8 files changed, 86 insertions, 40 deletions
diff --git a/include/uapi/linux/netfilter/nf_conntrack_common.h b/include/uapi/linux/netfilter/nf_conntrack_common.h
index 6d074d14ee27..6a8e33dd4ecb 100644
--- a/include/uapi/linux/netfilter/nf_conntrack_common.h
+++ b/include/uapi/linux/netfilter/nf_conntrack_common.h
@@ -82,6 +82,10 @@ enum ip_conntrack_status {
        IPS_DYING_BIT = 9,
        IPS_DYING = (1 << IPS_DYING_BIT),
+        /* Bits that cannot be altered from userland. */
+        IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
+                                 IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING),
        /* Connection has fixed timeout. */
        IPS_FIXED_TIMEOUT_BIT = 10,
        IPS_FIXED_TIMEOUT = (1 << IPS_FIXED_TIMEOUT_BIT),
diff --git a/include/uapi/linux/netfilter/nfnetlink_queue.h b/include/uapi/linux/netfilter/nfnetlink_queue.h
index ae30841ff94e..d42f0396fe30 100644
--- a/include/uapi/linux/netfilter/nfnetlink_queue.h
+++ b/include/uapi/linux/netfilter/nfnetlink_queue.h
@@ -36,7 +36,7 @@ enum nfqnl_vlan_attr {
        NFQA_VLAN_TCI,                  /* __be16 skb htons(vlan_tci) */
        __NFQA_VLAN_MAX,
 };
-#define NFQA_VLAN_MAX (__NFQA_VLAN_MAX + 1)
+#define NFQA_VLAN_MAX (__NFQA_VLAN_MAX - 1)
 enum nfqnl_attr_type {
        NFQA_UNSPEC,
diff --git a/net/netfilter/ipset/ip_set_hash_gen.h b/net/netfilter/ipset/ip_set_hash_gen.h
index 1b05d4a7d5a1..f236c0bc7b3f 100644
--- a/net/netfilter/ipset/ip_set_hash_gen.h
+++ b/net/netfilter/ipset/ip_set_hash_gen.h
@@ -897,7 +897,7 @@ mtype_del(struct ip_set *set, void *value, const struct ip_set_ext *ext,
                                        continue;
                                data = ahash_data(n, j, dsize);
                                memcpy(tmp->value + k * dsize, data, dsize);
-                                set_bit(j, tmp->used);
+                                set_bit(k, tmp->used);
                                k++;
                        }
                        tmp->pos = k;
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 51077c53d76b..178d4eba013b 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -260,11 +260,14 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
                else
                        prev = e;
        }
+        /* If before/after is used on an empty set */
+        if ((d->before > 0 && !next) ||
+            (d->before < 0 && !prev))
+                return -IPSET_ERR_REF_EXIST;
        /* Re-add already existing element */
        if (n) {
-                if ((d->before > 0 && !next) ||
-                    (d->before < 0 && !prev))
-                        return -IPSET_ERR_REF_EXIST;
                if (!flag_exist)
                        return -IPSET_ERR_EXIST;
                /* Update extensions */
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c
index 7341adf7059d..6dc44d9b4190 100644
--- a/net/netfilter/nf_conntrack_helper.c
+++ b/net/netfilter/nf_conntrack_helper.c
@@ -188,6 +188,26 @@ nf_ct_helper_ext_add(struct nf_conn *ct,
 }
 EXPORT_SYMBOL_GPL(nf_ct_helper_ext_add);
+static struct nf_conntrack_helper *
+nf_ct_lookup_helper(struct nf_conn *ct, struct net *net)
+{
+        if (!net->ct.sysctl_auto_assign_helper) {
+                if (net->ct.auto_assign_helper_warned)
+                        return NULL;
+                if (!__nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple))
+                        return NULL;
+                pr_info("nf_conntrack: default automatic helper assignment "
+                        "has been turned off for security reasons and CT-based "
+                        " firewall rule not found. Use the iptables CT target "
+                        "to attach helpers instead.\n");
+                net->ct.auto_assign_helper_warned = 1;
+                return NULL;
+        }
+        return __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
+}
 int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
                              gfp_t flags)
 {
@@ -213,21 +233,14 @@ int __nf_ct_try_assign_helper(struct nf_conn *ct, struct nf_conn *tmpl,
        }
        help = nfct_help(ct);
-        if (net->ct.sysctl_auto_assign_helper && helper == NULL) {
-                helper = __nf_ct_helper_find(&ct->tuplehash[IP_CT_DIR_REPLY].tuple);
-                if (unlikely(!net->ct.auto_assign_helper_warned && helper)) {
-                        pr_info("nf_conntrack: automatic helper "
-                                "assignment is deprecated and it will "
-                                "be removed soon. Use the iptables CT target "
-                                "to attach helpers instead.\n");
-                        net->ct.auto_assign_helper_warned = true;
-                }
-        }
        if (helper == NULL) {
-                if (help)
+                helper = nf_ct_lookup_helper(ct, net);
-                        RCU_INIT_POINTER(help->helper, NULL);
+                if (helper == NULL) {
-                return 0;
+                        if (help)
+                                RCU_INIT_POINTER(help->helper, NULL);
+                        return 0;
+                }
        }
        if (help == NULL) {
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
index 27540455dc62..6806b5e73567 100644
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1478,14 +1478,23 @@ static int ctnetlink_change_helper(struct nf_conn *ct,
        struct nlattr *helpinfo = NULL;
        int err;
-        /* don't change helper of sibling connections */
-        if (ct->master)
-                return -EBUSY;
        err = ctnetlink_parse_help(cda[CTA_HELP], &helpname, &helpinfo);
        if (err < 0)
                return err;
+        /* don't change helper of sibling connections */
+        if (ct->master) {
+                /* If we try to change the helper to the same thing twice,
+                 * treat the second attempt as a no-op instead of returning
+                 * an error.
+                 */
+                if (help && help->helper &&
+                    !strcmp(help->helper->name, helpname))
+                        return 0;
+                else
+                        return -EBUSY;
+        }
        if (!strcmp(helpname, "")) {
                if (help && help->helper) {
                        /* we had a helper before ... */
@@ -2270,6 +2279,30 @@ nla_put_failure:
 }
 static int
+ctnetlink_update_status(struct nf_conn *ct, const struct nlattr * const cda[])
+{
+        unsigned int status = ntohl(nla_get_be32(cda[CTA_STATUS]));
+        unsigned long d = ct->status ^ status;
+        if (d & IPS_SEEN_REPLY && !(status & IPS_SEEN_REPLY))
+                /* SEEN_REPLY bit can only be set */
+                return -EBUSY;
+        if (d & IPS_ASSURED && !(status & IPS_ASSURED))
+                /* ASSURED bit can only be set */
+                return -EBUSY;
+        /* This check is less strict than ctnetlink_change_status()
+         * because callers often flip IPS_EXPECTED bits when sending
+         * an NFQA_CT attribute to the kernel.  So ignore the
+         * unchangeable bits but do not error out.
+         */
+        ct->status = (status & ~IPS_UNCHANGEABLE_MASK) |
+                     (ct->status & IPS_UNCHANGEABLE_MASK);
+        return 0;
+}
+static int
 ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
 {
        int err;
@@ -2280,7 +2313,7 @@ ctnetlink_glue_parse_ct(const struct nlattr *cda[], struct nf_conn *ct)
                        return err;
        }
        if (cda[CTA_STATUS]) {
-                err = ctnetlink_change_status(ct, cda);
+                err = ctnetlink_update_status(ct, cda);
                if (err < 0)
                        return err;
        }
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index a2148d0bc50e..68eda920160e 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -279,7 +279,7 @@ static void nfnetlink_rcv_batch(struct sk_buff *skb, struct nlmsghdr *nlh,
        struct net *net = sock_net(skb->sk);
        const struct nfnetlink_subsystem *ss;
        const struct nfnl_callback *nc;
-        static LIST_HEAD(err_list);
+        LIST_HEAD(err_list);
        u32 status;
        int err;
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 26ef70c50e3b..2a6dfe8b74d3 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -463,23 +463,16 @@ static u32 xt_hashlimit_len_to_chunks(u32 len)
 /* Precision saver. */
 static u64 user2credits(u64 user, int revision)
 {
-        if (revision == 1) {
+        u64 scale = (revision == 1) ?
-                /* If multiplying would overflow... */
+                XT_HASHLIMIT_SCALE : XT_HASHLIMIT_SCALE_v2;
-                if (user > 0xFFFFFFFF / (HZ*CREDITS_PER_JIFFY_v1))
+        u64 cpj = (revision == 1) ?
-                        /* Divide first. */
+                CREDITS_PER_JIFFY_v1 : CREDITS_PER_JIFFY;
-                        return div64_u64(user, XT_HASHLIMIT_SCALE)
-                                * HZ * CREDITS_PER_JIFFY_v1;
-                return div64_u64(user * HZ * CREDITS_PER_JIFFY_v1,
-                                 XT_HASHLIMIT_SCALE);
-        } else {
-                if (user > 0xFFFFFFFFFFFFFFFFULL / (HZ*CREDITS_PER_JIFFY))
-                        return div64_u64(user, XT_HASHLIMIT_SCALE_v2)
-                                * HZ * CREDITS_PER_JIFFY;
-                return div64_u64(user * HZ * CREDITS_PER_JIFFY,
+        /* Avoid overflow: divide the constant operands first */
-                                 XT_HASHLIMIT_SCALE_v2);
+        if (scale >= HZ * cpj)
-        }
+                return div64_u64(user, div64_u64(scale, HZ * cpj));
+        return user * div64_u64(HZ * cpj, scale);
 }
 static u32 user2credits_byte(u32 user)