From: Pablo Neira Ayuso
Subject: [PATCH 0/9] Netfilter fixes for net
Date: Wed, 13 Jun 2018 12:56:51 +0200
Message-ID: <20180613105700.12894-1-pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org

Hi David,

The following patchset contains Netfilter patches for your net tree:

1) Fix NULL pointer dereference from nf_nat_decode_session() if NAT is
   not loaded, from Prashant Bhole.

2) Fix socket extension module autoload.

3) Don't bogusly reject sets with the NFT_SET_EVAL flag set on from the
   dynset extension.

4) Fix races with nf_tables module removal and netns exit path, patches
   from Florian Westphal.

5) Don't hit BUG_ON if jumpstack goes too deep, instead hit WARN_ON_ONCE,
   from Taehee Yoo.

6) Another NULL pointer dereference from ctnetlink, again if NAT is not
   loaded, from Florian Westphal.

7) Fix x_tables match list corruption in xt_connmark module removal path,
   also from Florian.

8) nf_conncount doesn't properly deal with conntrack zones, hence the
   garbage collector may get rid of entries in a different zone. From
   Yi-Hung Wei.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.
----------------------------------------------------------------
The following changes since commit 6892286e9c09925780fe2cb6db3585b56b71fe8e:

  tcp: Do not reload skb pointer after skb_gro_receive(). (2018-06-11 20:00:56 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 21ba8847f857028dc83a0f341e16ecc616e34740:

  netfilter: nf_conncount: Fix garbage collection with zones (2018-06-12 20:07:07 +0200)

----------------------------------------------------------------
Florian Westphal (4):
      netfilter: nf_tables: fix module unload race
      netfilter: nf_tables: close race between netns exit and rmmod
      netfilter: ctnetlink: avoid null pointer dereference
      netfilter: xt_connmark: fix list corruption on rmmod

Pablo Neira Ayuso (2):
      netfilter: nft_socket: fix module autoload
      netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL

Prashant Bhole (1):
      netfilter: fix null-ptr-deref in nf_nat_decode_session

Taehee Yoo (1):
      netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain()

Yi-Hung Wei (1):
      netfilter: nf_conncount: Fix garbage collection with zones

 include/linux/netfilter.h                  |  2 +-
 include/net/netfilter/nf_conntrack_count.h |  3 ++-
 include/uapi/linux/netfilter/nf_tables.h   |  2 +-
 net/netfilter/nf_conncount.c               | 13 +++++++++----
 net/netfilter/nf_conntrack_netlink.c       |  3 ++-
 net/netfilter/nf_tables_api.c              | 25 +++++++++++++++++++------
 net/netfilter/nf_tables_core.c             |  3 ++-
 net/netfilter/nfnetlink.c                  | 10 +++++++---
 net/netfilter/nft_chain_filter.c           |  5 +++++
 net/netfilter/nft_connlimit.c              |  2 +-
 net/netfilter/nft_dynset.c                 |  4 +---
 net/netfilter/nft_socket.c                 |  1 +
 net/netfilter/xt_connmark.c                |  2 +-
 13 files changed, 52 insertions(+), 23 deletions(-)