[5.10.y,0/3] netfilter: nf_tables fixes for 5.10.y

Message ID 20210909140337.29707-1-fw@strlen.de
Message

Florian Westphal Sept. 9, 2021, 2:03 p.m. UTC
Hello,

please consider applying these nf_tables fixes to the 5.10.y tree.
These patches had to be mangled to make them apply to 5.10.y.

I've done the following tests in a kasan/kmemleak enabled vm:
1. run upstream nft python/shell tests.
   Without patch 2 and 3 doing so results in kernel crash.
   Some tests fail but afaics those are expected to
   fail on 5.10 due to lack of feature being tested.
2. Tested the 'conncount' feature (it's affected by last patch).
   Worked as designed.
3. ran nftables related kernel self tests.

No kmemleak or kasan splats were seen.

Eric Dumazet (1):
  netfilter: nftables: avoid potential overflows on 32bit arches

Pablo Neira Ayuso (2):
  netfilter: nf_tables: initialize set before expression setup
  netfilter: nftables: clone set element expression template

 net/netfilter/nf_tables_api.c | 89 ++++++++++++++++++++++-------------
 net/netfilter/nft_set_hash.c  | 10 ++--
 2 files changed, 62 insertions(+), 37 deletions(-)

Comments

Salvatore Bonaccorso Sept. 11, 2021, 9:39 a.m. UTC | #1
Hi Greg,

On Thu, Sep 09, 2021 at 04:52:09PM +0200, Greg KH wrote:
> On Thu, Sep 09, 2021 at 04:03:34PM +0200, Florian Westphal wrote:
> > Hello,
> > 
> > please consider applying these nf_tables fixes to the 5.10.y tree.
> > These patches had to be mangled to make them apply to 5.10.y.
> > 
> > I've done the following tests in a kasan/kmemleak enabled vm:
> > 1. run upstream nft python/shell tests.
> >    Without patch 2 and 3 doing so results in kernel crash.
> >    Some tests fail but afaics those are expected to
> >    fail on 5.10 due to lack of feature being tested.
> > 2. Tested the 'conncount' feature (it's affected by last patch).
> >    Worked as designed.
> > 3. ran nftables related kernel self tests.
> > 
> > No kmemleak or kasan splats were seen.
> > 
> > Eric Dumazet (1):
> >   netfilter: nftables: avoid potential overflows on 32bit arches
> > 
> > Pablo Neira Ayuso (2):
> >   netfilter: nf_tables: initialize set before expression setup
> >   netfilter: nftables: clone set element expression template
> > 
> >  net/netfilter/nf_tables_api.c | 89 ++++++++++++++++++++++-------------
> >  net/netfilter/nft_set_hash.c  | 10 ++--
> >  2 files changed, 62 insertions(+), 37 deletions(-)
> > 
> > -- 
> > 2.32.0
> > 
> 
> All now queued up, thanks!

Florian, thank you! My query originated from a bug report in Debian
triggering the issue with the 5.10.y kernels used.

Not really needed here as Greg already queued up but:

Tested-by: Salvatore Bonaccorso <carnil@debian.org>


Regards,
Salvatore

Florian Westphal Sept. 11, 2021, 12:06 p.m. UTC | #2
Salvatore Bonaccorso <carnil@debian.org> wrote:
> On Thu, Sep 09, 2021 at 04:52:09PM +0200, Greg KH wrote:
> > All now queued up, thanks!
> 
> Florian, thank you! My query originated from a bug report in Debian
> triggering the issue with the 5.10.y kernels used.
> 
> Not really needed here as Greg already queued up but:
> 
> Tested-by: Salvatore Bonaccorso <carnil@debian.org>

Thanks for testing!

Please let us know if anything else in netfilter territory
is not working as expected.