From: Jakub Kicinski <kuba@kernel.org>
To: fw@strlen.de
Cc: Jakub Kicinski <kuba@kernel.org>,
	edumazet@google.com, davem@davemloft.net, pablo@netfilter.org,
	pabeni@redhat.com, netfilter-devel@vger.kernel.org,
	netdev@vger.kernel.org
Subject: Re: [net-next,10/11] netfilter: nft_set_rbtree: validate open interval overlap
Date: Thu,  5 Feb 2026 18:08:16 -0800
Message-ID: <20260206020816.3174524-1-kuba@kernel.org>
In-Reply-To: <20260205110905.26629-11-fw@strlen.de>

This is an AI-generated review of your patch. The human sending this
email has considered the AI review valid, or at least plausible.

For local reproduction steps see https://netdev-ai.bots.linux.dev/ai-local.html
---
netfilter: nft_set_rbtree: validate open interval overlap

This patch adds validation for open interval overlaps in the nft_set_rbtree
implementation. It introduces a flag field to struct nft_set_elem to track
when processing the last element in add/delete commands, using this in
combination with a start element cookie to detect partial overlaps.

Fixes: 7c84d41416d8 ("netfilter: nft_set_rbtree: Detect partial overlaps on insertion")

> diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
> --- a/net/netfilter/nft_set_rbtree.c
> +++ b/net/netfilter/nft_set_rbtree.c

[ ... ]

> @@ -459,7 +477,26 @@
>  	if (rbe_ge && !nft_rbtree_cmp(set, new, rbe_ge) &&
>  	    nft_rbtree_interval_start(rbe_ge) == nft_rbtree_interval_start(new)) {
>  		*elem_priv = &rbe_ge->priv;
> -		nft_rbtree_set_start_cookie(priv, rbe_ge);
> +
> +		/* - Corner case: new start element of open interval (which
> +		 *   comes as last element in the batch) overlaps the start of
> +		 *   an existing interval with an end element: partial overlap.
> +		 */
> +		node = rb_first(&priv->root);
> +		rbe = __nft_rbtree_next_active(node, genmask);
> +		if (nft_rbtree_interval_end(rbe)) {
> +			rbe = nft_rbtree_next_active(rbe, genmask);
> +			if (nft_rbtree_interval_start(rbe) &&
                            ^^^

Can nft_rbtree_next_active() return NULL here? Looking at the code, if the
tree contains only a null interval end marker, nft_rbtree_next_active()
would return NULL when there are no more active elements. The subsequent
call to nft_rbtree_interval_start(rbe) would then dereference NULL.

Would it be safer to add a NULL check before accessing rbe?

> +			    !nft_rbtree_cmp(set, new, rbe)) {
> +				if (last)
> +					return -ENOTEMPTY;
> +
> +				/* Maybe open interval? */
> +				open_interval = NFT_RBTREE_OPEN_INTERVAL;
> +			}
> +		}
> +		nft_rbtree_set_start_cookie_open(priv, rbe_ge, open_interval);
> +
>  		return -EEXIST;
>  	}
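
Review bot: The first `rbe`, assigned from `__nft_rbtree_next_active(node, genmask)`, is passed to `nft_rbtree_interval_end()` without a NULL check, the same pattern as the second lookup questioned above. Nothing in the visible lines guarantees that walking from `rb_first(&priv->root)` yields an active element for this genmask, so both tests would be safer written as `if (rbe && nft_rbtree_interval_end(rbe))` and `if (rbe && nft_rbtree_interval_start(rbe) && ...`. The new comment also does not say why the walk starts at the first node of the tree rather than at `rbe_ge`; one sentence on that would make the corner case easier to verify.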
