Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf
Pablo Neira Ayuso says: ==================== Netfilter fixes for net The following patchset contains Netfilter fixes for your net tree: 1) Missing netlink attribute validation in nf_queue, uncovered by KASAN, from Eric Dumazet. 2) Use pointer to sysctl table, save us 192 bytes of memory per netns. Also from Eric. 3) Possible use-after-free when removing conntrack helper modules due to missing synchronize RCU call. From Taehee Yoo. 4) Fix corner case in systcl writes to nf_log that lead to appending data to uninitialized buffer, from Jann Horn. 5) Jann Horn says we may indefinitely block other users of nf_log_mutex if a userspace access in proc_dostring() blocked e.g. due to a userfaultfd. 6) Fix garbage collection race for unconfirmed conntrack entries, from Florian Westphal. ==================== Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
David S. Miller
commit
0901441839
|
|
@ -128,6 +128,7 @@ struct net {
|
|||
#endif
|
||||
#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
|
||||
struct netns_nf_frag nf_frag;
|
||||
struct ctl_table_header *nf_frag_frags_hdr;
|
||||
#endif
|
||||
struct sock *nfnl;
|
||||
struct sock *nfnl_stash;
|
||||
|
|
|
|||
|
|
@ -109,7 +109,6 @@ struct netns_ipv6 {
|
|||
|
||||
#if IS_ENABLED(CONFIG_NF_DEFRAG_IPV6)
|
||||
struct netns_nf_frag {
|
||||
struct netns_sysctl_ipv6 sysctl;
|
||||
struct netns_frags frags;
|
||||
};
|
||||
#endif
|
||||
|
|
|
|||
|
|
@ -107,7 +107,7 @@ static int nf_ct_frag6_sysctl_register(struct net *net)
|
|||
if (hdr == NULL)
|
||||
goto err_reg;
|
||||
|
||||
net->nf_frag.sysctl.frags_hdr = hdr;
|
||||
net->nf_frag_frags_hdr = hdr;
|
||||
return 0;
|
||||
|
||||
err_reg:
|
||||
|
|
@ -121,8 +121,8 @@ static void __net_exit nf_ct_frags6_sysctl_unregister(struct net *net)
|
|||
{
|
||||
struct ctl_table *table;
|
||||
|
||||
table = net->nf_frag.sysctl.frags_hdr->ctl_table_arg;
|
||||
unregister_net_sysctl_table(net->nf_frag.sysctl.frags_hdr);
|
||||
table = net->nf_frag_frags_hdr->ctl_table_arg;
|
||||
unregister_net_sysctl_table(net->nf_frag_frags_hdr);
|
||||
if (!net_eq(net, &init_net))
|
||||
kfree(table);
|
||||
}
|
||||
|
|
|
|||
|
|
@ -47,6 +47,8 @@ struct nf_conncount_tuple {
|
|||
struct hlist_node node;
|
||||
struct nf_conntrack_tuple tuple;
|
||||
struct nf_conntrack_zone zone;
|
||||
int cpu;
|
||||
u32 jiffies32;
|
||||
};
|
||||
|
||||
struct nf_conncount_rb {
|
||||
|
|
@ -91,11 +93,42 @@ bool nf_conncount_add(struct hlist_head *head,
|
|||
return false;
|
||||
conn->tuple = *tuple;
|
||||
conn->zone = *zone;
|
||||
conn->cpu = raw_smp_processor_id();
|
||||
conn->jiffies32 = (u32)jiffies;
|
||||
hlist_add_head(&conn->node, head);
|
||||
return true;
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nf_conncount_add);
|
||||
|
||||
static const struct nf_conntrack_tuple_hash *
|
||||
find_or_evict(struct net *net, struct nf_conncount_tuple *conn)
|
||||
{
|
||||
const struct nf_conntrack_tuple_hash *found;
|
||||
unsigned long a, b;
|
||||
int cpu = raw_smp_processor_id();
|
||||
__s32 age;
|
||||
|
||||
found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
|
||||
if (found)
|
||||
return found;
|
||||
b = conn->jiffies32;
|
||||
a = (u32)jiffies;
|
||||
|
||||
/* conn might have been added just before by another cpu and
|
||||
* might still be unconfirmed. In this case, nf_conntrack_find()
|
||||
* returns no result. Thus only evict if this cpu added the
|
||||
* stale entry or if the entry is older than two jiffies.
|
||||
*/
|
||||
age = a - b;
|
||||
if (conn->cpu == cpu || age >= 2) {
|
||||
hlist_del(&conn->node);
|
||||
kmem_cache_free(conncount_conn_cachep, conn);
|
||||
return ERR_PTR(-ENOENT);
|
||||
}
|
||||
|
||||
return ERR_PTR(-EAGAIN);
|
||||
}
|
||||
|
||||
unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head,
|
||||
const struct nf_conntrack_tuple *tuple,
|
||||
const struct nf_conntrack_zone *zone,
|
||||
|
|
@ -103,18 +136,27 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head,
|
|||
{
|
||||
const struct nf_conntrack_tuple_hash *found;
|
||||
struct nf_conncount_tuple *conn;
|
||||
struct hlist_node *n;
|
||||
struct nf_conn *found_ct;
|
||||
struct hlist_node *n;
|
||||
unsigned int length = 0;
|
||||
|
||||
*addit = tuple ? true : false;
|
||||
|
||||
/* check the saved connections */
|
||||
hlist_for_each_entry_safe(conn, n, head, node) {
|
||||
found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
|
||||
if (found == NULL) {
|
||||
hlist_del(&conn->node);
|
||||
kmem_cache_free(conncount_conn_cachep, conn);
|
||||
found = find_or_evict(net, conn);
|
||||
if (IS_ERR(found)) {
|
||||
/* Not found, but might be about to be confirmed */
|
||||
if (PTR_ERR(found) == -EAGAIN) {
|
||||
length++;
|
||||
if (!tuple)
|
||||
continue;
|
||||
|
||||
if (nf_ct_tuple_equal(&conn->tuple, tuple) &&
|
||||
nf_ct_zone_id(&conn->zone, conn->zone.dir) ==
|
||||
nf_ct_zone_id(zone, zone->dir))
|
||||
*addit = false;
|
||||
}
|
||||
continue;
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -465,6 +465,11 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me)
|
|||
|
||||
nf_ct_expect_iterate_destroy(expect_iter_me, NULL);
|
||||
nf_ct_iterate_destroy(unhelp, me);
|
||||
|
||||
/* Maybe someone has gotten the helper already when unhelp above.
|
||||
* So need to wait it.
|
||||
*/
|
||||
synchronize_rcu();
|
||||
}
|
||||
EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister);
|
||||
|
||||
|
|
|
|||
|
|
@ -424,6 +424,10 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
|
|||
if (write) {
|
||||
struct ctl_table tmp = *table;
|
||||
|
||||
/* proc_dostring() can append to existing strings, so we need to
|
||||
* initialize it as an empty string.
|
||||
*/
|
||||
buf[0] = '\0';
|
||||
tmp.data = buf;
|
||||
r = proc_dostring(&tmp, write, buffer, lenp, ppos);
|
||||
if (r)
|
||||
|
|
@ -442,14 +446,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write,
|
|||
rcu_assign_pointer(net->nf.nf_loggers[tindex], logger);
|
||||
mutex_unlock(&nf_log_mutex);
|
||||
} else {
|
||||
struct ctl_table tmp = *table;
|
||||
|
||||
tmp.data = buf;
|
||||
mutex_lock(&nf_log_mutex);
|
||||
logger = nft_log_dereference(net->nf.nf_loggers[tindex]);
|
||||
if (!logger)
|
||||
table->data = "NONE";
|
||||
strlcpy(buf, "NONE", sizeof(buf));
|
||||
else
|
||||
table->data = logger->name;
|
||||
r = proc_dostring(table, write, buffer, lenp, ppos);
|
||||
strlcpy(buf, logger->name, sizeof(buf));
|
||||
mutex_unlock(&nf_log_mutex);
|
||||
r = proc_dostring(&tmp, write, buffer, lenp, ppos);
|
||||
}
|
||||
|
||||
return r;
|
||||
|
|
|
|||
|
|
@ -1243,6 +1243,9 @@ static int nfqnl_recv_unsupp(struct net *net, struct sock *ctnl,
|
|||
static const struct nla_policy nfqa_cfg_policy[NFQA_CFG_MAX+1] = {
|
||||
[NFQA_CFG_CMD] = { .len = sizeof(struct nfqnl_msg_config_cmd) },
|
||||
[NFQA_CFG_PARAMS] = { .len = sizeof(struct nfqnl_msg_config_params) },
|
||||
[NFQA_CFG_QUEUE_MAXLEN] = { .type = NLA_U32 },
|
||||
[NFQA_CFG_MASK] = { .type = NLA_U32 },
|
||||
[NFQA_CFG_FLAGS] = { .type = NLA_U32 },
|
||||
};
|
||||
|
||||
static const struct nf_queue_handler nfqh = {
|
||||
|
|
|
|||
Loading…
Reference in New Issue