* [PATCH net 1/5] netfilter: nf_tables: fix spurious set element insertion failure
@ 2023-07-20 19:29 Florian Westphal
0 siblings, 0 replies; 3+ messages in thread
From: Florian Westphal @ 2023-07-20 19:29 UTC (permalink / raw)
To: netfilter-devel; +Cc: Florian Westphal
On some platforms there is a padding hole in the nft_verdict
structure, between the verdict code and the chain pointer.
On element insertion, if the new element clashes with an existing one and
NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
the data associated with duplicated element is the same as the existing
one. The data equality check uses memcmp.
For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
padding area leads to spurious failure even if the verdict data is the
same.
This then makes the insertion fail with 'already exists' error, even
though the new "key : data" matches an existing entry and userspace
told the kernel that it doesn't want to receive an error indication.
Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 237f739da3ca..79c7eee33dcd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10517,6 +10517,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
if (!tb[NFTA_VERDICT_CODE])
return -EINVAL;
+
+ /* zero padding hole for memcmp */
+ memset(data, 0, sizeof(*data));
data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
switch (data->verdict.code) {
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* [PATCH net 0/5] Netfilter fixes for net:
@ 2023-07-20 16:51 Florian Westphal
2023-07-20 16:51 ` [PATCH net 1/5] netfilter: nf_tables: fix spurious set element insertion failure Florian Westphal
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2023-07-20 16:51 UTC (permalink / raw)
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
The following patchset contains Netfilter fixes for net:
1. Fix spurious -EEXIST error from userspace due to
padding holes, this was broken since 4.9 days
when 'ignore duplicate entries on insert' feature was
added.
2. Fix a sched-while-atomic bug, present since 5.19.
3. Properly remove elements if they lack an "end range".
nft userspace always sets an end range attribute, even
when its the same as the start, but the abi doesn't
have such a restriction. Always broken since it was
added in 5.6, all three from myself.
4 + 5: Bound chain needs to be skipped in netns release
and on rule flush paths, from Pablo Neira.
The following changes since commit ac528649f7c63bc233cc0d33cff11f767cc666e3:
Merge branch 'net-support-stp-on-bridge-in-non-root-netns' (2023-07-20 10:46:33 +0200)
are available in the Git repository at:
https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-23-07-20
for you to fetch changes up to 6eaf41e87a223ae6f8e7a28d6e78384ad7e407f8:
netfilter: nf_tables: skip bound chain on rule flush (2023-07-20 17:21:11 +0200)
----------------------------------------------------------------
netfilter pull request 2023-07-20
----------------------------------------------------------------
Florian Westphal (3):
netfilter: nf_tables: fix spurious set element insertion failure
netfilter: nf_tables: can't schedule in nft_chain_validate
netfilter: nft_set_pipapo: fix improper element removal
Pablo Neira Ayuso (2):
netfilter: nf_tables: skip bound chain in netns release path
netfilter: nf_tables: skip bound chain on rule flush
net/netfilter/nf_tables_api.c | 12 ++++++++++--
net/netfilter/nft_set_pipapo.c | 6 +++++-
2 files changed, 15 insertions(+), 3 deletions(-)
^ permalink raw reply [flat|nested] 3+ messages in thread* [PATCH net 1/5] netfilter: nf_tables: fix spurious set element insertion failure
2023-07-20 16:51 [PATCH net 0/5] Netfilter fixes for net: Florian Westphal
@ 2023-07-20 16:51 ` Florian Westphal
2023-07-20 20:00 ` patchwork-bot+netdevbpf
0 siblings, 1 reply; 3+ messages in thread
From: Florian Westphal @ 2023-07-20 16:51 UTC (permalink / raw)
To: netdev
Cc: Paolo Abeni, David S. Miller, Eric Dumazet, Jakub Kicinski,
netfilter-devel
On some platforms there is a padding hole in the nft_verdict
structure, between the verdict code and the chain pointer.
On element insertion, if the new element clashes with an existing one and
NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
the data associated with duplicated element is the same as the existing
one. The data equality check uses memcmp.
For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
padding area leads to spurious failure even if the verdict data is the
same.
This then makes the insertion fail with 'already exists' error, even
though the new "key : data" matches an existing entry and userspace
told the kernel that it doesn't want to receive an error indication.
Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_tables_api.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 237f739da3ca..79c7eee33dcd 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10517,6 +10517,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data,
if (!tb[NFTA_VERDICT_CODE])
return -EINVAL;
+
+ /* zero padding hole for memcmp */
+ memset(data, 0, sizeof(*data));
data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE]));
switch (data->verdict.code) {
--
2.41.0
^ permalink raw reply related [flat|nested] 3+ messages in thread* Re: [PATCH net 1/5] netfilter: nf_tables: fix spurious set element insertion failure
2023-07-20 16:51 ` [PATCH net 1/5] netfilter: nf_tables: fix spurious set element insertion failure Florian Westphal
@ 2023-07-20 20:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2023-07-20 20:00 UTC (permalink / raw)
To: Florian Westphal; +Cc: netdev, pabeni, davem, edumazet, kuba, netfilter-devel
Hello:
This series was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:
On Thu, 20 Jul 2023 18:51:33 +0200 you wrote:
> On some platforms there is a padding hole in the nft_verdict
> structure, between the verdict code and the chain pointer.
>
> On element insertion, if the new element clashes with an existing one and
> NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
> the data associated with duplicated element is the same as the existing
> one. The data equality check uses memcmp.
>
> [...]
Here is the summary with links:
- [net,1/5] netfilter: nf_tables: fix spurious set element insertion failure
https://git.kernel.org/netdev/net/c/ddbd8be68941
- [net,2/5] netfilter: nf_tables: can't schedule in nft_chain_validate
https://git.kernel.org/netdev/net/c/314c82841602
- [net,3/5] netfilter: nft_set_pipapo: fix improper element removal
https://git.kernel.org/netdev/net/c/87b5a5c20940
- [net,4/5] netfilter: nf_tables: skip bound chain in netns release path
https://git.kernel.org/netdev/net/c/751d460ccff3
- [net,5/5] netfilter: nf_tables: skip bound chain on rule flush
https://git.kernel.org/netdev/net/c/6eaf41e87a22
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2023-07-20 20:00 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-20 19:29 [PATCH net 1/5] netfilter: nf_tables: fix spurious set element insertion failure Florian Westphal
-- strict thread matches above, loose matches on Subject: below --
2023-07-20 16:51 [PATCH net 0/5] Netfilter fixes for net: Florian Westphal
2023-07-20 16:51 ` [PATCH net 1/5] netfilter: nf_tables: fix spurious set element insertion failure Florian Westphal
2023-07-20 20:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).