netfilter 00/03: netfilter -stable update

netfilter 00/03: netfilter -stable update

[Patrick McHardy]

[ Sorry for the resend, I forgot to CC netfilter-devel ]

Following are three netfilter patches for -stable, fixing

- a NULL argument to kmem_cache_destroy() in a conntrack error
  path (would cause a BUG_ON)

- incorrect accounting of closed connections in the iptables connlimit match

- incorrect locking in IPv6 connection tracking defragmentation

Please apply, thanks.


 net/ipv6/netfilter/nf_conntrack_reasm.c |    8 +++++---
 net/netfilter/nf_conntrack_expect.c     |    4 ++--
 net/netfilter/xt_connlimit.c            |    3 ++-
 3 files changed, 9 insertions(+), 6 deletions(-)

Alexey Dobriyan (1):
      netfilter: nf_conntrack_expect: fix error path unwind in nf_conntrack_expect_init()

Dong Wei (1):
      netfilter: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state

Jarek Poplawski (1):
      netfilter: nf_conntrack_ipv6: fix inconsistent lock state in nf_ct_frag6_gather()

netfilter 01/03: nf_conntrack_expect: fix error path unwind in nf_conntrack_expect_init()

[Patrick McHardy]

netfilter: nf_conntrack_expect: fix error path unwind in nf_conntrack_expect_init()

Upstream commit 12293bf91126ad253a25e2840b307fdc7c2754c3

Signed-off-by: Alexey Dobriyan <adobriyan@parallels.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

---
commit d025d91021895314ce10cc0ab8e0f627dc1a12fa
tree 585226823a29b62d80781ba2bc605bc7178aa5d3
parent a82a9bfebc74862798a3f6949fe6f6a959c1fd4e
author Alexey Dobriyan <adobriyan@parallels.com> Fri, 06 Jun 2008 19:06:15 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 06 Jun 2008 19:06:15 +0200

 net/netfilter/nf_conntrack_expect.c |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index 684ec9c..d15d70f 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -550,10 +550,10 @@ int __init nf_conntrack_expect_init(void)
 	return 0;
 
 err3:
+	kmem_cache_destroy(nf_ct_expect_cachep);
+err2:
 	nf_ct_free_hashtable(nf_ct_expect_hash, nf_ct_expect_vmalloc,
 			     nf_ct_expect_hsize);
-err2:
-	kmem_cache_destroy(nf_ct_expect_cachep);
 err1:
 	return err;
 }

netfilter 02/03: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state

[Patrick McHardy]

netfilter: xt_connlimit: fix accouning when receive RST packet in ESTABLISHED state

Upstream commit d2ee3f2c4b1db1320c1efb4dcaceeaf6c7e6c2d3:

In xt_connlimit match module, the counter of an IP is decreased when
the TCP packet is go through the chain with ip_conntrack state TW.
Well, it's very natural that the server and client close the socket
with FIN packet. But when the client/server close the socket with RST
packet(using so_linger), the counter for this connection still exsit.
The following patch can fix it which is based on linux-2.6.25.4

Signed-off-by: Dong Wei <dwei.zh@gmail.com>
Acked-by: Jan Engelhardt <jengelh@medozas.de>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 8a39ae5d24374801df08b7aa634ca03080e6b72a
tree 66e43bc28fbc61a0f8a39ca848dfe19d20eb930f
parent d025d91021895314ce10cc0ab8e0f627dc1a12fa
author Dong Wei <dwei.zh@gmail.com> Fri, 06 Jun 2008 19:07:37 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 06 Jun 2008 19:07:37 +0200

 net/netfilter/xt_connlimit.c |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 3b01119..1692338 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -75,7 +75,8 @@ static inline bool already_closed(const struct nf_conn *conn)
 	u_int16_t proto = conn->tuplehash[0].tuple.dst.protonum;
 
 	if (proto == IPPROTO_TCP)
-		return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT;
+		return conn->proto.tcp.state == TCP_CONNTRACK_TIME_WAIT ||
+		       conn->proto.tcp.state == TCP_CONNTRACK_CLOSE;
 	else
 		return 0;
 }

netfilter 03/03: nf_conntrack_ipv6: fix inconsistent lock state in nf_ct_frag6_gather()

[Patrick McHardy]

netfilter: nf_conntrack_ipv6: fix inconsistent lock state in nf_ct_frag6_gather()

Upstream commit b9c698964614f71b9c8afeca163a945b4c2e2d20:

[   63.531438] =================================
[   63.531520] [ INFO: inconsistent lock state ]
[   63.531520] 2.6.26-rc4 #7
[   63.531520] ---------------------------------
[   63.531520] inconsistent {softirq-on-W} -> {in-softirq-W} usage.
[   63.531520] tcpsic6/3864 [HC0[0]:SC1[1]:HE1:SE0] takes:
[   63.531520]  (&q->lock#2){-+..}, at: [<c07175b0>] ipv6_frag_rcv+0xd0/0xbd0
[   63.531520] {softirq-on-W} state was registered at:
[   63.531520]   [<c0143bba>] __lock_acquire+0x3aa/0x1080
[   63.531520]   [<c0144906>] lock_acquire+0x76/0xa0
[   63.531520]   [<c07a8f0b>] _spin_lock+0x2b/0x40
[   63.531520]   [<c0727636>] nf_ct_frag6_gather+0x3f6/0x910
 ...

According to this and another similar lockdep report inet_fragment
locks are taken from nf_ct_frag6_gather() with softirqs enabled, but
these locks are mainly used in softirq context, so disabling BHs is
necessary.

Reported-and-tested-by: Eric Sesterhenn <snakebyte@gmx.de>
Signed-off-by: Jarek Poplawski <jarkao2@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>

---
commit 172060857e309af8d2300eea08b64cc3aea69895
tree 32bd685ce49c758bd0c9e9e93509296e7519903e
parent 8a39ae5d24374801df08b7aa634ca03080e6b72a
author Jarek Poplawski <jarkao2@gmail.com> Fri, 06 Jun 2008 19:07:57 +0200
committer Patrick McHardy <kaber@trash.net> Fri, 06 Jun 2008 19:07:57 +0200

 net/ipv6/netfilter/nf_conntrack_reasm.c |    8 +++++---
 1 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index 24c0d03..b8a917b 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -209,7 +209,9 @@ fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst)
 	arg.dst = dst;
 	hash = ip6qhashfn(id, src, dst);
 
+	local_bh_disable();
 	q = inet_frag_find(&nf_init_frags, &nf_frags, &arg, hash);
+	local_bh_enable();
 	if (q == NULL)
 		goto oom;
 
@@ -638,10 +640,10 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb)
 		goto ret_orig;
 	}
 
-	spin_lock(&fq->q.lock);
+	spin_lock_bh(&fq->q.lock);
 
 	if (nf_ct_frag6_queue(fq, clone, fhdr, nhoff) < 0) {
-		spin_unlock(&fq->q.lock);
+		spin_unlock_bh(&fq->q.lock);
 		pr_debug("Can't insert skb to queue\n");
 		fq_put(fq);
 		goto ret_orig;
@@ -652,7 +654,7 @@ struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb)
 		if (ret_skb == NULL)
 			pr_debug("Can't reassemble fragmented packets\n");
 	}
-	spin_unlock(&fq->q.lock);
+	spin_unlock_bh(&fq->q.lock);
 
 	fq_put(fq);
 	return ret_skb;