* [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
From: pablo @ 2012-10-11 10:07 UTC
To: stable; +Cc: netfilter-devel

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi!

The following patchset contains fixes for stable 3.4 onwards.

The selected three patches are:

283283c ipvs: fix oops in ip_vs_dst_event on rmmod
66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
a73f89a netfilter: ipset: timeout fixing bug broke SET target special timeout value [REQUIRES 127f559 netfilter: ipset: fix timeout value overflow bug]

Please, cherry-pick them. Thanks!

* [PATCH 1/3] ipvs: fix oops in ip_vs_dst_event on rmmod 2012-10-11 10:07 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo @ 2012-10-11 10:07 ` pablo 2012-10-11 10:07 ` [PATCH 2/3] netfilter: nf_conntrack: fix racy timer handling with reliable events pablo ` (2 subsequent siblings) 3 siblings, 0 replies; 12+ messages in thread From: pablo @ 2012-10-11 10:07 UTC (permalink / raw) To: stable; +Cc: netfilter-devel From: Julian Anastasov <ja@ssi.bg> After commit 39f618b4fd95ae243d940ec64c961009c74e3333 (3.4) "ipvs: reset ipvs pointer in netns" we can oops in ip_vs_dst_event on rmmod ip_vs because ip_vs_control_cleanup is called after the ipvs_core_ops subsys is unregistered and net->ipvs is NULL. Fix it by exiting early from ip_vs_dst_event if ipvs is NULL. It is safe because all services and dests for the net are already freed. Signed-off-by: Julian Anastasov <ja@ssi.bg> Signed-off-by: Simon Horman <horms@verge.net.au> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- net/netfilter/ipvs/ip_vs_ctl.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/netfilter/ipvs/ip_vs_ctl.c b/net/netfilter/ipvs/ip_vs_ctl.c index d43e3c1..84444dd 100644 --- a/net/netfilter/ipvs/ip_vs_ctl.c +++ b/net/netfilter/ipvs/ip_vs_ctl.c @@ -1521,11 +1521,12 @@ static int ip_vs_dst_event(struct notifier_block *this, unsigned long event, { struct net_device *dev = ptr; struct net *net = dev_net(dev); + struct netns_ipvs *ipvs = net_ipvs(net); struct ip_vs_service *svc; struct ip_vs_dest *dest; unsigned int idx; - if (event != NETDEV_UNREGISTER) + if (event != NETDEV_UNREGISTER || !ipvs) return NOTIFY_DONE; IP_VS_DBG(3, "%s() dev=%s\n", __func__, dev->name); EnterFunction(2); 
@@ -1551,7 +1552,7 @@ static int ip_vs_dst_event(struct notifier_block *this, unsigned long event, } } - list_for_each_entry(dest, &net_ipvs(net)->dest_trash, n_list) { + list_for_each_entry(dest, &ipvs->dest_trash, n_list) { __ip_vs_dev_reset(dest, dev); } mutex_unlock(&__ip_vs_mutex); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 12+ messages in thread
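Review bot: in the first hunk of ip_vs_dst_event(), the added `|| !ipvs` test has no comment, so the reason net_ipvs(net) can be NULL inside a netdevice notifier lives only in the commit message. A short comment above the test, saying that the notifier can still run after the ipvs_core_ops subsys has been unregistered during rmmod and that all services and dests for the net are already freed at that point, would keep the check from being dropped later as apparently dead code. The pointer is also read at declaration, before __ip_vs_mutex is taken; that matches the rmmod case described, but the comment should say so.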
* [PATCH 2/3] netfilter: nf_conntrack: fix racy timer handling with reliable events 2012-10-11 10:07 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo 2012-10-11 10:07 ` [PATCH 1/3] ipvs: fix oops in ip_vs_dst_event on rmmod pablo @ 2012-10-11 10:07 ` pablo 2012-10-11 10:07 ` [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value pablo 2012-10-11 19:09 ` [PATCH] Netfilter/IPVS updates for stable 3.4 onwards David Miller 3 siblings, 0 replies; 12+ messages in thread From: pablo @ 2012-10-11 10:07 UTC (permalink / raw) To: stable; +Cc: netfilter-devel From: Pablo Neira <pablo@netfilter.org> Existing code assumes that del_timer returns true for alive conntrack entries. However, this is not true if reliable events are enabled. In that case, del_timer may return true for entries that were just inserted in the dying list. Note that packets / ctnetlink may hold references to conntrack entries that were just inserted to such list. This patch fixes the issue by adding an independent timer for event delivery. This increases the size of the ecache extension. Still we can revisit this later and use variable size extensions to allocate this area on demand. Tested-by: Oliver Smith <olipro@8.c.9.b.0.7.4.0.1.0.0.2.ip6.arpa> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- include/net/netfilter/nf_conntrack_ecache.h | 1 + net/netfilter/nf_conntrack_core.c | 16 +++++++++++----- 2 files changed, 12 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_ecache.h b/include/net/netfilter/nf_conntrack_ecache.h index e1ce104..4a045cd 100644 --- a/include/net/netfilter/nf_conntrack_ecache.h +++ b/include/net/netfilter/nf_conntrack_ecache.h @@ -18,6 +18,7 @@ struct nf_conntrack_ecache { u16 ctmask; /* bitmask of ct events to be delivered */ u16 expmask; /* bitmask of expect events to be delivered */ u32 pid; /* netlink pid of destroyer */ + struct timer_list timeout; }; static inline struct nf_conntrack_ecache * 
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index cf48755..2ceec64 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -249,12 +249,15 @@ static void death_by_event(unsigned long ul_conntrack) { struct nf_conn *ct = (void *)ul_conntrack; struct net *net = nf_ct_net(ct); + struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct); + + BUG_ON(ecache == NULL); if (nf_conntrack_event(IPCT_DESTROY, ct) < 0) { /* bad luck, let's retry again */ - ct->timeout.expires = jiffies + + ecache->timeout.expires = jiffies + (random32() % net->ct.sysctl_events_retry_timeout); - add_timer(&ct->timeout); + add_timer(&ecache->timeout); return; } /* we've got the event delivered, now it's dying */ @@ -268,6 +271,9 @@ static void death_by_event(unsigned long ul_conntrack) void nf_ct_insert_dying_list(struct nf_conn *ct) { struct net *net = nf_ct_net(ct); + struct nf_conntrack_ecache *ecache = nf_ct_ecache_find(ct); + + BUG_ON(ecache == NULL); /* add this conntrack to the dying list */ spin_lock_bh(&nf_conntrack_lock); @@ -275,10 +281,10 @@ void nf_ct_insert_dying_list(struct nf_conn *ct) &net->ct.dying); spin_unlock_bh(&nf_conntrack_lock); /* set a new timer to retry event delivery */ - setup_timer(&ct->timeout, death_by_event, (unsigned long)ct); - ct->timeout.expires = jiffies + + setup_timer(&ecache->timeout, death_by_event, (unsigned long)ct); + ecache->timeout.expires = jiffies + (random32() % net->ct.sysctl_events_retry_timeout); - add_timer(&ct->timeout); + add_timer(&ecache->timeout); } EXPORT_SYMBOL_GPL(nf_ct_insert_dying_list); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 12+ messages in thread
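Review bot: in the nf_conntrack_ecache.h hunk, the new `struct timer_list timeout;` member has no trailing comment, unlike the three fields shown just above it, and it shares its name with the `ct->timeout` it replaces in nf_conntrack_core.c. A comment such as "timer to retry destroy event delivery", or a more specific member name, would make it clear that this is not the conntrack lifetime timer.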
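Review bot: both death_by_event() and nf_ct_insert_dying_list() gain `BUG_ON(ecache == NULL)`, which stops the machine, in the first case from a timer callback, if a conntrack without the ecache extension ever reaches this path. Please state next to the check why the extension is guaranteed to be present for every entry that gets here, or consider a WARN_ON_ONCE() with an explicit fallback instead. These hunks also only arm `ecache->timeout` with setup_timer()/add_timer(); it would help to say where that timer is stopped before the extension area is released.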
* [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value 2012-10-11 10:07 [PATCH] Netfilter/IPVS updates for stable 3.4 onwards pablo 2012-10-11 10:07 ` [PATCH 1/3] ipvs: fix oops in ip_vs_dst_event on rmmod pablo 2012-10-11 10:07 ` [PATCH 2/3] netfilter: nf_conntrack: fix racy timer handling with reliable events pablo @ 2012-10-11 10:07 ` pablo 2012-10-11 19:09 ` [PATCH] Netfilter/IPVS updates for stable 3.4 onwards David Miller 3 siblings, 0 replies; 12+ messages in thread From: pablo @ 2012-10-11 10:07 UTC (permalink / raw) To: stable; +Cc: netfilter-devel From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> The patch "127f559 netfilter: ipset: fix timeout value overflow bug" broke the SET target when no timeout was specified. Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- This patch requires: commit 127f559127f5175e4bec3dab725a34845d956591 Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Date: Mon May 7 02:35:44 2012 +0000 netfilter: ipset: fix timeout value overflow bug Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz) --- net/netfilter/xt_set.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c index 035960e..c6f7db7 100644 --- a/net/netfilter/xt_set.c +++ b/net/netfilter/xt_set.c @@ -16,6 +16,7 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_set.h> +#include <linux/netfilter/ipset/ip_set_timeout.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); 
@@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) info->del_set.flags, 0, UINT_MAX); /* Normalize to fit into jiffies */ - if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC) + if (add_opt.timeout != IPSET_NO_TIMEOUT && + add_opt.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.timeout = UINT_MAX/MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 12+ messages in thread
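Review bot: in the set_target_v2() hunk, the existing comment "Normalize to fit into jiffies" no longer covers the whole condition, because IPSET_NO_TIMEOUT is now exempted from the clamp. Please extend the comment to say that the sentinel must pass through unchanged, and note that a user-supplied timeout equal to the sentinel value bypasses the clamp as well, since both live in `add_opt.timeout`. The diffstat shows a change to set_target_v2() only; any other path that applies the same UINT_MAX/MSEC_PER_SEC clamp needs the same exemption.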
* Re: [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
From: David Miller @ 2012-10-11 19:09 UTC
To: pablo; +Cc: stable, netfilter-devel

From: pablo@netfilter.org
Date: Thu, 11 Oct 2012 12:07:31 +0200

> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> Hi!
>
> The following patchset contains fixes for stable 3.4 onwards.
>
> The selected three patches are:
>
> 283283c ipvs: fix oops in ip_vs_dst_event on rmmod
> 66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
> a73f89a netfilter: ipset: timeout fixing bug broke SET target special timeout value [REQUIRES 127f559 netfilter: ipset: fix timeout value overflow bug]
>
> Please, cherry-pick them. Thanks!

Acked-by: David S. Miller <davem@davemloft.net>

* [PATCH] Netfilter/IPVS updates for stable 3.4 onwards
From: pablo @ 2012-10-11 10:17 UTC
To: stable; +Cc: netfilter-devel

From: Pablo Neira Ayuso <pablo@netfilter.org>

Hi!

The following patchset contains fixes for stable 3.4 onwards.

The selected three patches are:

283283c ipvs: fix oops in ip_vs_dst_event on rmmod
66b6aaf netfilter: nf_conntrack: fix racy timer handling with reliable events
a73f89a netfilter: ipset: timeout fixing bug broke SET target special timeout value [REQUIRES 127f559 netfilter: ipset: fix timeout value overflow bug]

Please, cherry-pick them. Thanks!

* [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value 2012-10-11 10:17 pablo @ 2012-10-11 10:17 ` pablo 2012-10-15 23:22 ` Greg KH 0 siblings, 1 reply; 12+ messages in thread From: pablo @ 2012-10-11 10:17 UTC (permalink / raw) To: stable; +Cc: netfilter-devel From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> The patch "127f559 netfilter: ipset: fix timeout value overflow bug" broke the SET target when no timeout was specified. Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> --- This patch requires: commit 127f559127f5175e4bec3dab725a34845d956591 Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu> Date: Mon May 7 02:35:44 2012 +0000 netfilter: ipset: fix timeout value overflow bug Large timeout parameters could result wrong timeout values due to an overflow at msec to jiffies conversion (reported by Andreas Herz) --- net/netfilter/xt_set.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_set.c b/net/netfilter/xt_set.c index 035960e..c6f7db7 100644 --- a/net/netfilter/xt_set.c +++ b/net/netfilter/xt_set.c @@ -16,6 +16,7 @@ #include <linux/netfilter/x_tables.h> #include <linux/netfilter/xt_set.h> +#include <linux/netfilter/ipset/ip_set_timeout.h> MODULE_LICENSE("GPL"); MODULE_AUTHOR("Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>"); @@ -310,7 +311,8 @@ set_target_v2(struct sk_buff *skb, const struct xt_action_param *par) info->del_set.flags, 0, UINT_MAX); /* Normalize to fit into jiffies */ - if (add_opt.timeout > UINT_MAX/MSEC_PER_SEC) + if (add_opt.timeout != IPSET_NO_TIMEOUT && + add_opt.timeout > UINT_MAX/MSEC_PER_SEC) add_opt.timeout = UINT_MAX/MSEC_PER_SEC; if (info->add_set.index != IPSET_INVALID_ID) ip_set_add(info->add_set.index, skb, par, &add_opt); -- 1.7.10.4 ^ permalink raw reply related [flat|nested] 12+ messages in thread
* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: Greg KH @ 2012-10-15 23:22 UTC
To: pablo; +Cc: stable, netfilter-devel

On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
>
> The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> broke the SET target when no timeout was specified.
>
> Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> ---
>
> This patch requires:
>
> commit 127f559127f5175e4bec3dab725a34845d956591
> Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Date: Mon May 7 02:35:44 2012 +0000
>
> netfilter: ipset: fix timeout value overflow bug
>
> Large timeout parameters could result wrong timeout values due to
> an overflow at msec to jiffies conversion (reported by Andreas Herz)

This patch doesn't apply to the 3.0.y series, care to provide a
backport, and a backported version of the original patch above that
needs it?

thanks,

greg k-h

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: Greg KH @ 2012-10-15 23:27 UTC
To: pablo; +Cc: stable, netfilter-devel

On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> >
> > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > broke the SET target when no timeout was specified.
> >
> > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > ---
> >
> > This patch requires:
> >
> > commit 127f559127f5175e4bec3dab725a34845d956591
> > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > Date: Mon May 7 02:35:44 2012 +0000
> >
> > netfilter: ipset: fix timeout value overflow bug
> >
> > Large timeout parameters could result wrong timeout values due to
> > an overflow at msec to jiffies conversion (reported by Andreas Herz)
>
> This patch doesn't apply to the 3.0.y series, care to provide a
> backport, and a backported version of the original patch above that
> needs it?

Oh wait, should I apply the 3.0.y specific patches first? I'll go do
that and see if these two then apply here...

thanks,

greg k-h

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: Greg KH @ 2012-10-15 23:40 UTC
To: pablo; +Cc: stable, netfilter-devel

On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > >
> > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > broke the SET target when no timeout was specified.
> > >
> > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > ---
> > >
> > > This patch requires:
> > >
> > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > Date: Mon May 7 02:35:44 2012 +0000
> > >
> > > netfilter: ipset: fix timeout value overflow bug
> > >
> > > Large timeout parameters could result wrong timeout values due to
> > > an overflow at msec to jiffies conversion (reported by Andreas Herz)
> >
> > This patch doesn't apply to the 3.0.y series, care to provide a
> > backport, and a backported version of the original patch above that
> > needs it?
>
> Oh wait, should I apply the 3.0.y specific patches first? I'll go do
> that and see if these two then apply here...

Nope, doesn't apply. Care to backport both of these patches for 3.0.y
and send them to us?

thanks,

greg k-h

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: Pablo Neira Ayuso @ 2012-10-16 9:36 UTC
To: Greg KH; +Cc: stable, netfilter-devel

On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > >
> > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > broke the SET target when no timeout was specified.
> > > >
> > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > ---
> > > >
> > > > This patch requires:
> > > >
> > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > Date: Mon May 7 02:35:44 2012 +0000
> > > >
> > > > netfilter: ipset: fix timeout value overflow bug
> > > >
> > > > Large timeout parameters could result wrong timeout values due to
> > > > an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > >
> > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > backport, and a backported version of the original patch above that
> > > needs it?
> >
> > Oh wait, should I apply the 3.0.y specific patches first? I'll go do
> > that and see if these two then apply here...
>
> Nope, doesn't apply. Care to backport both of these patches for 3.0.y
> and send them to us?

I can send you the backport for 3.2 but not for 3.0.

That fix is for one feature that was added in 3.1, so no way to make it
for 3.0 :-)

Let me know.

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: Greg KH @ 2012-10-16 16:32 UTC
To: Pablo Neira Ayuso; +Cc: stable, netfilter-devel

On Tue, Oct 16, 2012 at 11:36:53AM +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > >
> > > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > > broke the SET target when no timeout was specified.
> > > > >
> > > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > > ---
> > > > >
> > > > > This patch requires:
> > > > >
> > > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Date: Mon May 7 02:35:44 2012 +0000
> > > > >
> > > > > netfilter: ipset: fix timeout value overflow bug
> > > > >
> > > > > Large timeout parameters could result wrong timeout values due to
> > > > > an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > >
> > > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > > backport, and a backported version of the original patch above that
> > > > needs it?
> > >
> > > Oh wait, should I apply the 3.0.y specific patches first? I'll go do
> > > that and see if these two then apply here...
> >
> > Nope, doesn't apply. Care to backport both of these patches for 3.0.y
> > and send them to us?
>
> I can send you the backport for 3.2 but not for 3.0.
>
> That fix is for one feature that was added in 3.1, so no way to make it
> for 3.0 :-)

Ah, ok, no worries then.

greg k-h

* Re: [PATCH 3/3] netfilter: ipset: timeout fixing bug broke SET target special timeout value
From: Ben Hutchings @ 2012-10-17 2:09 UTC
To: Pablo Neira Ayuso; +Cc: Greg KH, stable, netfilter-devel

On Tue, 2012-10-16 at 11:36 +0200, Pablo Neira Ayuso wrote:
> On Mon, Oct 15, 2012 at 04:40:22PM -0700, Greg KH wrote:
> > On Mon, Oct 15, 2012 at 04:27:50PM -0700, Greg KH wrote:
> > > On Mon, Oct 15, 2012 at 04:22:25PM -0700, Greg KH wrote:
> > > > On Thu, Oct 11, 2012 at 12:17:38PM +0200, pablo@netfilter.org wrote:
> > > > > From: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > >
> > > > > The patch "127f559 netfilter: ipset: fix timeout value overflow bug"
> > > > > broke the SET target when no timeout was specified.
> > > > >
> > > > > Reported-by: Jean-Philippe Menil <jean-philippe.menil@univ-nantes.fr>
> > > > > Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> > > > > ---
> > > > >
> > > > > This patch requires:
> > > > >
> > > > > commit 127f559127f5175e4bec3dab725a34845d956591
> > > > > Author: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> > > > > Date: Mon May 7 02:35:44 2012 +0000
> > > > >
> > > > > netfilter: ipset: fix timeout value overflow bug
> > > > >
> > > > > Large timeout parameters could result wrong timeout values due to
> > > > > an overflow at msec to jiffies conversion (reported by Andreas Herz)
> > > >
> > > > This patch doesn't apply to the 3.0.y series, care to provide a
> > > > backport, and a backported version of the original patch above that
> > > > needs it?
> > >
> > > Oh wait, should I apply the 3.0.y specific patches first? I'll go do
> > > that and see if these two then apply here...
> >
> > Nope, doesn't apply. Care to backport both of these patches for 3.0.y
> > and send them to us?
>
> I can send you the backport for 3.2 but not for 3.0.
>
> That fix is for one feature that was added in 3.1, so no way to make it
> for 3.0 :-)
>
> Let me know.

I look after 3.2. I don't think the original timeout overflow bug is
important enough for a stable update, so I don't intend to apply either
of these.

Ben.

--
Ben Hutchings
No political challenge can be met by shopping. - George Monbiot
