1. 30 Dec 2013, 2 commits
  2. 29 Dec 2013, 3 commits
    • Merge tag 'batman-adv-fix-for-davem' of git://git.open-mesh.org/linux-merge · 8eb9bff0
      David S. Miller committed
      Included changes:
      
      - reset netfilter-bridge state when removing the batman-adv
        header from an incoming packet. This prevents netfilter
        bridge from being fooled when the same packet enters a
        bridge twice (or more): the first time within the
        batman-adv header and the second time without.
      
      - adjust the packet layout to prevent any architecture from
        adding padding bytes. All the structs sent over the wire
        now have a size that is a multiple of 4 bytes (unless pack(2) is used).
      
      - fix access to the inner vlan_eth header when reading the
        VID in the rx path.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · a72338a0
      David S. Miller committed
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter/IPVS fixes for net
      
      This patchset contains four nf_tables fixes, one IPVS fix due to
      missing updates in the interaction with the new seqadj conntrack
      extension that was added to support the netfilter synproxy code,
      and a couple of one-liners to fix netnamespace netfilter issues.
      More specifically, they are:
      
      * Fix ipv6_find_hdr() call without offset being explicitly initialized
        in nft_exthdr, as required by that function, from Daniel Borkmann.
      
      * Fix oops in nfnetlink_log when using netns and unloading the kernel
        module, from Gao feng.
      
      * Fix BUG_ON in nf_ct_timestamp extension after netns is destroyed,
        from Helmut Schaa.
      
      * Fix crash in IPVS due to missing sequence adjustment extension being
        allocated in the conntrack, from Jesper Dangaard Brouer.
      
      * Add bugtrap to spot a warning in case you dereference sequence adjustment
        conntrack area when not available, this should help to catch similar
        invalid dereferences in the Netfilter tree, also from Jesper.
      
      * Fix incomplete dumping of sets in nf_tables when retrieving by family,
        from me.
      
      * Fix oops when updating the table state (dormant <-> active) and having
        user (not base) chains, from me.
      
      * Fix wrong validation in set element data that results in returning
        -EINVAL when using the nf_tables dictionary feature with mappings,
        also from me.
      
      We don't usually have this amount of fixes by this time (as we're already
      in -rc5 of the development cycle), although half of them are related to
      nf_tables which is a relatively new thing, and I also believe that holidays
      have also delayed the flight of bugfixes to mainstream a bit.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netfilter: nf_tables: fix wrong datatype in nft_validate_data_load() · 2ee0d3c8
      Pablo Neira Ayuso committed
      This patch fixes dictionary mappings, eg.
      
       add rule ip filter input meta dnat set tcp dport map { 22 => 1.1.1.1, 23 => 2.2.2.2 }
      
      The kernel was returning -EINVAL in nft_validate_data_load() since
      the type of the set element data that is passed was the real userspace
      datatype instead of NFT_DATA_VALUE.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
  3. 28 Dec 2013, 16 commits
    • batman-adv: fix vlan header access · 2b1e2cb3
      Antonio Quartulli committed
      When batadv_get_vid() is invoked in interface_rx() the
      batman-adv header has already been removed, therefore
      the header_len argument has to be 0.
      
      Introduced by c018ad3d
      ("batman-adv: add the VLAN ID attribute to the TT entry")
      Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    • batman-adv: clean nf state when removing protocol header · 55883fd1
      Antonio Quartulli committed
      If an interface enslaved into batman-adv is a bridge (or a
      virtual interface built on top of a bridge) the nf_bridge
      member of the skbs reaching the soft-interface is filled
      with the state about "netfilter bridge" operations.
      
      Then, if one of such skbs is locally delivered, the nf_bridge
      member should be cleaned up to avoid that the old state
      could mess up with other "netfilter bridge" operations when
      entering a second bridge.
      This is needed because batman-adv is an encapsulation
      protocol.
      
      However at the moment skb->nf_bridge is not released at all
      leading to bogus "netfilter bridge" behaviours.
      
      Fix this by cleaning the netfilter state of the skb before
      it gets delivered to the upper layer in interface_rx().
      Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    • batman-adv: fix alignment for batadv_tvlv_tt_change · ca663046
      Antonio Quartulli committed
      Make struct batadv_tvlv_tt_change a multiple of 4 bytes long
      to avoid padding on any architecture.
      Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    • batman-adv: fix size of batadv_bla_claim_dst · 2f7a3182
      Simon Wunderlich committed
      Since this is a mac address and always 48 bit, and we can assume that
      it is always aligned to 2-byte boundaries, add a pack(2) pragma.
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    • batman-adv: fix size of batadv_icmp_header · 27a417e6
      Antonio Quartulli committed
      struct batadv_icmp_header currently has a size of 17, which
      will be padded to 20 on some architectures. Fix this by
      unrolling the header into the parent structures.
      
      Moreover keep the ICMP parsing functions as generic as they
      are now by using a stub icmp_header struct during packet
      parsing.
      Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
    • batman-adv: fix header alignment by unrolling batadv_header · a40d9b07
      Simon Wunderlich committed
      The size of the batadv_header of 3 is problematic on some architectures
      which automatically pad all structures to a 32 bit boundary. To not lose
      performance by packing this struct, better embed it into the various
      host structures.
      Reported-by: Russell King <linux@arm.linux.org.uk>
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    • batman-adv: fix alignment for batadv_coded_packet · 46b76e0b
      Simon Wunderlich committed
      The compiler may decide to pad the structure, and then it does not
      have the expected size of 46 byte. Fix this by moving it in the
      pragma pack(2) part of the code.
      Signed-off-by: Simon Wunderlich <sw@simonwunderlich.de>
      Signed-off-by: Marek Lindner <mareklindner@neomailbox.ch>
      Signed-off-by: Antonio Quartulli <antonio@meshcoding.com>
    • netfilter: nf_tables: fix oops when updating table with user chains · d2012975
      Pablo Neira Ayuso committed
      This patch fixes a crash while trying to deactivate a table that
      contains user chains. You can reproduce it via:
      
      % nft add table table1
      % nft add chain table1 chain1
      % nft-table-upd ip table1 dormant
      
      [  253.021026] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030
      [  253.021114] IP: [<ffffffff8134cebd>] nf_register_hook+0x35/0x6f
      [  253.021167] PGD 30fa5067 PUD 30fa2067 PMD 0
      [  253.021208] Oops: 0000 [#1] SMP
      [...]
      [  253.023305] Call Trace:
      [  253.023331]  [<ffffffffa0885020>] nf_tables_newtable+0x11c/0x258 [nf_tables]
      [  253.023385]  [<ffffffffa0878592>] nfnetlink_rcv_msg+0x1f4/0x226 [nfnetlink]
      [  253.023438]  [<ffffffffa0878418>] ? nfnetlink_rcv_msg+0x7a/0x226 [nfnetlink]
      [  253.023491]  [<ffffffffa087839e>] ? nfnetlink_bind+0x45/0x45 [nfnetlink]
      [  253.023542]  [<ffffffff8134b47e>] netlink_rcv_skb+0x3c/0x88
      [  253.023586]  [<ffffffffa0878973>] nfnetlink_rcv+0x3af/0x3e4 [nfnetlink]
      [  253.023638]  [<ffffffff813fb0d4>] ? _raw_read_unlock+0x22/0x34
      [  253.023683]  [<ffffffff8134af17>] netlink_unicast+0xe2/0x161
      [  253.023727]  [<ffffffff8134b29a>] netlink_sendmsg+0x304/0x332
      [  253.023773]  [<ffffffff8130d250>] __sock_sendmsg_nosec+0x25/0x27
      [  253.023820]  [<ffffffff8130fb93>] sock_sendmsg+0x5a/0x7b
      [  253.023861]  [<ffffffff8130d5d5>] ? copy_from_user+0x2a/0x2c
      [  253.023905]  [<ffffffff8131066f>] ? move_addr_to_kernel+0x35/0x60
      [  253.023952]  [<ffffffff813107b3>] SYSC_sendto+0x119/0x15c
      [  253.023995]  [<ffffffff81401107>] ? sysret_check+0x1b/0x56
      [  253.024039]  [<ffffffff8108dc30>] ? trace_hardirqs_on_caller+0x140/0x1db
      [  253.024090]  [<ffffffff8120164e>] ? trace_hardirqs_on_thunk+0x3a/0x3f
      [  253.024141]  [<ffffffff81310caf>] SyS_sendto+0x9/0xb
      [  253.026219]  [<ffffffff814010e2>] system_call_fastpath+0x16/0x1b
      Reported-by: Alex Wei <alex.kern.mentor@gmail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: fix dumping with large number of sets · e38195bf
      Pablo Neira Ayuso committed
      If no table name is specified, the dumping of the existing sets
      may be incomplete with a sufficiently large number of sets and
      tables. This patch fixes missing reset of the cursors after
      finding the location of the last object that has been included
      in the previous multi-part message.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • ipv6: release dst properly in ipip6_tunnel_xmit · 6a9eadcc
      Li RongQing committed
      If a dst is not attached anywhere, it should be released before
      exiting ipip6_tunnel_xmit, otherwise it causes a dst memory leak.
      
      Fixes: 61c1db7f ("ipv6: sit: add GSO/TSO support")
      Signed-off-by: Li RongQing <roy.qing.li@gmail.com>
      Acked-by: Eric Dumazet <edumazet@google.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • netxen: Correct off-by-one errors in bounds checks · 4710b2ba
      David Gibson committed
      netxen_process_lro() contains two bounds checks.  One for the ring number
      against the number of rings, and one for the Rx buffer ID against the
      array of receive buffers.
      
      Both of these have off-by-one errors, using > instead of >=. The correct
      versions are used in netxen_process_rcv(), they're just wrong in
      netxen_process_lro().
      Signed-off-by: David Gibson <david@gibson.dropbear.id.au>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net: Add some clarification to skb_tx_timestamp() comment. · 73409f3b
      David S. Miller committed
      We've seen so many instances of people invoking skb_tx_timestamp()
      after the device already has been given the packet, that it's worth
      being a little bit more verbose and explicit in this comment.
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • arc_emac: fix potential use after free · 37ec274e
      Eric Dumazet committed
      Signed-off-by: Eric Dumazet <edumazet@google.com>
      
      skb_tx_timestamp(skb) should be called _before_ TX completion
      has a chance to trigger, otherwise it is too late and we access
      freed memory.
      
      Fixes: e4f2379d ("ethernet/arc/arc_emac - Add new driver")
      From: Eric Dumazet <edumazet@google.com>
      Cc: Alexey Brodkin <Alexey.Brodkin@synopsys.com>
      Cc: Richard Cochran <richardcochran@gmail.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • tg3: Expand 4g_overflow_test workaround to skb fragments of any size. · 37567910
      Nithin Sujir committed
      The current driver assumes that an skb fragment can only be up to jumbo
      size. Presumably this was a fast-path optimization. This assumption is
      no longer true as fragments can be up to 32k.
      
      v2: Remove unnecessary parentheses per Eric Dumazet.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: Nithin Nayak Sujir <nsujir@broadcom.com>
      Signed-off-by: Michael Chan <mchan@broadcom.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • net_sched: act: Dont increment refcnt on replace · 1a29321e
      Jamal Hadi Salim committed
       This is a bug fix. The existing code tries to kill many
       birds with one stone: Handling binding of actions to
       filters, new actions and replacing of action
       attributes. A simple test case to illustrate:
      
      XXXX
       moja@fe1:~$ sudo tc actions add action drop index 12
       moja@fe1:~$ actions get action gact index 12
       action order 1: gact action drop
        random type none pass val 0
        index 12 ref 1 bind 0
       moja@fe1:~$ sudo tc actions replace action ok index 12
       moja@fe1:~$ actions get action gact index 12
       action order 1: gact action drop
        random type none pass val 0
        index 12 ref 2 bind 0
      XXXX
      
      The above shows the refcount being wrongly incremented on replace.
      There are more complex scenarios with binding of actions to filters
      that I am leaving out that didn't work as well...
      Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • rds: prevent dereference of a NULL device · c2349758
      Sasha Levin committed
      Binding might result in a NULL device, which is dereferenced
      causing this BUG:
      
      [ 1317.260548] BUG: unable to handle kernel NULL pointer dereference at 0000000000000974
      [ 1317.261847] IP: [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
      [ 1317.263315] PGD 418bcb067 PUD 3ceb21067 PMD 0
      [ 1317.263502] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
      [ 1317.264179] Dumping ftrace buffer:
      [ 1317.264774]    (ftrace buffer empty)
      [ 1317.265220] Modules linked in:
      [ 1317.265824] CPU: 4 PID: 836 Comm: trinity-child46 Tainted: G        W    3.13.0-rc4-next-20131218-sasha-00013-g2cebb9b-dirty #4159
      [ 1317.267415] task: ffff8803ddf33000 ti: ffff8803cd31a000 task.ti: ffff8803cd31a000
      [ 1317.268399] RIP: 0010:[<ffffffff84225f52>]  [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
      [ 1317.269670] RSP: 0000:ffff8803cd31bdf8  EFLAGS: 00010246
      [ 1317.270230] RAX: 0000000000000000 RBX: ffff88020b0dd388 RCX: 0000000000000000
      [ 1317.270230] RDX: ffffffff8439822e RSI: 00000000000c000a RDI: 0000000000000286
      [ 1317.270230] RBP: ffff8803cd31be38 R08: 0000000000000000 R09: 0000000000000000
      [ 1317.270230] R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000
      [ 1317.270230] R13: 0000000054086700 R14: 0000000000a25de0 R15: 0000000000000031
      [ 1317.270230] FS:  00007ff40251d700(0000) GS:ffff88022e200000(0000) knlGS:0000000000000000
      [ 1317.270230] CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
      [ 1317.270230] CR2: 0000000000000974 CR3: 00000003cd478000 CR4: 00000000000006e0
      [ 1317.270230] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      [ 1317.270230] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000090602
      [ 1317.270230] Stack:
      [ 1317.270230]  0000000054086700 5408670000a25de0 5408670000000002 0000000000000000
      [ 1317.270230]  ffffffff84223542 00000000ea54c767 0000000000000000 ffffffff86d26160
      [ 1317.270230]  ffff8803cd31be68 ffffffff84223556 ffff8803cd31beb8 ffff8800c6765280
      [ 1317.270230] Call Trace:
      [ 1317.270230]  [<ffffffff84223542>] ? rds_trans_get_preferred+0x42/0xa0
      [ 1317.270230]  [<ffffffff84223556>] rds_trans_get_preferred+0x56/0xa0
      [ 1317.270230]  [<ffffffff8421c9c3>] rds_bind+0x73/0xf0
      [ 1317.270230]  [<ffffffff83e4ce62>] SYSC_bind+0x92/0xf0
      [ 1317.270230]  [<ffffffff812493f8>] ? context_tracking_user_exit+0xb8/0x1d0
      [ 1317.270230]  [<ffffffff8119313d>] ? trace_hardirqs_on+0xd/0x10
      [ 1317.270230]  [<ffffffff8107a852>] ? syscall_trace_enter+0x32/0x290
      [ 1317.270230]  [<ffffffff83e4cece>] SyS_bind+0xe/0x10
      [ 1317.270230]  [<ffffffff843a6ad0>] tracesys+0xdd/0xe2
      [ 1317.270230] Code: 00 8b 45 cc 48 8d 75 d0 48 c7 45 d8 00 00 00 00 66 c7 45 d0 02 00 89 45 d4 48 89 df e8 78 49 76 ff 41 89 c4 85 c0 75 0c 48 8b 03 <80> b8 74 09 00 00 01 74 06 41 bc 9d ff ff ff f6 05 2a b6 c2 02
      [ 1317.270230] RIP  [<ffffffff84225f52>] rds_ib_laddr_check+0x82/0x110
      [ 1317.270230]  RSP <ffff8803cd31bdf8>
      [ 1317.270230] CR2: 0000000000000974
      Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  4. 27 Dec 2013, 3 commits
    • ipvs: correct usage/allocation of seqadj ext in ipvs · b25adce1
      Jesper Dangaard Brouer committed
      The IPVS FTP helper ip_vs_ftp could trigger an OOPS in nf_ct_seqadj_set,
      after commit 41d73ec0 (netfilter: nf_conntrack: make sequence number
      adjustments usuable without NAT).
      
      This is because, the seqadj ext is now allocated dynamically, and the
      IPVS code didn't handle this situation.  Fix this in the IPVS nfct
      code by invoking the alloc function nfct_seqadj_ext_add().
      
      Fixes: 41d73ec0 (netfilter: nf_conntrack: make sequence number adjustments usuable without NAT)
      Suggested-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • netfilter: WARN about wrong usage of sequence number adjustments · db12cf27
      Jesper Dangaard Brouer committed
      Since commit 41d73ec0 (netfilter: nf_conntrack: make sequence
      number adjustments usuable without NAT), the sequence number extension
      is dynamically allocated.
      
      Instead of dying, give a WARN splash, in case of wrong usage of the
      seqadj code, e.g. when forgetting to allocate via nfct_seqadj_ext_add().
      
      Wrong usage has been seen in the IPVS code path.
      Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
      Acked-by: Julian Anastasov <ja@ssi.bg>
      Signed-off-by: Simon Horman <horms@verge.net.au>
    • macvlan: fix netdev feature propagation from lower device · 797f87f8
      Florian Westphal committed
      There are inconsistencies wrt. feature propagation/inheritance between
      macvlan and the underlying interface.
      
      When a feature is turned off on the real device before a macvlan is
      created on top, these will remain enabled on the macvlan device, whereas
      turning off the feature on the lower device after macvlan creation the
      kernel will propagate the changes to the macvlan.
      
      The second issue is that, when propagating changes from underlying device
      to the macvlan interface, macvlan can erroneously lose its NETIF_F_LLTX flag,
      as features are anded with the underlying device.
      
      However, LLTX should be kept since it has no dependencies on physical
      hardware (LLTX is set on macvlan creation regardless of the lower
      device properties, see 8ffab51b
      (macvlan: lockless tx path)).
      
      The LLTX flag is now forced regardless of user settings in absence of
      layer2 hw acceleration (a6cc0cfa,
      net: Add layer 2 hardware acceleration operations for macvlan devices).
      
      Use netdev_increment_features to rebuild the feature set on capability
      changes on either the lower device or on the macvlan interface.
      
      As pointed out by Ben Hutchings, use netdev_update_features on
      NETDEV_FEAT_CHANGE event (it calls macvlan_fix_features/netdev_features_change
      if needed).
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 23 Dec 2013, 11 commits
  6. 22 Dec 2013, 2 commits
    • Merge branch 'for-davem' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless · 6eb3c282
      David S. Miller committed
      John W. Linville says:
      
      ====================
      Please consider pulling this batch of fixes for the 3.13 stream...
      
      For the mac80211 bits, Johannes says:
      
      "Here's a fix for another potential radiotap parser buffer overrun thanks
      to Evan Huus, and a fix for a cfg80211 warning in a certain corner case
      (reconnecting to the same BSS)."
      
      For the bluetooth bits, Gustavo says:
      
      "Two patches in this pull request. An important fix from Marcel in the
      permission check for HCI User Channels, there was an extra check for
      CAP_NET_RAW, and it has now been removed. These channels should only require
      CAP_NET_ADMIN. The other patch is a device id addition."
      
      On top of that...
      
      Sujith Manoharan provides a workaround for a hardware problem that
      can result in lost interrupts.
      
      Larry Finger fixes an oops when unloading the rtlwifi driver (Red
      Hat bug 852761).
      
      Mathy Vanhoef fixes a somewhat minor MAC address privacy issue
      (CVE-2013-4579).
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
    • hyperv: Fix race between probe and open calls · a68f9614
      Haiyang Zhang committed
      Move register_netdev to the end of probe to prevent a possible
      open call from happening before NetVSP is connected.
      Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
      Reviewed-by: K. Y. Srinivasan <kys@microsoft.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  7. 21 Dec 2013, 1 commit
  8. 20 Dec 2013, 2 commits
    • netfilter: nf_ct_timestamp: Fix BUG_ON after netns deletion · 443d20fd
      Helmut Schaa committed
      When nf_conntrack_timestamp is enabled, deleting a netns
      can lead to the following BUG being triggered:
      
      [63836.660000] Kernel bug detected[#1]:
      [63836.660000] CPU: 0 PID: 0 Comm: swapper Not tainted 3.10.18 #14
      [63836.660000] task: 802d9420 ti: 802d2000 task.ti: 802d2000
      [63836.660000] $ 0   : 00000000 00000000 00000000 00000000
      [63836.660000] $ 4   : 00000001 00000004 00000020 00000020
      [63836.660000] $ 8   : 00000000 80064910 00000000 00000000
      [63836.660000] $12   : 0bff0002 00000001 00000000 0a0a0abe
      [63836.660000] $16   : 802e70a0 85f29d80 00000000 00000004
      [63836.660000] $20   : 85fb62a0 00000002 802d3bc0 85fb62a0
      [63836.660000] $24   : 00000000 87138110
      [63836.660000] $28   : 802d2000 802d3b40 00000014 871327cc
      [63836.660000] Hi    : 000005ff
      [63836.660000] Lo    : f2edd000
      [63836.660000] epc   : 87138794 __nf_ct_ext_add_length+0xe8/0x1ec [nf_conntrack]
      [63836.660000]     Not tainted
      [63836.660000] ra    : 871327cc nf_conntrack_in+0x31c/0x7b8 [nf_conntrack]
      [63836.660000] Status: 1100d403 KERNEL EXL IE
      [63836.660000] Cause : 00800034
      [63836.660000] PrId  : 0001974c (MIPS 74Kc)
      [63836.660000] Modules linked in: ath9k ath9k_common pppoe ppp_async iptable_nat ath9k_hw ath pppox ppp_generic nf_nat_ipv4 nf_conntrack_ipv4 mac80211 ipt_MASQUERADE cfg80211 xt_time xt_tcpudp xt_state xt_quota xt_policy xt_pkttype xt_owner xt_nat xt_multiport xt_mark xh
      [63836.660000] Process swapper (pid: 0, threadinfo=802d2000, task=802d9420, tls=00000000)
      [63836.660000] Stack : 802e70a0 871323d4 00000005 87080234 802e70a0 86d2a840 00000000 00000000
      [63836.660000] Call Trace:
      [63836.660000] [<87138794>] __nf_ct_ext_add_length+0xe8/0x1ec [nf_conntrack]
      [63836.660000] [<871327cc>] nf_conntrack_in+0x31c/0x7b8 [nf_conntrack]
      [63836.660000] [<801ff63c>] nf_iterate+0x90/0xec
      [63836.660000] [<801ff730>] nf_hook_slow+0x98/0x164
      [63836.660000] [<80205968>] ip_rcv+0x3e8/0x40c
      [63836.660000] [<801d9754>] __netif_receive_skb_core+0x624/0x6a4
      [63836.660000] [<801da124>] process_backlog+0xa4/0x16c
      [63836.660000] [<801d9bb4>] net_rx_action+0x10c/0x1e0
      [63836.660000] [<8007c5a4>] __do_softirq+0xd0/0x1bc
      [63836.660000] [<8007c730>] do_softirq+0x48/0x68
      [63836.660000] [<8007c964>] irq_exit+0x54/0x70
      [63836.660000] [<80060830>] ret_from_irq+0x0/0x4
      [63836.660000] [<8006a9f8>] r4k_wait_irqoff+0x18/0x1c
      [63836.660000] [<8009cfb8>] cpu_startup_entry+0xa4/0x104
      [63836.660000] [<802eb918>] start_kernel+0x394/0x3ac
      [63836.660000]
      [63836.660000]
      Code: 00821021  8c420000  2c440001 <00040336> 90440011  92350010  90560010  2485ffff  02a5a821
      [63837.040000] ---[ end trace ebf660c3ce3b55e7 ]---
      [63837.050000] Kernel panic - not syncing: Fatal exception in interrupt
      [63837.050000] Rebooting in 3 seconds..
      
      Fix this by not unregistering the conntrack extension in the per-netns
      cleanup code.
      
      This bug was introduced in (73f4001a netfilter: nf_ct_tstamp: move
      initialization out of pernet_operations).
      Signed-off-by: Helmut Schaa <helmut.schaa@googlemail.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nft_exthdr: call ipv6_find_hdr() with explicitly initialized offset · 540436c8
      Daniel Borkmann committed
      In nft's nft_exthdr_eval() routine we process IPv6 extension header
      through invoking ipv6_find_hdr(), but we call it with an uninitialized
      offset variable that contains some stack value. In ipv6_find_hdr()
      we then test if the value of offset != 0 and call skb_header_pointer()
      on that offset in order to map struct ipv6hdr into it. Fix it up by
      initializing offset to 0 as it was probably intended to be.
      
      Fixes: 96518518 ("netfilter: add nftables")
      Signed-off-by: Daniel Borkmann <dborkman@redhat.com>
      Cc: Hannes Frederic Sowa <hannes@stressinduktion.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>