Commit 55bc1af3 authored May 07, 2021 by Jakub Kicinski

Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter fixes for net

1) Add SECMARK revision 1 to fix incorrect layout that prevents
   from remove rule with this target, from Phil Sutter.

2) Fix pernet exit path spat in arptables, from Florian Westphal.

3) Missing rcu_read_unlock() for unknown nfnetlink callbacks,
   reported by syzbot, from Eric Dumazet.

4) Missing check for skb_header_pointer() NULL pointer in
   nfnetlink_osf.

5) Remove BUG_ON() after skb_header_pointer() from packet path
   in several conntrack helper and the TCP tracker.

6) Fix memleak in the new object error path of userdata.

7) Avoid overflows in nft_hash_buckets(), reported by syzbot,
   also from Eric.

8) Avoid overflows in 32bit arches, from Eric.

* git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf:
  netfilter: nftables: avoid potential overflows on 32bit arches
  netfilter: nftables: avoid overflows in nft_hash_buckets()
  netfilter: nftables: Fix a memleak from userdata error path in new objects
  netfilter: remove BUG_ON() after skb_header_pointer()
  netfilter: nfnetlink_osf: Fix a missing skb_header_pointer() NULL check
  netfilter: nfnetlink: add a missing rcu_read_unlock()
  netfilter: arptables: use pernet ops struct during unregister
  netfilter: xt_SECMARK: add new revision to fix structure layout
====================

Link: https://lore.kernel.org/r/20210507174739.1850-1-pablo@netfilter.org


Signed-off-by: Jakub Kicinski <kuba@kernel.org>

parents e4d4a272 6c8774a9

include/linux/netfilter_arp/arp_tables.h

+1 −2

Original line number	Diff line number	Diff line
		@@ -53,8 +53,7 @@ int arpt_register_table(struct net net, const struct xt_table table,
		const struct arpt_replace *repl,
		const struct nf_hook_ops *ops);
		void arpt_unregister_table(struct net net, const char name);
		void arpt_unregister_table_pre_exit(struct net net, const char name,
		const struct nf_hook_ops *ops);
		void arpt_unregister_table_pre_exit(struct net net, const char name);
		extern unsigned int arpt_do_table(struct sk_buff *skb,
		const struct nf_hook_state *state,
		struct xt_table *table);

include/uapi/linux/netfilter/xt_SECMARK.h

+6 −0

Original line number	Diff line number	Diff line
		@@ -20,4 +20,10 @@ struct xt_secmark_target_info {
		char secctx[SECMARK_SECCTX_MAX];
		};

		struct xt_secmark_target_info_v1 {
		__u8 mode;
		char secctx[SECMARK_SECCTX_MAX];
		__u32 secid;
		};

		#endif /_XT_SECMARK_H_target /

net/ipv4/netfilter/arp_tables.c

+2 −3

Original line number	Diff line number	Diff line
		@@ -1556,13 +1556,12 @@ int arpt_register_table(struct net *net,
		return ret;
		}

		void arpt_unregister_table_pre_exit(struct net net, const char name,
		const struct nf_hook_ops *ops)
		void arpt_unregister_table_pre_exit(struct net net, const char name)
		{
		struct xt_table *table = xt_find_table(net, NFPROTO_ARP, name);

		if (table)
		nf_unregister_net_hooks(net, ops, hweight32(table->valid_hooks));
		nf_unregister_net_hooks(net, table->ops, hweight32(table->valid_hooks));
		}
		EXPORT_SYMBOL(arpt_unregister_table_pre_exit);

net/ipv4/netfilter/arptable_filter.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -54,7 +54,7 @@ static int __net_init arptable_filter_table_init(struct net *net)

		static void __net_exit arptable_filter_net_pre_exit(struct net *net)
		{
		arpt_unregister_table_pre_exit(net, "filter", arpfilter_ops);
		arpt_unregister_table_pre_exit(net, "filter");
		}

		static void __net_exit arptable_filter_net_exit(struct net *net)

net/netfilter/nf_conntrack_ftp.c

+4 −1

Original line number	Diff line number	Diff line
		@@ -413,7 +413,10 @@ static int help(struct sk_buff *skb,

		spin_lock_bh(&nf_ftp_lock);
		fb_ptr = skb_header_pointer(skb, dataoff, datalen, ftp_buffer);
		BUG_ON(fb_ptr == NULL);
		if (!fb_ptr) {
		spin_unlock_bh(&nf_ftp_lock);
		return NF_ACCEPT;
		}

		ends_in_nl = (fb_ptr[datalen - 1] == '\n');
		seq = ntohl(th->seq) + datalen;