| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 16 Aug 2023 00:29:50 +0200
From: Florian Westphal <fw@...len.de>
To: <netdev@...r.kernel.org>
Cc: Paolo Abeni <pabeni@...hat.com>,
"David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>,
Jakub Kicinski <kuba@...nel.org>,
<netfilter-devel@...r.kernel.org>
Subject: [PATCH net 0/9] netfilter fixes for net
Hello,
These are netfilter fixes for the *net* tree.
First patch resolves a false-positive lockdep splat:
rcu_dereference is used outside of rcu read lock. Let lockdep
validate that the transaction mutex is locked.
Second patch fixes a kdoc warning added in previous PR.
Third patch fixes a memory leak:
The catchall element isn't disabled correctly, this allows
userspace to deactivate the element again. This results in refcount
underflow which in turn prevents memory release. This was always
broken since the feature was added in 5.13.
Patch 4 fixes an incorrect change in the previous pull request:
Adding a duplicate key to a set should work if the duplicate key
has expired, restore this behaviour. All from myself.
Patch #5 resolves an old historic artifact in sctp conntrack:
a 300ms timeout for shutdown_ack. Increase this to 3s. From Xin Long.
Patch #6 fixes a sysctl data race in ipvs, two threads can clobber the
sysctl value, from Sishuai Gong. This is a day-0 bug that predates git
history.
Patches 7, 8 and 9, from Pablo Neira Ayuso, are also followups
for the previous GC rework in nf_tables: The netlink notifier and the
netns exit path must both increment the gc worker seqcount, else worker
may encounter stale (free'd) pointers.
The following changes since commit e4dd0d3a2f64b8bd8029ec70f52bdbebd0644408:
net: fix the RTO timer retransmitting skb every 1ms if linear option is enabled (2023-08-15 20:24:04 +0100)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-08-16
for you to fetch changes up to 23185c6aed1ffb8fc44087880ba2767aba493779:
netfilter: nft_dynset: disallow object maps (2023-08-16 00:05:15 +0200)
----------------------------------------------------------------
nf pull request 2023-08-16
----------------------------------------------------------------
Florian Westphal (4):
netfilter: nf_tables: fix false-positive lockdep splat
netfilter: nf_tables: fix kdoc warnings after gc rework
netfilter: nf_tables: deactivate catchall elements in next generation
netfilter: nf_tables: don't fail inserts if duplicate has expired
Pablo Neira Ayuso (3):
netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path
netfilter: nf_tables: GC transaction race with netns dismantle
netfilter: nft_dynset: disallow object maps
Sishuai Gong (1):
ipvs: fix racy memcpy in proc_do_sync_threshold
Xin Long (1):
netfilter: set default timeout to 3 secs for sctp shutdown send and recv state
Documentation/networking/nf_conntrack-sysctl.rst | 4 +--
include/net/netfilter/nf_tables.h | 1 +
net/netfilter/ipvs/ip_vs_ctl.c | 4 +++
net/netfilter/nf_conntrack_proto_sctp.c | 6 ++--
net/netfilter/nf_tables_api.c | 44 +++++++++++++++++++++---
net/netfilter/nft_dynset.c | 3 ++
net/netfilter/nft_set_pipapo.c | 38 +++++++++-----------
7 files changed, 69 insertions(+), 31 deletions(-)
Powered by blists - more mailing lists