[PATCH net 0/1] Netfilter fixes for net

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix syn-retransmits until initiator gives up when connection is re-used
   due to rst marked as invalid, from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 1f3bd64ad921f051254591fbed04fd30b306cde6:

  net: stmmac: fix invalid call to mdiobus_get_phy() (2023-01-17 13:33:19 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to c410cb974f2ba562920ecb8492ee66945dcf88af:

  netfilter: conntrack: handle tcp challenge acks during connection reuse (2023-01-17 23:00:06 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: handle tcp challenge acks during connection reuse

 net/netfilter/nf_conntrack_proto_tcp.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains Netfilter fixes for net:

1) Fix syn-retransmits until initiator gives up when connection is re-used
   due to rst marked as invalid, from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 1f3bd64ad921f051254591fbed04fd30b306cde6:

  net: stmmac: fix invalid call to mdiobus_get_phy() (2023-01-17 13:33:19 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD

for you to fetch changes up to c410cb974f2ba562920ecb8492ee66945dcf88af:

  netfilter: conntrack: handle tcp challenge acks during connection reuse (2023-01-17 23:00:06 +0100)

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: conntrack: handle tcp challenge acks during connection reuse

 net/netfilter/nf_conntrack_proto_tcp.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains one Netfilter fix:

1) Restore 'ct state untracked' matching with CONFIG_RETPOLINE=y,
   from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git

Thanks.

----------------------------------------------------------------

The following changes since commit 6a341729fb31b4c5df9f74f24b4b1c98410c9b87:

  af_packet: Don't send zero-byte data in packet_sendmsg_spkt(). (2023-05-03 09:20:18 +0100)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-23-05-03

for you to fetch changes up to f057b63bc11d86a98176de31b437e46789f44d8f:

  netfilter: nf_tables: fix ct untracked match breakage (2023-05-03 13:49:08 +0200)

----------------------------------------------------------------
netfilter pull request 23-05-03

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_tables: fix ct untracked match breakage

 net/netfilter/nft_ct_fast.c | 14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains a oneliner patch to inconditionally flush
workqueue containing stale objects to be released, syzbot managed to
trigger UaF. Patch from Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-07-04

Thanks.

----------------------------------------------------------------

The following changes since commit 8905a2c7d39b921b8a62bcf80da0f8c45ec0e764:

  Merge branch 'net-txgbe-fix-msi-and-intx-interrupts' (2024-07-02 16:07:07 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-07-04

for you to fetch changes up to 9f6958ba2e902f9820c594869bd710ba74b7c4c0:

  netfilter: nf_tables: unconditionally flush pending work before notifier (2024-07-04 00:28:27 +0200)

----------------------------------------------------------------
netfilter pull request 24-07-04

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nf_tables: unconditionally flush pending work before notifier

 net/netfilter/nf_tables_api.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following patchset contains a Netfilter fix for net:

Patch #1 if FPU is busy, then pipapo set backend falls back to standard
         set element lookup. Moreover, disable bh while at this.
	 From Florian Westphal.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-07-24

Thanks.

----------------------------------------------------------------

The following changes since commit 3ba359c0cd6eb5ea772125a7aededb4a2d516684:

  net: bonding: correctly annotate RCU in bond_should_notify_peers() (2024-07-23 15:13:12 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-07-24

for you to fetch changes up to a16909ae9982e931841c456061cb57fbaec9c59e:

  netfilter: nft_set_pipapo_avx2: disable softinterrupts (2024-07-24 10:01:59 +0200)

----------------------------------------------------------------
netfilter pull request 24-07-24

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: nft_set_pipapo_avx2: disable softinterrupts

 net/netfilter/nft_set_pipapo_avx2.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

[PATCH net 1/1] netfilter: nft_set_pipapo_avx2: disable softinterrupts

[Pablo Neira Ayuso]

From: Florian Westphal <fw@strlen.de>

We need to disable softinterrupts, else we get following problem:

1. pipapo_avx2 called from process context; fpu usable
2. preempt_disable() called, pcpu scratchmap in use
3. softirq handles rx or tx, we re-enter pipapo_avx2
4. fpu busy, fallback to generic non-avx version
5. fallback reuses scratch map and index, which are in use
   by the preempted process

Handle this same way as generic version by first disabling
softinterrupts while the scratchmap is in use.

Fixes: f0b3d338064e ("netfilter: nft_set_pipapo_avx2: Add irq_fpu_usable() check, fallback to non-AVX2 version")
Cc: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/nft_set_pipapo_avx2.c | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c
index 8910a5ac7ed1..b8d3c3213efe 100644
--- a/net/netfilter/nft_set_pipapo_avx2.c
+++ b/net/netfilter/nft_set_pipapo_avx2.c
@@ -1139,8 +1139,14 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
 	bool map_index;
 	int i, ret = 0;
 
-	if (unlikely(!irq_fpu_usable()))
-		return nft_pipapo_lookup(net, set, key, ext);
+	local_bh_disable();
+
+	if (unlikely(!irq_fpu_usable())) {
+		bool fallback_res = nft_pipapo_lookup(net, set, key, ext);
+
+		local_bh_enable();
+		return fallback_res;
+	}
 
 	m = rcu_dereference(priv->match);
 
@@ -1155,6 +1161,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
 	scratch = *raw_cpu_ptr(m->scratch);
 	if (unlikely(!scratch)) {
 		kernel_fpu_end();
+		local_bh_enable();
 		return false;
 	}
 
@@ -1235,6 +1242,7 @@ bool nft_pipapo_avx2_lookup(const struct net *net, const struct nft_set *set,
 	if (i % 2)
 		scratch->map_index = !map_index;
 	kernel_fpu_end();
+	local_bh_enable();
 
 	return ret >= 0;
 }
-- 
2.30.2

Re: [PATCH net 1/1] netfilter: nft_set_pipapo_avx2: disable softinterrupts

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Wed, 24 Jul 2024 10:13:05 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> We need to disable softinterrupts, else we get following problem:
> 
> 1. pipapo_avx2 called from process context; fpu usable
> 2. preempt_disable() called, pcpu scratchmap in use
> 3. softirq handles rx or tx, we re-enter pipapo_avx2
> 4. fpu busy, fallback to generic non-avx version
> 5. fallback reuses scratch map and index, which are in use
>    by the preempted process
> 
> [...]

Here is the summary with links:
  - [net,1/1] netfilter: nft_set_pipapo_avx2: disable softinterrupts
    https://git.kernel.org/netdev/net/c/a16909ae9982

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following series contains one fix:

syzkaller managed to triger UaF due to missing reference on netns in
bpf infrastructure, from Florian Westphal.

Florian Westphal (1):
  netfilter: bpf: must hold reference on net namespace

 net/netfilter/nf_bpf_link.c | 4 ++++
 1 file changed, 4 insertions(+)

-- 
2.30.2

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-10-17

Thanks.

----------------------------------------------------------------

The following changes since commit cb560795c8c2ceca1d36a95f0d1b2eafc4074e37:

  Merge branch 'mlx5-misc-fixes-2024-10-15' (2024-10-17 12:14:11 +0200)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-10-17

for you to fetch changes up to 1230fe7ad3974f7bf6c78901473e039b34d4fb1f:

  netfilter: bpf: must hold reference on net namespace (2024-10-17 13:58:57 +0200)

----------------------------------------------------------------
netfilter pull request 24-10-17

----------------------------------------------------------------
Florian Westphal (1):
      netfilter: bpf: must hold reference on net namespace

 net/netfilter/nf_bpf_link.c | 4 ++++
 1 file changed, 4 insertions(+)

Re: [PATCH net 0/1] Netfilter fixes for net

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Pablo Neira Ayuso <pablo@netfilter.org>:

On Thu, 17 Oct 2024 14:34:12 +0200 you wrote:
> Hi,
> 
> The following series contains one fix:
> 
> syzkaller managed to triger UaF due to missing reference on netns in
> bpf infrastructure, from Florian Westphal.
> 
> [...]

Here is the summary with links:
  - [net,1/1] netfilter: bpf: must hold reference on net namespace
    https://git.kernel.org/netdev/net/c/1230fe7ad397

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains one Netfilter fix for net:

1) Fix unaligned atomic read on struct nft_set_ext in nft_set_hash
   backend that causes an alignment failure splat on aarch64. This
   is related to a recent fix and it has been reported via the
   regressions mailing list.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-24-12-25

Thanks.

----------------------------------------------------------------

The following changes since commit b3a69c559899b00ca106767c873680b0adf5882c:

  Merge branch 'mlx5-misc-fixes-2024-12-20' (2024-12-23 10:54:07 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-24-12-25

for you to fetch changes up to 542ed8145e6f9392e3d0a86a0e9027d2ffd183e4:

  netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext (2024-12-25 00:27:49 +0100)

----------------------------------------------------------------
netfilter pull request 24-12-25

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: nft_set_hash: unaligned atomic read on struct nft_set_ext

 include/net/netfilter/nf_tables.h | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains one Netfilter fix:

1) Reject mismatching sum of field_len with set key length which allows
   to create a set without inconsistent pipapo rule width and set key
   length.

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-01-30

Thanks.

----------------------------------------------------------------

The following changes since commit 0a5b8fff01bde1b9908f00004c676f2e2459333b:

  selftests: net: Adapt ethtool mq tests to fix in qdisc graft (2025-01-15 09:28:51 +0000)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-01-30

for you to fetch changes up to 1b9335a8000fb70742f7db10af314104b6ace220:

  netfilter: nf_tables: reject mismatching sum of field_len with set key length (2025-01-30 12:26:11 +0100)

----------------------------------------------------------------
netfilter pull request 25-01-30

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      netfilter: nf_tables: reject mismatching sum of field_len with set key length

 net/netfilter/nf_tables_api.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

[PATCH net 0/1] Netfilter fixes for net

[Pablo Neira Ayuso]

Hi,

The following batch contains one revert for:

1) Revert flowtable entry teardown cycle when skbuff exceeds mtu to
   deal with DF flag unset scenarios. This is reverts a patch coming
   in the previous merge window (available in 6.14-rc releases).

Please, pull these changes from:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git nf-25-02-13

Thanks.

----------------------------------------------------------------

The following changes since commit e589adf5b70c07b1ab974d077046fdbf583b2f36:

  iavf: Fix a locking bug in an error path (2025-02-11 18:02:04 -0800)

are available in the Git repository at:

  git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git tags/nf-25-02-13

for you to fetch changes up to cf56aa8dd26328a9af4ffe7fb0bd8fcfa9407112:

  Revert "netfilter: flowtable: teardown flow if cached mtu is stale" (2025-02-12 10:35:20 +0100)

----------------------------------------------------------------
netfilter pull request 25-02-13

----------------------------------------------------------------
Pablo Neira Ayuso (1):
      Revert "netfilter: flowtable: teardown flow if cached mtu is stale"

 net/netfilter/nf_flow_table_ip.c | 8 ++------
 1 file changed, 2 insertions(+), 6 deletions(-)