  3. 14 Aug, 2024 8 commits
      netfilter: nf_tables: Add locking for NFT_MSG_GETOBJ_RESET requests · bd662c42
      Phil Sutter authored
      Objects' dump callbacks are not concurrency-safe per se with reset bit
      set. If two CPUs perform a reset at the same time, at least counter and
      quota objects suffer from value underrun.
      
      Prevent this by introducing dedicated locking callbacks for nfnetlink
      and the asynchronous dump handling to serialize access.
      
      Fixes: 43da04a5 ("netfilter: nf_tables: atomic dump and reset for stateful objects")
      Signed-off-by: Phil Sutter <phil@nwl.cc>
      Reviewed-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nf_tables: Introduce nf_tables_getobj_single · 69fc3e9e
      Phil Sutter authored
      Outsource the reply skb preparation for non-dump getrule requests into a
      distinct function. Prep work for object reset locking.
      Signed-off-by: Phil Sutter <phil@nwl.cc>
      Reviewed-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nf_tables: Audit log dump reset after the fact · e0b6648b
      Phil Sutter authored
      In theory, dumpreset may fail and invalidate the preceding log message.
      Fix this and use the occasion to prepare for object reset locking, which
      benefits from a few unrelated changes:
      
      * Add an early call to nfnetlink_unicast if not resetting which
        effectively skips the audit logging but also unindents it.
      * Extract the table's name from the netlink attribute (which is verified
        via earlier table lookup) to not rely upon validity of the looked up
        table pointer.
      * Do not use local variable family, it will vanish.
      
      Fixes: 8e6cf365 ("audit: log nftables configuration change events")
      Signed-off-by: Phil Sutter <phil@nwl.cc>
      Reviewed-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      selftests: netfilter: add test for br_netfilter+conntrack+queue combination · ea2306f0
      Florian Westphal authored
      Trigger cloned skbs leaving softirq protection.
      This triggers splat without the preceding change
      ("netfilter: nf_queue: drop packets with cloned unconfirmed
       conntracks"):
      
      WARNING: at net/netfilter/nf_conntrack_core.c:1198 __nf_conntrack_confirm..
      
      because local delivery and forwarding will race for confirmation.
      
      Based on a reproducer script from Yi Chen.
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nf_queue: drop packets with cloned unconfirmed conntracks · 7d8dc1c7
      Florian Westphal authored
      Conntrack assumes an unconfirmed entry (not yet committed to global hash
      table) has a refcount of 1 and is not visible to other cores.
      
      With multicast forwarding this assumption breaks down because such
      skbs get cloned after being picked up, i.e. ct->use refcount is > 1.
      
      Likewise, bridge netfilter will clone broad/multicast frames and
      all frames in case they need to be flood-forwarded during learning
      phase.
      
      For ip multicast forwarding or plain bridge flood-forward this will
      "work" because packets don't leave softirq and are implicitly
      serialized.
      
      With nfqueue this no longer holds true, the packets get queued
      and can be reinjected in arbitrary ways.
      
      Disable this feature, I see no other solution.
      
      After this patch, nfqueue cannot queue packets except the last
      multicast/broadcast packet.
      
      Fixes: 1da177e4 ("Linux-2.6.12-rc2")
      Signed-off-by: Florian Westphal <fw@strlen.de>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: flowtable: initialise extack before use · e9767137
      Donald Hunter authored
      Fix missing initialisation of extack in flow offload.
      
      Fixes: c29f74e0 ("netfilter: nf_flow_table: hardware offload support")
      Signed-off-by: Donald Hunter <donald.hunter@gmail.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      netfilter: nfnetlink: Initialise extack before use in ACKs · d1a7b382
      Donald Hunter authored
      Add missing extack initialisation when ACKing BATCH_BEGIN and BATCH_END.
      
      Fixes: bf2ac490 ("netfilter: nfnetlink: Handle ACK flags for batch messages")
      Signed-off-by: Donald Hunter <donald.hunter@gmail.com>
      Reviewed-by: Simon Horman <horms@kernel.org>
      Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
      Merge tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm · d07b4328
      Linus Torvalds authored
      Pull kvm fixes from Paolo Bonzini:
       "s390:
      
         - Fix failure to start guests with kvm.use_gisa=0
      
         - Panic if (un)share fails to maintain security.
      
        ARM:
      
         - Use kvfree() for the kvmalloc'd nested MMUs array
      
         - Set of fixes to address warnings in W=1 builds
      
         - Make KVM depend on assembler support for ARMv8.4
      
         - Fix for vgic-debug interface for VMs without LPIs
      
         - Actually check ID_AA64MMFR3_EL1.S1PIE in get-reg-list selftest
      
         - Minor code / comment cleanups for configuring PAuth traps
      
         - Take kvm->arch.config_lock to prevent destruction / initialization
           race for a vCPU's CPUIF which may lead to a UAF
      
        x86:
      
         - Disallow read-only memslots for SEV-ES and SEV-SNP (and TDX)
      
         - Fix smatch issues
      
         - Small cleanups
      
         - Make x2APIC ID 100% readonly
      
         - Fix typo in uapi constant
      
        Generic:
      
         - Use synchronize_srcu_expedited() on irqfd shutdown"
      
      * tag 'for-linus' of git://git.kernel.org/pub/scm/virt/kvm/kvm: (21 commits)
        KVM: SEV: uapi: fix typo in SEV_RET_INVALID_CONFIG
        KVM: x86: Disallow read-only memslots for SEV-ES and SEV-SNP (and TDX)
        KVM: eventfd: Use synchronize_srcu_expedited() on shutdown
        KVM: selftests: Add a testcase to verify x2APIC is fully readonly
        KVM: x86: Make x2APIC ID 100% readonly
        KVM: x86: Use this_cpu_ptr() instead of per_cpu_ptr(smp_processor_id())
        KVM: x86: hyper-v: Remove unused inline function kvm_hv_free_pa_page()
        KVM: SVM: Fix an error code in sev_gmem_post_populate()
        KVM: SVM: Fix uninitialized variable bug
        KVM: arm64: vgic: Hold config_lock while tearing down a CPU interface
        KVM: selftests: arm64: Correct feature test for S1PIE in get-reg-list
        KVM: arm64: Tidying up PAuth code in KVM
        KVM: arm64: vgic-debug: Exit the iterator properly w/o LPI
        KVM: arm64: Enforce dependency on an ARMv8.4-aware toolchain
        s390/uv: Panic for set and remove shared access UVC errors
        KVM: s390: fix validity interception issue when gisa is switched off
        docs: KVM: Fix register ID of SPSR_FIQ
        KVM: arm64: vgic: fix unexpected unlock sparse warnings
        KVM: arm64: fix kdoc warnings in W=1 builds
        KVM: arm64: fix override-init warnings in W=1 builds
        ...