From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 00/19] Netfilter fixes for net
Date: Tue, 20 Feb 2018 17:38:47 +0100
Message-ID: <20180220163906.12380-1-pablo@netfilter.org>

Hi David,

The following patchset contains a large batch with Netfilter fixes for
your net tree, mostly due to syzbot report fixups and pr_err()
ratelimiting, more specifically, they are:

1) Get rid of superfluous unnecessary check in x_tables before vmalloc(),
   we don't hit BUG there anymore, patch from Michal Hocko, suggested by
   Andrew Morton.

2) Race condition in proc file creation in ipt_CLUSTERIP, from Cong Wang.

3) Drop socket lock that results in circular locking dependency, patch
   from Paolo Abeni.

4) Drop packet in case of malformed blob that makes backpointer jump
   in x_tables, from Florian Westphal.

5) Fix refcount leak due to race in ipt_CLUSTERIP in
   clusterip_config_find_get(), from Cong Wang.

6) Several patches to ratelimit pr_err() for x_tables since this can be
   a problem where CAP_NET_ADMIN semantics can protect us in untrusted
   namespace, from Florian Westphal.

7) Missing .gitignore update for new autogenerated asn1 state machine
   for the SNMP NAT helper, from Zhu Lingshan.

8) Missing timer initialization in xt_LED, from Paolo Abeni.

9) Do not allow negative port range in NAT, also from Paolo.

10) Lock imbalance in the xt_hashlimit rate match mode, patch from
    Eric Dumazet.

11) Initialize workqueue before timer in the idletimer match,
    from Eric Dumazet.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

P.S: If I can get net.git merged into net-next.git, I'll appreciate it,
since I have people willing to bang me here with patches that
have dependencies with this batch. Thanks again!

----------------------------------------------------------------

The following changes since commit 5c487bb9adddbc1d23433e09d2548759375c2b52:

  tcp: tracepoint: only call trace_tcp_send_reset with full socket (2018-02-07 22:00:42 -0500)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to cfc2c740533368b96e2be5e0a4e8c3cace7d9814:

  netfilter: IDLETIMER: be syzkaller friendly (2018-02-19 18:28:59 +0100)

----------------------------------------------------------------
Cong Wang (2):
      netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
      netfilter: ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()

Eric Dumazet (2):
      netfilter: xt_hashlimit: fix lock imbalance
      netfilter: IDLETIMER: be syzkaller friendly

Florian Westphal (10):
      netfilter: add back stackpointer size checks
      netfilter: x_tables: remove pr_info where possible
      netfilter: x_tables: use pr ratelimiting in xt core
      netfilter: xt_CT: use pr ratelimiting
      netfilter: xt_NFQUEUE: use pr ratelimiting
      netfilter: xt_set: use pr ratelimiting
      netfilter: bridge: use pr ratelimiting
      netfilter: x_tables: rate-limit table mismatch warnings
      netfilter: x_tables: use pr ratelimiting in matches/targets
      netfilter: x_tables: use pr ratelimiting in all remaining spots

Michal Hocko (1):
      netfilter: x_tables: remove size check

Paolo Abeni (3):
      netfilter: drop outermost socket lock in getsockopt()
      netfilter: x_tables: fix missing timer initialization in xt_LED
      netfilter: nat: cope with negative port range

Zhu Lingshan (1):
      .gitignore: ignore ASN.1 auto generated files

.gitignore | 4 ++
net/bridge/netfilter/ebt_among.c | 10 ++---
net/bridge/netfilter/ebt_limit.c | 4 +-
net/ipv4/ip_sockglue.c | 7 +---
net/ipv4/netfilter/arp_tables.c | 4 ++
net/ipv4/netfilter/ip_tables.c | 7 +++-
net/ipv4/netfilter/ipt_CLUSTERIP.c | 20 ++++++----
net/ipv4/netfilter/ipt_ECN.c | 12 +++---
net/ipv4/netfilter/ipt_REJECT.c | 4 +-
net/ipv4/netfilter/ipt_rpfilter.c | 6 +--
net/ipv6/ipv6_sockglue.c | 10 +----
net/ipv6/netfilter/ip6_tables.c | 4 ++
net/ipv6/netfilter/ip6t_REJECT.c | 4 +-
net/ipv6/netfilter/ip6t_rpfilter.c | 6 +--
net/ipv6/netfilter/ip6t_srh.c | 6 ++-
net/netfilter/nf_nat_proto_common.c | 7 +++-
net/netfilter/x_tables.c | 74 +++++++++++++++++--------------------
net/netfilter/xt_AUDIT.c | 4 +-
net/netfilter/xt_CHECKSUM.c | 8 ++--
net/netfilter/xt_CONNSECMARK.c | 10 ++---
net/netfilter/xt_CT.c | 25 +++++++------
net/netfilter/xt_DSCP.c | 4 +-
net/netfilter/xt_HL.c | 13 ++-----
net/netfilter/xt_HMARK.c | 27 ++++++++------
net/netfilter/xt_IDLETIMER.c | 9 +++--
net/netfilter/xt_LED.c | 16 ++++----
net/netfilter/xt_NFQUEUE.c | 8 ++--
net/netfilter/xt_SECMARK.c | 18 +++++----
net/netfilter/xt_TCPMSS.c | 10 ++---
net/netfilter/xt_TPROXY.c | 6 +--
net/netfilter/xt_addrtype.c | 33 ++++++++---------
net/netfilter/xt_bpf.c | 4 +-
net/netfilter/xt_cgroup.c | 8 ++--
net/netfilter/xt_cluster.c | 8 ++--
net/netfilter/xt_connbytes.c | 4 +-
net/netfilter/xt_connlabel.c | 7 ++--
net/netfilter/xt_connmark.c | 8 ++--
net/netfilter/xt_conntrack.c | 4 +-
net/netfilter/xt_dscp.c | 4 +-
net/netfilter/xt_ecn.c | 4 +-
net/netfilter/xt_hashlimit.c | 26 +++++++------
net/netfilter/xt_helper.c | 4 +-
net/netfilter/xt_ipcomp.c | 2 +-
net/netfilter/xt_ipvs.c | 3 +-
net/netfilter/xt_l2tp.c | 22 ++++++-----
net/netfilter/xt_limit.c | 4 +-
net/netfilter/xt_nat.c | 5 ++-
net/netfilter/xt_nfacct.c | 6 ++-
net/netfilter/xt_physdev.c | 4 +-
net/netfilter/xt_policy.c | 23 +++++++-----
net/netfilter/xt_recent.c | 14 +++----
net/netfilter/xt_set.c | 50 ++++++++++++-------------
net/netfilter/xt_socket.c | 10 +++--
net/netfilter/xt_state.c | 4 +-
net/netfilter/xt_time.c | 6 +--
55 files changed, 314 insertions(+), 300 deletions(-)