summaryrefslogtreecommitdiffstats
Commit message (Collapse)AuthorAgeFilesLines
* Fix typo in ipset-translate man pageHEADmasterBernhard M. Wiedemann2021-09-291-1/+1
| | | | | | | | | originally reported in https://lists.opensuse.org/archives/list/factory@lists.opensuse.org/thread/ZIXKNQHSSCQ4ZLEGYYKLAXQ4PQ5EYFGZ/ by Larry Len Rainey Signed-off-by: Bernhard M. Wiedemann <bwiedemann@suse.de> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* ipset 7.15 releasedv7.15Jozsef Kadlecsik2021-08-042-1/+5
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: Fix maximal range check in hash_ipportnet4_uadt()Nathan Chancellor2021-08-031-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Clang warns: net/netfilter/ipset/ip_set_hash_ipportnet.c:249:29: warning: variable 'port_to' is uninitialized when used here [-Wuninitialized] if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) ^~~~~~~ net/netfilter/ipset/ip_set_hash_ipportnet.c:167:45: note: initialize the variable 'port_to' to silence this warning u32 ip = 0, ip_to = 0, p = 0, port, port_to; ^ = 0 net/netfilter/ipset/ip_set_hash_ipportnet.c:249:39: warning: variable 'port' is uninitialized when used here [-Wuninitialized] if (((u64)ip_to - ip + 1)*(port_to - port + 1) > IPSET_MAX_RANGE) ^~~~ net/netfilter/ipset/ip_set_hash_ipportnet.c:167:36: note: initialize the variable 'port' to silence this warning u32 ip = 0, ip_to = 0, p = 0, port, port_to; ^ = 0 2 warnings generated. The range check was added before port and port_to are initialized. Shuffle the check after the initialization so that the check works properly. Fixes: 7fb6c63025ff ("netfilter: ipset: Limit the maximal range of consecutive elements to add/delete") Reported-by: kernel test robot <lkp@intel.com> Signed-off-by: Nathan Chancellor <nathan@kernel.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.14 releasedv7.14Jozsef Kadlecsik2021-07-283-1/+8
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* 64bit division isn't allowed on 32bit, replace it with shiftJozsef Kadlecsik2021-07-281-1/+2
| | | | | | | The number of hosts in a netblock must be a power of two, so use shift instead of division. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Add missing function to libipset.map and bump library versionJozsef Kadlecsik2021-07-282-1/+6
| | | | | | | A new function was not added to libipset.map at the previous release, fix it. Reported by Jan Engelhardt. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.13 releasedv7.13Jozsef Kadlecsik2021-07-273-1/+8
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* When parsing protocols by number, do not check it in /etc/protocols.Jozsef Kadlecsik2021-07-271-7/+7
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Add missing hunk to patch "Allow specifying protocols by number"Jozsef Kadlecsik2021-07-161-2/+12
| | | | | | | Actually, this is the part of it which allows specifying protocols by number :-) Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Limit the maximal range of consecutive elements to add/delete fixJozsef Kadlecsik2021-07-1610-19/+70
| | | | | | | | Avoid possible number overflows when calculating the number of consecutive elements. Also, compute properly the consecutive elements in the case of hash:net* types. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.12 releasedv7.12Jozsef Kadlecsik2021-07-143-1/+19
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Allow specifying protocols by numberHaw Loeung2021-07-141-15/+18
| | | | | | | This allows us to optimise and reduce restore time by specifying protocol numbers, especially for large ipsets. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Limit the maximal range of consecutive elements to add/deleteJozsef Kadlecsik2021-07-1411-0/+31
| | | | | | | | | The range size of consecutive elements were not limited. Thus one could define a huge range which may result soft lockup errors due to the long execution time. Now the range size is limited to 2^20 entries. Reported by Brad Spengler. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Fix example in ipset.8 manpage discovered by Pablo Neira Ayuso.Jozsef Kadlecsik2021-06-271-1/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* tests: add tests ipset to nftablesPablo Neira Ayuso2021-06-263-0/+140
| | | | | | | | | | | | | This test checks that the translation from ipset to nftables is correct. term$ cd tests/xlate term$ ./runtest.sh in case that the translation is not correct, it shows the diff with expected translation output. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* add ipset to nftables translation infrastructurePablo Neira Ayuso2021-06-267-4/+654
| | | | | | | | | | | | | | | | | | | | | This patch provides the ipset-translate utility which allows you to translate your existing ipset file to nftables. The ipset-translate utility is actually a symlink to ipset, which checks for 'argv[0] == ipset-translate' to exercise the translation path. You can translate your ipset file through: ipset-translate restore < sets.ipt This patch reuses the existing parser and API to represent the sets and the elements. There is a new ipset_xlate_set dummy object that allows to store a created set to fetch the type without interactions with the kernel. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* lib: Detach restore routine from parserPablo Neira Ayuso2021-06-261-1/+4
| | | | | | | | | | | Do not call restore() from ipset_parser(). Instead, ipset_parser() returns the IPSET_CMD_RESTORE command and the caller invokes restore(). This patch comes in preparation for the ipset to nftables translation infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* lib: split parser from command executionPablo Neira Ayuso2021-06-261-14/+30
| | | | | | | | | | | | ipset_parse_argv() parses, builds and send the netlink messages to the kernel. This patch extracts the parser and wrap it around the new ipset_parser() function. This patch comes is preparation for the ipset to nftables translation infrastructure. Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Backport "netfilter: use nfnetlink_unicast()"Jozsef Kadlecsik2021-06-263-40/+53
| | | | | | | Backport patch "netfilter: use nfnetlink_unicast()" from Pablo Neira Ayuso <pablo@netfilter.org>. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Backport "netfilter: nfnetlink: consolidate callback type"Jozsef Kadlecsik2021-06-263-0/+33
| | | | | | | Backport patch "netfilter: nfnetlink: consolidate callback type" from Pablo Neira Ayuso <pablo@netfilter.org>. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Backport "netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks"Jozsef Kadlecsik2021-06-263-62/+109
| | | | | | | Backport patch "netfilter: nfnetlink: add struct nfnl_info and pass it to callbacks" from Pablo Neira Ayuso <pablo@netfilter.org>. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Backport "netfilter: add helper function to set up the nfnetlink header and ↵Jozsef Kadlecsik2021-06-263-14/+43
| | | | | | | | | use it" Backport patch "netfilter: add helper function to set up the nfnetlink header and use it" from Pablo Neira Ayuso <pablo@netfilter.org>. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Fix patch "Parse port before trying by service name"Jozsef Kadlecsik2021-06-261-14/+22
| | | | | | | | | The patch broke parsing service names: number parsing failures are hard errors which erase data, thus making impossible to parse input as a string. Fix it by enabling soft (warning) failures in the case of port number parsing. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.11 releasedv7.11Jozsef Kadlecsik2021-02-192-1/+11
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Parse port before trying by service nameHaw Loeung2021-02-191-2/+2
| | | | | | | This improves performance for loading IP sets using port numbers, especially large ones. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Silence unused-but-set-variable warningsJozsef Kadlecsik2021-02-192-4/+6
| | | | | | | | | | | | | | | | | | | | When ipset is compiled in non-debug mode, in some environments warnings treated as errors emitted: session.c: In function 'build_msg': session.c:1985:28: warning: variable 'type' set but not used [-Wunused-but-set-variable] const struct ipset_type *type; ^ session.c:2030:28: warning: variable 'type' set but not used [-Wunused-but-set-variable] const struct ipset_type *type; ^ Fix it by hiding the unused variable definitions/settings in non-debug mode. Reported by Serhey Popovych. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Handle -Werror=implicit-fallthrough= in debug mode compilingJozsef Kadlecsik2021-02-093-0/+20
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset: fix print format warningNeutron Soutmun2021-01-191-3/+3
| | | | | | | | | | | * Use PRIx64 for portablility over various architectures. * The format string for the 64bit number printing is incorrect, the `%` sign is missing. * The force types casting over the uint32_t and uint64_t are unnecessary which warned by the compiler on different architecture. Signed-off-by: Neutron Soutmun <neo.neutron@gmail.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Updated utilitiesJozsef Kadlecsik2021-01-193-1787/+1083
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Argument parsing buffer overflow in ipset_parse_argv fixedJozsef Kadlecsik2021-01-191-0/+5
| | | | | | | Argument length checking was simply missing. Fixes netfilter bugzilla #1492, reported by Marshall Whittaker. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.10 releasedv7.10Jozsef Kadlecsik2020-12-203-2/+14
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Fix patch "Handle false warning from -Wstringop-overflow"Jozsef Kadlecsik2020-12-201-1/+1
| | | | | | Return code of strscpy() was not handled properly. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Backward compatibility: handle renaming nla_strlcpy to nla_strscpyJozsef Kadlecsik2020-12-202-0/+15
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* treewide: rename nla_strlcpy to nla_strscpy.Francis Laniel2020-12-201-2/+2
| | | | | | | | | Calls to nla_strlcpy are now replaced by calls to nla_strscpy which is the new name of this function. Signed-off-by: Francis Laniel <laniel_francis@privacyrequired.com> Reviewed-by: Kees Cook <keescook@chromium.org> Signed-off-by: Jakub Kicinski <kuba@kernel.org>
* netfilter: ipset: fix shift-out-of-bounds in htable_bits()Vasily Averin2020-12-201-19/+5
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | htable_bits() can call jhash_size(32) and trigger shift-out-of-bounds UBSAN: shift-out-of-bounds in net/netfilter/ipset/ip_set_hash_gen.h:151:6 shift exponent 32 is too large for 32-bit type 'unsigned int' CPU: 0 PID: 8498 Comm: syz-executor519 Not tainted 5.10.0-rc7-next-20201208-syzkaller #0 Call Trace: __dump_stack lib/dump_stack.c:79 [inline] dump_stack+0x107/0x163 lib/dump_stack.c:120 ubsan_epilogue+0xb/0x5a lib/ubsan.c:148 __ubsan_handle_shift_out_of_bounds.cold+0xb1/0x181 lib/ubsan.c:395 htable_bits net/netfilter/ipset/ip_set_hash_gen.h:151 [inline] hash_mac_create.cold+0x58/0x9b net/netfilter/ipset/ip_set_hash_gen.h:1524 ip_set_create+0x610/0x1380 net/netfilter/ipset/ip_set_core.c:1115 nfnetlink_rcv_msg+0xecc/0x1180 net/netfilter/nfnetlink.c:252 netlink_rcv_skb+0x153/0x420 net/netlink/af_netlink.c:2494 nfnetlink_rcv+0x1ac/0x420 net/netfilter/nfnetlink.c:600 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x533/0x7d0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x907/0xe40 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:652 [inline] sock_sendmsg+0xcf/0x120 net/socket.c:672 ____sys_sendmsg+0x6e8/0x810 net/socket.c:2345 __sys_sendmsg+0xe5/0x1b0 net/socket.c:2432 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 This patch replaces htable_bits() by simple fls(hashsize - 1) call: it alone returns valid nbits both for round and non-round hashsizes. It is normal to set any nbits here because it is validated inside following htable_size() call which returns 0 for nbits>31. Fixes: 1feab10d7e6d("netfilter: ipset: Unified hash type generation") Reported-by: syzbot+d66bfadebca46cf61a2b@syzkaller.appspotmail.com Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: fixes possible oops in mtype_resizeVasily Averin2020-12-201-9/+17
| | | | | | | | | | | | | | | | | | currently mtype_resize() can cause oops t = ip_set_alloc(htable_size(htable_bits)); if (!t) { ret = -ENOMEM; goto out; } t->hregion = ip_set_alloc(ahash_sizeof_regions(htable_bits)); Increased htable_bits can force htable_size() to return 0. In own turn ip_set_alloc(0) returns not 0 but ZERO_SIZE_PTR, so follwoing access to t->hregion should trigger an OOPS. Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Handle false warning from -Wstringop-overflowJozsef Kadlecsik2020-12-141-1/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Backward compatibility: handle missing strscpy with a wrapper of strlcpy.Jozsef Kadlecsik2020-12-141-1/+6
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Move compiler specific compatibility support to separated fileJozsef Kadlecsik2020-12-076-15/+20
| | | | | | Kernel compatibility support was broken in 7.9, reported by Ed W. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.9 releasedv7.9Jozsef Kadlecsik2020-11-191-1/+1
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Fix library versioning (Jan Engelhardt)Jozsef Kadlecsik2020-11-192-1/+4
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.8 releasedv7.8Jozsef Kadlecsik2020-11-192-1/+11
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Complete backward compatibility fix for package copy of <linux/jhash.h>Jozsef Kadlecsik2020-11-191-2/+0
| | | | | | | An unnecessary condition prevented to compile pfxlen.c with the patch 202cfef66b3a1e0988d applied, it's fixed. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Compatibility: check for kvzalloc() and GFP_KERNEL_ACCOUNTJozsef Kadlecsik2020-11-192-1/+50
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: enable memory accounting for ipset allocationsVasily Averin2020-11-191-16/+1
| | | | | | | | | | | | Currently netadmin inside non-trusted container can quickly allocate whole node's memory via request of huge ipset hashtable. Other ipset-related memory allocations should be restricted too. v2: fixed typo ALLOC -> ACCOUNT Signed-off-by: Vasily Averin <vvs@virtuozzo.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* netfilter: ipset: prevent uninit-value in hash_ip6_addEric Dumazet2020-11-193-2/+19
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | syzbot found that we are not validating user input properly before copying 16 bytes [1]. Using NLA_BINARY in ipaddr_policy[] for IPv6 address is not correct, since it ensures at most 16 bytes were provided. We should instead make sure user provided exactly 16 bytes. In old kernels (before v4.20), fix would be to remove the NLA_BINARY, since NLA_POLICY_EXACT_LEN() was not yet available. [1] BUG: KMSAN: uninit-value in hash_ip6_add+0x1cba/0x3a50 net/netfilter/ipset/ip_set_hash_gen.h:892 CPU: 1 PID: 11611 Comm: syz-executor.0 Not tainted 5.10.0-rc4-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x21c/0x280 lib/dump_stack.c:118 kmsan_report+0xf7/0x1e0 mm/kmsan/kmsan_report.c:118 __msan_warning+0x5f/0xa0 mm/kmsan/kmsan_instr.c:197 hash_ip6_add+0x1cba/0x3a50 net/netfilter/ipset/ip_set_hash_gen.h:892 hash_ip6_uadt+0x976/0xbd0 net/netfilter/ipset/ip_set_hash_ip.c:267 call_ad+0x329/0xd00 net/netfilter/ipset/ip_set_core.c:1720 ip_set_ad+0x111f/0x1440 net/netfilter/ipset/ip_set_core.c:1808 ip_set_uadd+0xf6/0x110 net/netfilter/ipset/ip_set_core.c:1833 nfnetlink_rcv_msg+0xc7d/0xdf0 net/netfilter/nfnetlink.c:252 netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494 nfnetlink_rcv+0x4f0/0x4380 net/netfilter/nfnetlink.c:600 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg net/socket.c:671 [inline] ____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353 ___sys_sendmsg net/socket.c:2407 [inline] __sys_sendmsg+0x6d5/0x830 net/socket.c:2440 __do_sys_sendmsg net/socket.c:2449 [inline] __se_sys_sendmsg+0x97/0xb0 net/socket.c:2447 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x45deb9 Code: 0d b4 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 db b3 fb ff c3 66 2e 0f 1f 84 00 00 00 00 RSP: 002b:00007fe2e503fc78 EFLAGS: 00000246 ORIG_RAX: 000000000000002e RAX: ffffffffffffffda RBX: 0000000000029ec0 RCX: 000000000045deb9 RDX: 0000000000000000 RSI: 0000000020000140 RDI: 0000000000000003 RBP: 000000000118bf60 R08: 0000000000000000 R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000118bf2c R13: 000000000169fb7f R14: 00007fe2e50409c0 R15: 000000000118bf2c Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline] kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289 __msan_chain_origin+0x57/0xa0 mm/kmsan/kmsan_instr.c:147 ip6_netmask include/linux/netfilter/ipset/pfxlen.h:49 [inline] hash_ip6_netmask net/netfilter/ipset/ip_set_hash_ip.c:185 [inline] hash_ip6_uadt+0xb1c/0xbd0 net/netfilter/ipset/ip_set_hash_ip.c:263 call_ad+0x329/0xd00 net/netfilter/ipset/ip_set_core.c:1720 ip_set_ad+0x111f/0x1440 net/netfilter/ipset/ip_set_core.c:1808 ip_set_uadd+0xf6/0x110 net/netfilter/ipset/ip_set_core.c:1833 nfnetlink_rcv_msg+0xc7d/0xdf0 net/netfilter/nfnetlink.c:252 netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494 nfnetlink_rcv+0x4f0/0x4380 net/netfilter/nfnetlink.c:600 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg net/socket.c:671 [inline] ____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353 ___sys_sendmsg net/socket.c:2407 [inline] __sys_sendmsg+0x6d5/0x830 net/socket.c:2440 __do_sys_sendmsg net/socket.c:2449 [inline] __se_sys_sendmsg+0x97/0xb0 net/socket.c:2447 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Uninit was stored to memory at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline] kmsan_internal_chain_origin+0xad/0x130 mm/kmsan/kmsan.c:289 kmsan_memcpy_memmove_metadata+0x25e/0x2d0 mm/kmsan/kmsan.c:226 kmsan_memcpy_metadata+0xb/0x10 mm/kmsan/kmsan.c:246 __msan_memcpy+0x46/0x60 mm/kmsan/kmsan_instr.c:110 ip_set_get_ipaddr6+0x2cb/0x370 net/netfilter/ipset/ip_set_core.c:310 hash_ip6_uadt+0x439/0xbd0 net/netfilter/ipset/ip_set_hash_ip.c:255 call_ad+0x329/0xd00 net/netfilter/ipset/ip_set_core.c:1720 ip_set_ad+0x111f/0x1440 net/netfilter/ipset/ip_set_core.c:1808 ip_set_uadd+0xf6/0x110 net/netfilter/ipset/ip_set_core.c:1833 nfnetlink_rcv_msg+0xc7d/0xdf0 net/netfilter/nfnetlink.c:252 netlink_rcv_skb+0x70a/0x820 net/netlink/af_netlink.c:2494 nfnetlink_rcv+0x4f0/0x4380 net/netfilter/nfnetlink.c:600 netlink_unicast_kernel net/netlink/af_netlink.c:1304 [inline] netlink_unicast+0x11da/0x14b0 net/netlink/af_netlink.c:1330 netlink_sendmsg+0x173c/0x1840 net/netlink/af_netlink.c:1919 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg net/socket.c:671 [inline] ____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353 ___sys_sendmsg net/socket.c:2407 [inline] __sys_sendmsg+0x6d5/0x830 net/socket.c:2440 __do_sys_sendmsg net/socket.c:2449 [inline] __se_sys_sendmsg+0x97/0xb0 net/socket.c:2447 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Uninit was created at: kmsan_save_stack_with_flags mm/kmsan/kmsan.c:121 [inline] kmsan_internal_poison_shadow+0x5c/0xf0 mm/kmsan/kmsan.c:104 kmsan_slab_alloc+0x8d/0xe0 mm/kmsan/kmsan_hooks.c:76 slab_alloc_node mm/slub.c:2906 [inline] __kmalloc_node_track_caller+0xc61/0x15f0 mm/slub.c:4512 __kmalloc_reserve net/core/skbuff.c:142 [inline] __alloc_skb+0x309/0xae0 net/core/skbuff.c:210 alloc_skb include/linux/skbuff.h:1094 [inline] netlink_alloc_large_skb net/netlink/af_netlink.c:1176 [inline] netlink_sendmsg+0xdb8/0x1840 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:651 [inline] sock_sendmsg net/socket.c:671 [inline] ____sys_sendmsg+0xc7a/0x1240 net/socket.c:2353 ___sys_sendmsg net/socket.c:2407 [inline] __sys_sendmsg+0x6d5/0x830 net/socket.c:2440 __do_sys_sendmsg net/socket.c:2449 [inline] __se_sys_sendmsg+0x97/0xb0 net/socket.c:2447 __x64_sys_sendmsg+0x4a/0x70 net/socket.c:2447 do_syscall_64+0x9f/0x140 arch/x86/entry/common.c:48 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support") Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: syzbot <syzkaller@googlegroups.com> Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Compatibility: use skb_policy() from if_vlan.h if availableJozsef Kadlecsik2020-11-192-0/+15
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Compatibility: Check for the fourth arg of list_for_each_entry_rcu()Jozsef Kadlecsik2020-11-193-2/+21
| | | | | | | A forth argument of list_for_each_entry_rcu() was introduced, handle the compatibility issue. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* Backward compatibility fix for the package copy of <linux/jhash.h>Jozsef Kadlecsik2020-11-081-0/+1
| | | | | | | The patch "Use fallthrough pseudo-keyword in the package copy of <linux/jhash.h> too" missed to include the compatibility header file. Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
* ipset 7.7 releasedv7.7Jozsef Kadlecsik2020-09-223-1/+29
| | | | Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>