Date: Tue, 12 Jul 2016 10:58:54 +0200
From: Florian Westphal
To: Sasha Levin
Cc: stable@vger.kernel.org, stable-commits@vger.kernel.org, Florian Westphal, Pablo Neira Ayuso
Subject: Re: [added to the 3.18 stable tree] netfilter: x_tables: validate targets of jumps
Message-ID: <20160712085854.GC17163@breakpoint.cc>
References: <1468292479-23684-1-git-send-email-sasha.levin@oracle.com> <1468292479-23684-213-git-send-email-sasha.levin@oracle.com>
In-Reply-To: <1468292479-23684-213-git-send-email-sasha.levin@oracle.com>

Sasha Levin wrote:
> From: Florian Westphal
>
> This patch has been added to the 3.18 stable tree. If you have any
> objections, please let us know.

Note that I got a bug report about a severe performance regression
introduced by this commit (30 second restore time -> 10 minutes(!)).

I am working on this now.

> [ Upstream commit 36472341017529e2b12573093cc0f68719300997 ]
>
> When we see a jump also check that the offset gets us to beginning of
> a rule (an ipt_entry).
>
> The extra overhead is negligible, even with absurd cases.
>
> 300k custom rules, 300k jumps to 'next' user chain:
> [ plus one jump from INPUT to first userchain ]:
>
> Before:
> real 0m24.874s
> user 0m7.532s
> sys 0m16.076s
>
> After:
> real 0m27.464s
> user 0m7.436s
> sys 0m18.840s

Might be because the dummy ruleset was too small, I'll retry adding some
bogus matches to increase size.
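The check the quoted commit message describes, as an added user-space example that is not the kernel's code and not Florian's patch: a table of back-to-back rules is walked once, the byte offset of every rule start is recorded, and each jump verdict is then required to land exactly on one of those starts. The `toy_entry` layout (a stand-in for the `ipt_entry` prefix), the `validate_jumps` and `sample_result` names, and the three constructed sample tables are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy rule header. Assumption: a stand-in for the ipt_entry prefix; the
 * real struct also carries IP match fields, counters and a target blob. */
struct toy_entry {
    uint16_t next_offset; /* total size of this rule in bytes */
    int32_t  verdict;     /* < 0: builtin verdict; >= 0: jump to this byte offset */
};

/* Walk the rule blob once, recording where every rule starts.
 * Returns the rule count, or -1 if a rule overruns the blob or is too small. */
static int collect_rule_offsets(const uint8_t *blob, size_t size,
                                size_t *offsets, size_t max_rules)
{
    size_t off = 0, n = 0;
    while (off < size) {
        struct toy_entry e;
        if (size - off < sizeof e || n == max_rules)
            return -1;
        memcpy(&e, blob + off, sizeof e);
        if (e.next_offset < sizeof e || e.next_offset > size - off)
            return -1;
        offsets[n++] = off;
        off += e.next_offset;
    }
    return (int)n;
}

/* offsets[] is strictly increasing, so a binary search answers
 * "does a rule begin exactly at target?" */
static int is_rule_start(const size_t *offsets, size_t n, size_t target)
{
    size_t lo = 0, hi = n;
    while (lo < hi) {
        size_t mid = lo + (hi - lo) / 2;
        if (offsets[mid] == target) return 1;
        if (offsets[mid] < target) lo = mid + 1; else hi = mid;
    }
    return 0;
}

/* Returns 0 when every jump lands on a rule start, the 1-based index of the
 * first rule whose jump does not, or -1 when the blob itself is malformed. */
int validate_jumps(const uint8_t *blob, size_t size)
{
    size_t offsets[256];
    int n = collect_rule_offsets(blob, size, offsets, 256);
    if (n < 0)
        return -1;
    for (int i = 0; i < n; i++) {
        struct toy_entry e;
        memcpy(&e, blob + offsets[i], sizeof e);
        if (e.verdict < 0)
            continue; /* builtin verdict, nothing to validate */
        if (!is_rule_start(offsets, (size_t)n, (size_t)e.verdict))
            return i + 1;
    }
    return 0;
}

/* Write one rule header at `off` and zero-fill the rest of its payload
 * (standing in for match data). */
static void put_rule(uint8_t *blob, size_t off, uint16_t size, int32_t verdict)
{
    struct toy_entry e = { .next_offset = size, .verdict = verdict };
    memset(blob + off, 0, size);
    memcpy(blob + off, &e, sizeof e);
}

/* Constructed three-rule tables (not captured from a real system):
 *   variant 0: rule 1 jumps to rule 3 at offset 32       -> accepted (0)
 *   variant 1: rule 1 jumps to offset 20, inside rule 2  -> rejected (1)
 *   variant 2: rule 1 jumps to offset 40, past the table -> rejected (1) */
int sample_result(int variant)
{
    uint8_t blob[40];
    int32_t jump = variant == 0 ? 32 : variant == 1 ? 20 : 40;
    put_rule(blob, 0, 16, jump);
    put_rule(blob, 16, 16, -1);
    put_rule(blob, 32, 8, -1);
    return validate_jumps(blob, sizeof blob);
}

int main(void)
{
    for (int v = 0; v < 3; v++)
        printf("variant %d -> %d\n", v, sample_result(v));
    return 0;
}
```

Pre-collecting the rule starts makes each jump check a binary search over the offset array rather than a fresh scan of the table, so the total cost stays near one pass over the ruleset regardless of how many jumps it contains; that is a design choice of this example only, and says nothing about how the upstream commit implements its check.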