1. 13 Jul, 2024 11 commits
  2. 12 Jul, 2024 14 commits
  3. 11 Jul, 2024 15 commits
    • Jakub Kicinski's avatar
      Merge branch 'ethtool-use-the-rss-context-xarray-in-ring-deactivation-safety-check' · 6937693d
      Jakub Kicinski authored
      Jakub Kicinski says:
      
      ====================
      ethtool: use the rss context XArray in ring deactivation safety-check
      
      Now that we have an XArray storing information about all extra
      RSS contexts - use it to extend checks already performed using
      ethtool_get_max_rxfh_channel().
      ====================
      
      Link: https://patch.msgid.link/20240710174043.754664-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      6937693d
    • Jakub Kicinski's avatar
      ethtool: use the rss context XArray in ring deactivation safety-check · 24ac7e54
      Jakub Kicinski authored
      ethtool_get_max_rxfh_channel() gets called when user requests
      deactivating Rx channels. Check the additional RSS contexts, too.
      
      While we do track whether RSS context has an indirection
      table explicitly set by the user, no driver looks at that bit.
      Assume drivers won't auto-regenerate the additional tables,
      to be safe.
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://patch.msgid.link/20240710174043.754664-3-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      24ac7e54
    • Jakub Kicinski's avatar
      ethtool: fail closed if we can't get max channel used in indirection tables · 2899d584
      Jakub Kicinski authored
      Commit 0d1b7d6c ("bnxt: fix crashes when reducing ring count with
      active RSS contexts") proves that allowing indirection table to contain
      channels with out of bounds IDs may lead to crashes. Currently the
      max channel check in the core gets skipped if driver can't fetch
      the indirection table or when we can't allocate memory.
      
      Both of those conditions should be extremely rare but if they do
      happen we should try to be safe and fail the channel change.
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://patch.msgid.link/20240710174043.754664-2-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      2899d584
    • Jakub Kicinski's avatar
      Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 7c826727
      Jakub Kicinski authored
      Cross-merge networking fixes after downstream PR.
      
      Conflicts:
      
      net/sched/act_ct.c
        26488172 ("net/sched: Fix UAF when resolving a clash")
        3abbd7ed ("act_ct: prepare for stolen verdict coming from conntrack and nat engine")
      
      No adjacent changes.
      Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
      7c826727
    • Colin Ian King's avatar
    • Linus Torvalds's avatar
      Merge tag 'net-6.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net · 51df8e0c
      Linus Torvalds authored
      Pull networking fixes from Paolo Abeni:
       "Including fixes from bpf and netfilter.
      
        Current release - regressions:
      
         - core: fix rc7's __skb_datagram_iter() regression
      
        Current release - new code bugs:
      
         - eth: bnxt: fix crashes when reducing ring count with active RSS
           contexts
      
        Previous releases - regressions:
      
         - sched: fix UAF when resolving a clash
      
         - skmsg: skip zero length skb in sk_msg_recvmsg2
      
         - sunrpc: fix kernel free on connection failure in
           xs_tcp_setup_socket
      
         - tcp: avoid too many retransmit packets
      
         - tcp: fix incorrect undo caused by DSACK of TLP retransmit
      
         - udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
      
         - eth: ks8851: fix deadlock with the SPI chip variant
      
         - eth: i40e: fix XDP program unloading while removing the driver
      
        Previous releases - always broken:
      
         - bpf:
             - fix too early release of tcx_entry
             - fail bpf_timer_cancel when callback is being cancelled
             - bpf: fix order of args in call to bpf_map_kvcalloc
      
         - netfilter: nf_tables: prefer nft_chain_validate
      
         - ppp: reject claimed-as-LCP but actually malformed packets
      
         - wireguard: avoid unaligned 64-bit memory accesses"
      
      * tag 'net-6.10-rc8' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net: (33 commits)
        net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket
        net/sched: Fix UAF when resolving a clash
        net: ks8851: Fix potential TX stall after interface reopen
        udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port().
        netfilter: nf_tables: prefer nft_chain_validate
        netfilter: nfnetlink_queue: drop bogus WARN_ON
        ethtool: netlink: do not return SQI value if link is down
        ppp: reject claimed-as-LCP but actually malformed packets
        selftests/bpf: Add timer lockup selftest
        net: ethernet: mtk-star-emac: set mac_managed_pm when probing
        e1000e: fix force smbus during suspend flow
        tcp: avoid too many retransmit packets
        bpf: Defer work in bpf_timer_cancel_and_free
        bpf: Fail bpf_timer_cancel when callback is being cancelled
        bpf: fix order of args in call to bpf_map_kvcalloc
        net: ethernet: lantiq_etop: fix double free in detach
        i40e: Fix XDP program unloading while removing the driver
        net: fix rc7's __skb_datagram_iter()
        net: ks8851: Fix deadlock with the SPI chip variant
        octeontx2-af: Fix incorrect value output on error path in rvu_check_rsrc_availability()
        ...
      51df8e0c
    • Linus Torvalds's avatar
      Merge tag 'vfs-6.10-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs · 83ab4b46
      Linus Torvalds authored
      Pull vfs fixes from Christian Brauner:
       "cachefiles:
      
         - Export an existing and add a new cachefile helper to be used in
           filesystems to fix reference count bugs
      
         - Use the newly added fscache_ty_get_volume() helper to get a
           reference count on an fscache_volume to handle volumes that are
           about to be removed cleanly
      
         - After withdrawing a fscache_cache via FSCACHE_CACHE_IS_WITHDRAWN
           wait for all ongoing cookie lookups to complete and for the object
           count to reach zero
      
         - Propagate errors from vfs_getxattr() to avoid an infinite loop in
           cachefiles_check_volume_xattr() because it keeps seeing ESTALE
      
         - Don't send new requests when an object is dropped by raising
           CACHEFILES_ONDEMAND_OJBSTATE_DROPPING
      
         - Cancel all requests for an object that is about to be dropped
      
         - Wait for the ondemand_boject_worker to finish before dropping a
           cachefiles object to prevent use-after-free
      
         - Use cyclic allocation for message ids to better handle id recycling
      
         - Add missing lock protection when iterating through the xarray when
           polling
      
        netfs:
      
         - Use standard logging helpers for debug logging
      
        VFS:
      
         - Fix potential use-after-free in file locks during
           trace_posix_lock_inode(). The tracepoint could fire while another
           task raced it and freed the lock that was requested to be traced
      
         - Only increment the nr_dentry_negative counter for dentries that are
           present on the superblock LRU. Currently, DCACHE_LRU_LIST list is
           used to detect this case. However, the flag is also raised in
           combination with DCACHE_SHRINK_LIST to indicate that dentry->d_lru
           is used. So checking only DCACHE_LRU_LIST will lead to wrong
           nr_dentry_negative count. Fix the check to not count dentries that
           are on a shrink related list
      
        Misc:
      
         - hfsplus: fix an uninitialized value issue in copy_name
      
         - minix: fix minixfs_rename with HIGHMEM. It still uses kunmap() even
           though we switched it to kmap_local_page() a while ago"
      
      * tag 'vfs-6.10-rc8.fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/vfs/vfs:
        minixfs: Fix minixfs_rename with HIGHMEM
        hfsplus: fix uninit-value in copy_name
        vfs: don't mod negative dentry count when on shrinker list
        filelock: fix potential use-after-free in posix_lock_inode
        cachefiles: add missing lock protection when polling
        cachefiles: cyclic allocation of msg_id to avoid reuse
        cachefiles: wait for ondemand_object_worker to finish when dropping object
        cachefiles: cancel all requests for the object that is being dropped
        cachefiles: stop sending new request when dropping object
        cachefiles: propagate errors from vfs_getxattr() to avoid infinite loop
        cachefiles: fix slab-use-after-free in cachefiles_withdraw_cookie()
        cachefiles: fix slab-use-after-free in fscache_withdraw_volume()
        netfs, fscache: export fscache_put_volume() and add fscache_try_get_volume()
        netfs: Switch debug logging to pr_debug()
      83ab4b46
    • Paolo Abeni's avatar
      Merge tag 'nf-24-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · d7c199e7
      Paolo Abeni authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following batch contains Netfilter fixes for net:
      
      Patch #1 fixes a bogus WARN_ON splat in nfnetlink_queue.
      
      Patch #2 fixes a crash due to stack overflow in chain loop detection
      	 by using the existing chain validation routines
      
      Both patches from Florian Westphal.
      
      netfilter pull request 24-07-11
      
      * tag 'nf-24-07-11' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
        netfilter: nf_tables: prefer nft_chain_validate
        netfilter: nfnetlink_queue: drop bogus WARN_ON
      ====================
      
      Link: https://patch.msgid.link/20240711093948.3816-1-pablo@netfilter.orgSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      d7c199e7
    • Paolo Abeni's avatar
      Merge tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf · a819ff0c
      Paolo Abeni authored
      Daniel Borkmann says:
      
      ====================
      pull-request: bpf 2024-07-11
      
      The following pull-request contains BPF updates for your *net* tree.
      
      We've added 4 non-merge commits during the last 2 day(s) which contain
      a total of 4 files changed, 262 insertions(+), 19 deletions(-).
      
      The main changes are:
      
      1) Fixes for a BPF timer lockup and a use-after-free scenario when timers
         are used concurrently, from Kumar Kartikeya Dwivedi.
      
      2) Fix the argument order in the call to bpf_map_kvcalloc() which could
         otherwise lead to a compilation error, from Mohammad Shehar Yaar Tausif.
      
      bpf-for-netdev
      
      * tag 'for-netdev' of https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
        selftests/bpf: Add timer lockup selftest
        bpf: Defer work in bpf_timer_cancel_and_free
        bpf: Fail bpf_timer_cancel when callback is being cancelled
        bpf: fix order of args in call to bpf_map_kvcalloc
      ====================
      
      Link: https://patch.msgid.link/20240711084016.25757-1-daniel@iogearbox.netSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      a819ff0c
    • Daniel Borkmann's avatar
      net, sunrpc: Remap EPERM in case of connection failure in xs_tcp_setup_socket · 626dfed5
      Daniel Borkmann authored
      When using a BPF program on kernel_connect(), the call can return -EPERM. This
      causes xs_tcp_setup_socket() to loop forever, filling up the syslog and causing
      the kernel to potentially freeze up.
      
      Neil suggested:
      
        This will propagate -EPERM up into other layers which might not be ready
        to handle it. It might be safer to map EPERM to an error we would be more
        likely to expect from the network system - such as ECONNREFUSED or ENETDOWN.
      
      ECONNREFUSED as error seems reasonable. For programs setting a different error
      can be out of reach (see handling in 4fbac77d) in particular on kernels
      which do not have f10d0596 ("bpf: Make BPF_PROG_RUN_ARRAY return -err
      instead of allow boolean"), thus given that it is better to simply remap for
      consistent behavior. UDP does handle EPERM in xs_udp_send_request().
      
      Fixes: d74bad4e ("bpf: Hooks for sys_connect")
      Fixes: 4fbac77d ("bpf: Hooks for sys_bind")
      Co-developed-by: default avatarLex Siegel <usiegl00@gmail.com>
      Signed-off-by: default avatarLex Siegel <usiegl00@gmail.com>
      Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
      Cc: Neil Brown <neilb@suse.de>
      Cc: Trond Myklebust <trondmy@kernel.org>
      Cc: Anna Schumaker <anna@kernel.org>
      Link: https://github.com/cilium/cilium/issues/33395
      Link: https://lore.kernel.org/bpf/171374175513.12877.8993642908082014881@noble.neil.brown.name
      Link: https://patch.msgid.link/9069ec1d59e4b2129fc23433349fd5580ad43921.1720075070.git.daniel@iogearbox.netSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      626dfed5
    • Chengen Du's avatar
      net/sched: Fix UAF when resolving a clash · 26488172
      Chengen Du authored
      KASAN reports the following UAF:
      
       BUG: KASAN: slab-use-after-free in tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
       Read of size 1 at addr ffff888c07603600 by task handler130/6469
      
       Call Trace:
        <IRQ>
        dump_stack_lvl+0x48/0x70
        print_address_description.constprop.0+0x33/0x3d0
        print_report+0xc0/0x2b0
        kasan_report+0xd0/0x120
        __asan_load1+0x6c/0x80
        tcf_ct_flow_table_process_conn+0x12b/0x380 [act_ct]
        tcf_ct_act+0x886/0x1350 [act_ct]
        tcf_action_exec+0xf8/0x1f0
        fl_classify+0x355/0x360 [cls_flower]
        __tcf_classify+0x1fd/0x330
        tcf_classify+0x21c/0x3c0
        sch_handle_ingress.constprop.0+0x2c5/0x500
        __netif_receive_skb_core.constprop.0+0xb25/0x1510
        __netif_receive_skb_list_core+0x220/0x4c0
        netif_receive_skb_list_internal+0x446/0x620
        napi_complete_done+0x157/0x3d0
        gro_cell_poll+0xcf/0x100
        __napi_poll+0x65/0x310
        net_rx_action+0x30c/0x5c0
        __do_softirq+0x14f/0x491
        __irq_exit_rcu+0x82/0xc0
        irq_exit_rcu+0xe/0x20
        common_interrupt+0xa1/0xb0
        </IRQ>
        <TASK>
        asm_common_interrupt+0x27/0x40
      
       Allocated by task 6469:
        kasan_save_stack+0x38/0x70
        kasan_set_track+0x25/0x40
        kasan_save_alloc_info+0x1e/0x40
        __kasan_krealloc+0x133/0x190
        krealloc+0xaa/0x130
        nf_ct_ext_add+0xed/0x230 [nf_conntrack]
        tcf_ct_act+0x1095/0x1350 [act_ct]
        tcf_action_exec+0xf8/0x1f0
        fl_classify+0x355/0x360 [cls_flower]
        __tcf_classify+0x1fd/0x330
        tcf_classify+0x21c/0x3c0
        sch_handle_ingress.constprop.0+0x2c5/0x500
        __netif_receive_skb_core.constprop.0+0xb25/0x1510
        __netif_receive_skb_list_core+0x220/0x4c0
        netif_receive_skb_list_internal+0x446/0x620
        napi_complete_done+0x157/0x3d0
        gro_cell_poll+0xcf/0x100
        __napi_poll+0x65/0x310
        net_rx_action+0x30c/0x5c0
        __do_softirq+0x14f/0x491
      
       Freed by task 6469:
        kasan_save_stack+0x38/0x70
        kasan_set_track+0x25/0x40
        kasan_save_free_info+0x2b/0x60
        ____kasan_slab_free+0x180/0x1f0
        __kasan_slab_free+0x12/0x30
        slab_free_freelist_hook+0xd2/0x1a0
        __kmem_cache_free+0x1a2/0x2f0
        kfree+0x78/0x120
        nf_conntrack_free+0x74/0x130 [nf_conntrack]
        nf_ct_destroy+0xb2/0x140 [nf_conntrack]
        __nf_ct_resolve_clash+0x529/0x5d0 [nf_conntrack]
        nf_ct_resolve_clash+0xf6/0x490 [nf_conntrack]
        __nf_conntrack_confirm+0x2c6/0x770 [nf_conntrack]
        tcf_ct_act+0x12ad/0x1350 [act_ct]
        tcf_action_exec+0xf8/0x1f0
        fl_classify+0x355/0x360 [cls_flower]
        __tcf_classify+0x1fd/0x330
        tcf_classify+0x21c/0x3c0
        sch_handle_ingress.constprop.0+0x2c5/0x500
        __netif_receive_skb_core.constprop.0+0xb25/0x1510
        __netif_receive_skb_list_core+0x220/0x4c0
        netif_receive_skb_list_internal+0x446/0x620
        napi_complete_done+0x157/0x3d0
        gro_cell_poll+0xcf/0x100
        __napi_poll+0x65/0x310
        net_rx_action+0x30c/0x5c0
        __do_softirq+0x14f/0x491
      
      The ct may be dropped if a clash has been resolved but is still passed to
      the tcf_ct_flow_table_process_conn function for further usage. This issue
      can be fixed by retrieving ct from skb again after confirming conntrack.
      
      Fixes: 0cc254e5 ("net/sched: act_ct: Offload connections with commit action")
      Co-developed-by: default avatarGerald Yang <gerald.yang@canonical.com>
      Signed-off-by: default avatarGerald Yang <gerald.yang@canonical.com>
      Signed-off-by: default avatarChengen Du <chengen.du@canonical.com>
      Link: https://patch.msgid.link/20240710053747.13223-1-chengen.du@canonical.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      26488172
    • Ronald Wahl's avatar
      net: ks8851: Fix potential TX stall after interface reopen · 7a99afef
      Ronald Wahl authored
      The amount of TX space in the hardware buffer is tracked in the tx_space
      variable. The initial value is currently only set during driver probing.
      
      After closing the interface and reopening it the tx_space variable has
      the last value it had before close. If it is smaller than the size of
      the first send packet after reopeing the interface the queue will be
      stopped. The queue is woken up after receiving a TX interrupt but this
      will never happen since we did not send anything.
      
      This commit moves the initialization of the tx_space variable to the
      ks8851_net_open function right before starting the TX queue. Also query
      the value from the hardware instead of using a hard coded value.
      
      Only the SPI chip variant is affected by this issue because only this
      driver variant actually depends on the tx_space variable in the xmit
      function.
      
      Fixes: 3dc5d445 ("net: ks8851: Fix TX stall caused by TX buffer overrun")
      Cc: "David S. Miller" <davem@davemloft.net>
      Cc: Eric Dumazet <edumazet@google.com>
      Cc: Jakub Kicinski <kuba@kernel.org>
      Cc: Paolo Abeni <pabeni@redhat.com>
      Cc: Simon Horman <horms@kernel.org>
      Cc: netdev@vger.kernel.org
      Cc: stable@vger.kernel.org # 5.10+
      Signed-off-by: default avatarRonald Wahl <ronald.wahl@raritan.com>
      Reviewed-by: default avatarJacob Keller <jacob.e.keller@intel.com>
      Link: https://patch.msgid.link/20240709195845.9089-1-rwahl@gmx.deSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      7a99afef
    • Kuniyuki Iwashima's avatar
      udp: Set SOCK_RCU_FREE earlier in udp_lib_get_port(). · 5c0b485a
      Kuniyuki Iwashima authored
      syzkaller triggered the warning [0] in udp_v4_early_demux().
      
      In udp_v[46]_early_demux() and sk_lookup(), we do not touch the refcount
      of the looked-up sk and use sock_pfree() as skb->destructor, so we check
      SOCK_RCU_FREE to ensure that the sk is safe to access during the RCU grace
      period.
      
      Currently, SOCK_RCU_FREE is flagged for a bound socket after being put
      into the hash table.  Moreover, the SOCK_RCU_FREE check is done too early
      in udp_v[46]_early_demux() and sk_lookup(), so there could be a small race
      window:
      
        CPU1                                 CPU2
        ----                                 ----
        udp_v4_early_demux()                 udp_lib_get_port()
        |                                    |- hlist_add_head_rcu()
        |- sk = __udp4_lib_demux_lookup()    |
        |- DEBUG_NET_WARN_ON_ONCE(sk_is_refcounted(sk));
                                             `- sock_set_flag(sk, SOCK_RCU_FREE)
      
      We had the same bug in TCP and fixed it in commit 871019b2 ("net:
      set SOCK_RCU_FREE before inserting socket into hashtable").
      
      Let's apply the same fix for UDP.
      
      [0]:
      WARNING: CPU: 0 PID: 11198 at net/ipv4/udp.c:2599 udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
      Modules linked in:
      CPU: 0 PID: 11198 Comm: syz-executor.1 Not tainted 6.9.0-g93bda330 #13
      Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
      RIP: 0010:udp_v4_early_demux+0x481/0xb70 net/ipv4/udp.c:2599
      Code: c5 7a 15 fe bb 01 00 00 00 44 89 e9 31 ff d3 e3 81 e3 bf ef ff ff 89 de e8 2c 74 15 fe 85 db 0f 85 02 06 00 00 e8 9f 7a 15 fe <0f> 0b e8 98 7a 15 fe 49 8d 7e 60 e8 4f 39 2f fe 49 c7 46 60 20 52
      RSP: 0018:ffffc9000ce3fa58 EFLAGS: 00010293
      RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffffff8318c92c
      RDX: ffff888036ccde00 RSI: ffffffff8318c2f1 RDI: 0000000000000001
      RBP: ffff88805a2dd6e0 R08: 0000000000000001 R09: 0000000000000000
      R10: 0000000000000000 R11: 0001ffffffffffff R12: ffff88805a2dd680
      R13: 0000000000000007 R14: ffff88800923f900 R15: ffff88805456004e
      FS:  00007fc449127640(0000) GS:ffff88807dc00000(0000) knlGS:0000000000000000
      CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
      CR2: 00007fc449126e38 CR3: 000000003de4b002 CR4: 0000000000770ef0
      DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
      DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600
      PKRU: 55555554
      Call Trace:
       <TASK>
       ip_rcv_finish_core.constprop.0+0xbdd/0xd20 net/ipv4/ip_input.c:349
       ip_rcv_finish+0xda/0x150 net/ipv4/ip_input.c:447
       NF_HOOK include/linux/netfilter.h:314 [inline]
       NF_HOOK include/linux/netfilter.h:308 [inline]
       ip_rcv+0x16c/0x180 net/ipv4/ip_input.c:569
       __netif_receive_skb_one_core+0xb3/0xe0 net/core/dev.c:5624
       __netif_receive_skb+0x21/0xd0 net/core/dev.c:5738
       netif_receive_skb_internal net/core/dev.c:5824 [inline]
       netif_receive_skb+0x271/0x300 net/core/dev.c:5884
       tun_rx_batched drivers/net/tun.c:1549 [inline]
       tun_get_user+0x24db/0x2c50 drivers/net/tun.c:2002
       tun_chr_write_iter+0x107/0x1a0 drivers/net/tun.c:2048
       new_sync_write fs/read_write.c:497 [inline]
       vfs_write+0x76f/0x8d0 fs/read_write.c:590
       ksys_write+0xbf/0x190 fs/read_write.c:643
       __do_sys_write fs/read_write.c:655 [inline]
       __se_sys_write fs/read_write.c:652 [inline]
       __x64_sys_write+0x41/0x50 fs/read_write.c:652
       x64_sys_call+0xe66/0x1990 arch/x86/include/generated/asm/syscalls_64.h:2
       do_syscall_x64 arch/x86/entry/common.c:52 [inline]
       do_syscall_64+0x4b/0x110 arch/x86/entry/common.c:83
       entry_SYSCALL_64_after_hwframe+0x4b/0x53
      RIP: 0033:0x7fc44a68bc1f
      Code: 89 54 24 18 48 89 74 24 10 89 7c 24 08 e8 e9 cf f5 ff 48 8b 54 24 18 48 8b 74 24 10 41 89 c0 8b 7c 24 08 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 31 44 89 c7 48 89 44 24 08 e8 3c d0 f5 ff 48
      RSP: 002b:00007fc449126c90 EFLAGS: 00000293 ORIG_RAX: 0000000000000001
      RAX: ffffffffffffffda RBX: 00000000004bc050 RCX: 00007fc44a68bc1f
      RDX: 0000000000000032 RSI: 00000000200000c0 RDI: 00000000000000c8
      RBP: 00000000004bc050 R08: 0000000000000000 R09: 0000000000000000
      R10: 0000000000000032 R11: 0000000000000293 R12: 0000000000000000
      R13: 000000000000000b R14: 00007fc44a5ec530 R15: 0000000000000000
       </TASK>
      
      Fixes: 6acc9b43 ("bpf: Add helper to retrieve socket in BPF")
      Reported-by: default avatarsyzkaller <syzkaller@googlegroups.com>
      Signed-off-by: default avatarKuniyuki Iwashima <kuniyu@amazon.com>
      Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
      Link: https://patch.msgid.link/20240709191356.24010-1-kuniyu@amazon.comSigned-off-by: default avatarPaolo Abeni <pabeni@redhat.com>
      5c0b485a
    • Florian Westphal's avatar
      netfilter: nf_tables: prefer nft_chain_validate · cff3bd01
      Florian Westphal authored
      nft_chain_validate already performs loop detection because a cycle will
      result in a call stack overflow (ctx->level >= NFT_JUMP_STACK_SIZE).
      
      It also follows maps via ->validate callback in nft_lookup, so there
      appears no reason to iterate the maps again.
      
      nf_tables_check_loops() and all its helper functions can be removed.
      This improves ruleset load time significantly, from 23s down to 12s.
      
      This also fixes a crash bug. Old loop detection code can result in
      unbounded recursion:
      
      BUG: TASK stack guard page was hit at ....
      Oops: stack guard page: 0000 [#1] PREEMPT SMP KASAN
      CPU: 4 PID: 1539 Comm: nft Not tainted 6.10.0-rc5+ #1
      [..]
      
      with a suitable ruleset during validation of register stores.
      
      I can't see any actual reason to attempt to check for this from
      nft_validate_register_store(), at this point the transaction is still in
      progress, so we don't have a full picture of the rule graph.
      
      For nf-next it might make sense to either remove it or make this depend
      on table->validate_state in case we could catch an error earlier
      (for improved error reporting to userspace).
      
      Fixes: 20a69341 ("netfilter: nf_tables: add netlink set API")
      Signed-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      cff3bd01
    • Florian Westphal's avatar
      netfilter: nfnetlink_queue: drop bogus WARN_ON · 631a4b3d
      Florian Westphal authored
      Happens when rules get flushed/deleted while packet is out, so remove
      this WARN_ON.
      
      This WARN exists in one form or another since v4.14, no need to backport
      this to older releases, hence use a more recent fixes tag.
      
      Fixes: 3f801968 ("netfilter: move nf_reinject into nfnetlink_queue modules")
      Reported-by: default avatarkernel test robot <oliver.sang@intel.com>
      Closes: https://lore.kernel.org/oe-lkp/202407081453.11ac0f63-lkp@intel.comSigned-off-by: default avatarFlorian Westphal <fw@strlen.de>
      Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
      631a4b3d