
[00/19] Netfilter fixes for net

Message ID 20180220163906.12380-1-pablo@netfilter.org
State Accepted
Delegated to: Pablo Neira

Pull-request

git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

Message

Pablo Neira Ayuso Feb. 20, 2018, 4:38 p.m. UTC
Hi David,

The following patchset contains a large batch of Netfilter fixes for
your net tree, mostly due to syzbot report fixups and pr_err()
ratelimiting; more specifically, they are:

1) Get rid of superfluous unnecessary check in x_tables before vmalloc(),
   we don't hit BUG there anymore, patch from Michal Hocko, suggested by
   Andrew Morton.

2) Race condition in proc file creation in ipt_CLUSTERIP, from Cong Wang.

3) Drop socket lock that results in circular locking dependency, patch
   from Paolo Abeni.

4) Drop packet in case of malformed blob that makes backpointer jump
   in x_tables, from Florian Westphal.

5) Fix refcount leak due to race in ipt_CLUSTERIP in
   clusterip_config_find_get(), from Cong Wang.

6) Several patches to ratelimit pr_err() for x_tables since this can be
   a problem where CAP_NET_ADMIN semantics can protect us in untrusted
   namespace, from Florian Westphal.

7) Missing .gitignore update for new autogenerated asn1 state machine
   for the SNMP NAT helper, from Zhu Lingshan.

8) Missing timer initialization in xt_LED, from Paolo Abeni.

9) Do not allow negative port range in NAT, also from Paolo.

10) Lock imbalance in the xt_hashlimit rate match mode, patch from
    Eric Dumazet.

11) Initialize workqueue before timer in the idletimer match,
    from Eric Dumazet.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

P.S: If I can get net.git merged into net-next.git, I'd appreciate it,
     since I have people willing to bang me here with patches that
     have dependencies on this batch. Thanks again!

----------------------------------------------------------------

The following changes since commit 5c487bb9adddbc1d23433e09d2548759375c2b52:

  tcp: tracepoint: only call trace_tcp_send_reset with full socket (2018-02-07 22:00:42 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to cfc2c740533368b96e2be5e0a4e8c3cace7d9814:

  netfilter: IDLETIMER: be syzkaller friendly (2018-02-19 18:28:59 +0100)

----------------------------------------------------------------
Cong Wang (2):
      netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
      netfilter: ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()

Eric Dumazet (2):
      netfilter: xt_hashlimit: fix lock imbalance
      netfilter: IDLETIMER: be syzkaller friendly

Florian Westphal (10):
      netfilter: add back stackpointer size checks
      netfilter: x_tables: remove pr_info where possible
      netfilter: x_tables: use pr ratelimiting in xt core
      netfilter: xt_CT: use pr ratelimiting
      netfilter: xt_NFQUEUE: use pr ratelimiting
      netfilter: xt_set: use pr ratelimiting
      netfilter: bridge: use pr ratelimiting
      netfilter: x_tables: rate-limit table mismatch warnings
      netfilter: x_tables: use pr ratelimiting in matches/targets
      netfilter: x_tables: use pr ratelimiting in all remaining spots

Michal Hocko (1):
      netfilter: x_tables: remove size check

Paolo Abeni (3):
      netfilter: drop outermost socket lock in getsockopt()
      netfilter: x_tables: fix missing timer initialization in xt_LED
      netfilter: nat: cope with negative port range

Zhu Lingshan (1):
      .gitignore: ignore ASN.1 auto generated files

 .gitignore                          |  4 ++
 net/bridge/netfilter/ebt_among.c    | 10 ++---
 net/bridge/netfilter/ebt_limit.c    |  4 +-
 net/ipv4/ip_sockglue.c              |  7 +---
 net/ipv4/netfilter/arp_tables.c     |  4 ++
 net/ipv4/netfilter/ip_tables.c      |  7 +++-
 net/ipv4/netfilter/ipt_CLUSTERIP.c  | 20 ++++++----
 net/ipv4/netfilter/ipt_ECN.c        | 12 +++---
 net/ipv4/netfilter/ipt_REJECT.c     |  4 +-
 net/ipv4/netfilter/ipt_rpfilter.c   |  6 +--
 net/ipv6/ipv6_sockglue.c            | 10 +----
 net/ipv6/netfilter/ip6_tables.c     |  4 ++
 net/ipv6/netfilter/ip6t_REJECT.c    |  4 +-
 net/ipv6/netfilter/ip6t_rpfilter.c  |  6 +--
 net/ipv6/netfilter/ip6t_srh.c       |  6 ++-
 net/netfilter/nf_nat_proto_common.c |  7 +++-
 net/netfilter/x_tables.c            | 74 +++++++++++++++++--------------------
 net/netfilter/xt_AUDIT.c            |  4 +-
 net/netfilter/xt_CHECKSUM.c         |  8 ++--
 net/netfilter/xt_CONNSECMARK.c      | 10 ++---
 net/netfilter/xt_CT.c               | 25 +++++++------
 net/netfilter/xt_DSCP.c             |  4 +-
 net/netfilter/xt_HL.c               | 13 ++-----
 net/netfilter/xt_HMARK.c            | 27 ++++++++------
 net/netfilter/xt_IDLETIMER.c        |  9 +++--
 net/netfilter/xt_LED.c              | 16 ++++----
 net/netfilter/xt_NFQUEUE.c          |  8 ++--
 net/netfilter/xt_SECMARK.c          | 18 +++++----
 net/netfilter/xt_TCPMSS.c           | 10 ++---
 net/netfilter/xt_TPROXY.c           |  6 +--
 net/netfilter/xt_addrtype.c         | 33 ++++++++---------
 net/netfilter/xt_bpf.c              |  4 +-
 net/netfilter/xt_cgroup.c           |  8 ++--
 net/netfilter/xt_cluster.c          |  8 ++--
 net/netfilter/xt_connbytes.c        |  4 +-
 net/netfilter/xt_connlabel.c        |  7 ++--
 net/netfilter/xt_connmark.c         |  8 ++--
 net/netfilter/xt_conntrack.c        |  4 +-
 net/netfilter/xt_dscp.c             |  4 +-
 net/netfilter/xt_ecn.c              |  4 +-
 net/netfilter/xt_hashlimit.c        | 26 +++++++------
 net/netfilter/xt_helper.c           |  4 +-
 net/netfilter/xt_ipcomp.c           |  2 +-
 net/netfilter/xt_ipvs.c             |  3 +-
 net/netfilter/xt_l2tp.c             | 22 ++++++-----
 net/netfilter/xt_limit.c            |  4 +-
 net/netfilter/xt_nat.c              |  5 ++-
 net/netfilter/xt_nfacct.c           |  6 ++-
 net/netfilter/xt_physdev.c          |  4 +-
 net/netfilter/xt_policy.c           | 23 +++++++-----
 net/netfilter/xt_recent.c           | 14 +++----
 net/netfilter/xt_set.c              | 50 ++++++++++++-------------
 net/netfilter/xt_socket.c           | 10 +++--
 net/netfilter/xt_state.c            |  4 +-
 net/netfilter/xt_time.c             |  6 +--
 55 files changed, 314 insertions(+), 300 deletions(-)
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Miller Feb. 21, 2018, 7:56 p.m. UTC | #1
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Tue, 20 Feb 2018 17:38:47 +0100

> The following patchset contains a large batch of Netfilter fixes for
> your net tree, mostly due to syzbot report fixups and pr_err()
> ratelimiting; more specifically, they are:
 ...
> You can pull these changes from:
> 
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Pulled, thank you.

> P.S: If I can get net.git merged into net-next.git, I'd appreciate it,
>      since I have people willing to bang me here with patches that
>      have dependencies on this batch. Thanks again!

That might have to wait until the weekend.  I'll see what I can
do meanwhile.

Thanks.