From: Greg Kroah-Hartman Date: Fri, 1 Feb 2013 12:34:56 +0000 (+0100) Subject: 3.7-stable patches X-Git-Tag: v3.0.62~3 X-Git-Url: http://git.ipfire.org/gitweb/?a=commitdiff_plain;h=5ade2f89a0592c738695e76ee7245b7d37da195f;p=thirdparty%2Fkernel%2Fstable-queue.git 3.7-stable patches added patches: netfilter-ctnetlink-fix-leak-in-error-path-of-ctnetlink_create_expect.patch netfilter-fix-missing-dependencies-for-the-notrack-target.patch netfilter-nf_conntrack-fix-bug_on-while-removing-nf_conntrack-with-netns.patch netfilter-nfnetlink_log-fix-mac-address-for-6in4-tunnels.patch netfilter-nfnetlink_log-fix-possible-compilation-issue-due-to-missing-include.patch netfilter-x_tables-print-correct-hook-names-for-arp.patch netfilter-xt_ct-recover-notrack-target-support.patch netfilter-xt_hashlimit-fix-namespace-destroy-path.patch netfilter-xt_hashlimit-fix-race-that-results-in-duplicated-entries.patch netfilter-xt_recent-avoid-high-order-page-allocations.patch netfilter-xt_recent-fix-namespace-destroy-path.patch --- diff --git a/queue-3.7/netfilter-ctnetlink-fix-leak-in-error-path-of-ctnetlink_create_expect.patch b/queue-3.7/netfilter-ctnetlink-fix-leak-in-error-path-of-ctnetlink_create_expect.patch new file mode 100644 index 00000000000..8dbf7863068 --- /dev/null +++ b/queue-3.7/netfilter-ctnetlink-fix-leak-in-error-path-of-ctnetlink_create_expect.patch @@ -0,0 +1,31 @@ +From 1310b955c804975651dca6c674ebfd1cb2b4c7ff Mon Sep 17 00:00:00 2001 +From: Jesper Juhl +Date: Wed, 26 Dec 2012 11:49:40 +0000 +Subject: netfilter: ctnetlink: fix leak in error path of ctnetlink_create_expect + +From: Jesper Juhl + +commit 1310b955c804975651dca6c674ebfd1cb2b4c7ff upstream. + +This patch fixes a leak in one of the error paths of +ctnetlink_create_expect if no helper and no timeout is specified. + +Signed-off-by: Jesper Juhl +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -2514,7 +2514,7 @@ ctnetlink_create_expect(struct net *net, + if (!help) { + if (!cda[CTA_EXPECT_TIMEOUT]) { + err = -EINVAL; +- goto out; ++ goto err_out; + } + exp->timeout.expires = + jiffies + ntohl(nla_get_be32(cda[CTA_EXPECT_TIMEOUT])) * HZ; diff --git a/queue-3.7/netfilter-fix-missing-dependencies-for-the-notrack-target.patch b/queue-3.7/netfilter-fix-missing-dependencies-for-the-notrack-target.patch new file mode 100644 index 00000000000..3878fb9ae17 --- /dev/null +++ b/queue-3.7/netfilter-fix-missing-dependencies-for-the-notrack-target.patch @@ -0,0 +1,35 @@ +From 757ae316fb35811cfd8c67de0e0b8680ec4c1f37 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Wed, 2 Jan 2013 16:30:01 +0000 +Subject: netfilter: fix missing dependencies for the NOTRACK target + +From: Pablo Neira Ayuso + +commit 757ae316fb35811cfd8c67de0e0b8680ec4c1f37 upstream. + +warning: (NETFILTER_XT_TARGET_NOTRACK) selects NETFILTER_XT_TARGET_CT which has unmet direct ++dependencies (NET && INET && NETFILTER && NETFILTER_XTABLES && NF_CONNTRACK && (IP_NF_RAW || ++IP6_NF_RAW) && NETFILTER_ADVANCED) + +Reported-by: Randy Dunlap +Reported-by: kbuild test robot +Acked-by: Randy Dunlap +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/Kconfig | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -682,6 +682,9 @@ config NETFILTER_XT_TARGET_NFQUEUE + + config NETFILTER_XT_TARGET_NOTRACK + tristate '"NOTRACK" target support (DEPRECATED)' ++ depends on NF_CONNTRACK ++ depends on IP_NF_RAW || IP6_NF_RAW ++ depends on NETFILTER_ADVANCED + select NETFILTER_XT_TARGET_CT + + config NETFILTER_XT_TARGET_RATEEST diff --git a/queue-3.7/netfilter-nf_conntrack-fix-bug_on-while-removing-nf_conntrack-with-netns.patch b/queue-3.7/netfilter-nf_conntrack-fix-bug_on-while-removing-nf_conntrack-with-netns.patch new file mode 100644 index 00000000000..44a2ff36e99 --- /dev/null +++ b/queue-3.7/netfilter-nf_conntrack-fix-bug_on-while-removing-nf_conntrack-with-netns.patch @@ -0,0 +1,72 @@ +From 1e47ee8367babe6a5e8adf44a714c7086657b87e Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 10 Jan 2013 16:12:01 +0100 +Subject: netfilter: nf_conntrack: fix BUG_ON while removing nf_conntrack with netns + +From: Pablo Neira Ayuso + +commit 1e47ee8367babe6a5e8adf44a714c7086657b87e upstream. + +canqun zhang reported that we're hitting BUG_ON in the +nf_conntrack_destroy path when calling kfree_skb while +rmmod'ing the nf_conntrack module. + +Currently, the nf_ct_destroy hook is being set to NULL in the +destroy path of conntrack.init_net. However, this is a problem +since init_net may be destroyed before any other existing netns +(we cannot assume any specific ordering while releasing existing +netns according to what I read in recent emails). + +Thanks to Gao feng for initial patch to address this issue. + +Reported-by: canqun zhang +Acked-by: Gao feng +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/netfilter/nf_conntrack_core.h | 2 ++ + net/netfilter/nf_conntrack_core.c | 9 +++++---- + net/netfilter/nf_conntrack_standalone.c | 1 + + 3 files changed, 8 insertions(+), 4 deletions(-) + +--- a/include/net/netfilter/nf_conntrack_core.h ++++ b/include/net/netfilter/nf_conntrack_core.h +@@ -31,6 +31,8 @@ extern void nf_conntrack_cleanup(struct + extern int nf_conntrack_proto_init(struct net *net); + extern void nf_conntrack_proto_fini(struct net *net); + ++extern void nf_conntrack_cleanup_end(void); ++ + extern bool + nf_ct_get_tuple(const struct sk_buff *skb, + unsigned int nhoff, +--- a/net/netfilter/nf_conntrack_core.c ++++ b/net/netfilter/nf_conntrack_core.c +@@ -1383,11 +1383,12 @@ void nf_conntrack_cleanup(struct net *ne + synchronize_net(); + nf_conntrack_proto_fini(net); + nf_conntrack_cleanup_net(net); ++} + +- if (net_eq(net, &init_net)) { +- RCU_INIT_POINTER(nf_ct_destroy, NULL); +- nf_conntrack_cleanup_init_net(); +- } ++void nf_conntrack_cleanup_end(void) ++{ ++ RCU_INIT_POINTER(nf_ct_destroy, NULL); ++ nf_conntrack_cleanup_init_net(); + } + + void *nf_ct_alloc_hashtable(unsigned int *sizep, int nulls) +--- a/net/netfilter/nf_conntrack_standalone.c ++++ b/net/netfilter/nf_conntrack_standalone.c +@@ -571,6 +571,7 @@ static int __init nf_conntrack_standalon + static void __exit nf_conntrack_standalone_fini(void) + { + unregister_pernet_subsys(&nf_conntrack_net_ops); ++ nf_conntrack_cleanup_end(); + } + + module_init(nf_conntrack_standalone_init); diff --git a/queue-3.7/netfilter-nfnetlink_log-fix-mac-address-for-6in4-tunnels.patch b/queue-3.7/netfilter-nfnetlink_log-fix-mac-address-for-6in4-tunnels.patch new file mode 100644 index 00000000000..9ee6a64b12e --- /dev/null +++ b/queue-3.7/netfilter-nfnetlink_log-fix-mac-address-for-6in4-tunnels.patch @@ -0,0 +1,54 @@ +From 0c36b48b36dc84d4215dc9d1cde1bda829214ba6 Mon Sep 17 00:00:00 2001 +From: Bob Hockney +Date: Sun, 16 Dec 2012 19:34:11 +0100 +Subject: netfilter: nfnetlink_log: fix mac address for 6in4 tunnels + +From: Bob Hockney + +commit 0c36b48b36dc84d4215dc9d1cde1bda829214ba6 upstream. + +For tunnelled ipv6in4 packets, the LOG target (xt_LOG.c) adjusts +the start of the mac field to start at the ethernet header instead +of the ipv4 header for the tunnel. This patch conforms what is +passed by the NFLOG target through nfnetlink to what the LOG target +does. Code borrowed from xt_LOG.c. + +Signed-off-by: Bob Hockney +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nfnetlink_log.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -384,6 +384,7 @@ __build_packet_message(struct nfulnl_ins + struct nfgenmsg *nfmsg; + sk_buff_data_t old_tail = inst->skb->tail; + struct sock *sk; ++ const unsigned char *hwhdrp; + + nlh = nlmsg_put(inst->skb, 0, 0, + NFNL_SUBSYS_ULOG << 8 | NFULNL_MSG_PACKET, +@@ -485,9 +486,17 @@ __build_packet_message(struct nfulnl_ins + if (indev && skb_mac_header_was_set(skb)) { + if (nla_put_be16(inst->skb, NFULA_HWTYPE, htons(skb->dev->type)) || + nla_put_be16(inst->skb, NFULA_HWLEN, +- htons(skb->dev->hard_header_len)) || +- nla_put(inst->skb, NFULA_HWHEADER, skb->dev->hard_header_len, +- skb_mac_header(skb))) ++ htons(skb->dev->hard_header_len))) ++ goto nla_put_failure; ++ ++ hwhdrp = skb_mac_header(skb); ++ ++ if (skb->dev->type == ARPHRD_SIT) ++ hwhdrp -= ETH_HLEN; ++ ++ if (hwhdrp >= skb->head && ++ nla_put(inst->skb, NFULA_HWHEADER, ++ skb->dev->hard_header_len, hwhdrp)) + goto nla_put_failure; + } + diff --git a/queue-3.7/netfilter-nfnetlink_log-fix-possible-compilation-issue-due-to-missing-include.patch b/queue-3.7/netfilter-nfnetlink_log-fix-possible-compilation-issue-due-to-missing-include.patch new file mode 100644 index 00000000000..3680bddf610 --- /dev/null +++ b/queue-3.7/netfilter-nfnetlink_log-fix-possible-compilation-issue-due-to-missing-include.patch @@ -0,0 +1,35 @@ +From e035edd16ee83498cccc9beedfc215e15cab3a07 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 17 Dec 2012 01:12:00 +0100 +Subject: netfilter: nfnetlink_log: fix possible compilation issue due to missing include + +From: Pablo Neira Ayuso + +commit e035edd16ee83498cccc9beedfc215e15cab3a07 upstream. + +In (0c36b48 netfilter: nfnetlink_log: fix mac address for 6in4 tunnels) +the include file that defines ARPD_SIT was missing. This passed unnoticed +during my tests (I did not hit this problem here). + +net/netfilter/nfnetlink_log.c: In function '__build_packet_message': +net/netfilter/nfnetlink_log.c:494:25: error: 'ARPHRD_SIT' undeclared (first use in this function) +net/netfilter/nfnetlink_log.c:494:25: note: each undeclared identifier is reported only once for ++each function it appears in + +Reported-by: kbuild test robot +Signed-off-by: Pablo Neira Ayuso + +--- + net/netfilter/nfnetlink_log.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/netfilter/nfnetlink_log.c ++++ b/net/netfilter/nfnetlink_log.c +@@ -13,6 +13,7 @@ + */ + #include + #include ++#include + #include + #include + #include diff --git a/queue-3.7/netfilter-x_tables-print-correct-hook-names-for-arp.patch b/queue-3.7/netfilter-x_tables-print-correct-hook-names-for-arp.patch new file mode 100644 index 00000000000..db37d09474b --- /dev/null +++ b/queue-3.7/netfilter-x_tables-print-correct-hook-names-for-arp.patch @@ -0,0 +1,95 @@ +From 5b76c4948fe6977bead2359c2054f3e6a2dcf3d0 Mon Sep 17 00:00:00 2001 +From: Jan Engelhardt +Date: Thu, 10 Jan 2013 12:30:05 +0000 +Subject: netfilter: x_tables: print correct hook names for ARP + +From: Jan Engelhardt + +commit 5b76c4948fe6977bead2359c2054f3e6a2dcf3d0 upstream. + +arptables 0.0.4 (released on 10th Jan 2013) supports calling the +CLASSIFY target, but on adding a rule to the wrong chain, the +diagnostic is as follows: + + # arptables -A INPUT -j CLASSIFY --set-class 0:0 + arptables: Invalid argument + # dmesg | tail -n1 + x_tables: arp_tables: CLASSIFY target: used from hooks + PREROUTING, but only usable from INPUT/FORWARD + +This is incorrect, since xt_CLASSIFY.c does specify +(1 << NF_ARP_OUT) | (1 << NF_ARP_FORWARD). + +This patch corrects the x_tables diagnostic message to print the +proper hook names for the NFPROTO_ARP case. + +Affects all kernels down to and including v2.6.31. + +Signed-off-by: Jan Engelhardt +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/x_tables.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +--- a/net/netfilter/x_tables.c ++++ b/net/netfilter/x_tables.c +@@ -345,19 +345,27 @@ int xt_find_revision(u8 af, const char * + } + EXPORT_SYMBOL_GPL(xt_find_revision); + +-static char *textify_hooks(char *buf, size_t size, unsigned int mask) ++static char * ++textify_hooks(char *buf, size_t size, unsigned int mask, uint8_t nfproto) + { +- static const char *const names[] = { ++ static const char *const inetbr_names[] = { + "PREROUTING", "INPUT", "FORWARD", + "OUTPUT", "POSTROUTING", "BROUTING", + }; +- unsigned int i; ++ static const char *const arp_names[] = { ++ "INPUT", "FORWARD", "OUTPUT", ++ }; ++ const char *const *names; ++ unsigned int i, max; + char *p = buf; + bool np = false; + int res; + ++ names = (nfproto == NFPROTO_ARP) ? arp_names : inetbr_names; ++ max = (nfproto == NFPROTO_ARP) ? ARRAY_SIZE(arp_names) : ++ ARRAY_SIZE(inetbr_names); + *p = '\0'; +- for (i = 0; i < ARRAY_SIZE(names); ++i) { ++ for (i = 0; i < max; ++i) { + if (!(mask & (1 << i))) + continue; + res = snprintf(p, size, "%s%s", np ? "/" : "", names[i]); +@@ -402,8 +410,10 @@ int xt_check_match(struct xt_mtchk_param + pr_err("%s_tables: %s match: used from hooks %s, but only " + "valid from %s\n", + xt_prefix[par->family], par->match->name, +- textify_hooks(used, sizeof(used), par->hook_mask), +- textify_hooks(allow, sizeof(allow), par->match->hooks)); ++ textify_hooks(used, sizeof(used), par->hook_mask, ++ par->family), ++ textify_hooks(allow, sizeof(allow), par->match->hooks, ++ par->family)); + return -EINVAL; + } + if (par->match->proto && (par->match->proto != proto || inv_proto)) { +@@ -575,8 +585,10 @@ int xt_check_target(struct xt_tgchk_para + pr_err("%s_tables: %s target: used from hooks %s, but only " + "usable from %s\n", + xt_prefix[par->family], par->target->name, +- textify_hooks(used, sizeof(used), par->hook_mask), +- textify_hooks(allow, sizeof(allow), par->target->hooks)); ++ textify_hooks(used, sizeof(used), par->hook_mask, ++ par->family), ++ textify_hooks(allow, sizeof(allow), par->target->hooks, ++ par->family)); + return -EINVAL; + } + if (par->target->proto && (par->target->proto != proto || inv_proto)) { diff --git a/queue-3.7/netfilter-xt_ct-recover-notrack-target-support.patch b/queue-3.7/netfilter-xt_ct-recover-notrack-target-support.patch new file mode 100644 index 00000000000..506b3184c47 --- /dev/null +++ b/queue-3.7/netfilter-xt_ct-recover-notrack-target-support.patch @@ -0,0 +1,137 @@ +From 10db9069eb5c60195170a4119bdbcbce69a4945f Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 20 Dec 2012 01:54:51 +0000 +Subject: netfilter: xt_CT: recover NOTRACK target support + +From: Pablo Neira Ayuso + +commit 10db9069eb5c60195170a4119bdbcbce69a4945f upstream. + +Florian Westphal reported that the removal of the NOTRACK target +(9655050 netfilter: remove xt_NOTRACK) is breaking some existing +setups. + +That removal was scheduled for removal since long time ago as +described in Documentation/feature-removal-schedule.txt + +What: xt_NOTRACK +Files: net/netfilter/xt_NOTRACK.c +When: April 2011 +Why: Superseded by xt_CT + +Still, people may have not notice / may have decided to stick to an +old iptables version. I agree with him in that some more conservative +approach by spotting some printk to warn users for some time is less +agressive. + +Current iptables 1.4.16.3 already contains the aliasing support +that makes it point to the CT target, so upgrading would fix it. +Still, the policy so far has been to avoid pushing our users to +upgrade. + +As a solution, this patch recovers the NOTRACK target inside the CT +target and it now spots a warning. + +Reported-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + include/net/netns/x_tables.h | 1 + net/netfilter/Kconfig | 4 +++ + net/netfilter/xt_CT.c | 50 ++++++++++++++++++++++++++++++++++++++++++- + 3 files changed, 54 insertions(+), 1 deletion(-) + +--- a/include/net/netns/x_tables.h ++++ b/include/net/netns/x_tables.h +@@ -8,6 +8,7 @@ struct ebt_table; + + struct netns_xt { + struct list_head tables[NFPROTO_NUMPROTO]; ++ bool notrack_deprecated_warning; + #if defined(CONFIG_BRIDGE_NF_EBTABLES) || \ + defined(CONFIG_BRIDGE_NF_EBTABLES_MODULE) + struct ebt_table *broute_table; +--- a/net/netfilter/Kconfig ++++ b/net/netfilter/Kconfig +@@ -680,6 +680,10 @@ config NETFILTER_XT_TARGET_NFQUEUE + + To compile it as a module, choose M here. If unsure, say N. + ++config NETFILTER_XT_TARGET_NOTRACK ++ tristate '"NOTRACK" target support (DEPRECATED)' ++ select NETFILTER_XT_TARGET_CT ++ + config NETFILTER_XT_TARGET_RATEEST + tristate '"RATEEST" target support' + depends on NETFILTER_ADVANCED +--- a/net/netfilter/xt_CT.c ++++ b/net/netfilter/xt_CT.c +@@ -377,14 +377,60 @@ static struct xt_target xt_ct_tg_reg[] _ + }, + }; + ++static unsigned int ++notrack_tg(struct sk_buff *skb, const struct xt_action_param *par) ++{ ++ /* Previously seen (loopback)? Ignore. */ ++ if (skb->nfct != NULL) ++ return XT_CONTINUE; ++ ++ skb->nfct = &nf_ct_untracked_get()->ct_general; ++ skb->nfctinfo = IP_CT_NEW; ++ nf_conntrack_get(skb->nfct); ++ ++ return XT_CONTINUE; ++} ++ ++static int notrack_chk(const struct xt_tgchk_param *par) ++{ ++ if (!par->net->xt.notrack_deprecated_warning) { ++ pr_info("netfilter: NOTRACK target is deprecated, " ++ "use CT instead or upgrade iptables\n"); ++ par->net->xt.notrack_deprecated_warning = true; ++ } ++ return 0; ++} ++ ++static struct xt_target notrack_tg_reg __read_mostly = { ++ .name = "NOTRACK", ++ .revision = 0, ++ .family = NFPROTO_UNSPEC, ++ .checkentry = notrack_chk, ++ .target = notrack_tg, ++ .table = "raw", ++ .me = THIS_MODULE, ++}; ++ + static int __init xt_ct_tg_init(void) + { +- return xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); ++ int ret; ++ ++ ret = xt_register_target(¬rack_tg_reg); ++ if (ret < 0) ++ return ret; ++ ++ ret = xt_register_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); ++ if (ret < 0) { ++ xt_unregister_target(¬rack_tg_reg); ++ return ret; ++ } ++ return 0; + } + + static void __exit xt_ct_tg_exit(void) + { + xt_unregister_targets(xt_ct_tg_reg, ARRAY_SIZE(xt_ct_tg_reg)); ++ xt_unregister_target(¬rack_tg_reg); + } + + module_init(xt_ct_tg_init); +@@ -394,3 +440,5 @@ MODULE_LICENSE("GPL"); + MODULE_DESCRIPTION("Xtables: connection tracking target"); + MODULE_ALIAS("ipt_CT"); + MODULE_ALIAS("ip6t_CT"); ++MODULE_ALIAS("ipt_NOTRACK"); ++MODULE_ALIAS("ip6t_NOTRACK"); diff --git a/queue-3.7/netfilter-xt_hashlimit-fix-namespace-destroy-path.patch b/queue-3.7/netfilter-xt_hashlimit-fix-namespace-destroy-path.patch new file mode 100644 index 00000000000..55b8a9bd899 --- /dev/null +++ b/queue-3.7/netfilter-xt_hashlimit-fix-namespace-destroy-path.patch @@ -0,0 +1,73 @@ +From 32263dd1b43378b4f7d7796ed713f77e95f27e8a Mon Sep 17 00:00:00 2001 +From: "Vitaly E. Lavrov" +Date: Mon, 24 Dec 2012 14:42:17 +0100 +Subject: netfilter: xt_hashlimit: fix namespace destroy path + +From: "Vitaly E. Lavrov" + +commit 32263dd1b43378b4f7d7796ed713f77e95f27e8a upstream. + +recent_net_exit() is called before recent_mt_destroy() in the +destroy path of network namespaces. Make sure there are no entries +in the parent proc entry xt_recent before removing it. + +Signed-off-by: Vitaly E. Lavrov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_hashlimit.c | 29 +++++++++++++++++++++++++---- + 1 file changed, 25 insertions(+), 4 deletions(-) + +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -318,7 +318,10 @@ static void htable_destroy(struct xt_has + parent = hashlimit_net->ipt_hashlimit; + else + parent = hashlimit_net->ip6t_hashlimit; +- remove_proc_entry(hinfo->pde->name, parent); ++ ++ if(parent != NULL) ++ remove_proc_entry(hinfo->pde->name, parent); ++ + htable_selective_cleanup(hinfo, select_all); + vfree(hinfo); + } +@@ -856,6 +859,27 @@ static int __net_init hashlimit_proc_net + + static void __net_exit hashlimit_proc_net_exit(struct net *net) + { ++ struct xt_hashlimit_htable *hinfo; ++ struct hlist_node *pos; ++ struct proc_dir_entry *pde; ++ struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); ++ ++ /* recent_net_exit() is called before recent_mt_destroy(). Make sure ++ * that the parent xt_recent proc entry is is empty before trying to ++ * remove it. ++ */ ++ mutex_lock(&hashlimit_mutex); ++ pde = hashlimit_net->ipt_hashlimit; ++ if (pde == NULL) ++ pde = hashlimit_net->ip6t_hashlimit; ++ ++ hlist_for_each_entry(hinfo, pos, &hashlimit_net->htables, node) ++ remove_proc_entry(hinfo->pde->name, pde); ++ ++ hashlimit_net->ipt_hashlimit = NULL; ++ hashlimit_net->ip6t_hashlimit = NULL; ++ mutex_unlock(&hashlimit_mutex); ++ + proc_net_remove(net, "ipt_hashlimit"); + #if IS_ENABLED(CONFIG_IP6_NF_IPTABLES) + proc_net_remove(net, "ip6t_hashlimit"); +@@ -872,9 +896,6 @@ static int __net_init hashlimit_net_init + + static void __net_exit hashlimit_net_exit(struct net *net) + { +- struct hashlimit_net *hashlimit_net = hashlimit_pernet(net); +- +- BUG_ON(!hlist_empty(&hashlimit_net->htables)); + hashlimit_proc_net_exit(net); + } + diff --git a/queue-3.7/netfilter-xt_hashlimit-fix-race-that-results-in-duplicated-entries.patch b/queue-3.7/netfilter-xt_hashlimit-fix-race-that-results-in-duplicated-entries.patch new file mode 100644 index 00000000000..6a8a6269d6d --- /dev/null +++ b/queue-3.7/netfilter-xt_hashlimit-fix-race-that-results-in-duplicated-entries.patch @@ -0,0 +1,80 @@ +From 09181842b000344b1205801df3aa5b726c03cc62 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Mon, 24 Dec 2012 13:09:25 +0100 +Subject: netfilter: xt_hashlimit: fix race that results in duplicated entries + +From: Pablo Neira Ayuso + +commit 09181842b000344b1205801df3aa5b726c03cc62 upstream. + +Two packets may race to create the same entry in the hashtable, +double check if this packet lost race. This double checking only +happens in the path of the packet that creates the hashtable for +first time. + +Note that, with this patch, no packet drops occur if the race happens. + +Reported-by: Feng Gao +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_hashlimit.c | 25 +++++++++++++++++++++---- + 1 file changed, 21 insertions(+), 4 deletions(-) + +--- a/net/netfilter/xt_hashlimit.c ++++ b/net/netfilter/xt_hashlimit.c +@@ -157,11 +157,22 @@ dsthash_find(const struct xt_hashlimit_h + /* allocate dsthash_ent, initialize dst, put in htable and lock it */ + static struct dsthash_ent * + dsthash_alloc_init(struct xt_hashlimit_htable *ht, +- const struct dsthash_dst *dst) ++ const struct dsthash_dst *dst, bool *race) + { + struct dsthash_ent *ent; + + spin_lock(&ht->lock); ++ ++ /* Two or more packets may race to create the same entry in the ++ * hashtable, double check if this packet lost race. ++ */ ++ ent = dsthash_find(ht, dst); ++ if (ent != NULL) { ++ spin_unlock(&ht->lock); ++ *race = true; ++ return ent; ++ } ++ + /* initialize hash with random val at the time we allocate + * the first hashtable entry */ + if (unlikely(!ht->rnd_initialized)) { +@@ -588,6 +599,7 @@ hashlimit_mt(const struct sk_buff *skb, + unsigned long now = jiffies; + struct dsthash_ent *dh; + struct dsthash_dst dst; ++ bool race = false; + u32 cost; + + if (hashlimit_init_dst(hinfo, &dst, skb, par->thoff) < 0) +@@ -596,13 +608,18 @@ hashlimit_mt(const struct sk_buff *skb, + rcu_read_lock_bh(); + dh = dsthash_find(hinfo, &dst); + if (dh == NULL) { +- dh = dsthash_alloc_init(hinfo, &dst); ++ dh = dsthash_alloc_init(hinfo, &dst, &race); + if (dh == NULL) { + rcu_read_unlock_bh(); + goto hotdrop; ++ } else if (race) { ++ /* Already got an entry, update expiration timeout */ ++ dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); ++ rateinfo_recalc(dh, now, hinfo->cfg.mode); ++ } else { ++ dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire); ++ rateinfo_init(dh, hinfo); + } +- dh->expires = jiffies + msecs_to_jiffies(hinfo->cfg.expire); +- rateinfo_init(dh, hinfo); + } else { + /* update expiration timeout */ + dh->expires = now + msecs_to_jiffies(hinfo->cfg.expire); diff --git a/queue-3.7/netfilter-xt_recent-avoid-high-order-page-allocations.patch b/queue-3.7/netfilter-xt_recent-avoid-high-order-page-allocations.patch new file mode 100644 index 00000000000..cd1b07e5277 --- /dev/null +++ b/queue-3.7/netfilter-xt_recent-avoid-high-order-page-allocations.patch @@ -0,0 +1,103 @@ +From 2727de76041b2064c0b74f00a2a89678fb3efafc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 3 Jan 2013 22:18:39 +0000 +Subject: netfilter: xt_recent: avoid high order page allocations + +From: Eric Dumazet + +commit 2727de76041b2064c0b74f00a2a89678fb3efafc upstream. + +xt_recent can try high order page allocations and this can fail. + +iptables: page allocation failure: order:9, mode:0xc0d0 + +It also wastes about half the allocated space because of kmalloc() +power-of-two roundups and struct recent_table layout. + +Use vmalloc() instead to save space and be less prone to allocation +errors when memory is fragmented. + +Reported-by: Miroslav Kratochvil +Reported-by: Dave Jones +Reported-by: Harald Reindl +Signed-off-by: Eric Dumazet +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_recent.c | 23 ++++++++++++++++++----- + 1 file changed, 18 insertions(+), 5 deletions(-) + +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -310,6 +311,14 @@ out: + return ret; + } + ++static void recent_table_free(void *addr) ++{ ++ if (is_vmalloc_addr(addr)) ++ vfree(addr); ++ else ++ kfree(addr); ++} ++ + static int recent_mt_check(const struct xt_mtchk_param *par, + const struct xt_recent_mtinfo_v1 *info) + { +@@ -322,6 +331,7 @@ static int recent_mt_check(const struct + #endif + unsigned int i; + int ret = -EINVAL; ++ size_t sz; + + if (unlikely(!hash_rnd_inited)) { + get_random_bytes(&hash_rnd, sizeof(hash_rnd)); +@@ -360,8 +370,11 @@ static int recent_mt_check(const struct + goto out; + } + +- t = kzalloc(sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size, +- GFP_KERNEL); ++ sz = sizeof(*t) + sizeof(t->iphash[0]) * ip_list_hash_size; ++ if (sz <= PAGE_SIZE) ++ t = kzalloc(sz, GFP_KERNEL); ++ else ++ t = vzalloc(sz); + if (t == NULL) { + ret = -ENOMEM; + goto out; +@@ -377,14 +390,14 @@ static int recent_mt_check(const struct + uid = make_kuid(&init_user_ns, ip_list_uid); + gid = make_kgid(&init_user_ns, ip_list_gid); + if (!uid_valid(uid) || !gid_valid(gid)) { +- kfree(t); ++ recent_table_free(t); + ret = -EINVAL; + goto out; + } + pde = proc_create_data(t->name, ip_list_perms, recent_net->xt_recent, + &recent_mt_fops, t); + if (pde == NULL) { +- kfree(t); ++ recent_table_free(t); + ret = -ENOMEM; + goto out; + } +@@ -435,7 +448,7 @@ static void recent_mt_destroy(const stru + remove_proc_entry(t->name, recent_net->xt_recent); + #endif + recent_table_flush(t); +- kfree(t); ++ recent_table_free(t); + } + mutex_unlock(&recent_mutex); + } diff --git a/queue-3.7/netfilter-xt_recent-fix-namespace-destroy-path.patch b/queue-3.7/netfilter-xt_recent-fix-namespace-destroy-path.patch new file mode 100644 index 00000000000..3cbe6abf508 --- /dev/null +++ b/queue-3.7/netfilter-xt_recent-fix-namespace-destroy-path.patch @@ -0,0 +1,64 @@ +From 665e205c16c1f902ac6763b8ce8a0a3a1dcefe59 Mon Sep 17 00:00:00 2001 +From: "Vitaly E. Lavrov" +Date: Mon, 24 Dec 2012 13:55:20 +0100 +Subject: netfilter: xt_recent: fix namespace destroy path + +From: "Vitaly E. Lavrov" + +commit 665e205c16c1f902ac6763b8ce8a0a3a1dcefe59 upstream. + +recent_net_exit() is called before recent_mt_destroy() in the +destroy path of network namespaces. Make sure there are no entries +in the parent proc entry xt_recent before removing it. + +Signed-off-by: Vitaly E. Lavrov +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_recent.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/net/netfilter/xt_recent.c ++++ b/net/netfilter/xt_recent.c +@@ -431,7 +431,8 @@ static void recent_mt_destroy(const stru + list_del(&t->list); + spin_unlock_bh(&recent_lock); + #ifdef CONFIG_PROC_FS +- remove_proc_entry(t->name, recent_net->xt_recent); ++ if (recent_net->xt_recent != NULL) ++ remove_proc_entry(t->name, recent_net->xt_recent); + #endif + recent_table_flush(t); + kfree(t); +@@ -615,6 +616,20 @@ static int __net_init recent_proc_net_in + + static void __net_exit recent_proc_net_exit(struct net *net) + { ++ struct recent_net *recent_net = recent_pernet(net); ++ struct recent_table *t; ++ ++ /* recent_net_exit() is called before recent_mt_destroy(). Make sure ++ * that the parent xt_recent proc entry is is empty before trying to ++ * remove it. ++ */ ++ spin_lock_bh(&recent_lock); ++ list_for_each_entry(t, &recent_net->tables, list) ++ remove_proc_entry(t->name, recent_net->xt_recent); ++ ++ recent_net->xt_recent = NULL; ++ spin_unlock_bh(&recent_lock); ++ + proc_net_remove(net, "xt_recent"); + } + #else +@@ -638,9 +653,6 @@ static int __net_init recent_net_init(st + + static void __net_exit recent_net_exit(struct net *net) + { +- struct recent_net *recent_net = recent_pernet(net); +- +- BUG_ON(!list_empty(&recent_net->tables)); + recent_proc_net_exit(net); + } + diff --git a/queue-3.7/series b/queue-3.7/series index e6e21b35c86..cf3f72edde9 100644 --- a/queue-3.7/series +++ b/queue-3.7/series @@ -74,3 +74,14 @@ netfilter-nf_ct_reasm-fix-conntrack-reassembly-expire-code.patch x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch xfs-fix-periodic-log-flushing.patch target-fix-regression-with-dev_link_magic-in-target_fabric_port_link.patch +netfilter-nfnetlink_log-fix-mac-address-for-6in4-tunnels.patch +netfilter-nfnetlink_log-fix-possible-compilation-issue-due-to-missing-include.patch +netfilter-xt_ct-recover-notrack-target-support.patch +netfilter-fix-missing-dependencies-for-the-notrack-target.patch +netfilter-xt_hashlimit-fix-namespace-destroy-path.patch +netfilter-xt_hashlimit-fix-race-that-results-in-duplicated-entries.patch +netfilter-xt_recent-fix-namespace-destroy-path.patch +netfilter-xt_recent-avoid-high-order-page-allocations.patch +netfilter-nf_conntrack-fix-bug_on-while-removing-nf_conntrack-with-netns.patch +netfilter-x_tables-print-correct-hook-names-for-arp.patch +netfilter-ctnetlink-fix-leak-in-error-path-of-ctnetlink_create_expect.patch