
Merge tag 'nf-25-12-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf

Florian Westphal says:

====================
netfilter: updates for net

1) Fix refcount leaks in nf_conncount, from Fernando Fernandez Mancera.
This addresses a recent regression that came in the last -next
pull request.

2) Fix a null dereference in route error handling in IPVS, from Slavin
Liu. This is an ancient issue dating back to 5.1 days.

3) Always set ifindex in route tuple in the flowtable output path, from
Lorenzo Bianconi. This bug came in with the recent output path refactoring.

4) Prefer 'exit $ksft_xfail' over 'exit $ksft_skip' when we fail to
trigger a nat race condition to exercise the clash resolution path in
selftest infra; $ksft_skip should be reserved for missing tooling.
From myself.

* tag 'nf-25-12-10' of https://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf:
selftests: netfilter: prefer xfail in case race wasn't triggered
netfilter: always set route tuple out ifindex
ipvs: fix ipv4 null-ptr-deref in route error path
netfilter: nf_conncount: fix leaked ct in error paths
====================

Link: https://patch.msgid.link/20251210110754.22620-1-fw@strlen.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

+24 -17
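--- a/net/netfilter/ipvs/ip_vs_xmit.c
+++ b/net/netfilter/ipvs/ip_vs_xmit.c
@@ -408,6 +408,9 @@
 	return -1;
 
 err_unreach:
+	if (!skb->dev)
+		skb->dev = skb_dst(skb)->dev;
+
 	dst_link_failure(skb);
 	return -1;
 }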
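Review bot: The new assignment at err_unreach dereferences skb_dst(skb) unconditionally, so it is only safe if every jump to err_unreach happens while the skb still carries a dst; the enclosing function starts outside the hunk, so that cannot be confirmed from here. A why-comment would help the next reader, e.g. `/* dst_link_failure() needs skb->dev; fall back to the dst device when not set */`. If any path can reach this label with no dst attached, the guard should become `if (!skb->dev && skb_dst(skb))` so the fix for one NULL dereference does not introduce another.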
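--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -172,14 +172,14 @@
 	struct nf_conn *found_ct;
 	unsigned int collect = 0;
 	bool refcounted = false;
+	int err = 0;
 
 	if (!get_ct_or_tuple_from_skb(net, skb, l3num, &ct, &tuple, &zone, &refcounted))
 		return -ENOENT;
 
 	if (ct && nf_ct_is_confirmed(ct)) {
-		if (refcounted)
-			nf_ct_put(ct);
-		return -EEXIST;
+		err = -EEXIST;
+		goto out_put;
 	}
 
 	if ((u32)jiffies == list->last_gc)
@@ -231,12 +231,16 @@
 	}
 
 add_new_node:
-	if (WARN_ON_ONCE(list->count > INT_MAX))
-		return -EOVERFLOW;
+	if (WARN_ON_ONCE(list->count > INT_MAX)) {
+		err = -EOVERFLOW;
+		goto out_put;
+	}
 
 	conn = kmem_cache_alloc(conncount_conn_cachep, GFP_ATOMIC);
-	if (conn == NULL)
-		return -ENOMEM;
+	if (conn == NULL) {
+		err = -ENOMEM;
+		goto out_put;
+	}
 
 	conn->tuple = tuple;
 	conn->zone = *zone;
@@ -253,7 +249,7 @@
 out_put:
 	if (refcounted)
 		nf_ct_put(ct);
-	return 0;
+	return err;
 }
 
 int nf_conncount_add_skb(struct net *net,
@@ -460,11 +456,10 @@
 
 		rb_link_node_rcu(&rbconn->node, parent, rbnode);
 		rb_insert_color(&rbconn->node, root);
-
-		if (refcounted)
-			nf_ct_put(ct);
 	}
 out_unlock:
+	if (refcounted)
+		nf_ct_put(ct);
 	spin_unlock_bh(&nf_conncount_locks[hash]);
 	return count;
 }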
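Review bot: Moving nf_ct_put() under the out_unlock label (new lines 461-462) makes every exit through that label drop the reference, which is correct only if `refcounted` is initialized to false before the first `goto out_unlock` and is set solely when get_ct_or_tuple_from_skb() actually took a reference; the start of that function lies outside the hunk, so this cannot be verified here. A one-line comment at the label, `/* drop the ct reference taken by get_ct_or_tuple_from_skb() on every exit path */`, would make the invariant explicit for the next person who adds an early exit. The first function's three early returns now all funnel through out_put with `err`, which is the same invariant and reads consistently.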
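--- a/net/netfilter/nf_flow_table_path.c
+++ b/net/netfilter/nf_flow_table_path.c
@@ -250,6 +250,9 @@
 	if (nft_dev_fill_forward_path(route, dst, ct, dir, ha, &stack) >= 0)
 		nft_dev_path_info(&stack, &info, ha, &ft->data);
 
+	if (info.outdev)
+		route->tuple[dir].out.ifindex = info.outdev->ifindex;
+
 	if (!info.indev || !nft_flowtable_find_dev(info.indev, ft))
 		return;
 
@@ -272,7 +269,6 @@
 
 	route->tuple[!dir].in.num_encaps = info.num_encaps;
 	route->tuple[!dir].in.ingress_vlans = info.ingress_vlans;
-	route->tuple[dir].out.ifindex = info.outdev->ifindex;
 
 	if (info.xmit_type == FLOW_OFFLOAD_XMIT_DIRECT) {
 		memcpy(route->tuple[dir].out.h_source, info.h_source, ETH_ALEN);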
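Review bot: The relocated assignment at new lines 253-254 now runs before the early `return` on the indev check, which is exactly what makes out.ifindex populated on that path, but nothing in the code says so; a comment such as `/* set out.ifindex before the indev check so it is valid even when the ingress device is not part of the flowtable */` would keep a future cleanup from moving it back below the return. When info.outdev is NULL the field keeps whatever the caller stored, which I assume is a default set before this function is called — worth confirming, since the earlier code dereferenced info.outdev unconditionally at old line 275. The enclosing function starts and ends outside the hunk.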
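--- a/tools/testing/selftests/net/netfilter/conntrack_clash.sh
+++ b/tools/testing/selftests/net/netfilter/conntrack_clash.sh
@@ -116,7 +116,7 @@
 	# not a failure: clash resolution logic did not trigger.
 	# With right timing, xmit completed sequentially and
 	# no parallel insertion occurs.
-	return $ksft_skip
+	return $ksft_xfail
 }
 
 run_clash_test()
@@ -133,12 +133,12 @@
 		if [ $rv -eq 0 ];then
 			echo "PASS: clash resolution test for $daddr:$dport on attempt $i"
 			return 0
-		elif [ $rv -eq $ksft_skip ]; then
+		elif [ $rv -eq $ksft_xfail ]; then
 			softerr=1
 		fi
 	done
 
-	[ $softerr -eq 1 ] && echo "SKIP: clash resolution for $daddr:$dport did not trigger"
+	[ $softerr -eq 1 ] && echo "XFAIL: clash resolution for $daddr:$dport did not trigger"
 }
 
 ip link add veth0 netns "$nsclient1" type veth peer name veth0 netns "$nsrouter"
@@ -167,8 +167,7 @@
 run_clash_test "$nsclient2" "$nsclient2" 127.0.0.1 9001
 
 if [ $clash_resolution_active -eq 0 ];then
-	[ "$ret" -eq 0 ] && ret=$ksft_skip
-	echo "SKIP: Clash resolution did not trigger"
+	[ "$ret" -eq 0 ] && ret=$ksft_xfail
 fi
 
 exit $ret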
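Review bot: The removed `echo "SKIP: Clash resolution did not trigger"` at old line 171 has no XFAIL counterpart, so the script's final verdict path is now silent apart from the per-test XFAIL lines at line 141; keeping `echo "XFAIL: Clash resolution did not trigger"` next to the new `ret=$ksft_xfail` would make the overall outcome visible in the log. This also assumes the sourced helper library defines `$ksft_xfail`; that definition is not visible in the hunk.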