From: Florian Westphal <fw@strlen.de>
To: <netdev@vger.kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
<netfilter-devel@vger.kernel.org>
Subject: [PATCH net 0/9] netfilter fixes for net
Date: Wed, 16 Aug 2023 00:29:50 +0200
Message-ID: <20230815223011.7019-1-fw@strlen.de>

Hello,

These are netfilter fixes for the *net* tree.

First patch resolves a false-positive lockdep splat:
rcu_dereference is used outside of rcu read lock. Let lockdep
validate that the transaction mutex is locked.

Second patch fixes a kdoc warning added in previous PR.

Third patch fixes a memory leak:
The catchall element isn't disabled correctly, which allows
userspace to deactivate the element again. This results in a refcount
underflow which in turn prevents memory release. This has been
broken since the feature was added in 5.13.

Patch 4 fixes an incorrect change in the previous pull request:
Adding a duplicate key to a set should work if the duplicate key
has expired; restore this behaviour. All from myself.

Patch #5 resolves an old historic artifact in sctp conntrack:
a 300ms timeout for shutdown_ack. Increase this to 3s. From Xin Long.

Patch #6 fixes a sysctl data race in ipvs: two threads can clobber the
sysctl value. From Sishuai Gong. This is a day-0 bug that predates git
history.

Patches 7, 8 and 9, from Pablo Neira Ayuso, are also followups
for the previous GC rework in nf_tables: the netlink notifier and the
netns exit path must both increment the gc worker seqcount, else the worker
may encounter stale (freed) pointers.

The following changes since commit e4dd0d3a2f64b8bd8029ec70f52bdbebd0644408:

  net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled (2023-08-15 20:24:04 +0100)

are available in the Git repository at:

  https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-08-16

for you to fetch changes up to 23185c6aed1ffb8fc44087880ba2767aba493779:

  netfilter: nft_dynset: disallow object maps (2023-08-16 00:05:15 +0200)

----------------------------------------------------------------
nf pull request 2023-08-16
----------------------------------------------------------------
Florian Westphal (4):
netfilter: nf_tables: fix false-positive lockdep splat
netfilter: nf_tables: fix kdoc warnings after gc rework
netfilter: nf_tables: deactivate catchall elements in next generation
netfilter: nf_tables: don't fail inserts if duplicate has expired
Pablo Neira Ayuso (3):
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nft_dynset: disallow object maps
Sishuai Gong (1):
ipvs: fix racy memcpy in proc_do_sync_threshold
Xin Long (1):
netfilter: set default timeout to 3 secs for sctp shutdown send and recv state
Documentation/networking/nf_conntrack-sysctl.rst | 4 +--
include/net/netfilter/nf_tables.h | 1 +
net/netfilter/ipvs/ip_vs_ctl.c | 4 +++
net/netfilter/nf_conntrack_proto_sctp.c | 6 ++--
net/netfilter/nf_tables_api.c | 44 +++++++++++++++++++++---
net/netfilter/nft_dynset.c | 3 ++
net/netfilter/nft_set_pipapo.c | 38 +++++++++-----------
7 files changed, 69 insertions(+), 31 deletions(-)
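
The third fix above (catchall elements not deactivated in the next generation, leading to a refcount underflow and a leak) follows a general pattern: a removal request that does not mark the object as already-removed lets the same object be removed twice, and a saturating reference counter then never reaches zero. The following toy model is an added illustration written for this page; it is not the nf_tables code and does not reproduce the kernel's data structures. The names `struct elem`, `ref_dec`, `deactivate_buggy`, `deactivate_fixed`, `commit_release` and `double_delete_releases` are all hypothetical; `ref_dec` only emulates the saturate-on-underflow behaviour of the kernel's refcount_t.

```c
#include <errno.h>
#include <limits.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical set element (constructed for this illustration, not
 * nf_tables code). Userspace requests removal inside a transaction;
 * the reference is dropped at deactivation time and the memory is
 * released at commit time once no references remain. */
struct elem {
    unsigned int refs;   /* references; modelled after refcount_t */
    bool inactive_next;  /* marked dead in the next generation */
    bool freed;
};

/* Emulates refcount_t underflow handling: a decrement from zero does not
 * wrap silently, the counter saturates and stays non-zero forever, so
 * the object is leaked rather than freed twice. Returns true when the
 * count reached zero on this decrement. */
static bool ref_dec(struct elem *e)
{
    if (e->refs == 0 || e->refs == UINT_MAX) {
        e->refs = UINT_MAX;  /* saturated: can never be released now */
        return false;
    }
    e->refs--;
    return e->refs == 0;
}

/* Buggy shape: the reference is dropped but the element stays visible,
 * so a second delete request in the same transaction finds it again. */
int deactivate_buggy(struct elem *e)
{
    ref_dec(e);
    return 0;
}

/* Fixed shape: mark the element inactive in the next generation before
 * dropping the reference, and reject a repeated deactivation. */
int deactivate_fixed(struct elem *e)
{
    if (e->inactive_next)
        return -ENOENT;  /* already scheduled for removal */
    e->inactive_next = true;
    ref_dec(e);
    return 0;
}

/* Commit: release the element only if nothing references it any more.
 * Returns true when the element was actually freed. */
bool commit_release(struct elem *e)
{
    if (e->refs == 0 && !e->freed) {
        e->freed = true;
        return true;
    }
    return false;
}

/* Scenario: userspace deletes the same element twice, then commits.
 * Returns true if the element's memory was released. */
bool double_delete_releases(bool fixed)
{
    struct elem e = { .refs = 1, .inactive_next = false, .freed = false };

    if (fixed) {
        deactivate_fixed(&e);
        deactivate_fixed(&e);   /* rejected with -ENOENT */
    } else {
        deactivate_buggy(&e);
        deactivate_buggy(&e);   /* second drop underflows: refs saturates */
    }
    return commit_release(&e);
}

int main(void)
{
    printf("buggy: element released after double delete? %s\n",
           double_delete_releases(false) ? "yes" : "no (leaked)");
    printf("fixed: element released after double delete? %s\n",
           double_delete_releases(true) ? "yes" : "no (leaked)");
    return 0;
}
```

The check that matters is the one in `deactivate_fixed`: the state change that makes the object invisible to later requests has to happen in the same step that drops the reference, otherwise the second request is indistinguishable from the first and the counter is decremented once too often.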