1. 02 Mar, 2011 1 commit
      netfilter: nf_log: avoid oops in (un)bind with invalid nfproto values · 9ef0298a
      Jan Engelhardt authored
      Like many other places, we have to check that the array index is
      within allowed limits, or otherwise, a kernel oops and other nastiness
      can ensue when we access memory beyond the end of the array.
      
      [ 5954.115381] BUG: unable to handle kernel paging request at 0000004000000000
      [ 5954.120014] IP:  __find_logger+0x6f/0xa0
      [ 5954.123979]  nf_log_bind_pf+0x2b/0x70
      [ 5954.123979]  nfulnl_recv_config+0xc0/0x4a0 [nfnetlink_log]
      [ 5954.123979]  nfnetlink_rcv_msg+0x12c/0x1b0 [nfnetlink]
      ...
      
      The problem goes back to v2.6.30-rc1~1372~1342~31 where nf_log_bind
      was decoupled from nf_log_register.
      
      Reported-by: Miguel Di Ciurcio Filho <miguel.filho@gmail.com>,
        via irc.freenode.net/#netfilter
      Signed-off-by: Jan Engelhardt <jengelh@medozas.de>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  2. 01 Mar, 2011 1 commit
  3. 17 Feb, 2011 2 commits
      netfilter: ip6t_LOG: fix a flaw in printing the MAC · 0af320fb
      Joerg Marx authored
      The flaw was in skipping the second byte in MAC header due to increasing
      the pointer AND indexed access starting at '1'.
      Signed-off-by: Joerg Marx <joerg.marx@secunet.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
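
The flaw described in the ip6t_LOG commit above, reproduced as a userspace model. This is an added example, not the kernel's code: the function names, the 6-byte header length and the sample bytes are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample: a 6-byte header plus one trailing byte, so the
 * out-of-range read made by the buggy variant stays inside the array. */
#define HDR_LEN 6
static const unsigned char sample[HDR_LEN + 1] =
    { 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0xaa };

/* Pattern from the commit message: the pointer is advanced AND the loop
 * indexes from 1, so p[i] is hdr[i + 1]. hdr[1] is never printed and the
 * last iteration reads hdr[len], one byte past the header. */
static const char *fmt_mac_buggy(const unsigned char *hdr, size_t len)
{
    static char out[64];
    const unsigned char *p = hdr;
    size_t i, n;

    out[0] = '\0';
    if (len == 0)
        return out;
    n = (size_t)snprintf(out, sizeof(out), "%02x", *p++);
    for (i = 1; i < len && n + 4 <= sizeof(out); i++)
        n += (size_t)snprintf(out + n, sizeof(out) - n, ":%02x", p[i]);
    return out;
}

/* Corrected form: only the pointer moves, one byte per iteration. */
static const char *fmt_mac_fixed(const unsigned char *hdr, size_t len)
{
    static char out[64];
    const unsigned char *p = hdr;
    size_t i, n;

    out[0] = '\0';
    if (len == 0)
        return out;
    n = (size_t)snprintf(out, sizeof(out), "%02x", *p++);
    for (i = 1; i < len && n + 4 <= sizeof(out); i++)
        n += (size_t)snprintf(out + n, sizeof(out) - n, ":%02x", *p++);
    return out;
}

int main(void)
{
    printf("buggy: %s\n", fmt_mac_buggy(sample, HDR_LEN));
    printf("fixed: %s\n", fmt_mac_fixed(sample, HDR_LEN));
    return 0;
}
```

In this model the logged address is wrong in two ways: the second byte is missing, and the final byte comes from whatever follows the header.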
      netfilter: tproxy: do not assign timewait sockets to skb->sk · d503b30b
      Florian Westphal authored
      Assigning a socket in timewait state to skb->sk can trigger
      kernel oops, e.g. in nfnetlink_log, which does:
      
      if (skb->sk) {
              read_lock_bh(&skb->sk->sk_callback_lock);
              if (skb->sk->sk_socket && skb->sk->sk_socket->file) ...
      
      in the timewait case, accessing sk->sk_callback_lock and sk->sk_socket
      is invalid.
      
      Either all of these spots will need to add a test for sk->sk_state != TCP_TIME_WAIT,
      or xt_TPROXY must not assign a timewait socket to skb->sk.
      
      This does the latter.
      
      If a TW socket is found, assign the tproxy nfmark, but skip the skb->sk assignment,
      thus mimicking behaviour of a '-m socket .. -j MARK/ACCEPT' re-routing rule.
      
      The 'SYN to TW socket' case is left unchanged -- we try to redirect to the
      listener socket.
      
      Cc: Balazs Scheidler <bazsi@balabit.hu>
      Cc: KOVACS Krisztian <hidden@balabit.hu>
      Signed-off-by: Florian Westphal <fwestphal@astaro.com>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  4. 14 Feb, 2011 1 commit
  5. 09 Feb, 2011 1 commit
      netfilter: nf_conntrack: set conntrack templates again if we return NF_REPEAT · c3174286
      Pablo Neira Ayuso authored
      The TCP tracking code has a special case that allows to return
      NF_REPEAT if we receive a new SYN packet while in TIME_WAIT state.
      
      In this situation, the TCP tracking code destroys the existing
      conntrack to start a new clean session.
      
      [DESTROY] tcp      6 src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925 [ASSURED]
          [NEW] tcp      6 120 SYN_SENT src=192.168.0.2 dst=192.168.1.2 sport=38925 dport=8000 [UNREPLIED] src=192.168.1.2 dst=192.168.1.100 sport=8000 dport=38925
      
      However, this is a problem for the iptables' CT target event filtering
      which will not work in this case since the conntrack template will not
      be there for the new session. To fix this, we reassign the conntrack
      template to the packet if we return NF_REPEAT.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
  6. 01 Feb, 2011 2 commits
      netfilter: ecache: always set events bits, filter them later · 3db7e93d
      Pablo Neira Ayuso authored
      For the following rule:
      
      iptables -I PREROUTING -t raw -j CT --ctevents assured
      
      The event delivered looks like the following:
      
       [UPDATE] tcp      6 src=192.168.0.2 dst=192.168.1.2 sport=37041 dport=80 src=192.168.1.2 dst=192.168.1.100 sport=80 dport=37041 [ASSURED]
      
      Note that the TCP protocol state is not included. For that reason
      the CT event filtering is not very useful for conntrackd.
      
      To resolve this issue, instead of conditionally setting the CT events
      bits based on the ctmask, we always set them and perform the filtering
      in the late stage, just before the delivery.
      
      Thus, the event delivered looks like the following:
      
       [UPDATE] tcp      6 432000 ESTABLISHED src=192.168.0.2 dst=192.168.1.2 sport=37041 dport=80 src=192.168.1.2 dst=192.168.1.100 sport=80 dport=37041 [ASSURED]
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
      netfilter: arpt_mangle: fix return values of checkentry · 9d0db8b6
      Pablo Neira Ayuso authored
      In 135367b8 "netfilter: xtables: change xt_target.checkentry return type",
      the type returned by checkentry was changed from boolean to int, but the
      return values were not adjusted.
      
      arptables: Input/output error
      
      This broke arptables with the mangle target since it returns true
      under success, which is interpreted by xtables as >0, thus
      returning EIO.
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Signed-off-by: Patrick McHardy <kaber@trash.net>
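
The return-value mismatch from the arpt_mangle commit above, as a userspace model. This is an added example, not the kernel's code: `struct rule`, `KNOWN_FLAGS` and all function names are hypothetical, and the caller follows the convention the commit message describes (a value above zero becomes EIO, zero is success).

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical rule data and flag mask, invented for this model. */
struct rule { unsigned int flags; };
#define KNOWN_FLAGS 0x0fu

/* Boolean-era hook: true = rule accepted, false = rule rejected. */
static int checkentry_bool_style(const struct rule *r)
{
    if (r->flags & ~KNOWN_FLAGS)
        return false;
    return true;
}

/* Integer convention: 0 = accepted, negative errno = rejected. */
static int checkentry_int_style(const struct rule *r)
{
    if (r->flags & ~KNOWN_FLAGS)
        return -EINVAL;
    return 0;
}

/* Caller as the commit message describes it: >0 becomes EIO. */
static int check_target(int (*hook)(const struct rule *), const struct rule *r)
{
    int ret = hook(r);
    if (ret < 0)
        return ret;
    return ret > 0 ? -EIO : 0;
}

/* Run one case: int_style selects the hook, flags is the rule under test. */
static int run_case(int int_style, unsigned int flags)
{
    struct rule r = { flags };
    return check_target(int_style ? checkentry_int_style
                                  : checkentry_bool_style, &r);
}

int main(void)
{
    printf("bool hook, valid rule:   %d\n", run_case(0, 0x01u));
    printf("bool hook, invalid rule: %d\n", run_case(0, 0x10u));
    printf("int hook,  valid rule:   %d\n", run_case(1, 0x01u));
    printf("int hook,  invalid rule: %d\n", run_case(1, 0x10u));
    return 0;
}
```

In this model the boolean-style hook fails in both directions: a valid rule is refused with EIO, and a rejected rule returns 0, which the caller reads as success.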
  7. 24 Jan, 2011 2 commits
  8. 21 Jan, 2011 2 commits
      bonding: Ensure that we unshare skbs prior to calling pskb_may_pull · b3053251
      Neil Horman authored
      Recently reported oops:
      
      kernel BUG at net/core/skbuff.c:813!
      invalid opcode: 0000 [#1] SMP
      last sysfs file: /sys/devices/virtual/net/bond0/broadcast
      CPU 8
      Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding
      ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801
      i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2
      ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
      scsi_transport_sas dm_mod [last unloaded: microcode]
      
      Modules linked in: sit tunnel4 cpufreq_ondemand acpi_cpufreq freq_table bonding
      ipv6 dm_mirror dm_region_hash dm_log cdc_ether usbnet mii serio_raw i2c_i801
      i2c_core iTCO_wdt iTCO_vendor_support shpchp ioatdma i7core_edac edac_core bnx2
      ixgbe dca mdio sg ext4 mbcache jbd2 sd_mod crc_t10dif mptsas mptscsih mptbase
      scsi_transport_sas dm_mod [last unloaded: microcode]
      Pid: 0, comm: swapper Not tainted 2.6.32-71.el6.x86_64 #1 BladeCenter HS22
      -[7870AC1]-
      RIP: 0010:[<ffffffff81405b16>]  [<ffffffff81405b16>]
      pskb_expand_head+0x36/0x1e0
      RSP: 0018:ffff880028303b70  EFLAGS: 00010202
      RAX: 0000000000000002 RBX: ffff880c6458ec80 RCX: 0000000000000020
      RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff880c6458ec80
      RBP: ffff880028303bc0 R08: ffffffff818a6180 R09: ffff880c6458ed64
      R10: ffff880c622b36c0 R11: 0000000000000400 R12: 0000000000000000
      R13: 0000000000000180 R14: ffff880c622b3000 R15: 0000000000000000
      FS:  0000000000000000(0000) GS:ffff880028300000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0018 ES: 0018 CR0: 000000008005003b
      CR2: 00000038653452a4 CR3: 0000000001001000 CR4: 00000000000006e0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
      Process swapper (pid: 0, threadinfo ffff8806649c2000, task ffff880c64f16ab0)
      Stack:
       ffff880028303bc0 ffffffff8104fff9 000000000000001c 0000000100000000
      <0> ffff880000047d80 ffff880c6458ec80 000000000000001c ffff880c6223da00
      <0> ffff880c622b3000 0000000000000000 ffff880028303c10 ffffffff81407f7a
      Call Trace:
      <IRQ>
       [<ffffffff8104fff9>] ? __wake_up_common+0x59/0x90
       [<ffffffff81407f7a>] __pskb_pull_tail+0x2aa/0x360
       [<ffffffffa0244530>] bond_arp_rcv+0x2c0/0x2e0 [bonding]
       [<ffffffff814a0857>] ? packet_rcv+0x377/0x440
       [<ffffffff8140f21b>] netif_receive_skb+0x2db/0x670
       [<ffffffff8140f788>] napi_skb_finish+0x58/0x70
       [<ffffffff8140fc89>] napi_gro_receive+0x39/0x50
       [<ffffffffa01286eb>] ixgbe_clean_rx_irq+0x35b/0x900 [ixgbe]
       [<ffffffffa01290f6>] ixgbe_clean_rxtx_many+0x136/0x240 [ixgbe]
       [<ffffffff8140fe53>] net_rx_action+0x103/0x210
       [<ffffffff81073bd7>] __do_softirq+0xb7/0x1e0
       [<ffffffff810d8740>] ? handle_IRQ_event+0x60/0x170
       [<ffffffff810142cc>] call_softirq+0x1c/0x30
       [<ffffffff81015f35>] do_softirq+0x65/0xa0
       [<ffffffff810739d5>] irq_exit+0x85/0x90
       [<ffffffff814cf915>] do_IRQ+0x75/0xf0
       [<ffffffff81013ad3>] ret_from_intr+0x0/0x11
       <EOI>
       [<ffffffff8101bc01>] ? mwait_idle+0x71/0xd0
       [<ffffffff814cd80a>] ? atomic_notifier_call_chain+0x1a/0x20
       [<ffffffff81011e96>] cpu_idle+0xb6/0x110
       [<ffffffff814c17c8>] start_secondary+0x1fc/0x23f
      
      Resulted from bonding driver registering packet handlers via dev_add_pack and
      then trying to call pskb_may_pull. If another packet handler (like for AF_PACKET
      sockets) gets called first, the delivered skb will have a user count > 1, which
      causes pskb_may_pull to BUG halt when it does its skb_shared check.  Fix this by
      calling skb_share_check prior to the may_pull call sites in the bonding driver
      to clone the skb when needed.  Tested by myself and the reporter successfully.
      
      Signed-off-by: Neil Horman
      CC: Andy Gospodarek <andy@greyhouse.net>
      CC: Jay Vosburgh <fubar@us.ibm.com>
      CC: "David S. Miller" <davem@davemloft.net>
      Signed-off-by: Jay Vosburgh <fubar@us.ibm.com>
      Signed-off-by: Andy Gospodarek <andy@greyhouse.net>
      Signed-off-by: David S. Miller <davem@davemloft.net>
      cxgb4: fix reported state of interfaces without link · 6a3c869a
      Dimitris Michailidis authored
      Currently tools like ip and ifconfig report incorrect state for cxgb4
      interfaces that are up but do not have link and do so until first link
      establishment.  This is because the initial netif_carrier_off call is
      before register_netdev and it needs to be after to be fully effective.
      Fix this by moving netif_carrier_off into .ndo_open.
      Signed-off-by: Dimitris Michailidis <dm@chelsio.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
  9. 20 Jan, 2011 1 commit
  10. 19 Jan, 2011 16 commits
  11. 18 Jan, 2011 3 commits
  12. 17 Jan, 2011 3 commits
  13. 16 Jan, 2011 5 commits