Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf

Pablo Neira Ayuso says:

====================
Netfilter/IPVS fixes for net

This patchset contains four nf_tables fixes, one IPVS fix due to
missing updates in the interaction with the new sedadj conntrack
extension that was added to support the netfilter synproxy code,
and a couple of one-liners to fix netnamespace netfilter issues.
More specifically, they are:

* Fix ipv6_find_hdr() call without offset being explicitly initialized
  in nft_exthdr, as required by that function, from Daniel Borkmann.

* Fix oops in nfnetlink_log when using netns and unloading the kernel
  module, from Gao feng.

* Fix BUG_ON in nf_ct_timestamp extension after netns is destroyed,
  from Helmut Schaa.

* Fix crash in IPVS due to missing sequence adjustment extension being
  allocated in the conntrack, from Jesper Dangaard Brouer.

* Add bugtrap to spot a warning in case you deference sequence adjustment
  conntrack area when not available, this should help to catch similar
  invalid dereferences in the Netfilter tree, also from Jesper.

* Fix incomplete dumping of sets in nf_tables when retrieving by family,
  from me.

* Fix oops when updating the table state (dormant <-> active) and having
  user (not base ) chains, from me.

* Fix wrong validation in set element data that results in returning
  -EINVAL when using the nf_tables dictionary feature with mappings,
  also from me.

We don't usually have this amount of fixes by this time (as we're already
in -rc5 of the development cycle), although half of them are related to
nf_tables which is a relatively new thing, and I also believe that holidays
have also delayed the flight of bugfixes to mainstream a bit.
====================

Signed-off-by: David S. Miller <davem@davemloft.net>

6 files changed, 33 insertions, 8 deletions

diff --git a/net/netfilter/ipvs/ip_vs_nfct.c b/net/netfilter/ipvs/ip_vs_nfct.c
index c8beafd401aa..5a355a46d1dc 100644
--- a/net/netfilter/ipvs/ip_vs_nfct.c
+++ b/net/netfilter/ipvs/ip_vs_nfct.c
@@ -63,6 +63,7 @@
 #include <net/ip_vs.h>
 #include <net/netfilter/nf_conntrack_core.h>
 #include <net/netfilter/nf_conntrack_expect.h>
+#include <net/netfilter/nf_conntrack_seqadj.h>
 #include <net/netfilter/nf_conntrack_helper.h>
 #include <net/netfilter/nf_conntrack_zones.h>
 
@@ -97,6 +98,11 @@ ip_vs_update_conntrack(struct sk_buff *skb, struct ip_vs_conn *cp, int outin)
         if (CTINFO2DIR(ctinfo) != IP_CT_DIR_ORIGINAL)
                 return;
 
+        /* Applications may adjust TCP seqs */
+        if (cp->app && nf_ct_protonum(ct) == IPPROTO_TCP &&
+            !nfct_seqadj(ct) && !nfct_seqadj_ext_add(ct))
+                return;
+
         /*
          * The connection is not yet in the hashtable, so we update it.
          * CIP->VIP will remain the same, so leave the tuple in
diff --git a/net/netfilter/nf_conntrack_seqadj.c b/net/netfilter/nf_conntrack_seqadj.c
index 17c1bcb182c6..b2d38da67822 100644
--- a/net/netfilter/nf_conntrack_seqadj.c
+++ b/net/netfilter/nf_conntrack_seqadj.c
@@ -36,6 +36,11 @@ int nf_ct_seqadj_set(struct nf_conn *ct, enum ip_conntrack_info ctinfo,
         if (off == 0)
                 return 0;
 
+        if (unlikely(!seqadj)) {
+                WARN(1, "Wrong seqadj usage, missing nfct_seqadj_ext_add()\n");
+                return 0;
+        }
+
         set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
 
         spin_lock_bh(&ct->lock);
diff --git a/net/netfilter/nf_conntrack_timestamp.c b/net/netfilter/nf_conntrack_timestamp.c
index 902fb0a6b38a..7a394df0deb7 100644
--- a/net/netfilter/nf_conntrack_timestamp.c
+++ b/net/netfilter/nf_conntrack_timestamp.c
@@ -97,7 +97,6 @@ int nf_conntrack_tstamp_pernet_init(struct net *net)
 void nf_conntrack_tstamp_pernet_fini(struct net *net)
 {
         nf_conntrack_tstamp_fini_sysctl(net);
-        nf_ct_extend_unregister(&tstamp_extend);
 }
 
 int nf_conntrack_tstamp_init(void)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index f93b7d06f4be..71a9f49a768b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -312,6 +312,9 @@ static int nf_tables_table_enable(struct nft_table *table)
         int err, i = 0;
 
         list_for_each_entry(chain, &table->chains, list) {
+                if (!(chain->flags & NFT_BASE_CHAIN))
+                        continue;
+
                 err = nf_register_hook(&nft_base_chain(chain)->ops);
                 if (err < 0)
                         goto err;
@@ -321,6 +324,9 @@ static int nf_tables_table_enable(struct nft_table *table)
         return 0;
 err:
         list_for_each_entry(chain, &table->chains, list) {
+                if (!(chain->flags & NFT_BASE_CHAIN))
+                        continue;
+
                 if (i-- <= 0)
                         break;
 
@@ -333,8 +339,10 @@ static int nf_tables_table_disable(struct nft_table *table)
 {
         struct nft_chain *chain;
 
-        list_for_each_entry(chain, &table->chains, list)
-                nf_unregister_hook(&nft_base_chain(chain)->ops);
+        list_for_each_entry(chain, &table->chains, list) {
+                if (chain->flags & NFT_BASE_CHAIN)
+                        nf_unregister_hook(&nft_base_chain(chain)->ops);
+        }
 
         return 0;
 }
@@ -2098,17 +2106,21 @@ static int nf_tables_dump_sets_all(struct nft_ctx *ctx, struct sk_buff *skb,
                                    struct netlink_callback *cb)
 {
         const struct nft_set *set;
-        unsigned int idx = 0, s_idx = cb->args[0];
+        unsigned int idx, s_idx = cb->args[0];
         struct nft_table *table, *cur_table = (struct nft_table *)cb->args[2];
 
         if (cb->args[1])
                 return skb->len;
 
         list_for_each_entry(table, &ctx->afi->tables, list) {
-                if (cur_table && cur_table != table)
-                        continue;
+                if (cur_table) {
+                        if (cur_table != table)
+                                continue;
 
+                        cur_table = NULL;
+                }
                 ctx->table = table;
+                idx = 0;
                 list_for_each_entry(set, &ctx->table->sets, list) {
                         if (idx < s_idx)
                                 goto cont;
@@ -2370,7 +2382,9 @@ static int nf_tables_bind_check_setelem(const struct nft_ctx *ctx,
         enum nft_registers dreg;
 
         dreg = nft_type_to_reg(set->dtype);
-        return nft_validate_data_load(ctx, dreg, &elem->data, set->dtype);
+        return nft_validate_data_load(ctx, dreg, &elem->data,
+                                      set->dtype == NFT_DATA_VERDICT ?
+                                      NFT_DATA_VERDICT : NFT_DATA_VALUE);
 }
 
 int nf_tables_bind_set(const struct nft_ctx *ctx, struct nft_set *set,
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 3c4b69e5fe17..a155d19a225e 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -1053,6 +1053,7 @@ static void __net_exit nfnl_log_net_exit(struct net *net)
 #ifdef CONFIG_PROC_FS
         remove_proc_entry("nfnetlink_log", net->nf.proc_netfilter);
 #endif
+        nf_log_unset(net, &nfulnl_logger);
 }
 
 static struct pernet_operations nfnl_log_net_ops = {
diff --git a/net/netfilter/nft_exthdr.c b/net/netfilter/nft_exthdr.c
index 8e0bb75e7c51..55c939f5371f 100644
--- a/net/netfilter/nft_exthdr.c
+++ b/net/netfilter/nft_exthdr.c
@@ -31,7 +31,7 @@ static void nft_exthdr_eval(const struct nft_expr *expr,
 {
         struct nft_exthdr *priv = nft_expr_priv(expr);
         struct nft_data *dest = &data[priv->dreg];
-        unsigned int offset;
+        unsigned int offset = 0;
         int err;
 
         err = ipv6_find_hdr(pkt->skb, &offset, priv->type, NULL, NULL);