* [PATCH net 0/2] Netfilter fixes for net
@ 2025-04-10 10:36 Pablo Neira Ayuso
2025-04-10 10:36 ` [PATCH net 1/2] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Pablo Neira Ayuso
2025-04-10 10:36 ` [PATCH net 2/2] selftests: netfilter: add test case for recent mismatch bug Pablo Neira Ayuso
0 siblings, 2 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2025-04-10 10:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, horms
Hi,

The following batch contains a Netfilter fix and improved test coverage:

1) Fix AVX2 matching in nft_pipapo, from Florian Westphal.

2) Extend existing test to improve coverage for the aforementioned bug,
   also from Florian.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-04-10

Thanks.
----------------------------------------------------------------
The following changes since commit aabc6596ffb377c4c9c8f335124b92ea282c9821:
net: ppp: Add bound checking for skb data on ppp_sync_txmung (2025-04-10 11:24:17 +0200)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-04-10
for you to fetch changes up to 27eb86e22f1067a39f05e8878fd83f00e3311dc3:
selftests: netfilter: add test case for recent mismatch bug (2025-04-10 12:33:55 +0200)
----------------------------------------------------------------
netfilter pull request 25-04-10
----------------------------------------------------------------
Florian Westphal (2):
nft_set_pipapo: fix incorrect avx2 match of 5th field octet
selftests: netfilter: add test case for recent mismatch bug
net/netfilter/nft_set_pipapo_avx2.c | 3 +-
.../selftests/net/netfilter/nft_concat_range.sh | 39 +++++++++++++++++++++-
2 files changed, 40 insertions(+), 2 deletions(-)
* [PATCH net 1/2] nft_set_pipapo: fix incorrect avx2 match of 5th field octet
2025-04-10 10:36 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
@ 2025-04-10 10:36 ` Pablo Neira Ayuso
2025-04-10 12:40 ` patchwork-bot+netdevbpf
2025-04-10 10:36 ` [PATCH net 2/2] selftests: netfilter: add test case for recent mismatch bug Pablo Neira Ayuso
1 sibling, 1 reply; 4+ messages in thread
From: Pablo Neira Ayuso @ 2025-04-10 10:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, horms
From: Florian Westphal <fw@strlen.de>
Given a set element like:

	icmpv6 . dead:beef:00ff::1

The value of 'ff' is irrelevant, any address will be matched
as long as the other octets are the same.

This is because of too-early register clobbering:
ymm7 is reloaded with new packet data (pkt[9]) but it still holds data
of an earlier load that wasn't processed yet.

The existing tests in nft_concat_range.sh selftests do exercise this code
path, but do not trigger incorrect matching due to the network prefix
limitation.

Fixes: 7400b063969b ("nft_set_pipapo: Introduce AVX2-based lookup implementation")
Reported-by: sontu mazumdar <sontu21@gmail.com>
Closes: https://lore.kernel.org/netfilter/CANgxkqwnMH7fXra+VUfODT-8+qFLgskq3set1cAzqqJaV4iEZg@mail.gmail.com/T/#t
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_set_pipapo_avx2.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index b8d3c3213efe..c15db28c5ebc 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -994,8 +994,9 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill,
NFT_PIPAPO_AVX2_BUCKET_LOAD8(5, lt, 8, pkt[8], bsize);
NFT_PIPAPO_AVX2_AND(6, 2, 3);
+ NFT_PIPAPO_AVX2_AND(3, 4, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize);
- NFT_PIPAPO_AVX2_AND(0, 4, 5);
+ NFT_PIPAPO_AVX2_AND(0, 3, 5);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(1, lt, 10, pkt[10], bsize);
NFT_PIPAPO_AVX2_AND(2, 6, 7);
NFT_PIPAPO_AVX2_BUCKET_LOAD8(3, lt, 11, pkt[11], bsize);
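Review bot: the ordering dependency between the added NFT_PIPAPO_AVX2_AND(3, 4, 7) and the NFT_PIPAPO_AVX2_BUCKET_LOAD8(7, lt, 9, pkt[9], bsize) directly below it is not documented in the code, so a later reschedule of this interleaved load/AND sequence could swap them back without anyone noticing. A one-line comment above the new AND saying that ymm7 must be folded into the result before it is reloaded would record that. Using ymm3 as the temporary looks safe from the lines shown: its old value is consumed by NFT_PIPAPO_AVX2_AND(6, 2, 3) just above, the new value is consumed by NFT_PIPAPO_AVX2_AND(0, 3, 5), and it is reloaded only afterwards for pkt[11].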
--
2.30.2
* [PATCH net 2/2] selftests: netfilter: add test case for recent mismatch bug
2025-04-10 10:36 [PATCH net 0/2] Netfilter fixes for net Pablo Neira Ayuso
2025-04-10 10:36 ` [PATCH net 1/2] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Pablo Neira Ayuso
@ 2025-04-10 10:36 ` Pablo Neira Ayuso
1 sibling, 0 replies; 4+ messages in thread
From: Pablo Neira Ayuso @ 2025-04-10 10:36 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet, fw, horms
From: Florian Westphal <fw@strlen.de>
Without "nft_set_pipapo: fix incorrect avx2 match of 5th field octet"
this fails:

TEST: reported issues
  Add two elements, flush, re-add 1s [ OK ]
  net,mac with reload 0s [ OK ]
  net,port,proto 3s [ OK ]
  avx2 false match 0s [FAIL]
False match for fe80:dead:01fe:0a02:0b03:6007:8009:a001

Other tests do not detect the kernel bug as they only alter parts in
the /64 netmask.

Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
.../net/netfilter/nft_concat_range.sh | 39 ++++++++++++++++++-
1 file changed, 38 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/net/netfilter/nft_concat_range.sh b/tools/testing/selftests/net/netfilter/nft_concat_range.sh
index 47088b005390..1f5979c1510c 100755
--- a/tools/testing/selftests/net/netfilter/nft_concat_range.sh
+++ b/tools/testing/selftests/net/netfilter/nft_concat_range.sh
@@ -27,7 +27,7 @@ TYPES="net_port port_net net6_port port_proto net6_port_mac net6_port_mac_proto
net6_port_net6_port net_port_mac_proto_net"
# Reported bugs, also described by TYPE_ variables below
-BUGS="flush_remove_add reload net_port_proto_match"
+BUGS="flush_remove_add reload net_port_proto_match avx2_mismatch"
# List of possible paths to pktgen script from kernel tree for performance tests
PKTGEN_SCRIPT_PATHS="
@@ -387,6 +387,25 @@ race_repeat 0
perf_duration 0
"
+
+TYPE_avx2_mismatch="
+display avx2 false match
+type_spec inet_proto . ipv6_addr
+chain_spec meta l4proto . ip6 daddr
+dst proto addr6
+src
+start 1
+count 1
+src_delta 1
+tools ping
+proto icmp6
+
+race_repeat 0
+
+perf_duration 0
+"
+
+
# Set template for all tests, types and rules are filled in depending on test
set_template='
flush ruleset
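Review bot: style point at the end of the TYPE_avx2_mismatch block: two consecutive empty lines are added after the closing quote, before the "# Set template" comment, where one is enough. A short comment above TYPE_avx2_mismatch naming the kernel fix it guards would also help, since the display string "avx2 false match" alone does not say which bug the entry covers.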
@@ -1629,6 +1648,24 @@ test_bug_net_port_proto_match() {
nft flush ruleset
}
+test_bug_avx2_mismatch()
+{
+ setup veth send_"${proto}" set || return ${ksft_skip}
+
+ local a1="fe80:dead:01ff:0a02:0b03:6007:8009:a001"
+ local a2="fe80:dead:01fe:0a02:0b03:6007:8009:a001"
+
+ nft "add element inet filter test { icmpv6 . $a1 }"
+
+ dst_addr6="$a2"
+ send_icmp6
+
+ if [ "$(count_packets)" -gt "0" ]; then
+ err "False match for $a2"
+ return 1
+ fi
+}
+
test_reported_issues() {
eval test_bug_"${subtest}"
}
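Review bot: test_bug_avx2_mismatch() checks only the negative case, so it also passes when the element was never inserted or no packet was actually sent. The exit status of nft "add element inet filter test { icmpv6 . $a1 }" is not checked, and there is no send to $a1 with count_packets expected above zero before dst_addr6 is switched to $a2. Adding that positive check first, or at least "|| return 1" on the nft call, would make a pass mean that the set really discriminated between the two addresses. Minor: the opening brace sits on its own line here while test_reported_issues() { keeps it on the same line, and unlike the function ending just above this one there is no nft flush ruleset before returning; is cleanup left to the caller on purpose?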
--
2.30.2
* Re: [PATCH net 1/2] nft_set_pipapo: fix incorrect avx2 match of 5th field octet
2025-04-10 10:36 ` [PATCH net 1/2] nft_set_pipapo: fix incorrect avx2 match of 5th field octet Pablo Neira Ayuso
@ 2025-04-10 12:40 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2025-04-10 12:40 UTC (permalink / raw)
To: Pablo Neira Ayuso
Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet, fw, horms
Hello:
This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Thu, 10 Apr 2025 12:36:46 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> Given a set element like:
>
> icmpv6 . dead:beef:00ff::1
>
> The value of 'ff' is irrelevant, any address will be matched
> as long as the other octets are the same.
>
> [...]
Here is the summary with links:
- [net,1/2] nft_set_pipapo: fix incorrect avx2 match of 5th field octet
https://git.kernel.org/netdev/net/c/e042ed950d4e
- [net,2/2] selftests: netfilter: add test case for recent mismatch bug
https://git.kernel.org/netdev/net/c/27eb86e22f10
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html