From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 5/5] netfilter: ipt_ULOG: fix incorrect setting of ulog timer
Date: Mon, 24 Jun 2013 17:16:26 +0200
Message-Id: <1372086986-4080-2-git-send-email-pablo@netfilter.org>
In-Reply-To: <1372086986-4080-1-git-send-email-pablo@netfilter.org>
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 253876

From: Gao feng

The parameter of setup_timer should be &ulog->nlgroup[i]. The incorrect
parameter will cause kernel panic in ulog_timer.

Bug introduced in commit 355430671ad93546b34b4e91bdf720f3a704efa4
"netfilter: ipt_ULOG: add net namespace support for ipt_ULOG"

ebt_ULOG doesn't have this problem.

[ I have mangled this patch to fix nlgroup != 0 case, we were also crashing there --pablo ]

Tested-by: George Spelvin
Reported-by: Borislav Petkov
Signed-off-by: Gao feng
Signed-off-by: Pablo Neira Ayuso --- net/ipv4/netfilter/ipt_ULOG.c | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/net/ipv4/netfilter/ipt_ULOG.c b/net/ipv4/netfilter/ipt_ULOG.c index ff4b781..32b0e97 100644 --- a/net/ipv4/netfilter/ipt_ULOG.c +++ b/net/ipv4/netfilter/ipt_ULOG.c @@ -125,15 +125,16 @@ static void ulog_send(struct ulog_net *ulog, unsigned int nlgroupnum) /* timer function to flush queue in flushtimeout time */ static void ulog_timer(unsigned long data) { + unsigned int groupnum = *((unsigned int *)data); struct ulog_net *ulog = container_of((void *)data, struct ulog_net, - nlgroup[*(unsigned int *)data]); + nlgroup[groupnum]); pr_debug("timer function called, calling ulog_send\n"); /* lock to protect against somebody modifying our structure * from ipt_ulog_target at the same time */ spin_lock_bh(&ulog->lock); - ulog_send(ulog, data); + ulog_send(ulog, groupnum); spin_unlock_bh(&ulog->lock); } @@ -407,8 +408,11 @@ static int __net_init ulog_tg_net_init(struct net *net) spin_lock_init(&ulog->lock); /* initialize ulog_buffers */ - for (i = 0; i < ULOG_MAXNLGROUPS; i++) - setup_timer(&ulog->ulog_buffers[i].timer, ulog_timer, i); + for (i = 0; i < ULOG_MAXNLGROUPS; i++) { + ulog->nlgroup[i] = i; + setup_timer(&ulog->ulog_buffers[i].timer, ulog_timer, + (unsigned long)&ulog->nlgroup[i]); + } ulog->nflognl = netlink_kernel_create(net, NETLINK_NFLOG, &cfg); if (!ulog->nflognl)
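Review bot: In ulog_timer, container_of(..., nlgroup[groupnum]) recovers the correct struct ulog_net only if the value stored in the slot that data points at equals that slot's own index, and nothing in the function states or checks this. Suggest a short comment above the groupnum line saying that data is the address of ulog->nlgroup[i] with nlgroup[i] == i as set in ulog_tg_net_init, and consider a sanity check that groupnum < ULOG_MAXNLGROUPS before it is used as the array index in the offset computation and passed to ulog_send.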
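Review bot: In the ulog_tg_net_init loop, the comment still reads "initialize ulog_buffers" although the loop now also fills ulog->nlgroup[], whose only visible role is to give ulog_timer an address it can turn back into the enclosing struct ulog_net. Suggest extending the comment to say that nlgroup[i] must stay equal to i for as long as the timers can fire, and confirming that nlgroup is declared with unsigned int elements, since the struct definition is not part of this diff and ulog_timer reads the slot through an unsigned int pointer.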