* [PATCH net 0/6] Netfilter fixes for net
@ 2021-07-23 15:54 Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit Pablo Neira Ayuso
` (5 more replies)
0 siblings, 6 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Hi,
The following patchset contains Netfilter fixes for net:
1) Memleak in commit audit error path, from Dongliang Mu.
2) Avoid possible false sharing for flowtable timeout updates
and nft_last use.
3) Adjust conntrack timestamp due to garbage collection delay,
from Florian Westphal.
4) Fix nft_nat without layer 3 address for the inet family.
5) Fix compilation warning in nfnl_hook when ingress support
is disabled, from Arnd Bergmann.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit 5f119ba1d5771bbf46d57cff7417dcd84d3084ba:
net: decnet: Fix sleeping inside in af_decnet (2021-07-16 14:06:16 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git HEAD
for you to fetch changes up to 217e26bd87b2930856726b48a4e71c768b8c9bf5:
netfilter: nfnl_hook: fix unused variable warning (2021-07-23 14:45:03 +0200)
----------------------------------------------------------------
Arnd Bergmann (1):
netfilter: nfnl_hook: fix unused variable warning
Dongliang Mu (1):
netfilter: nf_tables: fix audit memory leak in nf_tables_commit
Florian Westphal (1):
netfilter: conntrack: adjust stop timestamp to real expiry value
Pablo Neira Ayuso (3):
netfilter: flowtable: avoid possible false sharing
netfilter: nft_last: avoid possible false sharing
netfilter: nft_nat: allow to specify layer 4 protocol NAT only
net/netfilter/nf_conntrack_core.c | 7 ++++++-
net/netfilter/nf_flow_table_core.c | 6 +++++-
net/netfilter/nf_tables_api.c | 12 ++++++++++++
net/netfilter/nfnetlink_hook.c | 2 ++
net/netfilter/nft_last.c | 20 +++++++++++++-------
net/netfilter/nft_nat.c | 4 +++-
6 files changed, 41 insertions(+), 10 deletions(-)
^ permalink raw reply [flat|nested] 8+ messages in thread
* [PATCH net 1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit
2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
@ 2021-07-23 15:54 ` Pablo Neira Ayuso
2021-07-23 16:50 ` patchwork-bot+netdevbpf
2021-07-23 15:54 ` [PATCH net 2/6] netfilter: flowtable: avoid possible false sharing Pablo Neira Ayuso
` (4 subsequent siblings)
5 siblings, 1 reply; 8+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Dongliang Mu <mudongliangabcd@gmail.com>
In nf_tables_commit, if nf_tables_commit_audit_alloc fails, it does not
free the adp variable.
Fix this by adding nf_tables_commit_audit_free which frees
the linked list with the head node adl.
backtrace:
kmalloc include/linux/slab.h:591 [inline]
kzalloc include/linux/slab.h:721 [inline]
nf_tables_commit_audit_alloc net/netfilter/nf_tables_api.c:8439 [inline]
nf_tables_commit+0x16e/0x1760 net/netfilter/nf_tables_api.c:8508
nfnetlink_rcv_batch+0x512/0xa80 net/netfilter/nfnetlink.c:562
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
nfnetlink_rcv+0x1fa/0x220 net/netfilter/nfnetlink.c:652
netlink_unicast_kernel net/netlink/af_netlink.c:1314 [inline]
netlink_unicast+0x2c7/0x3e0 net/netlink/af_netlink.c:1340
netlink_sendmsg+0x36b/0x6b0 net/netlink/af_netlink.c:1929
sock_sendmsg_nosec net/socket.c:702 [inline]
sock_sendmsg+0x56/0x80 net/socket.c:722
Reported-by: syzbot <syzkaller@googlegroups.com>
Reported-by: kernel test robot <lkp@intel.com>
Fixes: c520292f29b8 ("audit: log nftables configuration change events once per table")
Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 12 ++++++++++++
1 file changed, 12 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index de182d1f7c4e..081437dd75b7 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8445,6 +8445,16 @@ static int nf_tables_commit_audit_alloc(struct list_head *adl,
return 0;
}
+static void nf_tables_commit_audit_free(struct list_head *adl)
+{
+ struct nft_audit_data *adp, *adn;
+
+ list_for_each_entry_safe(adp, adn, adl, list) {
+ list_del(&adp->list);
+ kfree(adp);
+ }
+}
+
static void nf_tables_commit_audit_collect(struct list_head *adl,
struct nft_table *table, u32 op)
{
@@ -8509,6 +8519,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
ret = nf_tables_commit_audit_alloc(&adl, trans->ctx.table);
if (ret) {
nf_tables_commit_chain_prepare_cancel(net);
+ nf_tables_commit_audit_free(&adl);
return ret;
}
if (trans->msg_type == NFT_MSG_NEWRULE ||
@@ -8518,6 +8529,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
ret = nf_tables_commit_chain_prepare(net, chain);
if (ret < 0) {
nf_tables_commit_chain_prepare_cancel(net);
+ nf_tables_commit_audit_free(&adl);
return ret;
}
}
--
2.20.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net 2/6] netfilter: flowtable: avoid possible false sharing
2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit Pablo Neira Ayuso
@ 2021-07-23 15:54 ` Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 3/6] netfilter: nft_last: " Pablo Neira Ayuso
` (3 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
The flowtable follows the same timeout approach as conntrack, use the
same idiom as in cc16921351d8 ("netfilter: conntrack: avoid same-timeout
update") but also include the fix provided by e37542ba111f ("netfilter:
conntrack: avoid possible false sharing").
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_flow_table_core.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c
index 1e50908b1b7e..551976e4284c 100644
--- a/net/netfilter/nf_flow_table_core.c
+++ b/net/netfilter/nf_flow_table_core.c
@@ -331,7 +331,11 @@ EXPORT_SYMBOL_GPL(flow_offload_add);
void flow_offload_refresh(struct nf_flowtable *flow_table,
struct flow_offload *flow)
{
- flow->timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
+ u32 timeout;
+
+ timeout = nf_flowtable_time_stamp + flow_offload_get_timeout(flow);
+ if (READ_ONCE(flow->timeout) != timeout)
+ WRITE_ONCE(flow->timeout, timeout);
if (likely(!nf_flowtable_hw_offload(flow_table)))
return;
--
2.20.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net 3/6] netfilter: nft_last: avoid possible false sharing
2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 2/6] netfilter: flowtable: avoid possible false sharing Pablo Neira Ayuso
@ 2021-07-23 15:54 ` Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 4/6] netfilter: conntrack: adjust stop timestamp to real expiry value Pablo Neira Ayuso
` (2 subsequent siblings)
5 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
Use the idiom described in:
https://github.com/google/ktsan/wiki/READ_ONCE-and-WRITE_ONCE#it-may-improve-performance
Moreover, prevent a compiler optimization.
Fixes: 836382dc2471 ("netfilter: nf_tables: add last expression")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_last.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
diff --git a/net/netfilter/nft_last.c b/net/netfilter/nft_last.c
index 8088b99f2ee3..304e33cbed9b 100644
--- a/net/netfilter/nft_last.c
+++ b/net/netfilter/nft_last.c
@@ -48,24 +48,30 @@ static void nft_last_eval(const struct nft_expr *expr,
{
struct nft_last_priv *priv = nft_expr_priv(expr);
- priv->last_jiffies = jiffies;
- priv->last_set = 1;
+ if (READ_ONCE(priv->last_jiffies) != jiffies)
+ WRITE_ONCE(priv->last_jiffies, jiffies);
+ if (READ_ONCE(priv->last_set) == 0)
+ WRITE_ONCE(priv->last_set, 1);
}
static int nft_last_dump(struct sk_buff *skb, const struct nft_expr *expr)
{
struct nft_last_priv *priv = nft_expr_priv(expr);
+ unsigned long last_jiffies = READ_ONCE(priv->last_jiffies);
+ u32 last_set = READ_ONCE(priv->last_set);
__be64 msecs;
- if (time_before(jiffies, priv->last_jiffies))
- priv->last_set = 0;
+ if (time_before(jiffies, last_jiffies)) {
+ WRITE_ONCE(priv->last_set, 0);
+ last_set = 0;
+ }
- if (priv->last_set)
- msecs = nf_jiffies64_to_msecs(jiffies - priv->last_jiffies);
+ if (last_set)
+ msecs = nf_jiffies64_to_msecs(jiffies - last_jiffies);
else
msecs = 0;
- if (nla_put_be32(skb, NFTA_LAST_SET, htonl(priv->last_set)) ||
+ if (nla_put_be32(skb, NFTA_LAST_SET, htonl(last_set)) ||
nla_put_be64(skb, NFTA_LAST_MSECS, msecs, NFTA_LAST_PAD))
goto nla_put_failure;
--
2.20.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net 4/6] netfilter: conntrack: adjust stop timestamp to real expiry value
2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2021-07-23 15:54 ` [PATCH net 3/6] netfilter: nft_last: " Pablo Neira Ayuso
@ 2021-07-23 15:54 ` Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 5/6] netfilter: nft_nat: allow to specify layer 4 protocol NAT only Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 6/6] netfilter: nfnl_hook: fix unused variable warning Pablo Neira Ayuso
5 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Florian Westphal <fw@strlen.de>
In case the entry is evicted via garbage collection there is
delay between the timeout value and the eviction event.
This adjusts the stop value based on how much time has passed.
Fixes: b87a2f9199ea82 ("netfilter: conntrack: add gc worker to remove timed-out entries")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_conntrack_core.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 83c52df85870..5c03e5106751 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -670,8 +670,13 @@ bool nf_ct_delete(struct nf_conn *ct, u32 portid, int report)
return false;
tstamp = nf_conn_tstamp_find(ct);
- if (tstamp && tstamp->stop == 0)
+ if (tstamp) {
+ s32 timeout = ct->timeout - nfct_time_stamp;
+
tstamp->stop = ktime_get_real_ns();
+ if (timeout < 0)
+ tstamp->stop -= jiffies_to_nsecs(-timeout);
+ }
if (nf_conntrack_event_report(IPCT_DESTROY, ct,
portid, report) < 0) {
--
2.20.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net 5/6] netfilter: nft_nat: allow to specify layer 4 protocol NAT only
2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2021-07-23 15:54 ` [PATCH net 4/6] netfilter: conntrack: adjust stop timestamp to real expiry value Pablo Neira Ayuso
@ 2021-07-23 15:54 ` Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 6/6] netfilter: nfnl_hook: fix unused variable warning Pablo Neira Ayuso
5 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
nft_nat reports a bogus EAFNOSUPPORT if no layer 3 information is specified.
Fixes: d07db9884a5f ("netfilter: nf_tables: introduce nft_validate_register_load()")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_nat.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_nat.c b/net/netfilter/nft_nat.c
index 0840c635b752..be1595d6979d 100644
--- a/net/netfilter/nft_nat.c
+++ b/net/netfilter/nft_nat.c
@@ -201,7 +201,9 @@ static int nft_nat_init(const struct nft_ctx *ctx, const struct nft_expr *expr,
alen = sizeof_field(struct nf_nat_range, min_addr.ip6);
break;
default:
- return -EAFNOSUPPORT;
+ if (tb[NFTA_NAT_REG_ADDR_MIN])
+ return -EAFNOSUPPORT;
+ break;
}
priv->family = family;
--
2.20.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net 6/6] netfilter: nfnl_hook: fix unused variable warning
2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
` (4 preceding siblings ...)
2021-07-23 15:54 ` [PATCH net 5/6] netfilter: nft_nat: allow to specify layer 4 protocol NAT only Pablo Neira Ayuso
@ 2021-07-23 15:54 ` Pablo Neira Ayuso
5 siblings, 0 replies; 8+ messages in thread
From: Pablo Neira Ayuso @ 2021-07-23 15:54 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba
From: Arnd Bergmann <arnd@arndb.de>
The only user of this variable is in an #ifdef:
net/netfilter/nfnetlink_hook.c: In function 'nfnl_hook_entries_head':
net/netfilter/nfnetlink_hook.c:177:28: error: unused variable 'netdev' [-Werror=unused-variable]
Fixes: e2cf17d3774c ("netfilter: add new hook nfnl subsystem")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nfnetlink_hook.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nfnetlink_hook.c b/net/netfilter/nfnetlink_hook.c
index 50b4e3c9347a..202f57d17bab 100644
--- a/net/netfilter/nfnetlink_hook.c
+++ b/net/netfilter/nfnetlink_hook.c
@@ -174,7 +174,9 @@ static const struct nf_hook_entries *
nfnl_hook_entries_head(u8 pf, unsigned int hook, struct net *net, const char *dev)
{
const struct nf_hook_entries *hook_head = NULL;
+#ifdef CONFIG_NETFILTER_INGRESS
struct net_device *netdev;
+#endif
switch (pf) {
case NFPROTO_IPV4:
--
2.20.1
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH net 1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit
2021-07-23 15:54 ` [PATCH net 1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit Pablo Neira Ayuso
@ 2021-07-23 16:50 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 8+ messages in thread
From: patchwork-bot+netdevbpf @ 2021-07-23 16:50 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba
Hello:
This series was applied to netdev/net.git (refs/heads/master):
On Fri, 23 Jul 2021 17:54:07 +0200 you wrote:
> From: Dongliang Mu <mudongliangabcd@gmail.com>
>
> In nf_tables_commit, if nf_tables_commit_audit_alloc fails, it does not
> free the adp variable.
>
> Fix this by adding nf_tables_commit_audit_free which frees
> the linked list with the head node adl.
>
> [...]
Here is the summary with links:
- [net,1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit
https://git.kernel.org/netdev/net/c/cfbe3650dd3e
- [net,2/6] netfilter: flowtable: avoid possible false sharing
https://git.kernel.org/netdev/net/c/32c3973d8083
- [net,3/6] netfilter: nft_last: avoid possible false sharing
https://git.kernel.org/netdev/net/c/32953df7a6eb
- [net,4/6] netfilter: conntrack: adjust stop timestamp to real expiry value
https://git.kernel.org/netdev/net/c/30a56a2b8818
- [net,5/6] netfilter: nft_nat: allow to specify layer 4 protocol NAT only
https://git.kernel.org/netdev/net/c/a33f387ecd5a
- [net,6/6] netfilter: nfnl_hook: fix unused variable warning
https://git.kernel.org/netdev/net/c/217e26bd87b2
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2021-07-23 16:50 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-23 15:54 [PATCH net 0/6] Netfilter fixes for net Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 1/6] netfilter: nf_tables: fix audit memory leak in nf_tables_commit Pablo Neira Ayuso
2021-07-23 16:50 ` patchwork-bot+netdevbpf
2021-07-23 15:54 ` [PATCH net 2/6] netfilter: flowtable: avoid possible false sharing Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 3/6] netfilter: nft_last: " Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 4/6] netfilter: conntrack: adjust stop timestamp to real expiry value Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 5/6] netfilter: nft_nat: allow to specify layer 4 protocol NAT only Pablo Neira Ayuso
2021-07-23 15:54 ` [PATCH net 6/6] netfilter: nfnl_hook: fix unused variable warning Pablo Neira Ayuso
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.