AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
89e1f6d2b9
kernel_optimize_test/net/ipv6
History
Liping Zhang 89e1f6d2b9 netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 
After I add the nft rule "nft add rule filter prerouting reject
with tcp reset", kernel panic happened on my system:
  NULL pointer dereference at ...
  IP: [<ffffffff81b9db2f>] nf_send_reset+0xaf/0x400
  Call Trace:
  [<ffffffff81b9da80>] ? nf_reject_ip_tcphdr_get+0x160/0x160
  [<ffffffffa0928061>] nft_reject_ipv4_eval+0x61/0xb0 [nft_reject_ipv4]
  [<ffffffffa08e836a>] nft_do_chain+0x1fa/0x890 [nf_tables]
  [<ffffffffa08e8170>] ? __nft_trace_packet+0x170/0x170 [nf_tables]
  [<ffffffffa06e0900>] ? nf_ct_invert_tuple+0xb0/0xc0 [nf_conntrack]
  [<ffffffffa07224d4>] ? nf_nat_setup_info+0x5d4/0x650 [nf_nat]
  [...]

Because in the PREROUTING chain, routing information is not exist,
then we will dereference the NULL pointer and oops happen.

So we restrict reject expression to INPUT, FORWARD and OUTPUT chain.
This is consistent with iptables REJECT target.

Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2016-08-25 12:55:34 +02:00
..
ila ila: Fix checksum neutral mapping 2016-06-15 21:40:00 -07:00
netfilter netfilter: nft_reject: restrict to INPUT/FORWARD/OUTPUT 2016-08-25 12:55:34 +02:00
addrconf_core.c
addrconf.c net: ipv6: Remove addresses for failures with strict DAD 2016-08-22 16:59:37 -07:00
addrlabel.c
af_inet6.c Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-07-29 17:38:46 -07:00
ah6.c
anycast.c
calipso.c calipso: fix resource leak on calipso_genopt failure 2016-08-13 14:56:17 -07:00
datagram.c
esp6.c
exthdrs_core.c ipv6: constify the skb pointer of ipv6_find_tlv(). 2016-06-27 15:06:15 -04:00
exthdrs_offload.c
exthdrs.c Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
fib6_rules.c net: Add l3mdev rule 2016-06-08 11:36:02 -07:00
fou6.c
icmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
inet6_connection_sock.c
inet6_hashtables.c
ip6_checksum.c ipv6: fix checksum annotation in udp6_csum_init 2016-06-14 15:26:42 -04:00
ip6_fib.c ipv6: Fix mem leak in rt6i_pcpu 2016-07-05 14:09:23 -07:00
ip6_flowlabel.c
ip6_gre.c gre: set inner_protocol on xmit 2016-08-15 13:37:12 -07:00
ip6_icmp.c ipv6: icmp: add a force_saddr param to icmp6_send() 2016-06-18 22:11:38 -07:00
ip6_input.c net: vrf: ipv6 support for local traffic to local addresses 2016-06-08 00:25:38 -07:00
ip6_offload.c
ip6_offload.h
ip6_output.c net: vrf: Implement get_saddr for IPv6 2016-06-17 21:25:29 -07:00
ip6_tunnel.c
ip6_udp_tunnel.c
ip6_vti.c
ip6mr.c net: ipmr/ip6mr: update lastuse on entry change 2016-07-26 15:18:31 -07:00
ipcomp6.c
ipv6_sockglue.c Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
Kconfig fou: fix IPv6 Kconfig options 2016-05-31 14:07:49 -07:00
Makefile Merge branch 'stable-4.8' of git://git.infradead.org/users/pcmoore/selinux into next 2016-07-07 10:15:34 +10:00
mcast_snoop.c
mcast.c
mip6.c
ndisc.c ipv6: export several functions 2016-06-15 20:41:23 -07:00
netfilter.c
output_core.c
ping.c net: ipv6: Fix ping to link-local addresses. 2016-08-15 12:19:09 -07:00
proc.c
protocol.c
raw.c ipv6: use TOS marks from sockets for routing decision 2016-06-11 15:33:26 -07:00
reassembly.c
route.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-06-30 05:03:36 -04:00
sit.c sit: support MPLS over IPv4 2016-07-09 17:45:56 -04:00
syncookies.c
sysctl_net_ipv6.c calipso: Add a label cache. 2016-06-27 15:06:17 -04:00
tcp_ipv6.c tcp: properly scale window in tcp_v[46]_reqsk_send_ack() 2016-08-23 16:55:49 -07:00
tcpv6_offload.c
tunnel6.c
udp_impl.h
udp_offload.c
udp.c udp: get rid of SLAB_DESTROY_BY_RCU allocations 2016-08-23 17:46:17 -07:00
udplite.c udp: get rid of SLAB_DESTROY_BY_RCU allocations 2016-08-23 17:46:17 -07:00
xfrm6_input.c
xfrm6_mode_beet.c
xfrm6_mode_ro.c
xfrm6_mode_transport.c
xfrm6_mode_tunnel.c
xfrm6_output.c
xfrm6_policy.c net: xfrm: fix old-style declaration 2016-06-16 22:06:30 -07:00
xfrm6_protocol.c
xfrm6_state.c
xfrm6_tunnel.c