| Message ID | 20230720165143.30208-2-fw@strlen.de (mailing list archive) |
|---|---|
| State | Accepted |
| Commit | ddbd8be68941985f166f5107109a90ce13147c44 |
| Delegated to: | Netdev Maintainers |
| Series | [net,1/5] netfilter: nf_tables: fix spurious set element insertion failure |
Hello:

This series was applied to netdev/net.git (main)
by Florian Westphal <fw@strlen.de>:

On Thu, 20 Jul 2023 18:51:33 +0200 you wrote:
> On some platforms there is a padding hole in the nft_verdict
> structure, between the verdict code and the chain pointer.
>
> On element insertion, if the new element clashes with an existing one and
> NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
> the data associated with duplicated element is the same as the existing
> one. The data equality check uses memcmp.
>
> [...]

Here is the summary with links:
  - [net,1/5] netfilter: nf_tables: fix spurious set element insertion failure
    https://git.kernel.org/netdev/net/c/ddbd8be68941
  - [net,2/5] netfilter: nf_tables: can't schedule in nft_chain_validate
    https://git.kernel.org/netdev/net/c/314c82841602
  - [net,3/5] netfilter: nft_set_pipapo: fix improper element removal
    https://git.kernel.org/netdev/net/c/87b5a5c20940
  - [net,4/5] netfilter: nf_tables: skip bound chain in netns release path
    https://git.kernel.org/netdev/net/c/751d460ccff3
  - [net,5/5] netfilter: nf_tables: skip bound chain on rule flush
    https://git.kernel.org/netdev/net/c/6eaf41e87a22

You are awesome, thank you!
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 237f739da3ca..79c7eee33dcd 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -10517,6 +10517,9 @@ static int nft_verdict_init(const struct nft_ctx *ctx, struct nft_data *data, if (!tb[NFTA_VERDICT_CODE]) return -EINVAL; + + /* zero padding hole for memcmp */ + memset(data, 0, sizeof(*data)); data->verdict.code = ntohl(nla_get_be32(tb[NFTA_VERDICT_CODE])); switch (data->verdict.code) {
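Review bot: the `/* zero padding hole for memcmp */` comment above the new `memset(data, 0, sizeof(*data));` should name which comparison depends on the zeroed padding, since nothing in nft_verdict_init itself calls memcmp; the description points at the set element duplicate check taken when NLM_F_EXCL is not set, so something like `/* zero padding hole: set element duplicate check compares nft_data with memcmp */` keeps that dependency discoverable for whoever next touches either site. Placing the memset after the `tb[NFTA_VERDICT_CODE]` check is fine, as the -EINVAL path never hands the data back, but it is worth confirming that every other path which fills a verdict-typed nft_data clears it the same way; otherwise the memcmp-based equality check stays unreliable on platforms with the hole.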
On some platforms there is a padding hole in the nft_verdict
structure, between the verdict code and the chain pointer.

On element insertion, if the new element clashes with an existing one and
NLM_F_EXCL flag isn't set, we want to ignore the -EEXIST error as long as
the data associated with duplicated element is the same as the existing
one. The data equality check uses memcmp.

For normal data (NFT_DATA_VALUE) this works fine, but for NFT_DATA_VERDICT
padding area leads to spurious failure even if the verdict data is the same.

This then makes the insertion fail with 'already exists' error, even
though the new "key : data" matches an existing entry and userspace told
the kernel that it doesn't want to receive an error indication.

Fixes: c016c7e45ddf ("netfilter: nf_tables: honor NLM_F_EXCL flag in set element insertion")
Signed-off-by: Florian Westphal <fw@strlen.de>
---
 net/netfilter/nf_tables_api.c | 3 +++
 1 file changed, 3 insertions(+)
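To make the padding-hole failure described in the commit message concrete, here is an added example that is not part of the patch or of the kernel tree: a stand-in struct modelled on nft_verdict (a 32-bit code followed by a pointer) is initialised with and without the memset, and both copies are compared with memcmp the way the set element duplicate check does. The struct `verdict_like` and the functions `padding_bytes`, `init_unzeroed`, `init_zeroed` and `compare_verdicts` are assumptions for this demonstration, not kernel code.

```c
#include <stdint.h>
#include <string.h>

/* Stand-in for the kernel's nft_verdict (assumed layout, not the kernel
 * header): a 32-bit code followed by a pointer. On LP64 targets the pointer
 * is 8-byte aligned, leaving a 4-byte padding hole between the members. */
struct verdict_like {
    uint32_t code;
    void *chain;
};

/* Padding bytes in the struct; 0 means this platform has no hole. */
static size_t padding_bytes(void)
{
    return sizeof(struct verdict_like) - sizeof(uint32_t) - sizeof(void *);
}

/* Before the fix: member stores never touch the padding, so whatever the
 * storage held beforehand stays there. */
static void init_unzeroed(struct verdict_like *v, uint32_t code, void *chain)
{
    v->code = code;
    v->chain = chain;
}

/* After the fix: clear the whole object first, padding included, so a later
 * memcmp() of two such objects reflects only the members. */
static void init_zeroed(struct verdict_like *v, uint32_t code, void *chain)
{
    memset(v, 0, sizeof(*v));
    v->code = code;
    v->chain = chain;
}

/* Build two verdicts with identical members on top of different stale bytes
 * (constructed stand-in for leftover stack or heap contents) and return the
 * memcmp() result the set element duplicate check would see; 0 means equal. */
static int compare_verdicts(void (*init)(struct verdict_like *, uint32_t, void *))
{
    union { struct verdict_like v; unsigned char raw[sizeof(struct verdict_like)]; } a, b;
    static int chain;   /* any object serves as the pointer target */

    memset(a.raw, 0xAA, sizeof a.raw);
    memset(b.raw, 0x55, sizeof b.raw);
    init(&a.v, 1, &chain);
    init(&b.v, 1, &chain);
    return memcmp(&a.v, &b.v, sizeof a.v);
}
```

On a platform where `padding_bytes()` is non-zero, `compare_verdicts(init_unzeroed)` reports the two identical verdicts as different, which is exactly the spurious "already exists" outcome; `compare_verdicts(init_zeroed)` returns 0.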