diff options
| author | David S. Miller <davem@davemloft.net> | 2022-05-27 11:08:12 +0100 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2022-05-27 11:08:12 +0100 |
| commit | 55919b32d14bfa8e47d0fe44f73ba069d1a2b3df (patch) | |
| tree | 16ca1e32a01ce041b933d03b7daf590ef3496223 | |
| parent | 02ded5a173619b11728b8bf75a3fd995a2c1ff28 (diff) | |
| parent | b53c116642502b0c85ecef78bff4f826a7dd4145 (diff) | |
| download | linux-55919b32d14bfa8e47d0fe44f73ba069d1a2b3df.tar.bz2 | |
Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf
Pablo Neira Ayuso says:
====================
Netfilter fixes for net
The following contain more Netfilter fixes for net:
1) syzbot warning in nfnetlink bind, from Florian.
2) Refetch conntrack after __nf_conntrack_confirm(), from Florian Westphal.
3) Move struct nf_ct_timeout back at the bottom of the ctnl_time, to
where it before recent update, also from Florian.
4) Add NL_SET_BAD_ATTR() to nf_tables netlink for proper set element
commands error reporting.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/netfilter/nf_conntrack_core.h | 7 | ||||
| -rw-r--r-- | net/netfilter/nf_tables_api.c | 12 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink.c | 24 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_cttimeout.c | 5 |
4 files changed, 23 insertions, 25 deletions
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 6406cfee34c2..37866c8386e2 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h @@ -58,8 +58,13 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb) int ret = NF_ACCEPT; if (ct) { - if (!nf_ct_is_confirmed(ct)) + if (!nf_ct_is_confirmed(ct)) { ret = __nf_conntrack_confirm(skb); + + if (ret == NF_ACCEPT) + ct = (struct nf_conn *)skb_nfct(skb); + } + if (ret == NF_ACCEPT && nf_ct_ecache_exist(ct)) nf_ct_deliver_cached_events(ct); } diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index f296dfe86b62..f4f1d0a2da43 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -5348,8 +5348,10 @@ static int nf_tables_getsetelem(struct sk_buff *skb, nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { err = nft_get_set_elem(&ctx, set, attr); - if (err < 0) + if (err < 0) { + NL_SET_BAD_ATTR(extack, attr); break; + } } return err; @@ -6126,8 +6128,10 @@ static int nf_tables_newsetelem(struct sk_buff *skb, nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { err = nft_add_set_elem(&ctx, set, attr, info->nlh->nlmsg_flags); - if (err < 0) + if (err < 0) { + NL_SET_BAD_ATTR(extack, attr); return err; + } } if (nft_net->validate_state == NFT_VALIDATE_DO) @@ -6397,8 +6401,10 @@ static int nf_tables_delsetelem(struct sk_buff *skb, nla_for_each_nested(attr, nla[NFTA_SET_ELEM_LIST_ELEMENTS], rem) { err = nft_del_setelem(&ctx, set, attr); - if (err < 0) + if (err < 0) { + NL_SET_BAD_ATTR(extack, attr); break; + } } return err; } diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c index ad3bbe34ca88..2f7c477fc9e7 100644 --- a/net/netfilter/nfnetlink.c +++ b/net/netfilter/nfnetlink.c @@ -45,7 +45,6 @@ MODULE_DESCRIPTION("Netfilter messages via netlink socket"); static unsigned int nfnetlink_pernet_id __read_mostly; struct nfnl_net { - unsigned int ctnetlink_listeners; struct sock *nfnl; }; @@ -673,18 +672,8 @@ static int nfnetlink_bind(struct net *net, int group) #ifdef CONFIG_NF_CONNTRACK_EVENTS if (type == NFNL_SUBSYS_CTNETLINK) { - struct nfnl_net *nfnlnet = nfnl_pernet(net); - nfnl_lock(NFNL_SUBSYS_CTNETLINK); - - if (WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == UINT_MAX)) { - nfnl_unlock(NFNL_SUBSYS_CTNETLINK); - return -EOVERFLOW; - } - - nfnlnet->ctnetlink_listeners++; - if (nfnlnet->ctnetlink_listeners == 1) - WRITE_ONCE(net->ct.ctnetlink_has_listener, true); + WRITE_ONCE(net->ct.ctnetlink_has_listener, true); nfnl_unlock(NFNL_SUBSYS_CTNETLINK); } #endif @@ -694,15 +683,12 @@ static int nfnetlink_bind(struct net *net, int group) static void nfnetlink_unbind(struct net *net, int group) { #ifdef CONFIG_NF_CONNTRACK_EVENTS - int type = nfnl_group2type[group]; - - if (type == NFNL_SUBSYS_CTNETLINK) { - struct nfnl_net *nfnlnet = nfnl_pernet(net); + if (group <= NFNLGRP_NONE || group > NFNLGRP_MAX) + return; + if (nfnl_group2type[group] == NFNL_SUBSYS_CTNETLINK) { nfnl_lock(NFNL_SUBSYS_CTNETLINK); - WARN_ON_ONCE(nfnlnet->ctnetlink_listeners == 0); - nfnlnet->ctnetlink_listeners--; - if (nfnlnet->ctnetlink_listeners == 0) + if (!nfnetlink_has_listeners(net, group)) WRITE_ONCE(net->ct.ctnetlink_has_listener, false); nfnl_unlock(NFNL_SUBSYS_CTNETLINK); } diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index f069c24c6146..af15102bc696 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c @@ -35,12 +35,13 @@ static unsigned int nfct_timeout_id __read_mostly; struct ctnl_timeout { struct list_head head; + struct list_head free_head; struct rcu_head rcu_head; refcount_t refcnt; char name[CTNL_TIMEOUT_NAME_MAX]; - struct nf_ct_timeout timeout; - struct list_head free_head; + /* must be at the end */ + struct nf_ct_timeout timeout; }; struct nfct_timeout_pernet { |