From: Stefano Brivio <sbrivio@redhat.com>
To: Florian Westphal <fw@strlen.de>, sontu21@gmail.com
Cc: <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH nf 2/3] nft_set_pipapo: fix incorrect avx2 match of 5th field octet
Date: Fri, 4 Apr 2025 10:34:47 +0200 [thread overview]
Message-ID: <20250404103447.6f767eed@elisabeth> (raw)
In-Reply-To: <20250404062105.4285-3-fw@strlen.de>
On Fri, 4 Apr 2025 08:20:53 +0200
Florian Westphal <fw@strlen.de> wrote:
> Given a set element like:
>
> icmpv6 . dead:beef:00ff::1
>
> The value of 'ff' is irrelevant, any address will be matched
> as long as the other octets are the same.
>
> This is because of too-early register clobbering:
> ymm7 is reloaded with new packet data (pkt[9]) but it still holds data
> of an earlier load that wasn't processed yet.
>
> The existing tests in nft_concat_range.sh selftests do exercise this code
> path, but do not trigger incorrect matching due to the network prefix
> limitation.
>
> Cc: Stefano Brivio <sbrivio@redhat.com>
> Reported-by: sontu mazumdar <sontu21@gmail.com>
> Closes: https://marc.info/?l=netfilter&m=174369594208899&w=2
> Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
> net/netfilter/nft_set_pipapo_avx2.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
> index 8ce7154b678a..87cb0183cd79 100644
> --- a/net/netfilter/nft_set_pipapo_avx2.c
> +++ b/net/netfilter/nft_set_pipapo_avx2.c
> @@ -1120,8 +1120,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
> NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize);
>
> NFT_PIPAPO_AVX2_AND(6, 2, 3);
> + NFT_PIPAPO_AVX2_AND(3, 4, 7);
> NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);
> - NFT_PIPAPO_AVX2_AND(0, 4, 5);
> + NFT_PIPAPO_AVX2_AND(0, 3, 5);
Ouch, this is embarrassing, so it's great to see 1/3 and the fact that
it doesn't trigger other splats is a big relief.
Thanks Florian for fixing this and thanks Sontu for the detailed
report. I'm still reviewing patches 1/3 and 3/3.
If it matters, for now, for this one,
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
--
Stefano
next prev parent reply other threads:[~2025-04-04 8:34 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-04-04 6:20 [PATCH nf 0/3] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Florian Westphal
2025-04-04 6:20 ` [PATCH nf 1/3] nft_set_pipapo: add avx register usage tracking for NET_DEBUG builds Florian Westphal
2025-04-04 10:40 ` Stefano Brivio
2025-04-04 11:42 ` Florian Westphal
2025-04-04 6:20 ` [PATCH nf 2/3] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Florian Westphal
2025-04-04 8:34 ` Stefano Brivio [this message]
2025-04-04 6:20 ` [PATCH nf 3/3] selftests: netfilter: add test case for recent mismatch bug Florian Westphal
2025-04-04 11:51 ` Stefano Brivio
2025-04-09 9:51 ` sontu mazumdar
2025-04-09 10:13 ` Stefano Brivio
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250404103447.6f767eed@elisabeth \
--to=sbrivio@redhat.com \
--cc=fw@strlen.de \
--cc=netfilter-devel@vger.kernel.org \
--cc=sontu21@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.