[PATCH 0/3] Netfilter fixes for net

[PATCH 0/3] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi David,

The following patchset contain Netfilter simple fixes for your net tree,
two one-liner and one two-liner:

1) Oneliner to fix missing spinlock definition that triggers
   'BUG: spinlock bad magic on CPU#' when spinlock debugging is enabled,
   from Florian Westphal.

2) Fix missing workqueue cancelation on IDLETIMER removal,
   from Liping Zhang.

3) Fix insufficient validation of netlink of NFACCT_QUOTA in
   nfnetlink_acct, from Phil Turnbull.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks!

----------------------------------------------------------------

The following changes since commit f28f20da704d399fb1e4d8838ffd697a357d9cc8:

  Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net (2016-04-26 16:25:51 -0700)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to eda3fc50daa93b08774a18d51883c5a5d8d85e15:

  netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter (2016-05-05 16:47:08 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: init all_locks to avoid debug warning

Liping Zhang (1):
      netfilter: IDLETIMER: fix race condition when destroy the target

Phil Turnbull (1):
      netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter

 net/netfilter/nf_conntrack_core.c | 2 +-
 net/netfilter/nfnetlink_acct.c    | 2 ++
 net/netfilter/xt_IDLETIMER.c      | 1 +
 3 files changed, 4 insertions(+), 1 deletion(-)

[PATCH 1/3] netfilter: conntrack: init all_locks to avoid debug warning

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

Else we get 'BUG: spinlock bad magic on CPU#' on resize when
spin lock debugging is enabled.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nf_conntrack_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index afde5f5..895d11d 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -66,7 +66,7 @@ EXPORT_SYMBOL_GPL(nf_conntrack_locks);
 __cacheline_aligned_in_smp DEFINE_SPINLOCK(nf_conntrack_expect_lock);
 EXPORT_SYMBOL_GPL(nf_conntrack_expect_lock);
 
-static __read_mostly spinlock_t nf_conntrack_locks_all_lock;
+static __read_mostly DEFINE_SPINLOCK(nf_conntrack_locks_all_lock);
 static __read_mostly bool nf_conntrack_locks_all;
 
 void nf_conntrack_lock(spinlock_t *lock) __acquires(lock)
-- 
2.1.4

[PATCH 2/3] netfilter: IDLETIMER: fix race condition when destroy the target

[Pablo Neira Ayuso]

From: Liping Zhang <liping.zhang@spreadtrum.com>

Workqueue maybe still in running while we destroy the IDLETIMER target,
thus cause a use after free error, add cancel_work_sync() to avoid such
situation.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_IDLETIMER.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/netfilter/xt_IDLETIMER.c b/net/netfilter/xt_IDLETIMER.c
index 29d2c31..daf45da 100644
--- a/net/netfilter/xt_IDLETIMER.c
+++ b/net/netfilter/xt_IDLETIMER.c
@@ -236,6 +236,7 @@ static void idletimer_tg_destroy(const struct xt_tgdtor_param *par)
 
 		list_del(&info->timer->entry);
 		del_timer_sync(&info->timer->timer);
+		cancel_work_sync(&info->timer->work);
 		sysfs_remove_file(idletimer_tg_kobj, &info->timer->attr.attr);
 		kfree(info->timer->attr.attr.name);
 		kfree(info->timer);
-- 
2.1.4

[PATCH 3/3] netfilter: nfnetlink_acct: validate NFACCT_QUOTA parameter

[Pablo Neira Ayuso]

From: Phil Turnbull <phil.turnbull@oracle.com>

If a quota bit is set in NFACCT_FLAGS but the NFACCT_QUOTA parameter is
missing then a NULL pointer dereference is triggered. CAP_NET_ADMIN is
required to trigger the bug.

Signed-off-by: Phil Turnbull <phil.turnbull@oracle.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nfnetlink_acct.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/netfilter/nfnetlink_acct.c b/net/netfilter/nfnetlink_acct.c
index 4c2b4c0..dbd0803 100644
--- a/net/netfilter/nfnetlink_acct.c
+++ b/net/netfilter/nfnetlink_acct.c
@@ -96,6 +96,8 @@ static int nfnl_acct_new(struct net *net, struct sock *nfnl,
 			return -EINVAL;
 		if (flags & NFACCT_F_OVERQUOTA)
 			return -EINVAL;
+		if ((flags & NFACCT_F_QUOTA) && !tb[NFACCT_QUOTA])
+			return -EINVAL;
 
 		size += sizeof(u64);
 	}
-- 
2.1.4

Re: [PATCH 0/3] Netfilter fixes for net

[David Miller]

From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Mon,  9 May 2016 21:52:00 +0200

> The following patchset contain Netfilter simple fixes for your net tree,
> two one-liner and one two-liner:
> 
> 1) Oneliner to fix missing spinlock definition that triggers
>    'BUG: spinlock bad magic on CPU#' when spinlock debugging is enabled,
>    from Florian Westphal.
> 
> 2) Fix missing workqueue cancelation on IDLETIMER removal,
>    from Liping Zhang.
> 
> 3) Fix insufficient validation of netlink of NFACCT_QUOTA in
>    nfnetlink_acct, from Phil Turnbull.

Pulled, thanks.