp(target, tg_name, rev, family)) {
+ if (!try_module_get(target->me))
+ return ERR_PTR(-ENOENT);
+
diff --git a/queue-3.14/series b/queue-3.14/series
index c2ec0dea527..72b3f1384a1 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -35,3 +35,6 @@ dm-btree-add-ref-counting-ops-for-the-leaves-of-top-level-btrees.patch
 staging-ion-fix-corruption-of-ion_import_dma_buf.patch
 usb-option-add-zte-pids.patch
 dm-raid-fix-round-up-of-default-region-size.patch
+netfilter-nf_conntrack-support-expectations-in-different-zones.patch
+netfilter-ctnetlink-put-back-references-to-master-ct-and-expect-objects.patch
+netfilter-nft_compat-skip-family-comparison-in-case-of-nfproto_unspec.patch
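Review bot: nft_match_cmp and nft_target_cmp are line-for-line duplicates over two struct types, and neither says why NFPROTO_UNSPEC is accepted for any family, so the rule the commit message explains is invisible at the call sites in nft_match_select_ops and nft_target_select_ops; a comment on each helper, `/* An extension registered for NFPROTO_UNSPEC serves every family, so one cached entry is reused whatever family the lookup asks for. */`, would document that intent. The strcmp against name relies on mt_name and tg_name, taken from the NFTA_MATCH_NAME and NFTA_TARGET_NAME attributes, being NUL-terminated by the netlink attribute policy, which is outside the hunk and worth confirming for the 3.14 backport; the replaced code had the same dependency, so this is not a regression introduced here. The same comment applies to the nft_target_cmp hunk further down in the same file, and the two select_ops functions continue outside the hunk.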