1. 06 Jul, 2022 10 commits
  2. 05 Jul, 2022 7 commits
  3. 04 Jul, 2022 20 commits
  4. 03 Jul, 2022 1 commit
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf · 280e3a85
      David S. Miller authored
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for net:
      
      1) Insufficient validation of element datatype and length in
         nft_setelem_parse_data(). At least commit 7d740264 updates
         maximum element data area up to 64 bytes when only 16 bytes
         were supported at the time. Support for larger element size
         came later in fdb9c405 though. Picking this older commit
         as Fixes: tag to be safe rather than sorry.
      
      2) Memleak in pipapo destroy path, reproducible when transaction
         is aborted. This is already triggering in the existing netfilter
         test infrastructure since more recent new tests are covering this
         path.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  5. 02 Jul, 2022 2 commits
    • netfilter: nft_set_pipapo: release elements in clone from abort path · 9827a0e6
      Pablo Neira Ayuso authored
      New elements that reside in the clone are not released in case that the
      transaction is aborted.
      
      [16302.231754] ------------[ cut here ]------------
      [16302.231756] WARNING: CPU: 0 PID: 100509 at net/netfilter/nf_tables_api.c:1864 nf_tables_chain_destroy+0x26/0x127 [nf_tables]
      [...]
      [16302.231882] CPU: 0 PID: 100509 Comm: nft Tainted: G        W         5.19.0-rc3+ #155
      [...]
      [16302.231887] RIP: 0010:nf_tables_chain_destroy+0x26/0x127 [nf_tables]
      [16302.231899] Code: f3 fe ff ff 41 55 41 54 55 53 48 8b 6f 10 48 89 fb 48 c7 c7 82 96 d9 a0 8b 55 50 48 8b 75 58 e8 de f5 92 e0 83 7d 50 00 74 09 <0f> 0b 5b 5d 41 5c 41 5d c3 4c 8b 65 00 48 8b 7d 08 49 39 fc 74 05
      [...]
      [16302.231917] Call Trace:
      [16302.231919]  <TASK>
      [16302.231921]  __nf_tables_abort.cold+0x23/0x28 [nf_tables]
      [16302.231934]  nf_tables_abort+0x30/0x50 [nf_tables]
      [16302.231946]  nfnetlink_rcv_batch+0x41a/0x840 [nfnetlink]
      [16302.231952]  ? __nla_validate_parse+0x48/0x190
      [16302.231959]  nfnetlink_rcv+0x110/0x129 [nfnetlink]
      [16302.231963]  netlink_unicast+0x211/0x340
      [16302.231969]  netlink_sendmsg+0x21e/0x460
      
      Add nft_set_pipapo_match_destroy() helper function to release the
      elements in the lookup tables.
      
      Stefano Brivio says: "We additionally look for elements pointers in the
      cloned matching data if priv->dirty is set, because that means that
      cloned data might point to additional elements we did not commit to the
      working copy yet (such as the abort path case, but perhaps not limited
      to it)."
      
      Fixes: 3c4287f6 ("nf_tables: Add set type for arbitrary concatenation of ranges")
      Reviewed-by: Stefano Brivio <sbrivio@redhat.com>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    • netfilter: nf_tables: stricter validation of element data · 7e6bc1f6
      Pablo Neira Ayuso authored
      Make sure element data type and length do not mismatch the one specified
      by the set declaration.
      
      Fixes: 7d740264 ("netfilter: nf_tables: variable sized set element keys / data")
      Reported-by: Hugues ANGUELKOV <hanguelkov@randorisec.fr>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>