
Commit a08ce73b authored by David S. Miller


Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

The following patchset contains Netfilter/IPVS fixes for your net tree:

1) Reject non-null terminated helper names from xt_CT, from Gao Feng.

2) Fix KASAN splat due to out-of-bound access from commit phase, from
   Alexey Kodanev.

3) Missing conntrack hook registration on IPVS FTP helper, from Julian
   Anastasov.

4) Incorrect skbuff allocation size in bridge nft_reject, from Taehee Yoo.

5) Fix inverted check on packet xmit to non-local addresses, also from
   Julian.

6) Fix ebtables alignment compat problems, from Alin Nastac.

7) Hook mask checks are not correct in xt_set, from Serhey Popovych.

8) Fix timeout listing of element in ipsets, from Jozsef.

9) Cap maximum timeout value in ipset, also from Jozsef.

10) Don't allow family option for hash:mac sets, from Florent Fourcot.

11) Restrict ebtables to work with NFPROTO_BRIDGE targets only, from
    Florian.

12) Another bug reported by KASAN in the rbtree set backend, from
    Taehee Yoo.

13) Missing __IPS_MAX_BIT update doesn't include IPS_OFFLOAD_BIT.
    From Gao Feng.

14) Missing initialization of match/target in ebtables, from Florian
    Westphal.

15) Remove useless nft_dup.h file in include path, from C. Labbe.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>
parents 349b71d6 d8e87fc6
+14 −6
@@ -23,6 +23,9 @@
/* Set is defined with timeout support: timeout value may be 0 */
#define IPSET_NO_TIMEOUT	UINT_MAX

/* Max timeout value, see msecs_to_jiffies() in jiffies.h */
#define IPSET_MAX_TIMEOUT	(UINT_MAX >> 1)/MSEC_PER_SEC

#define ip_set_adt_opt_timeout(opt, set)	\
((opt)->ext.timeout != IPSET_NO_TIMEOUT ? (opt)->ext.timeout : (set)->timeout)

@@ -32,11 +35,10 @@ ip_set_timeout_uget(struct nlattr *tb)
	unsigned int timeout = ip_set_get_h32(tb);

	/* Normalize to fit into jiffies */
	if (timeout > UINT_MAX/MSEC_PER_SEC)
		timeout = UINT_MAX/MSEC_PER_SEC;
	if (timeout > IPSET_MAX_TIMEOUT)
		timeout = IPSET_MAX_TIMEOUT;

	/* Userspace supplied TIMEOUT parameter: adjust crazy size */
	return timeout == IPSET_NO_TIMEOUT ? IPSET_NO_TIMEOUT - 1 : timeout;
	return timeout;
}

static inline bool
@@ -65,8 +67,14 @@ ip_set_timeout_set(unsigned long *timeout, u32 value)
static inline u32
ip_set_timeout_get(const unsigned long *timeout)
{
	return *timeout == IPSET_ELEM_PERMANENT ? 0 :
		jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
	u32 t;

	if (*timeout == IPSET_ELEM_PERMANENT)
		return 0;

	t = jiffies_to_msecs(*timeout - jiffies)/MSEC_PER_SEC;
	/* Zero value in userspace means no timeout */
	return t == 0 ? 1 : t;
}

#endif	/* __KERNEL__ */
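Review bot: `IPSET_MAX_TIMEOUT` expands to `(UINT_MAX >> 1)/MSEC_PER_SEC` with no outer parentheses, so any use beyond a bare comparison (an operand of a following `*` or `/`, for example) would regroup the division; the two comparisons in ip_set_timeout_uget are unaffected, but the macro should be written `#define IPSET_MAX_TIMEOUT ((UINT_MAX >> 1)/MSEC_PER_SEC)`, matching how `ip_set_adt_opt_timeout` below is fully parenthesized. The comment above it says where to look (`msecs_to_jiffies()` in jiffies.h) but not why the cap is half of UINT_MAX; a short reason on that line would spare the next reader the trip, since this bound is what keeps a userspace-supplied value from overflowing the jiffies conversion. ip_set_timeout_uget's signature sits in the hunk header, so its opening is outside the hunk.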
+30 −0
@@ -631,6 +631,7 @@ struct ip_vs_service {

	/* alternate persistence engine */
	struct ip_vs_pe __rcu	*pe;
	int			conntrack_afmask;

	struct rcu_head		rcu_head;
};
@@ -1611,6 +1612,35 @@ static inline bool ip_vs_conn_uses_conntrack(struct ip_vs_conn *cp,
	return false;
}

static inline int ip_vs_register_conntrack(struct ip_vs_service *svc)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	int afmask = (svc->af == AF_INET6) ? 2 : 1;
	int ret = 0;

	if (!(svc->conntrack_afmask & afmask)) {
		ret = nf_ct_netns_get(svc->ipvs->net, svc->af);
		if (ret >= 0)
			svc->conntrack_afmask |= afmask;
	}
	return ret;
#else
	return 0;
#endif
}

static inline void ip_vs_unregister_conntrack(struct ip_vs_service *svc)
{
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
	int afmask = (svc->af == AF_INET6) ? 2 : 1;

	if (svc->conntrack_afmask & afmask) {
		nf_ct_netns_put(svc->ipvs->net, svc->af);
		svc->conntrack_afmask &= ~afmask;
	}
#endif
}

static inline int
ip_vs_dest_conn_overhead(struct ip_vs_dest *dest)
{
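Review bot: The new `conntrack_afmask` member of struct ip_vs_service is the only uncommented field in its hunk, and the meaning of its bits is only discoverable from ip_vs_register_conntrack() much further down; a comment such as `int conntrack_afmask; /* AFs for which nf_ct_netns_get() is held: bit 0 = IPv4, bit 1 = IPv6 */` would tie the two together. The `(svc->af == AF_INET6) ? 2 : 1` expression is duplicated between ip_vs_register_conntrack() and ip_vs_unregister_conntrack(); named constants or a tiny helper would keep the register and unregister paths in sync if a third family is ever added. The `ret >= 0` test treats any non-negative value as success; if nf_ct_netns_get() only ever returns 0 or a negative errno, `ret == 0` states that contract more precisely, but its return convention is not visible on this page.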

include/net/netfilter/nft_dup.h

deleted100644 → 0
+0 −10
/* SPDX-License-Identifier: GPL-2.0 */
#ifndef _NFT_DUP_H_
#define _NFT_DUP_H_

struct nft_dup_inet {
	enum nft_registers	sreg_addr:8;
	enum nft_registers	sreg_dev:8;
};

#endif /* _NFT_DUP_H_ */
+1 −1
@@ -112,7 +112,7 @@ enum ip_conntrack_status {
				 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
				 IPS_SEQ_ADJUST | IPS_TEMPLATE | IPS_OFFLOAD),

	__IPS_MAX_BIT = 14,
	__IPS_MAX_BIT = 15,
};

/* Connection tracking event types */
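Review bot: `__IPS_MAX_BIT` is a hand-maintained count, and this one-line fix is exactly the failure mode that invites: a new IPS_*_BIT was added and the count was not bumped. A comment on the line would make the coupling visible to the next person adding a bit, e.g. `__IPS_MAX_BIT = 15, /* one past the highest IPS_*_BIT above; bump when a bit is added */`. If this header is part of the uapi, deriving the value from the enum is not an option without touching the ABI, so the comment is the practical safeguard; a BUILD_BUG_ON in the kernel-side code that consumes the mask would back it up, assuming one does not already exist.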
+20 −5
@@ -411,6 +411,12 @@ ebt_check_watcher(struct ebt_entry_watcher *w, struct xt_tgchk_param *par,
	watcher = xt_request_find_target(NFPROTO_BRIDGE, w->u.name, 0);
	if (IS_ERR(watcher))
		return PTR_ERR(watcher);

	if (watcher->family != NFPROTO_BRIDGE) {
		module_put(watcher->me);
		return -ENOENT;
	}

	w->u.watcher = watcher;

	par->target   = watcher;
@@ -709,6 +715,8 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
	}
	i = 0;

	memset(&mtpar, 0, sizeof(mtpar));
	memset(&tgpar, 0, sizeof(tgpar));
	mtpar.net	= tgpar.net       = net;
	mtpar.table     = tgpar.table     = name;
	mtpar.entryinfo = tgpar.entryinfo = e;
@@ -730,6 +738,13 @@ ebt_check_entry(struct ebt_entry *e, struct net *net,
		goto cleanup_watchers;
	}

	/* Reject UNSPEC, xtables verdicts/return values are incompatible */
	if (target->family != NFPROTO_BRIDGE) {
		module_put(target->me);
		ret = -ENOENT;
		goto cleanup_watchers;
	}

	t->u.target = target;
	if (t->u.target == &ebt_standard_target) {
		if (gap < sizeof(struct ebt_standard_target)) {
@@ -1605,16 +1620,16 @@ struct compat_ebt_entry_mwt {
		compat_uptr_t ptr;
	} u;
	compat_uint_t match_size;
	compat_uint_t data[0];
	compat_uint_t data[0] __attribute__ ((aligned (__alignof__(struct compat_ebt_replace))));
};

/* account for possible padding between match_size and ->data */
static int ebt_compat_entry_padsize(void)
{
	BUILD_BUG_ON(XT_ALIGN(sizeof(struct ebt_entry_match)) <
			COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt)));
	return (int) XT_ALIGN(sizeof(struct ebt_entry_match)) -
			COMPAT_XT_ALIGN(sizeof(struct compat_ebt_entry_mwt));
	BUILD_BUG_ON(sizeof(struct ebt_entry_match) <
			sizeof(struct compat_ebt_entry_mwt));
	return (int) sizeof(struct ebt_entry_match) -
			sizeof(struct compat_ebt_entry_mwt);
}

static int ebt_compat_match_offset(const struct xt_match *match,
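Review bot: In ebt_compat_entry_padsize() the `(int)` cast binds only to the first `sizeof`, so the subtraction is still performed in size_t and only the result is narrowed on return; the BUILD_BUG_ON just above guarantees it is non-negative, but the intent reads more clearly as `return (int)(sizeof(struct ebt_entry_match) - sizeof(struct compat_ebt_entry_mwt));`. The family check added to ebt_check_watcher() lacks the `/* Reject UNSPEC, xtables verdicts/return values are incompatible */` comment that the matching check in ebt_check_entry() carries; copying it there would document why a successfully looked-up watcher is still refused and its module reference dropped. ebt_compat_match_offset() begins on the hunk's last line and its body is outside the hunk.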