From patchwork Thu Apr 3 11:57:50 2025
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 14036957
X-Patchwork-Delegate: kuba@kernel.org
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net 1/3] netfilter: nft_set_hash: GC reaps elements with conncount for dynamic sets only
Date: Thu, 3 Apr 2025 13:57:50 +0200
Message-Id: <20250403115752.19608-2-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250403115752.19608-1-pablo@netfilter.org>
References: <20250403115752.19608-1-pablo@netfilter.org>

conncount has its own GC handler which determines when to reap stale
elements, this is convenient for dynamic sets. However, this also reaps
non-dynamic sets with static configurations coming from control plane.
Always run connlimit gc handler but honor feedback to reap element if
this set is dynamic.

Fixes: 290180e2448c ("netfilter: nf_tables: add connlimit support")
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nft_set_hash.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nft_set_hash.c b/net/netfilter/nft_set_hash.c index 8bfac4185ac7..abb0c8ec6371 100644 --- a/net/netfilter/nft_set_hash.c +++ b/net/netfilter/nft_set_hash.c
@@ -309,7 +309,8 @@ static bool nft_rhash_expr_needs_gc_run(const struct nft_set *set, nft_setelem_expr_foreach(expr, elem_expr, size) { if (expr->ops->gc && - expr->ops->gc(read_pnet(&set->net), expr)) + expr->ops->gc(read_pnet(&set->net), expr) && + set->flags & NFT_SET_EVAL) return true; }

From patchwork Thu Apr 3 11:57:51 2025
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 14036958
X-Patchwork-Delegate: kuba@kernel.org
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net 2/3] netfilter: nf_tables: don't unregister hook when table is dormant
Date: Thu, 3 Apr 2025 13:57:51 +0200
Message-Id: <20250403115752.19608-3-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250403115752.19608-1-pablo@netfilter.org>
References: <20250403115752.19608-1-pablo@netfilter.org>

From: Florian Westphal

When nf_tables_updchain encounters an error, hook registration needs to
be rolled back. This should only be done if the hook has been
registered, which won't happen when the table is flagged as dormant
(inactive). Just move the assignment into the registration block.

Reported-by: syzbot+53ed3a6440173ddbf499@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=53ed3a6440173ddbf499
Fixes: b9703ed44ffb ("netfilter: nf_tables: support for adding new devices to an existing netdev chain")
Signed-off-by: Florian Westphal
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nf_tables_api.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index c2df81b7e950..a133e1c175ce 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c
@@ -2839,11 +2839,11 @@ static int nf_tables_updchain(struct nft_ctx *ctx, u8 genmask, u8 policy, err = nft_netdev_register_hooks(ctx->net, &hook.list); if (err < 0) goto err_hooks; + + unregister = true; } } - unregister = true; - if (nla[NFTA_CHAIN_COUNTERS]) { if (!nft_is_base_chain(chain)) { err = -EOPNOTSUPP;

From patchwork Thu Apr 3 11:57:52 2025
X-Patchwork-Submitter: Pablo Neira Ayuso
X-Patchwork-Id: 14036959
X-Patchwork-Delegate: kuba@kernel.org
From: Pablo Neira Ayuso
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org, pabeni@redhat.com, edumazet@google.com, fw@strlen.de, horms@kernel.org
Subject: [PATCH net 3/3] netfilter: nft_tunnel: fix geneve_opt type confusion addition
Date: Thu, 3 Apr 2025 13:57:52 +0200
Message-Id: <20250403115752.19608-4-pablo@netfilter.org>
X-Mailer: git-send-email 2.30.2
In-Reply-To: <20250403115752.19608-1-pablo@netfilter.org>
References: <20250403115752.19608-1-pablo@netfilter.org>

From: Lin Ma

When handling multiple NFTA_TUNNEL_KEY_OPTS_GENEVE attributes, the
parsing logic should place every geneve_opt structure one by one
compactly. Hence, when deciding the next geneve_opt position, the
pointer addition should be in units of char *.

However, the current implementation erroneously does type conversion
before the addition, which will lead to heap out-of-bounds write.

[ 6.989857] ==================================================================
[ 6.990293] BUG: KASAN: slab-out-of-bounds in nft_tunnel_obj_init+0x977/0xa70
[ 6.990725] Write of size 124 at addr ffff888005f18974 by task poc/178
[ 6.991162]
[ 6.991259] CPU: 0 PID: 178 Comm: poc-oob-write Not tainted 6.1.132 #1
[ 6.991655] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[ 6.992281] Call Trace:
[ 6.992423]
[ 6.992586] dump_stack_lvl+0x44/0x5c
[ 6.992801] print_report+0x184/0x4be
[ 6.993790] kasan_report+0xc5/0x100
[ 6.994252] kasan_check_range+0xf3/0x1a0
[ 6.994486] memcpy+0x38/0x60
[ 6.994692] nft_tunnel_obj_init+0x977/0xa70
[ 6.995677] nft_obj_init+0x10c/0x1b0
[ 6.995891] nf_tables_newobj+0x585/0x950
[ 6.996922] nfnetlink_rcv_batch+0xdf9/0x1020
[ 6.998997] nfnetlink_rcv+0x1df/0x220
[ 6.999537] netlink_unicast+0x395/0x530
[ 7.000771] netlink_sendmsg+0x3d0/0x6d0
[ 7.001462] __sock_sendmsg+0x99/0xa0
[ 7.001707] ____sys_sendmsg+0x409/0x450
[ 7.002391] ___sys_sendmsg+0xfd/0x170
[ 7.003145] __sys_sendmsg+0xea/0x170
[ 7.004359] do_syscall_64+0x5e/0x90
[ 7.005817] entry_SYSCALL_64_after_hwframe+0x6e/0xd8
[ 7.006127] RIP: 0033:0x7ec756d4e407
[ 7.006339] Code: 48 89 fa 4c 89 df e8 38 aa 00 00 8b 93 08 03 00 00 59 5e 48 83 f8 fc 74 1a 5b c3 0f 1f 84 00 00 00 00 00 48 8b 44 24 10 0f 05 <5b> c3 0f 1f 80 00 00 00 00 83 e2 39 83 faf
[ 7.007364] RSP: 002b:00007ffed5d46760 EFLAGS: 00000202 ORIG_RAX: 000000000000002e
[ 7.007827] RAX: ffffffffffffffda RBX: 00007ec756cc4740 RCX: 00007ec756d4e407
[ 7.008223] RDX: 0000000000000000 RSI: 00007ffed5d467f0 RDI: 0000000000000003
[ 7.008620] RBP: 00007ffed5d468a0 R08: 0000000000000000 R09: 0000000000000000
[ 7.009039] R10: 0000000000000000 R11: 0000000000000202 R12: 0000000000000000
[ 7.009429] R13: 00007ffed5d478b0 R14: 00007ec756ee5000 R15: 00005cbd4e655cb8

Fix this bug with correct pointer addition and conversion in parse
and dump code.

Fixes: 925d844696d9 ("netfilter: nft_tunnel: add support for geneve opts")
Signed-off-by: Lin Ma
Signed-off-by: Pablo Neira Ayuso
---
 net/netfilter/nft_tunnel.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/nft_tunnel.c b/net/netfilter/nft_tunnel.c index 681301b46aa4..2e40f575aed9 100644 --- a/net/netfilter/nft_tunnel.c +++ b/net/netfilter/nft_tunnel.c @@ -341,7 +341,7 @@ static const struct nla_policy nft_tunnel_opts_geneve_policy[NFTA_TUNNEL_KEY_GEN static int nft_tunnel_obj_geneve_init(const struct nlattr *attr, struct nft_tunnel_opts *opts) { - struct geneve_opt *opt = (struct geneve_opt *)opts->u.data + opts->len; + struct geneve_opt *opt = (struct geneve_opt *)(opts->u.data + opts->len); struct nlattr *tb[NFTA_TUNNEL_KEY_GENEVE_MAX + 1]; int err, data_len; @@ -625,7 +625,7 @@ static int nft_tunnel_opts_dump(struct sk_buff *skb, if (!inner) goto failure; while (opts->len > offset) { - opt = (struct geneve_opt *)opts->u.data + offset; + opt = (struct geneve_opt *)(opts->u.data + offset); if (nla_put_be16(skb, NFTA_TUNNEL_KEY_GENEVE_CLASS, opt->opt_class) || nla_put_u8(skb, NFTA_TUNNEL_KEY_GENEVE_TYPE,
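
Review bot: In patch 1/3, the nft_rhash_expr_needs_gc_run() hunk in net/netfilter/nft_set_hash.c makes the operand order of the new condition load-bearing, and nothing in the code says so. expr->ops->gc() has to stay ahead of the set->flags & NFT_SET_EVAL test so that the handler still runs on non-dynamic sets, as the commit message requires; a later cleanup that moves the cheap flag test to the front would silently skip it. A short comment that the call is made for its side effect on every set would protect this, and writing the flag test as (set->flags & NFT_SET_EVAL) would make the mixed && and & expression easier to read.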
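
Review bot: In patch 2/3, the nf_tables_updchain() hunk in net/netfilter/nf_tables_api.c leaves the meaning of unregister implicit at the point where it is now set. The assignment sits directly after the nft_netdev_register_hooks() error check, so a one-line comment there, saying that the flag records hooks actually registered by this update and therefore owed a rollback at err_hooks, would keep a later change from hoisting it back out of the registration block.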
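
Review bot: In patch 3/3, the first hunk (nft_tunnel_obj_geneve_init()) fixes the precedence but leaves the idiom open-coded, and the visible lines do not show opts->len being bounded against the size of opts->u.data before opt is derived from it. The expression (struct geneve_opt *)(opts->u.data + opts->len) is a byte offset only as long as opts->u.data is byte-typed. Since the same cast-before-add slip occurred at two sites, a small helper that takes opts and a byte offset and returns the struct geneve_opt pointer would keep both consistent, and the length check could live beside it.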
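
Review bot: In patch 3/3, the second hunk (nft_tunnel_opts_dump()) keeps the loop guard while (opts->len > offset), which only proves that one byte remains at offset, yet the body immediately reads opt->opt_class and further header fields through opt. Now that offset is applied in bytes, consider guarding on offset + sizeof(*opt) <= opts->len before the nla_put_be16() call, or add a comment on why the parse side guarantees that only whole options are stored.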
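
The difference between the two pointer expressions in patch 3/3, as an added example that is not code from the patch or the kernel. struct demo_geneve_opt, struct demo_opts, DEMO_OPTS_MAX and the three functions are constructed stand-ins, and the arena is oversized so the pre-fix expression can be evaluated without leaving the object.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for struct geneve_opt: 4-byte header + option data. */
struct demo_geneve_opt {
    uint16_t opt_class;
    uint8_t  type;
    uint8_t  length;                 /* option data length in 4-byte words */
    uint8_t  opt_data[];
};

#define DEMO_OPTS_MAX 256            /* constructed capacity, in bytes */

/* Constructed stand-in for struct nft_tunnel_opts; arena is 4x the capacity. */
struct demo_opts {
    _Alignas(uint32_t) uint8_t data[DEMO_OPTS_MAX * sizeof(struct demo_geneve_opt)];
    size_t len;                      /* bytes of data[] already used */
};

/* Pre-fix form: cast, then add. The addition counts whole structs. */
size_t offset_cast_then_add(struct demo_opts *o)
{
    return (size_t)((uint8_t *)((struct demo_geneve_opt *)o->data + o->len) - o->data);
}

/* Post-fix form: add in bytes, then cast. */
size_t offset_add_then_cast(struct demo_opts *o)
{
    return (size_t)((uint8_t *)(struct demo_geneve_opt *)(o->data + o->len) - o->data);
}

/* Append one option compactly, refusing anything that would not fit. */
int demo_append(struct demo_opts *o, uint16_t cls, uint8_t type,
                const void *data, size_t data_len)
{
    struct demo_geneve_opt hdr = { cls, type, (uint8_t)(data_len / 4) };
    size_t need = sizeof(hdr) + data_len;

    if (data_len % 4 || o->len > DEMO_OPTS_MAX || need > DEMO_OPTS_MAX - o->len)
        return -1;
    memcpy(o->data + o->len, &hdr, sizeof(hdr));
    memcpy(o->data + o->len + sizeof(hdr), data, data_len);
    o->len += need;
    return 0;
}

int main(void)
{
    struct demo_opts o = { .len = 0 };
    uint8_t payload[8] = { 0 };      /* constructed option data */
    demo_append(&o, 0x0102, 1, payload, sizeof(payload));
    printf("used=%zu fixed=%zu pre-fix=%zu\n", o.len, offset_add_then_cast(&o), offset_cast_then_add(&o));
    return 0;
}
```

After one 12-byte option, the byte-wise form places the next option at offset 12, while the cast-first form lands at 48, four times further into the buffer.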