Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/ https://git.shady.money/linux/atom?h=v5.4 2019-11-04T19:58:32Z 2019-11-04T19:58:32Z Lukas Wunner lukas@wunner.de 2019-10-31T10:06:24Z urn:sha1:250367c59e6ba0d79d702a059712d66edacd4a1a Invoking the following commands on a 32-bit architecture with strict alignment requirements (such as an ARMv7-based Raspberry Pi) results in an alignment exception: # nft add table ip test-ip4 # nft add chain ip test-ip4 output { type filter hook output priority 0; } # nft add rule ip test-ip4 output quota 1025 bytes Alignment trap: not handling instruction e1b26f9f at [<7f4473f8>] Unhandled fault: alignment exception (0x001) at 0xb832e824 Internal error: : 1 [#1] PREEMPT SMP ARM Hardware name: BCM2835 [<7f4473fc>] (nft_quota_do_init [nft_quota]) [<7f447448>] (nft_quota_init [nft_quota]) [<7f4260d0>] (nf_tables_newrule [nf_tables]) [<7f4168dc>] (nfnetlink_rcv_batch [nfnetlink]) [<7f416bd0>] (nfnetlink_rcv [nfnetlink]) [<8078b334>] (netlink_unicast) [<8078b664>] (netlink_sendmsg) [<8071b47c>] (sock_sendmsg) [<8071bd18>] (___sys_sendmsg) [<8071ce3c>] (__sys_sendmsg) [<8071ce94>] (sys_sendmsg) The reason is that nft_quota_do_init() calls atomic64_set() on an atomic64_t which is only aligned to 32-bit, not 64-bit, because it succeeds struct nft_expr in memory which only contains a 32-bit pointer. Fix by aligning the nft_expr private data to 64-bit. Fixes: 96518518cc41 ("netfilter: add nftables") Signed-off-by: Lukas Wunner <lukas@wunner.de> Cc: stable@vger.kernel.org # v3.13+ Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-25T09:01:19Z Laura Garcia Liebana nevola@gmail.com 2019-09-24T12:42:44Z urn:sha1:9b05b6e11d5e93a3a517cadc12b9836e0470c255 The deletion of a flowtable after a flush in the same transaction results in EBUSY. This patch adds an activation and deactivation of flowtables in order to update the _use_ counter. Signed-off-by: Laura Garcia Liebana <nevola@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-20T08:20:02Z Pablo Neira Ayuso pablo@netfilter.org 2019-09-16T16:33:08Z urn:sha1:ad652f3811d8644d547506154ec9a9c22c8771cd Default policy is defined as a unsigned 8-bit field, do not use a negative value to leave it unset, use this new NFT_CHAIN_POLICY_UNSET instead. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:48:09Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:18Z urn:sha1:0d32e7048d927418300b9f5415ca546e44621ef1 Two inline functions defined in nf_conntrack_timestamp.h, `nf_ct_tstamp_enabled` and `nf_ct_set_tstamp`, are not called anywhere. Remove them. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:47:41Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:17Z urn:sha1:1f1475f38b6830f40daa5d2e5290b926bcb63981 nf_conntrack_zones.h was wrapped in a CONFIG_NF_CONNTRACK check in order to fix compilation failures: 37ee3d5b3e97 ("netfilter: nf_defrag_ipv4: fix compilation error with NF_CONNTRACK=n") Subsequent changes mean that these failures will no longer occur and the check is unnecessary. Remove it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:47:36Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:16Z urn:sha1:f19438bdd4bfbfdaac441034c1aaecf02c116e68 `struct nf_hook_ops`, `struct nf_hook_state` and the `nf_hookfn` function typedef appear in function and struct declarations and definitions in a number of netfilter headers. The structs and typedef themselves are defined by linux/netfilter.h but only when CONFIG_NETFILTER is enabled. Define them unconditionally and add forward declarations in order to remove CONFIG_NETFILTER conditionals from the other headers. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:47:18Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:15Z urn:sha1:51a21be42ad8c2a343eb0d44813e38918b6a4df7 There is a superfluous `#if IS_ENABLED(CONFIG_NF_CONNTRACK)` check wrapping some function declarations. Remove it. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:47:11Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:14Z urn:sha1:261db6c2fbd64a2e649fdfa5f75cf161c384d110 Move some `struct nf_conntrack` code from linux/skbuff.h to linux/nf_conntrack_common.h. Together with a couple of helpers for getting and setting skb->_nfct, it allows us to remove CONFIG_NF_CONNTRACK checks from net/netfilter/nf_conntrack.h. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:47:11Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:13Z urn:sha1:f1815650b547db745bef35f74395e113fcf62cac The real br_nf_pre_routing_ipv6 function, defined when CONFIG_IPV6 is enabled, expects `void *priv`, not `const struct nf_hook_ops *ops`. Update the stub br_nf_pre_routing_ipv6, defined when CONFIG_IPV6 is disabled, to match. Fixes: 06198b34a3e0 ("netfilter: Pass priv instead of nf_hook_ops to netfilter hooks") Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2019-09-13T10:47:10Z Jeremy Sowden jeremy@azazel.net 2019-09-13T08:13:12Z urn:sha1:22e81d7416d04355a7dfa248f187feba641c199e nf_conntrack_synproxy.h contains three inline functions. The contents of two of them are wrapped in CONFIG_NETFILTER_SYNPROXY checks and just return NULL if it is not enabled. The third does nothing if they return NULL, so wrap its contents as well. nf_ct_timeout_data is only called if CONFIG_NETFILTER_TIMEOUT is enabled. Wrap its contents in a CONFIG_NETFILTER_TIMEOUT check like the other inline functions in nf_conntrack_timeout.h. Signed-off-by: Jeremy Sowden <jeremy@azazel.net> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>