| Commit message (Collapse) | Author | Age | Files | Lines |
Invalid JSON caused by extra commas, when libipset list_JSON command is
called more than one time.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Fixes bugzilla #1804.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Both the possible values and the default one contained 14
in the manpage while the real value is 12.
Fixes bugzilla #1803.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Rename IPSET_MIMINAL_HASHSIZE → IPSET_MINIMAL_HASHSIZE in
ip_set_hash_gen.h, matching the header typo-fix.
Signed-off-by: RubenKelevra <rubenkelevra@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Check for 'int *id' in the pernet_operations struct
fails for some later versions of kernels as the declaration
is now 'int * const id'.
Kernel Commit 768e4bb6a75e3c6a034df7c67edac20bd222857e changed
the variable declaration that ipset uses to ensure presence
of the pernet ops id.
Modify the pattern match to include both the newer change while
still supporting the original declaration.
Reported and original patch submitted by Mike Pagano <mpagano@gentoo.org>,
single pattern suggested by Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Region locking introduced in v5.6-rc4 contained three macros to handle
the region locks: ahash_bucket_start(), ahash_bucket_end() which gave
back the start and end hash bucket values belonging to a given region
lock and ahash_region() which should give back the region lock belonging
to a given hash bucket. The latter was incorrect which can lead to a
race condition between the garbage collector and adding new elements
when a hash type of set is defined with timeouts.
Fixes: f66ee0410b1c ("netfilter: ipset: Fix "INFO: rcu detected stall in hash_xxx" reports")
Reported-by: Kota Toda <kota.toda@gmo-cybersecurity.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Fixes bugzilla #1793, issue 3.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Fixes bugzilla #1793, issue 4.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Fixes bugzilla #1793, issue 1.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Also fix extra whitespace before closing curly brace.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
There is a syntax error in a redirection:
$ bash -x utils/ipset_bash_completion/ipset
+ shopt -s extglob
utils/ipset_bash_completion/ipset: line 365: syntax error near unexpected token `('
utils/ipset_bash_completion/ipset: line 365: `done < <(PATH=${PATH}:/sbin ( command ip -o link show ) 2>/dev/null)'
Move the environment variable assignment into the sub-shell.
This fix was previously applied in commit 417ee1054fb2 ("bash-completion:
fix syntax error"), but then reverted, presumably by mistake, in commit
0378d91222c1 ("Bash completion utility updated").
Fixes: 0378d91222c1 ("Bash completion utility updated")
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
"This values is ..." should be "This value is ...".
Signed-off-by: Jeremy Sowden <jeremy@azazel.net>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
backward compatibility
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
With CONFIG_PROVE_LOCKING, when creating a set of type bitmap:ip, adding
it to a set of type list:set and populating it from iptables SET target
triggers a kernel warning:
| WARNING: possible recursive locking detected
| 6.12.0-rc7-01692-g5e9a28f41134-dirty #594 Not tainted
| --------------------------------------------
| ping/4018 is trying to acquire lock:
| ffff8881094a6848 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set]
|
| but task is already holding lock:
| ffff88811034c048 (&set->lock){+.-.}-{2:2}, at: ip_set_add+0x28c/0x360 [ip_set]
This is a false alarm: ipset does not allow nested list:set type, so the
loop in list_set_kadd() can never encounter the outer set itself. No
other set type supports embedded sets, so this is the only case to
consider.
To avoid the false report, create a distinct lock class for list:set
type ipset locks.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
User space may unload ip_set.ko while it is itself requesting a set type
backend module, leading to a kernel crash. The race condition may be
provoked by inserting an mdelay() right after the nfnl_unlock() call.
Fixes: a7b4f989a629 ("netfilter: ipset: IP set core support")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Acked-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
When tb[IPSET_ATTR_IP_TO] is not present but tb[IPSET_ATTR_CIDR] exists,
the values of ip and ip_to are slightly swapped. Therefore, the range check
for ip should be done later, but this part is missing and it seems that the
vulnerability occurs.
So we should add missing range checks and remove unnecessary range checks.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+58c872f7790a4d2ac951@syzkaller.appspotmail.com
Fixes: 72205fc68bd1 ("netfilter: ipset: bitmap:ip set type support")
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Acked-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
When destroying all sets, we are either in pernet exit phase or
are executing a "destroy all sets command" from userspace. The latter
was taken into account in ip_set_dereference() (nfnetlink mutex is held),
but the former was not. The patch adds the required check to
rcu_dereference_protected() in ip_set_dereference().
Fixes: 4e7aaa6b82d6 ("netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type")
Reported-by: syzbot+b62c37cdd58103293a5a@syzkaller.appspotmail.com
Reported-by: syzbot+cfbe1da5fdfc39efc293@syzkaller.appspotmail.com
Reported-by: kernel test robot <oliver.sang@intel.com>
Closes: https://lore.kernel.org/oe-lkp/202406141556.e0b6f17e-lkp@intel.com
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Do not exit at each failure.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
RHEL ships a special ipset[1] tool with different output in corner-cases
than the common one[2]:
* Reduced output with /32 netmasks:
| # ipcalc 255.255.255.254/32
| Address: 255.255.255.254
| Address space: Reserved
To cover for this, make net_last_addr() fall back to the 'Address:'
line. Simply adding this keyword is fine as in normal output it appears
first and thus the other recognized keywords' values take precedence.
* No "Address:" line with all-zero addresses:
| # ipcalc 0.0.0.0/1
| Network: 0.0.0.0/1
| Netmask: 128.0.0.0 = 1
| Broadcast: 127.255.255.255
|
| Address space: This host on this network
| HostMin: 0.0.0.1
| HostMax: 127.255.255.254
| Hosts/Net: 2147483646
Have net_first_addr() fall back to the 'HostMin:' line in this case.
[1] https://gitlab.com/ipcalc/ipcalc
[2] http://jodies.de/ipcalc
Fixes: e24e7656b3dd9 ("tests: cidr.sh: Add ipcalc fallback")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Allow callers to specify the ipset binary to test (with), just like
runtest.sh itself does, too.
Fixes: d05e7e9349bd1 ("Out of bound access in hash:net* types fixed")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
basename(3) is defined in libgen.h in MUSL.
Include libgen.h where basename(3) is used.
Signed-off-by: Mike Pagano <mpagano@gentoo.org>
Acked-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Where acceptable, batch add set element calls to avoid overhead of
excessive 'ipset' program spawns. On my (slow) testing VM, this patch
reduces a full run of tests/runtest.sh from ~70min down to ~11min.
This might eliminate the situation being tested: resize.sh might be such
a case so batch only 255 'ipset add' calls and continue to repeat these
batched calls 32 times in hopes that it still qualifies as the resizing
stress test tests/hash:ip.t calls it.
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
The maximum accepted value for 'argc' is MAX_ARGS which matches 'argv'
array size. The maximum allowed array index is therefore argc-1.
This fix will leave items in argv non-NULL-terminated, so explicitly
NULL the formerly last entry after shifting.
Looks like a day-1 bug. Interestingly, this neither triggered ASAN nor
valgrind. Yet adding debug output printing argv entries being copied
did.
Fixes: 1e6e8bd9a62aa ("Third stage to ipset-5")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
After compiling with CFLAGS="-fsanitize=address -g", running the
testsuite triggers the following warning:
| ipmap: Range: Check syntax error: missing range/from-to: FAILED
| Failed test: ../src/ipset 2>.foo.err -N test ipmap
| =================================================================
| ==4204==ERROR: AddressSanitizer: global-buffer-overflow on address 0x55a21e77172a at pc 0x7f1ef246f2a6 bp 0x7fffed8f4f40 sp 0x7fffed8f46e8
| READ of size 32 at 0x55a21e77172a thread T0
| #0 0x7f1ef246f2a5 in __interceptor_memcpy /var/tmp/portage/sys-devel/gcc-13.2.1_p20231014/work/gcc-13-20231014/libsanitizer/sanitizer_common/sanitizer_common_interceptors.inc:899
| #1 0x55a21e758bf6 in ipset_strlcpy /home/n0-1/git/ipset/lib/data.c:119
| #2 0x55a21e758bf6 in ipset_data_set /home/n0-1/git/ipset/lib/data.c:349
| #3 0x55a21e75ee2f in ipset_parse_typename /home/n0-1/git/ipset/lib/parse.c:1819
| #4 0x55a21e754119 in ipset_parser /home/n0-1/git/ipset/lib/ipset.c:1205
| #5 0x55a21e752cef in ipset_parse_argv /home/n0-1/git/ipset/lib/ipset.c:1344
| #6 0x55a21e74ea45 in main /home/n0-1/git/ipset/src/ipset.c:38
| #7 0x7f1ef224cf09 (/lib64/libc.so.6+0x23f09)
| #8 0x7f1ef224cfc4 in __libc_start_main (/lib64/libc.so.6+0x23fc4)
| #9 0x55a21e74f040 in _start (/home/n0-1/git/ipset/src/ipset+0x1d040)
|
| 0x55a21e77172a is located 54 bytes before global variable '*.LC1' defined in 'ipset_bitmap_ip.c' (0x55a21e771760) of size 19
| '*.LC1' is ascii string 'IP|IP/CIDR|FROM-TO'
| 0x55a21e77172a is located 0 bytes after global variable '*.LC0' defined in 'ipset_bitmap_ip.c' (0x55a21e771720) of size 10
| '*.LC0' is ascii string 'bitmap:ip'
Fix this by avoiding 'src' array overstep in ipset_strlcpy(): In
contrast to strncpy(), memcpy() does not respect NUL-chars in input but
stubbornly reads as many bytes as specified.
Fixes: a7432ba786ca4 ("Workaround misleading -Wstringop-truncation warning")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
IPSET_OPT_IP should be quoted to be a well formed json file, otherwise see
following bad example (range is not quoted):
  # ipset create foo bitmap:ip range 192.168.0.0/16
  # ipset list -o json foo
  [
    {
      "name" : "foo",
      "type" : "bitmap:ip",
      "revision" : 3,
      "header" : {
        "range" : 192.168.0.0-192.168.255.255,
        "memsize" : 8280,
        "references" : 0,
        "numentries" : 0
      },
      "members" : [
      ]
    }
  ]
Signed-off-by: Z. Liu <liuzx@knownsec.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
module remove
|
Lion Ackermann reported that there is a race condition between namespace cleanup
in ipset and the garbage collection of the list:set type. The namespace
cleanup can destroy the list:set type of sets while the gc of the set type is
waiting to run in rcu cleanup. The latter uses data from the destroyed set which
thus leads to use after free. The patch contains the following parts:
- When destroying all sets, first remove the garbage collectors, then wait
if needed and then destroy the sets.
- Fix the badly ordered "wait then remove gc" for the destroy a single set
case.
- Fix the missing rcu locking in the list:set type in the userspace test
case.
- Use proper RCU list handlings in the list:set type.
The patch depends on 975403cda657 (netfilter: ipset: Add list flush to cancel_gc).
Fixes: fdb8e12cc2cc (netfilter: ipset: fix performance regression in swap operation)
Reported-by: Lion Ackermann <nnamrec@gmail.com>
Tested-by: Lion Ackermann <nnamrec@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Flushing list in cancel_gc drops references to other lists right away,
without waiting for RCU to destroy list. Fixes race when referenced
ipsets can't be destroyed while referring list is scheduled for destroy.
Signed-off-by: Alexander Maltsev <keltar.gw@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
by moving cond_resched_rcu() to rcupdate_wait.h, we can kill another big
sched.h dependency.
Signed-off-by: Kent Overstreet <kent.overstreet@linux.dev>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Handle backward compatibility with regard to the patch.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
This is a preparation patch for replacing physindev with physinif on
nf_bridge_info structure. We will use dev_get_by_index_rcu to resolve
device, when needed, and it requires net to be available.
Signed-off-by: Pavel Tikhomirov <ptikhomirov@virtuozzo.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
In case of namespace exit the modules are not unloaded but the sets belonging
to the namespace must be destroyed.
This reverts commit 099916e8f2c0a9c84f79469a8db49f775d4af16e.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Due to the code reorganization the functions in question are now run by call_rcu(),
not under rcu locking and pointer access. This produces false sparse warnings
which are suppressed by the patch.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
The ip_set module can only be removed when all set module type modules
are already removed. A set type module can only be removed when all sets
belonging to the given type are already removed. So it is not possible
that there's any set defined at ip_set module removal.
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
stages in comments
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
The patch fdb8e12cc2cc ("netfilter: ipset: fix performance regression
in swap operation") missed to add the calls to gc cancellations
at the error path of create operations and at module unload. Also,
because half of the destroy operations are now executed by a
function registered by call_rcu(), neither the NFNL_SUBSYS_IPSET mutex
nor the rcu read lock is held and therefore the checking of them results
in false warnings.
Reported-by: syzbot+52bbc0ad036f6f0d4a25@syzkaller.appspotmail.com
Reported-by: Brad Spengler <spender@grsecurity.net>
Reported-by: Стас Ничипорович <stasn77@gmail.com>
Fixes: fdb8e12cc2cc ("netfilter: ipset: fix performance regression in swap operation")
Tested-by: Brad Spengler <spender@grsecurity.net>
Tested-by: Стас Ничипорович <stasn77@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|
Due to several bugs caused by timers being re-armed after they are
shutdown and just before they are freed, a new state of timers was added
called "shutdown". After a timer is set to this state, then it can no
longer be re-armed.
The following script was run to find all the trivial locations where
del_timer() or del_timer_sync() is called in the same function that the
object holding the timer is freed. It also ignores any locations where
the timer->function is modified between the del_timer*() and the free(),
as that is not considered a "trivial" case.
This was created by using a coccinelle script and the following
commands:
$ cat timer.cocci
@@
expression ptr, slab;
identifier timer, rfield;
@@
(
- del_timer(&ptr->timer);
+ timer_shutdown(&ptr->timer);
|
- del_timer_sync(&ptr->timer);
+ timer_shutdown_sync(&ptr->timer);
)
... when strict
when != ptr->timer
(
kfree_rcu(ptr, rfield);
|
kmem_cache_free(slab, ptr);
|
kfree(ptr);
)
$ spatch timer.cocci . > /tmp/t.patch
$ patch -p1 < /tmp/t.patch
Link: https://lore.kernel.org/lkml/20221123201306.823305113@linutronix.de/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Acked-by: Pavel Machek <pavel@ucw.cz> [ LED ]
Acked-by: Kalle Valo <kvalo@kernel.org> [ wireless ]
Acked-by: Paolo Abeni <pabeni@redhat.com> [ networking ]
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
|