Linux kernel stable tree (mirror) https://git.radix-linux.su/kernel/linux.git/atom?h=v5.18.12 2022-06-14T16:45:05+00:00 2022-06-14T16:45:05+00:00 Pablo Neira Ayuso pablo@netfilter.org 2022-06-06T15:31:29+00:00 urn:sha1:c02559cfea0aed3d685ceceb20e5d95551a1dc39 [ Upstream commit 3a41c64d9c1185a2f3a184015e2a9b78bfc99c71 ] If user requests for NFT_CHAIN_HW_OFFLOAD, then check if either device provides the .ndo_setup_tc interface or there is an indirect flow block that has been registered. Otherwise, bail out early from the preparation phase. Moreover, validate that family == NFPROTO_NETDEV and hook is NF_NETDEV_INGRESS. Fixes: c9626a2cbdb2 ("netfilter: nf_tables: add hardware offload support") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-14T16:45:04+00:00 Pablo Neira Ayuso pablo@netfilter.org 2022-05-30T16:40:06+00:00 urn:sha1:99180dec5ae582227219d1fdd0dd5ccf53ec7491 [ Upstream commit b6d9014a3335194590abdd2a2471ef5147a67645 ] Remove inactive bool field in nft_hook object that was introduced in abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable"). Move stale flowtable hooks to transaction list instead. Deleting twice the same device does not result in ENOENT. Fixes: abadb2f865d7 ("netfilter: nf_tables: delete devices from flowtable") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org> 2022-06-06T06:48:54+00:00 Florian Westphal fw@strlen.de 2022-05-19T22:02:04+00:00 urn:sha1:04e4a11dc723c52db7a36dc58f0d69ce6426f8f0 commit 56b14ecec97f39118bf85c9ac2438c5a949509ed upstream. In case the conntrack is clashing, insertion can free skb->_nfct and set skb->_nfct to the already-confirmed entry. This wasn't found before because the conntrack entry and the extension space used to free'd after an rcu grace period, plus the race needs events enabled to trigger. Reported-by: <syzbot+793a590957d9c1b96620@syzkaller.appspotmail.com> Fixes: 71d8c47fc653 ("netfilter: conntrack: introduce clash resolution on insertion race") Fixes: 2ad9d7747c10 ("netfilter: conntrack: free extension area immediately") Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> 2022-03-23T17:53:49+00:00 Jakub Kicinski kuba@kernel.org 2022-03-23T17:52:56+00:00 urn:sha1:89695196f0ba78a17453f9616355f2ca6b293402 Merge in overtime fixes, no conflicts. Signed-off-by: Jakub Kicinski <kuba@kernel.org> 2022-03-19T23:29:47+00:00 Florian Westphal fw@strlen.de 2022-03-14T17:23:12+00:00 urn:sha1:3c1eb413a45b6c6327fed394705081ec6202b31a The fib expression stores to a register, so we can't add empty stub. Check that the register that is being written is in fact redundant. In most cases, this is expected to cancel tracking as re-use is unlikely. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-03-19T23:29:46+00:00 Florian Westphal fw@strlen.de 2022-03-14T17:23:04+00:00 urn:sha1:aaa7b20bd4d637fd4ef0d72b6c828c061b9bc5f7 its enough to export the meta get reduce helper and then call it from nft_meta_bridge too. Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-03-19T23:29:46+00:00 Pablo Neira Ayuso pablo@netfilter.org 2022-03-14T17:23:01+00:00 urn:sha1:34cc9e52884a16c62acbfb309863fb60e4c24f55 Output of expressions might be larger than one single register, this might clobber existing data. Reset tracking for all destination registers that required to store the expression output. This patch adds three new helper functions: - nft_reg_track_update: cancel previous register tracking and update it. - nft_reg_track_cancel: cancel any previous register tracking info. - __nft_reg_track_cancel: cancel only one single register tracking info. Partial register clobbering detection is also supported by checking the .num_reg field which describes the number of register that are used. This patch updates the following expressions: - meta_bridge - bitwise - byteorder - meta - payload to use these helper functions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-03-19T23:29:46+00:00 Pablo Neira Ayuso pablo@netfilter.org 2022-03-14T17:23:00+00:00 urn:sha1:b2d306542ff935a4edf7a88ba8145c108193442a Skip register tracking for expressions that perform read-only operations on the registers. Define and use a cookie pointer NFT_REDUCE_READONLY to avoid defining stubs for these expressions. This patch re-enables register tracking which was disabled in ed5f85d42290 ("netfilter: nf_tables: disable register tracking"). Follow up patches add remaining register tracking for existing expressions. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-03-19T23:29:35+00:00 Phil Sutter phil@nwl.cc 2022-03-02T21:02:55+00:00 urn:sha1:31d0bb9763efad30377505f3467f958d1ebe1e3d The function sets the pernet boolean to avoid the spurious warning from nf_ct_lookup_helper() when assigning conntrack helpers via nftables. Fixes: 1a64edf54f55 ("netfilter: nft_ct: add helper set support") Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> 2022-03-17T20:56:58+00:00 Jakub Kicinski kuba@kernel.org 2022-03-17T20:56:06+00:00 urn:sha1:e243f39685af1bd6d837fa7bff40c1afdf3eb7fa No conflicts. Signed-off-by: Jakub Kicinski <kuba@kernel.org>