From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 6.1 38/81] netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext
Date: Mon, 6 Jan 2025 16:16:10 +0100 [thread overview]
Message-ID: <20250106151130.876187789@linuxfoundation.org> (raw)
In-Reply-To: <20250106151129.433047073@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4 ]
Access to genmask field in struct nft_set_ext results in unaligned
atomic read:
[ 72.130109] Unable to handle kernel paging request at virtual address ffff0000c2bb708c
[ 72.131036] Mem abort info:
[ 72.131213] ESR = 0x0000000096000021
[ 72.131446] EC = 0x25: DABT (current EL), IL = 32 bits
[ 72.132209] SET = 0, FnV = 0
[ 72.133216] EA = 0, S1PTW = 0
[ 72.134080] FSC = 0x21: alignment fault
[ 72.135593] Data abort info:
[ 72.137194] ISV = 0, ISS = 0x00000021, ISS2 = 0x00000000
[ 72.142351] CM = 0, WnR = 0, TnD = 0, TagAccess = 0
[ 72.145989] GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
[ 72.150115] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000237d27000
[ 72.154893] [ffff0000c2bb708c] pgd=0000000000000000, p4d=180000023ffff403, pud=180000023f84b403, pmd=180000023f835403,
+pte=0068000102bb7707
[ 72.163021] Internal error: Oops: 0000000096000021 [#1] SMP
[...]
[ 72.170041] CPU: 7 UID: 0 PID: 54 Comm: kworker/7:0 Tainted: G E 6.13.0-rc3+ #2
[ 72.170509] Tainted: [E]=UNSIGNED_MODULE
[ 72.170720] Hardware name: QEMU QEMU Virtual Machine, BIOS edk2-stable202302-for-qemu 03/01/2023
[ 72.171192] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[ 72.171552] pstate: 21400005 (nzCv daif +PAN -UAO -TCO +DIT -SSBS BTYPE=--)
[ 72.171915] pc : nft_rhash_gc+0x200/0x2d8 [nf_tables]
[ 72.172166] lr : nft_rhash_gc+0x128/0x2d8 [nf_tables]
[ 72.172546] sp : ffff800081f2bce0
[ 72.172724] x29: ffff800081f2bd40 x28: ffff0000c2bb708c x27: 0000000000000038
[ 72.173078] x26: ffff0000c6780ef0 x25: ffff0000c643df00 x24: ffff0000c6778f78
[ 72.173431] x23: 000000000000001a x22: ffff0000c4b1f000 x21: ffff0000c6780f78
[ 72.173782] x20: ffff0000c2bb70dc x19: ffff0000c2bb7080 x18: 0000000000000000
[ 72.174135] x17: ffff0000c0a4e1c0 x16: 0000000000003000 x15: 0000ac26d173b978
[ 72.174485] x14: ffffffffffffffff x13: 0000000000000030 x12: ffff0000c6780ef0
[ 72.174841] x11: 0000000000000000 x10: ffff800081f2bcf8 x9 : ffff0000c3000000
[ 72.175193] x8 : 00000000000004be x7 : 0000000000000000 x6 : 0000000000000000
[ 72.175544] x5 : 0000000000000040 x4 : ffff0000c3000010 x3 : 0000000000000000
[ 72.175871] x2 : 0000000000003a98 x1 : ffff0000c2bb708c x0 : 0000000000000004
[ 72.176207] Call trace:
[ 72.176316] nft_rhash_gc+0x200/0x2d8 [nf_tables] (P)
[ 72.176653] process_one_work+0x178/0x3d0
[ 72.176831] worker_thread+0x200/0x3f0
[ 72.176995] kthread+0xe8/0xf8
[ 72.177130] ret_from_fork+0x10/0x20
[ 72.177289] Code: 54fff984 d503201f d2800080 91003261 (f820303f)
[ 72.177557] ---[ end trace 0000000000000000 ]---
Align struct nft_set_ext to word size to address this and
documentation it.
pahole reports that this increases the size of elements for rhash and
pipapo in 8 bytes on x86_64.
Fixes: 7ffc7481153b ("netfilter: nft_set_hash: skip duplicated elements pending gc run")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index c24b04235d91..d11398aa642e 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -706,15 +706,18 @@ struct nft_set_ext_tmpl {
/**
* struct nft_set_ext - set extensions
*
- * @genmask: generation mask
+ * @genmask: generation mask, but also flags (see NFT_SET_ELEM_DEAD_BIT)
* @offset: offsets of individual extension types
* @data: beginning of extension data
+ *
+ * This structure must be aligned to word size, otherwise atomic bitops
+ * on genmask field can cause alignment failure on some archs.
*/
struct nft_set_ext {
u8 genmask;
u8 offset[NFT_SET_EXT_NUM];
char data[];
-};
+} __aligned(BITS_PER_LONG / 8);
static inline void nft_set_ext_prepare(struct nft_set_ext_tmpl *tmpl)
{
--
2.39.5
next prev parent reply other threads:[~2025-01-06 15:20 UTC|newest]
Thread overview: 93+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-06 15:15 [PATCH 6.1 00/81] 6.1.124-rc1 review Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 01/81] x86/hyperv: Fix hv tsc page based sched_clock for hibernation Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 02/81] selinux: ignore unknown extended permissions Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 03/81] btrfs: fix use-after-free in btrfs_encoded_read_endio() Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 04/81] tracing: Have process_string() also allow arrays Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 05/81] thunderbolt: Add support for Intel Lunar Lake Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 06/81] thunderbolt: Add support for Intel Panther Lake-M/P Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 07/81] thunderbolt: Dont display nvm_version unless upgrade supported Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 08/81] xhci: retry Stop Endpoint on buggy NEC controllers Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 09/81] usb: xhci: Limit Stop Endpoint retries Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 10/81] xhci: Turn NEC specific quirk for handling Stop Endpoint errors generic Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 11/81] net: mctp: handle skb cleanup on sock_queue failures Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 12/81] RDMA/mlx5: Enforce same type port association for multiport RoCE Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 13/81] RDMA/bnxt_re: Add check for path mtu in modify_qp Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 14/81] RDMA/bnxt_re: Fix reporting hw_ver in query_device Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 15/81] RDMA/bnxt_re: Fix max_qp_wrs reported Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 16/81] RDMA/bnxt_re: Fix the locking while accessing the QP table Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 17/81] drm/bridge: adv7511_audio: Update Audio InfoFrame properly Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 18/81] net: dsa: microchip: Fix KSZ9477 set_ageing_time function Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 19/81] net: dsa: microchip: add ksz_rmw8() function Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 20/81] net: dsa: microchip: Fix LAN937X set_ageing_time function Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 21/81] RDMA/hns: Refactor mtr find Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 22/81] RDMA/hns: Remove unused parameters and variables Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 23/81] RDMA/hns: Fix mapping error of zero-hop WQE buffer Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 24/81] RDMA/hns: Fix warning storm caused by invalid input in IO path Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 25/81] RDMA/hns: Fix missing flush CQE for DWQE Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 26/81] net: stmmac: platform: provide devm_stmmac_probe_config_dt() Greg Kroah-Hartman
2025-01-06 15:15 ` [PATCH 6.1 27/81] net: stmmac: dont create a MDIO bus if unnecessary Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 28/81] net: stmmac: restructure the error path of stmmac_probe_config_dt() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 29/81] net: fix memory leak in tcp_conn_request() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 30/81] ipip,ip_tunnel,sit: Add FOU support for externally controlled ipip devices Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 31/81] ip_tunnel: annotate data-races around t->parms.link Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 32/81] ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_bind_dev() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 33/81] ipv4: ip_tunnel: Unmask upper DSCP bits in ip_md_tunnel_xmit() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 34/81] ipv4: ip_tunnel: Unmask upper DSCP bits in ip_tunnel_xmit() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 35/81] net: Fix netns for ip_tunnel_init_flow() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 36/81] netrom: check buffer length before accessing it Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 37/81] drm/i915/dg1: Fix power gate sequence Greg Kroah-Hartman
2025-01-06 15:16 ` Greg Kroah-Hartman [this message]
2025-01-06 15:16 ` [PATCH 6.1 39/81] net: llc: reset skb->transport_header Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 40/81] ALSA: usb-audio: US16x08: Initialize array before use Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 41/81] eth: bcmsysport: fix call balance of priv->clk handling routines Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 42/81] net: mv643xx_eth: fix an OF node reference leak Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 43/81] net: wwan: t7xx: Fix FSM command timeout issue Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 44/81] RDMA/rtrs: Ensure ib_sge list is accessible Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 45/81] net: reenable NETIF_F_IPV6_CSUM offload for BIG TCP packets Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 46/81] net: restrict SO_REUSEPORT to inet sockets Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 47/81] net: wwan: iosm: Properly check for valid exec stage in ipc_mmio_init() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 48/81] af_packet: fix vlan_get_tci() vs MSG_PEEK Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 49/81] af_packet: fix vlan_get_protocol_dgram() " Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 50/81] ila: serialize calls to nf_register_net_hooks() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 51/81] btrfs: rename and export __btrfs_cow_block() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 52/81] btrfs: fix use-after-free when COWing tree bock and tracing is enabled Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 53/81] wifi: mac80211: wake the queues in case of failure in resume Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 54/81] drm/amdkfd: Correct the migration DMA map direction Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 55/81] btrfs: flush delalloc workers queue before stopping cleaner kthread during unmount Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 56/81] ALSA: hda/realtek: Add new alc2xx-fixup-headset-mic model Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 57/81] sound: usb: enable DSD output for ddHiFi TC44C Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 58/81] sound: usb: format: dont warn that raw DSD is unsupported Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 59/81] bpf: fix potential error return Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 60/81] ksmbd: retry iterate_dir in smb2_query_dir Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 61/81] net: usb: qmi_wwan: add Telit FE910C04 compositions Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 62/81] Bluetooth: hci_core: Fix sleeping function called from invalid context Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 63/81] irqchip/gic: Correct declaration of *percpu_base pointer in union gic_base Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 64/81] ARC: build: Try to guess GCC variant of cross compiler Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 65/81] usb: xhci: Avoid queuing redundant Stop Endpoint commands Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 66/81] modpost: fix input MODULE_DEVICE_TABLE() built for 64-bit on 32-bit host Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 67/81] modpost: fix the missed iteration for the max bit in do_input() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 68/81] ALSA hda/realtek: Add quirk for Framework F111:000C Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 69/81] ALSA: seq: oss: Fix races at processing SysEx messages Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 70/81] kcov: mark in_softirq_really() as __always_inline Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 71/81] RDMA/uverbs: Prevent integer overflow issue Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 72/81] pinctrl: mcp23s08: Fix sleeping in atomic context due to regmap locking Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 73/81] sky2: Add device ID 11ab:4373 for Marvell 88E8075 Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 74/81] net/sctp: Prevent autoclose integer overflow in sctp_association_init() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 75/81] drm: adv7511: Drop dsi single lane support Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 76/81] dt-bindings: display: adi,adv7533: Drop " Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 77/81] mm/readahead: fix large folio support in async readahead Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 78/81] mm: vmscan: account for free pages to prevent infinite Loop in throttle_direct_reclaim() Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 79/81] mptcp: fix TCP options overflow Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 80/81] mptcp: fix recvbuffer adjust on sleeping rcvmsg Greg Kroah-Hartman
2025-01-06 15:16 ` [PATCH 6.1 81/81] mptcp: dont always assume copied data in mptcp_cleanup_rbuf() Greg Kroah-Hartman
2025-01-06 18:22 ` [PATCH 6.1 00/81] 6.1.124-rc1 review Pavel Machek
2025-01-06 19:29 ` Florian Fainelli
2025-01-06 22:26 ` Peter Schneider
2025-01-07 0:22 ` SeongJae Park
2025-01-07 7:10 ` Ron Economos
2025-01-07 12:33 ` Mark Brown
2025-01-07 12:36 ` Naresh Kamboju
2025-01-07 12:44 ` Jon Hunter
2025-01-07 20:59 ` [PATCH 6.1] " Hardik Garg
2025-01-07 23:16 ` [PATCH 6.1 00/81] " Shuah Khan
2025-01-08 12:54 ` Muhammad Usama Anjum
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250106151130.876187789@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=pablo@netfilter.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.