Subject: Re: [PATCH 4.4 018/101] netfilter: synproxy: fix conntrackd interaction
From: Stefan Bader
To: Greg Kroah-Hartman, linux-kernel@vger.kernel.org
Cc: stable@vger.kernel.org, Eric Leblond, Pablo Neira Ayuso, "David S. Miller"
Date: Thu, 17 Aug 2017 07:57:07 +0200
In-Reply-To: <20170703133337.544046981@linuxfoundation.org>

On 03.07.2017 15:34, Greg Kroah-Hartman wrote:
> 4.4-stable review patch. If anyone has any objections, please let me know.

We found that pulling below patch into stable trees without also pulling

commit 9c3f3794926a997b1cab6c42480ff300efa2d162
Author: Liping Zhang
Date: Sat Mar 25 16:35:29 2017 +0800

    netfilter: nf_ct_ext: fix possible panic after nf_ct_extend_unregister

will result in a regression, at least in 4.4.y[1]. Stable maintainers who
picked up below patch might want to consider picking up above fix.

-Stefan

[1] http://bugs.launchpad.net/bugs/1709032

>
> ------------------
>
> From: Eric Leblond
>
> commit 87e94dbc210a720a34be5c1174faee5c84be963e upstream.
>
> This patch fixes the creation of connection tracking entry from
> netlink when synproxy is used. It was missing the addition of
> the synproxy extension.
>
> This was causing kernel crashes when a conntrack entry created by
> conntrackd was used after the switch of traffic from active node
> to the passive node.
>
> Signed-off-by: Eric Leblond
> Signed-off-by: Pablo Neira Ayuso
> Signed-off-by: Greg Kroah-Hartman
>
> ---
> net/netfilter/nf_conntrack_netlink.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> --- a/net/netfilter/nf_conntrack_netlink.c > +++ b/net/netfilter/nf_conntrack_netlink.c > @@ -45,6 +45,8 @@ > #include > #include > #include > +#include > +#include > #ifdef CONFIG_NF_NAT_NEEDED > #include > #include
> @@ -1798,6 +1800,8 @@ ctnetlink_create_conntrack(struct net *n > nf_ct_tstamp_ext_add(ct, GFP_ATOMIC); > nf_ct_ecache_ext_add(ct, 0, 0, GFP_ATOMIC); > nf_ct_labels_ext_add(ct); > + nfct_seqadj_ext_add(ct); > + nfct_synproxy_ext_add(ct); > =20 > /* we must add conntrack extensions before confirmation. */ > ct->status |=3D IPS_CONFIRMED;
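
Review bot: the two added #include lines in the "@@ -45,6 +45,8 @@" hunk sit above "#ifdef CONFIG_NF_NAT_NEEDED", so they are pulled in unconditionally. Please confirm that both headers build and still give usable declarations for the calls added in ctnetlink_create_conntrack() when the corresponding features are configured out, or move them under a matching guard.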
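
Review bot: in the "@@ -1798,6 +1800,8 @@" hunk the results of nfct_seqadj_ext_add(ct) and nfct_synproxy_ext_add(ct) are discarded, and the entry is marked IPS_CONFIRMED a few lines later regardless. If either call can fail, the conntrack entry is confirmed without the extension this patch is meant to guarantee, which is the state the commit message ties to the crash; consider checking both results and taking the function's error path. The calls are also made for every entry created through netlink rather than only when synproxy is in use, which deserves a line in the commit message. For the 4.4.y backport, the reply above reports a regression unless commit 9c3f3794926a997b1cab6c42480ff300efa2d162 is picked up as well, so that dependency should be recorded with the stable patch.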