| author | Jakub Kicinski <kuba@kernel.org> | 2026-05-26 18:07:28 -0700 |
|---|---|---|
| committer | Jakub Kicinski <kuba@kernel.org> | 2026-05-26 18:07:28 -0700 |
| commit | 09cfce83e89a456a2587b4317b5395438feb2405 (patch) | |
| tree | ba97a028b1abf6d17cce6c7127a697113ade82cf /net | |
| parent | eca539e6619e80e9b2406dbea19575b4c25c015d (diff) | |
| parent | 2b413fc689ba890348db13a4daa5adf42846ebca (diff) | |
| download | linux-next-history-09cfce83e89a456a2587b4317b5395438feb2405.tar.gz | |
Merge tag 'nf-next-26-05-25' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next
Florian Westphal says:
====================
netfilter: updates for net-next
The following patchset contains Netfilter fixes and small enhancements:
1) Disable 32-bit x_tables compatibility (32bit binaries on 64bit
kernel) interface in user namespaces. This is 'last warning'
before this is removed for good.
2) Add a configuration toggle for netfilter GCOV profiling. Provide
dedicated toggles for ipset and ipvs.
3) Remove modular support for nfnetlink and restrict it to built-in only.
From Pablo Neira Ayuso.
4) Use per-rule hash initval in nf_conncount. This avoids unnecessary
lock contention with short keys (e.g. conntrack zones) in different
namespaces.
5) Use nf_ct_exp_net() in ctnetlink expectation dumps.
From Pratham Gupta.
6) Remove a dead conditional in nft_set_rbtree.
7) Fix conntrack helper policy updates to apply per-class values correctly.
From David Carlier.
8) Fix an off-by-one OOB read in nf_conntrack_irc:parse_dcc(). Use strict
less-than comparison in the newline search loop to respect the
exclusive-end pointer convention. From Muhammad Bilal.
9) Fix typos in nf_conntrack_proto_tcp comments. From Avinash Duduskar.
10) Restore performance optimization in nft_set_pipapo_avx2 by passing
the next map index. Refactor lookup logic for clarity and add a
DEBUG_NET check to document this.
11) Avoid (harmless) u16 overflow in nf_conntrack_ftp when parsing FTP PORT
and EPRT commands. Ignore commands where single octet exceeds 255.
From Giuseppe Caruso.
Patch 12, which removes incorrect (and obviously unused) code from
nft_byteorder was kept back to avoid a net -> net-next merge conflict.
* tag 'nf-next-26-05-25' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: nf_conntrack_ftp: avoid u16 overflows
netfilter: nft_set_pipapo_avx2: restore performance optimization
netfilter: nf_conntrack_proto_tcp: fix typos in comments
netfilter: nf_conntrack_irc: fix parse_dcc() off-by-one OOB read
netfilter: nfnl_cthelper: apply per-class values when updating policies
netfilter: nft_set_rbtree: remove dead conditional
netfilter: ctnetlink: use nf_ct_exp_net() in expectation dump
netfilter: nf_conncount: use per-rule hash initval
netfilter: allow nfnetlink built-in only
netfilter: add option for GCOV profiling
netfilter: x_tables: disable 32bit compat interface in user namespaces
====================
Link: https://patch.msgid.link/20260525182924.28456-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/bridge/Makefile | 6 | ||||
| -rw-r--r-- | net/bridge/netfilter/Makefile | 4 | ||||
| -rw-r--r-- | net/bridge/netfilter/ebtables.c | 4 | ||||
| -rw-r--r-- | net/ipv4/Makefile | 4 | ||||
| -rw-r--r-- | net/ipv4/netfilter/Makefile | 4 | ||||
| -rw-r--r-- | net/ipv4/netfilter/arp_tables.c | 4 | ||||
| -rw-r--r-- | net/ipv4/netfilter/ip_tables.c | 4 | ||||
| -rw-r--r-- | net/ipv6/Makefile | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/Makefile | 4 | ||||
| -rw-r--r-- | net/ipv6/netfilter/ip6_tables.c | 4 | ||||
| -rw-r--r-- | net/netfilter/Kconfig | 10 | ||||
| -rw-r--r-- | net/netfilter/Makefile | 6 | ||||
| -rw-r--r-- | net/netfilter/ipset/Kconfig | 9 | ||||
| -rw-r--r-- | net/netfilter/ipset/Makefile | 3 | ||||
| -rw-r--r-- | net/netfilter/ipvs/Kconfig | 9 | ||||
| -rw-r--r-- | net/netfilter/ipvs/Makefile | 3 | ||||
| -rw-r--r-- | net/netfilter/nf_conncount.c | 7 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_ftp.c | 11 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_irc.c | 6 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 2 | ||||
| -rw-r--r-- | net/netfilter/nf_conntrack_proto_tcp.c | 8 | ||||
| -rw-r--r-- | net/netfilter/nfnetlink_cthelper.c | 4 | ||||
| -rw-r--r-- | net/netfilter/nft_set_pipapo_avx2.c | 35 | ||||
| -rw-r--r-- | net/netfilter/nft_set_rbtree.c | 3 |
24 files changed, 114 insertions, 44 deletions
diff --git a/net/bridge/Makefile b/net/bridge/Makefile index 24bd1c0a9a5a3..1203dc19e15c9 100644 --- a/net/bridge/Makefile +++ b/net/bridge/Makefile @@ -29,3 +29,9 @@ obj-$(CONFIG_NETFILTER) += netfilter/ bridge-$(CONFIG_BRIDGE_MRP) += br_mrp_switchdev.o br_mrp.o br_mrp_netlink.o bridge-$(CONFIG_BRIDGE_CFM) += br_cfm.o br_cfm_netlink.o + +ifdef CONFIG_GCOV_PROFILE_NETFILTER +GCOV_PROFILE_br_nf_core.o := y +GCOV_PROFILE_br_netfilter_hooks.o := y +GCOV_PROFILE_br_netfilter_ipv6.o := y +endif diff --git a/net/bridge/netfilter/Makefile b/net/bridge/netfilter/Makefile index b9a1303da9771..af0c903aa4ace 100644 --- a/net/bridge/netfilter/Makefile +++ b/net/bridge/netfilter/Makefile @@ -38,3 +38,7 @@ obj-$(CONFIG_BRIDGE_EBT_SNAT) += ebt_snat.o # watchers obj-$(CONFIG_BRIDGE_EBT_LOG) += ebt_log.o obj-$(CONFIG_BRIDGE_EBT_NFLOG) += ebt_nflog.o + +ifdef CONFIG_GCOV_PROFILE_NETFILTER +GCOV_PROFILE := y +endif diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c index b9f4daac09af3..8d8f1a7c9ad5f 100644 --- a/net/bridge/netfilter/ebtables.c +++ b/net/bridge/netfilter/ebtables.c @@ -2455,6 +2455,8 @@ static int do_ebt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; #ifdef CONFIG_NETFILTER_XTABLES_COMPAT /* try real handler in case userland supplied needed padding */ @@ -2520,6 +2522,8 @@ static int do_ebt_set_ctl(struct sock *sk, int cmd, sockptr_t arg, if (!ns_capable(net->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; switch (cmd) { case EBT_SO_SET_ENTRIES: diff --git a/net/ipv4/Makefile b/net/ipv4/Makefile index 7964234f0d088..06e21c26b76f2 100644 --- a/net/ipv4/Makefile +++ b/net/ipv4/Makefile @@ -71,3 +71,7 @@ obj-$(CONFIG_TCP_AO) += tcp_ao.o ifeq ($(CONFIG_BPF_JIT),y) obj-$(CONFIG_BPF_SYSCALL) += bpf_tcp_ca.o endif + +ifdef CONFIG_GCOV_PROFILE_NETFILTER +GCOV_PROFILE_netfilter.o := y +endif 
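Review bot: The new `xt_compat_check()` guard in do_ebt_get_ctl carries no comment saying what it refuses, and the same two bare lines are repeated in do_ebt_set_ctl and in the six arp_tables/ip_tables/ip6_tables hunks that follow, so a reader of any one site cannot tell why a CAP_NET_ADMIN holder is turned away with -EPERM. Suggest one comment per site, e.g. `/* 32-bit compat interface is not available in user namespaces; slated for removal */` (the wording follows the commit message), or a kernel-doc on xt_compat_check() itself, whose definition is outside this diff. Placing the check after ns_capable() means an uncapable caller learns nothing new, which is the right order; note that userspace cannot distinguish this -EPERM from the capability failure just above, which may or may not be intended. The bodies of both ebtables functions continue outside their hunks.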
diff --git a/net/ipv4/netfilter/Makefile b/net/ipv4/netfilter/Makefile index 85502d4dfbb4d..dbfb1c4739a87 100644 --- a/net/ipv4/netfilter/Makefile +++ b/net/ipv4/netfilter/Makefile @@ -51,3 +51,7 @@ obj-$(CONFIG_IP_NF_ARP_MANGLE) += arpt_mangle.o obj-$(CONFIG_IP_NF_ARPFILTER) += arptable_filter.o obj-$(CONFIG_NF_DUP_IPV4) += nf_dup_ipv4.o + +ifdef CONFIG_GCOV_PROFILE_NETFILTER +GCOV_PROFILE := y +endif diff --git a/net/ipv4/netfilter/arp_tables.c b/net/ipv4/netfilter/arp_tables.c index ad2259678c785..341ae049e5a21 100644 --- a/net/ipv4/netfilter/arp_tables.c +++ b/net/ipv4/netfilter/arp_tables.c @@ -1430,6 +1430,8 @@ static int do_arpt_set_ctl(struct sock *sk, int cmd, sockptr_t arg, if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; switch (cmd) { case ARPT_SO_SET_REPLACE: @@ -1458,6 +1460,8 @@ static int do_arpt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; switch (cmd) { case ARPT_SO_GET_INFO: diff --git a/net/ipv4/netfilter/ip_tables.c b/net/ipv4/netfilter/ip_tables.c index 5cbdb0815857f..f917a9004a01a 100644 --- a/net/ipv4/netfilter/ip_tables.c +++ b/net/ipv4/netfilter/ip_tables.c @@ -1624,6 +1624,8 @@ do_ipt_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len) if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; switch (cmd) { case IPT_SO_SET_REPLACE: @@ -1653,6 +1655,8 @@ do_ipt_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; switch (cmd) { case IPT_SO_GET_INFO: diff --git a/net/ipv6/Makefile b/net/ipv6/Makefile index 2c9ce2ccbde17..5b0cd64880212 100644 --- a/net/ipv6/Makefile +++ b/net/ipv6/Makefile 
@@ -54,3 +54,7 @@ obj-$(CONFIG_NET_UDP_TUNNEL) += ip6_udp_tunnel.o obj-y += mcast_snoop.o obj-$(CONFIG_TCP_AO) += tcp_ao.o endif + +ifdef CONFIG_GCOV_PROFILE_NETFILTER +GCOV_PROFILE_netfilter.o := y +endif diff --git a/net/ipv6/netfilter/Makefile b/net/ipv6/netfilter/Makefile index 66ce6fa5b2f52..72902d8005ad9 100644 --- a/net/ipv6/netfilter/Makefile +++ b/net/ipv6/netfilter/Makefile @@ -43,3 +43,7 @@ obj-$(CONFIG_IP6_NF_MATCH_SRH) += ip6t_srh.o obj-$(CONFIG_IP6_NF_TARGET_NPT) += ip6t_NPT.o obj-$(CONFIG_IP6_NF_TARGET_REJECT) += ip6t_REJECT.o obj-$(CONFIG_IP6_NF_TARGET_SYNPROXY) += ip6t_SYNPROXY.o + +ifdef CONFIG_GCOV_PROFILE_NETFILTER +GCOV_PROFILE := y +endif diff --git a/net/ipv6/netfilter/ip6_tables.c b/net/ipv6/netfilter/ip6_tables.c index 9d9c3763f2f5e..ecf79d05a51bc 100644 --- a/net/ipv6/netfilter/ip6_tables.c +++ b/net/ipv6/netfilter/ip6_tables.c @@ -1633,6 +1633,8 @@ do_ip6t_set_ctl(struct sock *sk, int cmd, sockptr_t arg, unsigned int len) if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; switch (cmd) { case IP6T_SO_SET_REPLACE: @@ -1662,6 +1664,8 @@ do_ip6t_get_ctl(struct sock *sk, int cmd, void __user *user, int *len) if (!ns_capable(sock_net(sk)->user_ns, CAP_NET_ADMIN)) return -EPERM; + if (!xt_compat_check()) + return -EPERM; switch (cmd) { case IP6T_SO_GET_INFO: diff --git a/net/netfilter/Kconfig b/net/netfilter/Kconfig index 682c675125fc1..665f8008cc4b2 100644 --- a/net/netfilter/Kconfig +++ b/net/netfilter/Kconfig @@ -22,7 +22,7 @@ config NETFILTER_SKIP_EGRESS def_bool NETFILTER_EGRESS && (NET_CLS_ACT || IFB) config NETFILTER_NETLINK - tristate + bool config NETFILTER_FAMILY_BRIDGE bool 
@@ -1648,6 +1648,14 @@ config NETFILTER_XT_MATCH_U32 endif # NETFILTER_XTABLES +config GCOV_PROFILE_NETFILTER + bool "Enable GCOV profiling for netfilter" + depends on GCOV_KERNEL + help + Enable GCOV profiling for netfilter to check which functions/lines + are executed. + + If unsure, say N. endmenu source "net/netfilter/ipset/Kconfig" diff --git a/net/netfilter/Makefile b/net/netfilter/Makefile index 6bfc250e474fe..6bf74d488a292 100644 --- a/net/netfilter/Makefile +++ b/net/netfilter/Makefile @@ -1,5 +1,6 @@ # SPDX-License-Identifier: GPL-2.0 netfilter-objs := core.o nf_log.o nf_queue.o nf_sockopt.o utils.o +netfilter-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o nf_conntrack-y := nf_conntrack_core.o nf_conntrack_standalone.o nf_conntrack_expect.o nf_conntrack_helper.o \ nf_conntrack_proto.o nf_conntrack_proto_generic.o nf_conntrack_proto_tcp.o nf_conntrack_proto_udp.o \ @@ -23,7 +24,6 @@ endif obj-$(CONFIG_NETFILTER) = netfilter.o obj-$(CONFIG_NETFILTER_BPF_LINK) += nf_bpf_link.o -obj-$(CONFIG_NETFILTER_NETLINK) += nfnetlink.o obj-$(CONFIG_NETFILTER_NETLINK_ACCT) += nfnetlink_acct.o obj-$(CONFIG_NETFILTER_NETLINK_QUEUE) += nfnetlink_queue.o obj-$(CONFIG_NETFILTER_NETLINK_LOG) += nfnetlink_log.o @@ -240,3 +240,7 @@ obj-$(CONFIG_IP_VS) += ipvs/ # lwtunnel obj-$(CONFIG_LWTUNNEL) += nf_hooks_lwtunnel.o + +ifdef CONFIG_GCOV_PROFILE_NETFILTER +GCOV_PROFILE := y +endif diff --git a/net/netfilter/ipset/Kconfig b/net/netfilter/ipset/Kconfig index b1ea054bb82c8..6c4d547581067 100644 --- a/net/netfilter/ipset/Kconfig +++ b/net/netfilter/ipset/Kconfig @@ -175,4 +175,13 @@ config IP_SET_LIST_SET To compile it as a module, choose M here. If unsure, say N. +config GCOV_PROFILE_IPSET + bool "Enable GCOV profiling for ipset" + depends on GCOV_KERNEL + help + Enable GCOV profiling for ipset to check which functions/lines + are executed. + + If unsure, say N. + endif # IP_SET 
diff --git a/net/netfilter/ipset/Makefile b/net/netfilter/ipset/Makefile index a445a6bf4f111..4f48df5406cd3 100644 --- a/net/netfilter/ipset/Makefile +++ b/net/netfilter/ipset/Makefile @@ -29,3 +29,6 @@ obj-$(CONFIG_IP_SET_HASH_NETPORTNET) += ip_set_hash_netportnet.o # list types obj-$(CONFIG_IP_SET_LIST_SET) += ip_set_list_set.o +ifdef CONFIG_GCOV_PROFILE_IPSET +GCOV_PROFILE := y +endif diff --git a/net/netfilter/ipvs/Kconfig b/net/netfilter/ipvs/Kconfig index c203252e856d8..7724cb44e6dea 100644 --- a/net/netfilter/ipvs/Kconfig +++ b/net/netfilter/ipvs/Kconfig @@ -349,4 +349,13 @@ config IP_VS_PE_SIP help Allow persistence based on the SIP Call-ID +config GCOV_PROFILE_IPVS + bool "Enable GCOV profiling for IPVS" + depends on GCOV_KERNEL + help + Enable GCOV profiling for IPVS to check which functions/lines + are executed. + + If unsure, say N. + endif # IP_VS diff --git a/net/netfilter/ipvs/Makefile b/net/netfilter/ipvs/Makefile index bb5d8125c82ab..8e4cc67ad39d5 100644 --- a/net/netfilter/ipvs/Makefile +++ b/net/netfilter/ipvs/Makefile @@ -43,3 +43,6 @@ obj-$(CONFIG_IP_VS_FTP) += ip_vs_ftp.o # IPVS connection template retrievers obj-$(CONFIG_IP_VS_PE_SIP) += ip_vs_pe_sip.o +ifdef CONFIG_GCOV_PROFILE_IPVS +GCOV_PROFILE := y +endif diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c index 00eed5b4d1b12..ab28b47395bd2 100644 --- a/net/netfilter/nf_conncount.c +++ b/net/netfilter/nf_conncount.c @@ -58,6 +58,7 @@ static spinlock_t nf_conncount_locks[CONNCOUNT_SLOTS] __cacheline_aligned_in_smp struct nf_conncount_data { unsigned int keylen; + u32 initval; struct rb_root root[CONNCOUNT_SLOTS]; struct net *net; struct work_struct gc_work; @@ -65,7 +66,6 @@ struct nf_conncount_data { unsigned int gc_tree; }; -static u_int32_t conncount_rnd __read_mostly; static struct kmem_cache *conncount_rb_cachep __read_mostly; static struct kmem_cache *conncount_conn_cachep __read_mostly; 
@@ -496,7 +496,7 @@ count_tree(struct net *net, struct nf_conncount_rb *rbconn; unsigned int hash; - hash = jhash2(key, data->keylen, conncount_rnd) % CONNCOUNT_SLOTS; + hash = jhash2(key, data->keylen, data->initval) % CONNCOUNT_SLOTS; root = &data->root[hash]; parent = rcu_dereference_raw(root->rb_node); @@ -630,8 +630,6 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen keylen == 0) return ERR_PTR(-EINVAL); - net_get_random_once(&conncount_rnd, sizeof(conncount_rnd)); - data = kmalloc_obj(*data); if (!data) return ERR_PTR(-ENOMEM); @@ -641,6 +639,7 @@ struct nf_conncount_data *nf_conncount_init(struct net *net, unsigned int keylen data->keylen = keylen / sizeof(u32); data->net = net; + data->initval = get_random_u32(); INIT_WORK(&data->gc_work, tree_gc_worker); return data; diff --git a/net/netfilter/nf_conntrack_ftp.c b/net/netfilter/nf_conntrack_ftp.c index de83bf9e6c61a..dc6f0017ca6bd 100644 --- a/net/netfilter/nf_conntrack_ftp.c +++ b/net/netfilter/nf_conntrack_ftp.c @@ -120,6 +120,8 @@ static int try_number(const char *data, size_t dlen, u_int32_t array[], for (i = 0, len = 0; len < dlen && i < array_size; len++, data++) { if (*data >= '0' && *data <= '9') { array[i] = array[i]*10 + *data - '0'; + if (array[i] > 255) + return 0; } else if (*data == sep) i++; @@ -189,7 +191,7 @@ static int try_rfc1123(const char *data, size_t dlen, static int get_port(const char *data, int start, size_t dlen, char delim, __be16 *port) { - u_int16_t tmp_port = 0; + u32 tmp_port = 0; int i; for (i = start; i < dlen; i++) { 
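Review bot: The new `initval` member of struct nf_conncount_data is undocumented; only the commit message explains that it replaces the global conncount_rnd so that separate rules spread the same short key over different slots. Suggest `u32 initval; /* per-instance jhash seed, written once in nf_conncount_init(); selects the CONNCOUNT_SLOTS bucket in count_tree() */`. The only write I can see is the `get_random_u32()` assignment before INIT_WORK, and count_tree() reads it after an rcu_dereference_raw of the root, which looks consistent but is worth stating in the comment so nobody later makes the seed mutable.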
@@ -200,10 +202,11 @@ static int get_port(const char *data, int start, size_t dlen, char delim, *port = htons(tmp_port); pr_debug("get_port: return %d\n", tmp_port); return i + 1; - } - else if (data[i] >= '0' && data[i] <= '9') + } else if (data[i] >= '0' && data[i] <= '9') { tmp_port = tmp_port*10 + data[i] - '0'; - else { /* Some other crap */ + if (tmp_port > 65535) + break; + } else { /* Some other crap */ pr_debug("get_port: invalid char.\n"); break; } diff --git a/net/netfilter/nf_conntrack_irc.c b/net/netfilter/nf_conntrack_irc.c index 522183b9a6046..9a7b8f6221eb0 100644 --- a/net/netfilter/nf_conntrack_irc.c +++ b/net/netfilter/nf_conntrack_irc.c @@ -59,7 +59,7 @@ static const char *const dccprotos[] = { /* tries to get the ip_addr and port out of a dcc command * return value: -1 on failure, 0 on success * data pointer to first byte of DCC command data - * data_end pointer to last byte of dcc command data + * data_end one past end of data * ip returns parsed ip of dcc command * port returns parsed port of dcc command * ad_beg_p returns pointer to first byte of addr data @@ -77,10 +77,10 @@ static int parse_dcc(char *data, const char *data_end, __be32 *ip, /* Make sure we have a newline character within the packet boundaries * because simple_strtoul parses until the first invalid character. */ - for (tmp = data; tmp <= data_end; tmp++) + for (tmp = data; tmp < data_end; tmp++) if (*tmp == '\n') break; - if (tmp > data_end || *tmp != '\n') + if (tmp >= data_end || *tmp != '\n') return -1; *ad_beg_p = data; diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index befa7e83ee49f..d429f9c9546cd 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -3173,7 +3173,7 @@ restart: if (l3proto && exp->tuple.src.l3num != l3proto) continue; - if (!net_eq(nf_ct_net(exp->master), net)) + if (!net_eq(nf_ct_exp_net(exp), net)) continue; if (cb->args[1]) { 
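Review bot: `pr_debug("get_port: return %d\n", tmp_port);` in the get_port hunk now prints a u32 with `%d`; it should become `%u` to match the widened type. The new `if (tmp_port > 65535) break;` leaves the loop with the rest of the command unparsed and relies on the code after the loop, outside the hunk, to report failure; a short comment such as `/* out of range: reject the whole command */` would make the bare break self-explanatory. The bounds 255 in try_number and 65535 here are the limits the commit message describes and could be spelled `U8_MAX`/`U16_MAX` rather than magic numbers. get_port begins in the previous hunk and its return path is outside this one.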
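Review bot: After the loop change in parse_dcc, the `|| *tmp != '\n'` half of `if (tmp >= data_end || *tmp != '\n')` is dead: the loop now only exits with tmp < data_end when *tmp is '\n', and otherwise tmp == data_end, which the first clause already rejects. `if (tmp >= data_end) return -1;` states the invariant more plainly and makes it obvious that no byte at or beyond data_end is ever read. The header comment now correctly documents data_end as one past the end, which is what the bound relies on; the parse_dcc signature and the rest of its body are outside the hunk.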
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c index b67426c2189b2..47dc6edb44319 100644 --- a/net/netfilter/nf_conntrack_proto_tcp.c +++ b/net/netfilter/nf_conntrack_proto_tcp.c @@ -169,14 +169,14 @@ static const u8 tcp_conntracks[2][6][TCP_CONNTRACK_MAX] = { /*fin*/ { sIV, sIV, sFW, sFW, sLA, sLA, sLA, sTW, sCL, sIV }, /* * sNO -> sIV Too late and no reason to do anything... - * sSS -> sIV Client migth not send FIN in this state: + * sSS -> sIV Client might not send FIN in this state: * we enforce waiting for a SYN/ACK reply first. * sS2 -> sIV * sSR -> sFW Close started. * sES -> sFW * sFW -> sLA FIN seen in both directions, waiting for * the last ACK. - * Migth be a retransmitted FIN as well... + * Might be a retransmitted FIN as well... * sCW -> sLA * sLA -> sLA Retransmitted FIN. Remain in the same state. * sTW -> sTW @@ -798,7 +798,7 @@ static void tcp_error_log(const struct sk_buff *skb, nf_l4proto_log_invalid(skb, state, IPPROTO_TCP, "%s", msg); } -/* Protect conntrack agaist broken packets. Code taken from ipt_unclean.c. */ +/* Protect conntrack against broken packets. Code taken from ipt_unclean.c. */ static bool tcp_error(const struct tcphdr *th, struct sk_buff *skb, unsigned int dataoff, @@ -1098,7 +1098,7 @@ int nf_conntrack_tcp_packet(struct nf_conn *ct, } /* Mark the potential for RFC5961 challenge ACK, * this pose a special problem for LAST_ACK state - * as ACK is intrepretated as ACKing last FIN. + * as ACK is interpreted as ACKing last FIN. */ if (old_state == TCP_CONNTRACK_LAST_ACK) ct->proto.tcp.last_flags |= diff --git a/net/netfilter/nfnetlink_cthelper.c b/net/netfilter/nfnetlink_cthelper.c index 0d16ad82d70c0..34af6840803e2 100644 --- a/net/netfilter/nfnetlink_cthelper.c +++ b/net/netfilter/nfnetlink_cthelper.c 
@@ -346,8 +346,8 @@ static int nfnl_cthelper_update_policy_all(struct nlattr *tb[], for (i = 0; i < helper->expect_class_max + 1; i++) { policy = (struct nf_conntrack_expect_policy *) &helper->expect_policy[i]; - policy->max_expected = new_policy->max_expected; - policy->timeout = new_policy->timeout; + policy->max_expected = new_policy[i].max_expected; + policy->timeout = new_policy[i].timeout; } err: diff --git a/net/netfilter/nft_set_pipapo_avx2.c b/net/netfilter/nft_set_pipapo_avx2.c index dad265807b8b3..b3f105520a85b 100644 --- a/net/netfilter/nft_set_pipapo_avx2.c +++ b/net/netfilter/nft_set_pipapo_avx2.c @@ -144,6 +144,7 @@ static void nft_pipapo_avx2_fill(unsigned long *data, int start, int len) * This is an alternative implementation of pipapo_refill() suitable for usage * with AVX2 lookup routines: we know there are four words to be scanned, at * a given offset inside the map, for each matching iteration. + * The caller must ensure at least one bit in the four words is set. * * This function doesn't actually use any AVX2 instruction. * @@ -179,6 +180,7 @@ static int nft_pipapo_avx2_refill(int offset, unsigned long *map, NFT_PIPAPO_AVX2_REFILL_ONE_WORD(3); #undef NFT_PIPAPO_AVX2_REFILL_ONE_WORD + DEBUG_NET_WARN_ON_ONCE(ret < 0); return ret; } @@ -243,8 +245,7 @@ static int nft_pipapo_avx2_lookup_4b_2(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -320,8 +321,7 @@ static int nft_pipapo_avx2_lookup_4b_4(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; 
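Review bot: The fix indexes `new_policy[i]` for every i up to `helper->expect_class_max`, so it is only correct if new_policy was allocated with expect_class_max + 1 entries; that allocation is outside the hunk, and nothing at the loop records the dependency. Suggest a comment on the loop, e.g. `/* new_policy holds one entry per class, expect_class_max + 1 in total */`, so the sizing and the indexing are kept in step by whoever touches either. The existing cast that drops const from `&helper->expect_policy[i]` before the writes predates this commit and is untouched here. nfnl_cthelper_update_policy_all begins and ends outside the hunk.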
@@ -415,8 +415,7 @@ static int nft_pipapo_avx2_lookup_4b_8(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -506,8 +505,7 @@ static int nft_pipapo_avx2_lookup_4b_12(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -642,8 +640,7 @@ static int nft_pipapo_avx2_lookup_4b_32(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -700,8 +697,7 @@ static int nft_pipapo_avx2_lookup_8b_1(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -765,8 +761,7 @@ static int nft_pipapo_avx2_lookup_8b_2(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -840,8 +835,7 @@ static int nft_pipapo_avx2_lookup_8b_4(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -926,8 +920,7 @@ static int nft_pipapo_avx2_lookup_8b_6(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; 
@@ -1020,8 +1013,7 @@ static int nft_pipapo_avx2_lookup_8b_16(unsigned long *map, unsigned long *fill, b = nft_pipapo_avx2_refill(i_ul, &map[i_ul], fill, f->mt, last); if (last) ret = b; - - if (unlikely(ret == -1)) + else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE; continue; @@ -1143,6 +1135,7 @@ struct nft_pipapo_elem *pipapo_get_avx2(const struct nft_pipapo_match *m, const struct nft_pipapo_field *f; unsigned long *res, *fill, *map; bool map_index; + int ret = 0; int i; scratch = *raw_cpu_ptr(m->scratch); @@ -1167,8 +1160,8 @@ struct nft_pipapo_elem *pipapo_get_avx2(const struct nft_pipapo_match *m, nft_pipapo_for_each_field(f, i, m) { bool last = i == m->field_count - 1, first = !i; - int ret = 0; + /* NB: previous round @ret is passed to avx2 lookup fn */ #define NFT_SET_PIPAPO_AVX2_LOOKUP(b, n) \ (ret = nft_pipapo_avx2_lookup_##b##b_##n(res, fill, f, \ ret, data, \ diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c index 560fbe6e3f750..b4f0b5fdf1f26 100644 --- a/net/netfilter/nft_set_rbtree.c +++ b/net/netfilter/nft_set_rbtree.c @@ -396,9 +396,6 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set, const struct nft_rbtree_elem *removed_end; removed_end = nft_rbtree_gc_elem(set, priv, rbe); - if (IS_ERR(removed_end)) - return PTR_ERR(removed_end); - if (removed_end == rbe_le || removed_end == rbe_ge) return -EAGAIN; |
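Review bot: In every lookup function the new `else if (unlikely(ret == -1)) ret = b / XSAVE_YMM_SIZE;` maps a b of -1 to 0, since C integer division truncates toward zero (assuming XSAVE_YMM_SIZE is a signed constant); nft_pipapo_avx2_refill() still starts its result at -1, and the only guard is the new `DEBUG_NET_WARN_ON_ONCE(ret < 0)`, which is compiled out on production kernels, so a violated "at least one bit set" precondition on a non-last field silently becomes map index 0 rather than a miss. The refill comment should say this outright, e.g. `* A result of -1 is never expected here; callers use the value as an index without checking it.`, so that nobody later treats -1 as a usable sentinel. The eleven `else if` hunks are identical and this applies to all of them; pipapo_get_avx2(), where the hoisted `int ret = 0` is now carried from one field to the next, is cut at both ends of its hunk.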
