* [PATCH net 0/5] Netfilter fixes for net
@ 2022-06-21 8:56 Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 1/5] netfilter: use get_random_u32 instead of prandom Pablo Neira Ayuso
` (4 more replies)
0 siblings, 5 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-21 8:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Use get_random_u32() instead of prandom_u32_state() in nft_meta
and nft_numgen, from Florian Westphal.
2) Incorrect list head in nfnetlink_cttimeout in recent update coming
from previous development cycle. Also from Florian.
3) Incorrect path to pktgen scripts for nft_concat_range.sh selftest.
From Jie2x Zhou.
4) Two fixes for the for nft_fwd and nft_dup egress support, from Florian.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit f5826c8c9d57210a17031af5527056eefdc2b7eb:
net/mlx4_en: Fix wrong return value on ioctl EEPROM query failure (2022-06-07 20:49:58 -0700)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to fcd53c51d03709bc429822086f1e9b3e88904284:
netfilter: nf_dup_netdev: add and use recursion counter (2022-06-21 10:50:41 +0200)
----------------------------------------------------------------
Florian Westphal (4):
netfilter: use get_random_u32 instead of prandom
netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit
netfilter: nf_dup_netdev: do not push mac header a second time
netfilter: nf_dup_netdev: add and use recursion counter
Jie2x Zhou (1):
selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh
net/netfilter/nf_dup_netdev.c | 25 ++++++++++++++++++----
net/netfilter/nfnetlink_cttimeout.c | 2 +-
net/netfilter/nft_meta.c | 13 ++---------
net/netfilter/nft_numgen.c | 12 +++--------
.../selftests/netfilter/nft_concat_range.sh | 2 +-
5 files changed, 28 insertions(+), 26 deletions(-)
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH net 1/5] netfilter: use get_random_u32 instead of prandom
2022-06-21 8:56 [PATCH net 0/5] Netfilter fixes for net Pablo Neira Ayuso
@ 2022-06-21 8:56 ` Pablo Neira Ayuso
2022-06-22 5:50 ` patchwork-bot+netdevbpf
2022-06-21 8:56 ` [PATCH net 2/5] netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit Pablo Neira Ayuso
` (3 subsequent siblings)
4 siblings, 1 reply; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-21 8:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Florian Westphal <fw@strlen.de>
bh might occur while updating per-cpu rnd_state from user context,
ie. local_out path.
BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725
caller is nft_ng_random_eval+0x24/0x54 [nft_numgen]
Call Trace:
check_preemption_disabled+0xde/0xe0
nft_ng_random_eval+0x24/0x54 [nft_numgen]
Use the random driver instead, this also avoids need for local prandom
state. Moreover, prandom now uses the random driver since d4150779e60f
("random32: use real rng for non-deterministic randomness").
Based on earlier patch from Pablo Neira.
Fixes: 6b2faee0ca91 ("netfilter: nft_meta: place prandom handling in a helper")
Fixes: 978d8f9055c3 ("netfilter: nft_numgen: add map lookups for numgen random operations")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nft_meta.c | 13 ++-----------
net/netfilter/nft_numgen.c | 12 +++---------
2 files changed, 5 insertions(+), 20 deletions(-)
diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c
index ac4859241e17..55d2d49c3425 100644
--- a/net/netfilter/nft_meta.c
+++ b/net/netfilter/nft_meta.c
@@ -14,6 +14,7 @@
#include <linux/in.h>
#include <linux/ip.h>
#include <linux/ipv6.h>
+#include <linux/random.h>
#include <linux/smp.h>
#include <linux/static_key.h>
#include <net/dst.h>
@@ -32,8 +33,6 @@
#define NFT_META_SECS_PER_DAY 86400
#define NFT_META_DAYS_PER_WEEK 7
-static DEFINE_PER_CPU(struct rnd_state, nft_prandom_state);
-
static u8 nft_meta_weekday(void)
{
time64_t secs = ktime_get_real_seconds();
@@ -271,13 +270,6 @@ static bool nft_meta_get_eval_ifname(enum nft_meta_keys key, u32 *dest,
return true;
}
-static noinline u32 nft_prandom_u32(void)
-{
- struct rnd_state *state = this_cpu_ptr(&nft_prandom_state);
-
- return prandom_u32_state(state);
-}
-
#ifdef CONFIG_IP_ROUTE_CLASSID
static noinline bool
nft_meta_get_eval_rtclassid(const struct sk_buff *skb, u32 *dest)
@@ -389,7 +381,7 @@ void nft_meta_get_eval(const struct nft_expr *expr,
break;
#endif
case NFT_META_PRANDOM:
- *dest = nft_prandom_u32();
+ *dest = get_random_u32();
break;
#ifdef CONFIG_XFRM
case NFT_META_SECPATH:
@@ -518,7 +510,6 @@ int nft_meta_get_init(const struct nft_ctx *ctx,
len = IFNAMSIZ;
break;
case NFT_META_PRANDOM:
- prandom_init_once(&nft_prandom_state);
len = sizeof(u32);
break;
#ifdef CONFIG_XFRM
diff --git a/net/netfilter/nft_numgen.c b/net/netfilter/nft_numgen.c
index 81b40c663d86..45d3dc9e96f2 100644
--- a/net/netfilter/nft_numgen.c
+++ b/net/netfilter/nft_numgen.c
@@ -9,12 +9,11 @@
#include <linux/netlink.h>
#include <linux/netfilter.h>
#include <linux/netfilter/nf_tables.h>
+#include <linux/random.h>
#include <linux/static_key.h>
#include <net/netfilter/nf_tables.h>
#include <net/netfilter/nf_tables_core.h>
-static DEFINE_PER_CPU(struct rnd_state, nft_numgen_prandom_state);
-
struct nft_ng_inc {
u8 dreg;
u32 modulus;
@@ -135,12 +134,9 @@ struct nft_ng_random {
u32 offset;
};
-static u32 nft_ng_random_gen(struct nft_ng_random *priv)
+static u32 nft_ng_random_gen(const struct nft_ng_random *priv)
{
- struct rnd_state *state = this_cpu_ptr(&nft_numgen_prandom_state);
-
- return reciprocal_scale(prandom_u32_state(state), priv->modulus) +
- priv->offset;
+ return reciprocal_scale(get_random_u32(), priv->modulus) + priv->offset;
}
static void nft_ng_random_eval(const struct nft_expr *expr,
@@ -168,8 +164,6 @@ static int nft_ng_random_init(const struct nft_ctx *ctx,
if (priv->offset + priv->modulus - 1 < priv->offset)
return -EOVERFLOW;
- prandom_init_once(&nft_numgen_prandom_state);
-
return nft_parse_register_store(ctx, tb[NFTA_NG_DREG], &priv->dreg,
NULL, NFT_DATA_VALUE, sizeof(u32));
}
--
2.30.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH net 2/5] netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit
2022-06-21 8:56 [PATCH net 0/5] Netfilter fixes for net Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 1/5] netfilter: use get_random_u32 instead of prandom Pablo Neira Ayuso
@ 2022-06-21 8:56 ` Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 3/5] selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh Pablo Neira Ayuso
` (2 subsequent siblings)
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-21 8:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Florian Westphal <fw@strlen.de>
syzbot reports:
BUG: KASAN: slab-out-of-bounds in __list_del_entry_valid+0xcc/0xf0 lib/list_debug.c:42
[..]
list_del include/linux/list.h:148 [inline]
cttimeout_net_exit+0x211/0x540 net/netfilter/nfnetlink_cttimeout.c:617
Problem is the wrong name of the list member, so container_of() result is wrong.
Reported-by: <syzbot+92968395eedbdbd3617d@syzkaller.appspotmail.com>
Fixes: 78222bacfca9 ("netfilter: cttimeout: decouple unlink and free on netns destruction")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nfnetlink_cttimeout.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
index af15102bc696..f466af4f8531 100644
--- a/net/netfilter/nfnetlink_cttimeout.c
+++ b/net/netfilter/nfnetlink_cttimeout.c
@@ -614,7 +614,7 @@ static void __net_exit cttimeout_net_exit(struct net *net)
nf_ct_untimeout(net, NULL);
- list_for_each_entry_safe(cur, tmp, &pernet->nfct_timeout_freelist, head) {
+ list_for_each_entry_safe(cur, tmp, &pernet->nfct_timeout_freelist, free_head) {
list_del(&cur->free_head);
if (refcount_dec_and_test(&cur->refcnt))
--
2.30.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH net 3/5] selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh
2022-06-21 8:56 [PATCH net 0/5] Netfilter fixes for net Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 1/5] netfilter: use get_random_u32 instead of prandom Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 2/5] netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit Pablo Neira Ayuso
@ 2022-06-21 8:56 ` Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 4/5] netfilter: nf_dup_netdev: do not push mac header a second time Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 5/5] netfilter: nf_dup_netdev: add and use recursion counter Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-21 8:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Jie2x Zhou <jie2x.zhou@intel.com>
Before change:
make -C netfilter
TEST: performance
net,port [SKIP]
perf not supported
port,net [SKIP]
perf not supported
net6,port [SKIP]
perf not supported
port,proto [SKIP]
perf not supported
net6,port,mac [SKIP]
perf not supported
net6,port,mac,proto [SKIP]
perf not supported
net,mac [SKIP]
perf not supported
After change:
net,mac [ OK ]
baseline (drop from netdev hook): 2061098pps
baseline hash (non-ranged entries): 1606741pps
baseline rbtree (match on first field only): 1191607pps
set with 1000 full, ranged entries: 1639119pps
ok 8 selftests: netfilter: nft_concat_range.sh
Fixes: 611973c1e06f ("selftests: netfilter: Introduce tests for sets with range concatenation")
Reported-by: kernel test robot <lkp@intel.com>
Signed-off-by: Jie2x Zhou <jie2x.zhou@intel.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/nft_concat_range.sh | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/testing/selftests/netfilter/nft_concat_range.sh b/tools/testing/selftests/netfilter/nft_concat_range.sh
index b35010cc7f6a..a6991877e50c 100755
--- a/tools/testing/selftests/netfilter/nft_concat_range.sh
+++ b/tools/testing/selftests/netfilter/nft_concat_range.sh
@@ -31,7 +31,7 @@ BUGS="flush_remove_add reload"
# List of possible paths to pktgen script from kernel tree for performance tests
PKTGEN_SCRIPT_PATHS="
- ../../../samples/pktgen/pktgen_bench_xmit_mode_netif_receive.sh
+ ../../../../samples/pktgen/pktgen_bench_xmit_mode_netif_receive.sh
pktgen/pktgen_bench_xmit_mode_netif_receive.sh"
# Definition of set types:
--
2.30.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH net 4/5] netfilter: nf_dup_netdev: do not push mac header a second time
2022-06-21 8:56 [PATCH net 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (2 preceding siblings ...)
2022-06-21 8:56 ` [PATCH net 3/5] selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh Pablo Neira Ayuso
@ 2022-06-21 8:56 ` Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 5/5] netfilter: nf_dup_netdev: add and use recursion counter Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-21 8:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Florian Westphal <fw@strlen.de>
Eric reports skb_under_panic when using dup/fwd via bond+egress hook.
Before pushing mac header, we should make sure that we're called from
ingress to put back what was pulled earlier.
In egress case, the MAC header is already there; we should leave skb
alone.
While at it be more careful here: skb might have been altered and
headroom reduced, so add a skb_cow() before so that headroom is
increased if necessary.
nf_do_netdev_egress() assumes skb ownership (it normally ends with
a call to dev_queue_xmit), so we must free the packet on error.
Fixes: f87b9464d152 ("netfilter: nft_fwd_netdev: Support egress hook")
Reported-by: Eric Garver <eric@garver.life>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_dup_netdev.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
index 7873bd1389c3..13b7f6a66086 100644
--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -13,10 +13,16 @@
#include <net/netfilter/nf_tables_offload.h>
#include <net/netfilter/nf_dup_netdev.h>
-static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev)
+static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,
+ enum nf_dev_hooks hook)
{
- if (skb_mac_header_was_set(skb))
+ if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
+ if (skb_cow_head(skb, skb->mac_len)) {
+ kfree_skb(skb);
+ return;
+ }
skb_push(skb, skb->mac_len);
+ }
skb->dev = dev;
skb_clear_tstamp(skb);
@@ -33,7 +39,7 @@ void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
return;
}
- nf_do_netdev_egress(pkt->skb, dev);
+ nf_do_netdev_egress(pkt->skb, dev, nft_hook(pkt));
}
EXPORT_SYMBOL_GPL(nf_fwd_netdev_egress);
@@ -48,7 +54,7 @@ void nf_dup_netdev_egress(const struct nft_pktinfo *pkt, int oif)
skb = skb_clone(pkt->skb, GFP_ATOMIC);
if (skb)
- nf_do_netdev_egress(skb, dev);
+ nf_do_netdev_egress(skb, dev, nft_hook(pkt));
}
EXPORT_SYMBOL_GPL(nf_dup_netdev_egress);
--
2.30.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* [PATCH net 5/5] netfilter: nf_dup_netdev: add and use recursion counter
2022-06-21 8:56 [PATCH net 0/5] Netfilter fixes for net Pablo Neira Ayuso
` (3 preceding siblings ...)
2022-06-21 8:56 ` [PATCH net 4/5] netfilter: nf_dup_netdev: do not push mac header a second time Pablo Neira Ayuso
@ 2022-06-21 8:56 ` Pablo Neira Ayuso
4 siblings, 0 replies; 7+ messages in thread
From: Pablo Neira Ayuso @ 2022-06-21 8:56 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Florian Westphal <fw@strlen.de>
Now that the egress function can be called from egress hook, we need
to avoid recursive calls into the nf_tables traverser, else crash.
Fixes: f87b9464d152 ("netfilter: nft_fwd_netdev: Support egress hook")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_dup_netdev.c | 19 +++++++++++++++----
1 file changed, 15 insertions(+), 4 deletions(-)
diff --git a/net/netfilter/nf_dup_netdev.c b/net/netfilter/nf_dup_netdev.c
index 13b7f6a66086..a8e2425e43b0 100644
--- a/net/netfilter/nf_dup_netdev.c
+++ b/net/netfilter/nf_dup_netdev.c
@@ -13,20 +13,31 @@
#include <net/netfilter/nf_tables_offload.h>
#include <net/netfilter/nf_dup_netdev.h>
+#define NF_RECURSION_LIMIT 2
+
+static DEFINE_PER_CPU(u8, nf_dup_skb_recursion);
+
static void nf_do_netdev_egress(struct sk_buff *skb, struct net_device *dev,
enum nf_dev_hooks hook)
{
+ if (__this_cpu_read(nf_dup_skb_recursion) > NF_RECURSION_LIMIT)
+ goto err;
+
if (hook == NF_NETDEV_INGRESS && skb_mac_header_was_set(skb)) {
- if (skb_cow_head(skb, skb->mac_len)) {
- kfree_skb(skb);
- return;
- }
+ if (skb_cow_head(skb, skb->mac_len))
+ goto err;
+
skb_push(skb, skb->mac_len);
}
skb->dev = dev;
skb_clear_tstamp(skb);
+ __this_cpu_inc(nf_dup_skb_recursion);
dev_queue_xmit(skb);
+ __this_cpu_dec(nf_dup_skb_recursion);
+ return;
+err:
+ kfree_skb(skb);
}
void nf_fwd_netdev_egress(const struct nft_pktinfo *pkt, int oif)
--
2.30.2
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH net 1/5] netfilter: use get_random_u32 instead of prandom
2022-06-21 8:56 ` [PATCH net 1/5] netfilter: use get_random_u32 instead of prandom Pablo Neira Ayuso
@ 2022-06-22 5:50 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 7+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-06-22 5:50 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Tue, 21 Jun 2022 10:56:14 +0200 you wrote:
> From: Florian Westphal <fw@strlen.de>
>
> bh might occur while updating per-cpu rnd_state from user context,
> ie. local_out path.
>
> BUG: using smp_processor_id() in preemptible [00000000] code: nginx/2725
> caller is nft_ng_random_eval+0x24/0x54 [nft_numgen]
> Call Trace:
> check_preemption_disabled+0xde/0xe0
> nft_ng_random_eval+0x24/0x54 [nft_numgen]
>
> [...]
Here is the summary with links:
- [net,1/5] netfilter: use get_random_u32 instead of prandom
https://git.kernel.org/netdev/net/c/b1fd94e70457
- [net,2/5] netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit
https://git.kernel.org/netdev/net/c/394e771684f7
- [net,3/5] selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh
https://git.kernel.org/netdev/net/c/5d79d8af8dec
- [net,4/5] netfilter: nf_dup_netdev: do not push mac header a second time
https://git.kernel.org/netdev/net/c/574a5b85dc3b
- [net,5/5] netfilter: nf_dup_netdev: add and use recursion counter
https://git.kernel.org/netdev/net/c/fcd53c51d037
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2022-06-22 5:50 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-06-21 8:56 [PATCH net 0/5] Netfilter fixes for net Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 1/5] netfilter: use get_random_u32 instead of prandom Pablo Neira Ayuso
2022-06-22 5:50 ` patchwork-bot+netdevbpf
2022-06-21 8:56 ` [PATCH net 2/5] netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 3/5] selftests: netfilter: correct PKTGEN_SCRIPT_PATHS in nft_concat_range.sh Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 4/5] netfilter: nf_dup_netdev: do not push mac header a second time Pablo Neira Ayuso
2022-06-21 8:56 ` [PATCH net 5/5] netfilter: nf_dup_netdev: add and use recursion counter Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).