[PATCH net 0/2] Netfilter/IPVS fixes for net

[PATCH net 0/2] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains two Netfilter/IPVS fixes for net:

Patch #1 fixes SCTP checksumming for IPVS with gso packets,
	 from Ismael Luceno.

Patch #2 honor dormant flag from netdev event path to fix a possible
	 double hook unregistration.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-25

Thanks.

----------------------------------------------------------------

The following changes since commit a9176f7c66f0f438dfd9a1a6c86ca7b73280a494:

  Merge branch 'mlxsw-fixes' (2024-04-19 20:43:17 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-04-25

for you to fetch changes up to 8e30abc9ace4f0add4cd761dfdbfaebae5632dd2:

  netfilter: nf_tables: honor table dormant flag from netdev release event path (2024-04-25 10:42:57 +0200)

----------------------------------------------------------------
netfilter pull request 24-04-25

----------------------------------------------------------------
Ismael Luceno (1):
      ipvs: Fix checksumming on GSO of SCTP packets

Pablo Neira Ayuso (1):
      netfilter: nf_tables: honor table dormant flag from netdev release event path

 net/netfilter/ipvs/ip_vs_proto_sctp.c | 6 ++++--
 net/netfilter/nft_chain_filter.c      | 4 +++-
 2 files changed, 7 insertions(+), 3 deletions(-)

[PATCH net 1/2] ipvs: Fix checksumming on GSO of SCTP packets

[Pablo Neira Ayuso]

From: Ismael Luceno <iluceno@suse.de>

It was observed in the wild that pairs of consecutive packets would leave
the IPVS with the same wrong checksum, and the issue only went away when
disabling GSO.

IPVS needs to avoid computing the SCTP checksum when using GSO.

Fixes: 90017accff61 ("sctp: Add GSO support")
Co-developed-by: Firo Yang <firo.yang@suse.com>
Signed-off-by: Ismael Luceno <iluceno@suse.de>
Tested-by: Andreas Taschner <andreas.taschner@suse.com>
Acked-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/ipvs/ip_vs_proto_sctp.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipvs/ip_vs_proto_sctp.c b/net/netfilter/ipvs/ip_vs_proto_sctp.c
index a0921adc31a9..1e689c714127 100644
--- a/net/netfilter/ipvs/ip_vs_proto_sctp.c
+++ b/net/netfilter/ipvs/ip_vs_proto_sctp.c
@@ -126,7 +126,8 @@ sctp_snat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
 	if (sctph->source != cp->vport || payload_csum ||
 	    skb->ip_summed == CHECKSUM_PARTIAL) {
 		sctph->source = cp->vport;
-		sctp_nat_csum(skb, sctph, sctphoff);
+		if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb))
+			sctp_nat_csum(skb, sctph, sctphoff);
 	} else {
 		skb->ip_summed = CHECKSUM_UNNECESSARY;
 	}
@@ -174,7 +175,8 @@ sctp_dnat_handler(struct sk_buff *skb, struct ip_vs_protocol *pp,
 	    (skb->ip_summed == CHECKSUM_PARTIAL &&
 	     !(skb_dst(skb)->dev->features & NETIF_F_SCTP_CRC))) {
 		sctph->dest = cp->dport;
-		sctp_nat_csum(skb, sctph, sctphoff);
+		if (!skb_is_gso(skb) || !skb_is_gso_sctp(skb))
+			sctp_nat_csum(skb, sctph, sctphoff);
 	} else if (skb->ip_summed != CHECKSUM_PARTIAL) {
 		skb->ip_summed = CHECKSUM_UNNECESSARY;
 	}
-- 
2.30.2

Re: [PATCH net 1/2] ipvs: Fix checksumming on GSO of SCTP packets

[patchwork-bot+netdevbpf]

Hello:

This series was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 25 Apr 2024 11:01:48 +0200 you wrote:
> From: Ismael Luceno <iluceno@suse.de>
> 
> It was observed in the wild that pairs of consecutive packets would leave
> the IPVS with the same wrong checksum, and the issue only went away when
> disabling GSO.
> 
> IPVS needs to avoid computing the SCTP checksum when using GSO.
> 
> [...]

Here is the summary with links:
  - [net,1/2] ipvs: Fix checksumming on GSO of SCTP packets
    https://git.kernel.org/netdev/net/c/e10d3ba4d434
  - [net,2/2] netfilter: nf_tables: honor table dormant flag from netdev release event path
    https://git.kernel.org/netdev/net/c/8e30abc9ace4

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 2/2] netfilter: nf_tables: honor table dormant flag from netdev release event path

[Pablo Neira Ayuso]

Check for table dormant flag otherwise netdev release event path tries
to unregister an already unregistered hook.

[524854.857999] ------------[ cut here ]------------
[524854.858010] WARNING: CPU: 0 PID: 3386599 at net/netfilter/core.c:501 __nf_unregister_net_hook+0x21a/0x260
[...]
[524854.858848] CPU: 0 PID: 3386599 Comm: kworker/u32:2 Not tainted 6.9.0-rc3+ #365
[524854.858869] Workqueue: netns cleanup_net
[524854.858886] RIP: 0010:__nf_unregister_net_hook+0x21a/0x260
[524854.858903] Code: 24 e8 aa 73 83 ff 48 63 43 1c 83 f8 01 0f 85 3d ff ff ff e8 98 d1 f0 ff 48 8b 3c 24 e8 8f 73 83 ff 48 63 43 1c e9 26 ff ff ff <0f> 0b 48 83 c4 18 48 c7 c7 00 68 e9 82 5b 5d 41 5c 41 5d 41 5e 41
[524854.858914] RSP: 0018:ffff8881e36d79e0 EFLAGS: 00010246
[524854.858926] RAX: 0000000000000000 RBX: ffff8881339ae790 RCX: ffffffff81ba524a
[524854.858936] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffff8881c8a16438
[524854.858945] RBP: ffff8881c8a16438 R08: 0000000000000001 R09: ffffed103c6daf34
[524854.858954] R10: ffff8881e36d79a7 R11: 0000000000000000 R12: 0000000000000005
[524854.858962] R13: ffff8881c8a16000 R14: 0000000000000000 R15: ffff8881351b5a00
[524854.858971] FS:  0000000000000000(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[524854.858982] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[524854.858991] CR2: 00007fc9be0f16f4 CR3: 00000001437cc004 CR4: 00000000001706f0
[524854.859000] Call Trace:
[524854.859006]  <TASK>
[524854.859013]  ? __warn+0x9f/0x1a0
[524854.859027]  ? __nf_unregister_net_hook+0x21a/0x260
[524854.859044]  ? report_bug+0x1b1/0x1e0
[524854.859060]  ? handle_bug+0x3c/0x70
[524854.859071]  ? exc_invalid_op+0x17/0x40
[524854.859083]  ? asm_exc_invalid_op+0x1a/0x20
[524854.859100]  ? __nf_unregister_net_hook+0x6a/0x260
[524854.859116]  ? __nf_unregister_net_hook+0x21a/0x260
[524854.859135]  nf_tables_netdev_event+0x337/0x390 [nf_tables]
[524854.859304]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859461]  ? packet_notifier+0xb3/0x360
[524854.859476]  ? _raw_spin_unlock_irqrestore+0x11/0x40
[524854.859489]  ? dcbnl_netdevice_event+0x35/0x140
[524854.859507]  ? __pfx_nf_tables_netdev_event+0x10/0x10 [nf_tables]
[524854.859661]  notifier_call_chain+0x7d/0x140
[524854.859677]  unregister_netdevice_many_notify+0x5e1/0xae0

Fixes: d54725cd11a5 ("netfilter: nf_tables: support for multiple devices per netdev hook")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_chain_filter.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_chain_filter.c b/net/netfilter/nft_chain_filter.c
index 274b6f7e6bb5..d170758a1eb5 100644
--- a/net/netfilter/nft_chain_filter.c
+++ b/net/netfilter/nft_chain_filter.c
@@ -338,7 +338,9 @@ static void nft_netdev_event(unsigned long event, struct net_device *dev,
 		return;
 
 	if (n > 1) {
-		nf_unregister_net_hook(ctx->net, &found->ops);
+		if (!(ctx->chain->table->flags & NFT_TABLE_F_DORMANT))
+			nf_unregister_net_hook(ctx->net, &found->ops);
+
 		list_del_rcu(&found->list);
 		kfree_rcu(found, rcu);
 		return;
-- 
2.30.2

[PATCH net 0/2] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contain Netfilter/IPVS fixes for net:

1) Fix KMSAN uninit-value in do_output_route4, reported by syzbot.
   Patch from Julian Anastasov.

2) ipset hashtable set type breaks up the hashtable into regions of
   2^10 buckets. Fix the macro that determines the hashtable lock
   region to protect concurrent updates. From Jozsef Kadlecsik.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-05-08

Thanks.

----------------------------------------------------------------

The following changes since commit 9540984da649d46f699c47f28c68bbd3c9d99e4c:

  Merge tag 'wireless-2025-05-06' of https://git.kernel.org/pub/scm/linux/kernel/git/wireless/wireless (2025-05-06 19:06:50 -0700)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-05-08

for you to fetch changes up to 8478a729c0462273188263136880480729e9efca:

  netfilter: ipset: fix region locking in hash types (2025-05-07 23:57:31 +0200)

----------------------------------------------------------------
netfilter pull request 25-05-08

----------------------------------------------------------------
Jozsef Kadlecsik (1):
      netfilter: ipset: fix region locking in hash types

Julian Anastasov (1):
      ipvs: fix uninit-value for saddr in do_output_route4

 net/netfilter/ipset/ip_set_hash_gen.h |  2 +-
 net/netfilter/ipvs/ip_vs_xmit.c       | 27 ++++++++-------------------
 2 files changed, 9 insertions(+), 20 deletions(-)

[PATCH net 0/2] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi,

The following series contains two fixes for Netfilter/IPVS:

1) Possible build failure in IPVS on systems with less than 512MB
   memory due to incorrect use of clamp(), from David Laight.

2) Fix bogus lockdep nesting splat with ipset list:set type,
   from Phil Sutter.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-12-19

Thanks.

----------------------------------------------------------------

The following changes since commit 954a2b40719a21e763a1bba2f0da92347e058fce:

  rtnetlink: Try the outer netns attribute in rtnl_get_peer_net(). (2024-12-17 17:54:18 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-12-19

for you to fetch changes up to 70b6f46a4ed8bd56c85ffff22df91e20e8c85e33:

  netfilter: ipset: Fix for recursive locking warning (2024-12-19 00:28:47 +0100)

----------------------------------------------------------------
netfilter pull request 24-12-19

----------------------------------------------------------------
David Laight (1):
      ipvs: Fix clamp() of ip_vs_conn_tab on small memory systems

Phil Sutter (1):
      netfilter: ipset: Fix for recursive locking warning

 net/netfilter/ipset/ip_set_list_set.c | 3 +++
 net/netfilter/ipvs/ip_vs_conn.c       | 4 ++--
 2 files changed, 5 insertions(+), 2 deletions(-)

[PATCH net 0/2] Netfilter/IPVS fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter/IPVS fixes for net:

1) Fix mac address UAF reported by KASAN in nfnetlink_queue,
   from Florian Westphal.

2) Autoload genetlink IPVS on demand, from Thomas Weissschuh.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 64222515138e43da1fcf288f0289ef1020427b87:

  Merge tag 'drm-fixes-2021-10-22' of git://anongit.freedesktop.org/drm/drm (2021-10-21 19:06:08 -1000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD

for you to fetch changes up to 2199f562730dd1382946e0a2532afc38cd444129:

  ipvs: autoload ipvs on genl access (2021-10-22 14:10:17 +0200)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nfnetlink_queue: fix OOB when mac header was cleared

Thomas Weißschuh (1):
      ipvs: autoload ipvs on genl access

 net/netfilter/ipvs/ip_vs_ctl.c  | 2 ++
 net/netfilter/nfnetlink_queue.c | 2 +-
 2 files changed, 3 insertions(+), 1 deletion(-)