commit: 4aadb722f9ae557f568ab8cc7c971f68df2a4706 Author: Mike Pagano <mpagano <AT> gentoo <DOT> org> AuthorDate: Thu Jul 25 15:47:44 2024 +0000 Commit: Mike Pagano <mpagano <AT> gentoo <DOT> org> CommitDate: Thu Jul 25 15:47:44 2024 +0000 URL: https://gitweb.gentoo.org/proj/linux-patches.git/commit/?id=4aadb722
netfilter patches thanks to Kerin Millar Signed-off-by: Mike Pagano <mpagano <AT> gentoo.org> 0000_README | 8 + ...s-bail-if-stateful-expr-provides-no-clone.patch | 53 +++++ ...-nf-tables-allow-clone-callbacks-to-sleep.patch | 264 +++++++++++++++++++++ 3 files changed, 325 insertions(+) diff --git a/0000_README b/0000_README index 55eb987d..3900eeb8 100644 --- a/0000_README +++ b/0000_README @@ -227,6 +227,14 @@ Patch: 2000_BT-Check-key-sizes-only-if-Secure-Simple-Pairing-enabled.patch From: https://lore.kernel.org/linux-bluetooth/[email protected]/raw Desc: Bluetooth: Check key sizes only when Secure Simple Pairing is enabled. See bug #686758 +Patch: 2010_netfilter-nf-tables-bail-if-stateful-expr-provides-no-clone.patch +From: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git +Desc: netfilter: nf_tables: bail out if stateful expression provides no .clone + +Patch: 2011_netfilter-nf-tables-allow-clone-callbacks-to-sleep.patch +From: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git +Desc: netfilter: nf_tables: allow clone callbacks to sleep + Patch: 2700_ASoC_max98388_correct_includes.patch From: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/patch/sound/soc/codecs/max98388.c?id=832beb640e425b5d1a92d8c2002e6b8e0af693eb Desc: ASoC: max98388: Correct the includes diff --git a/2010_netfilter-nf-tables-bail-if-stateful-expr-provides-no-clone.patch b/2010_netfilter-nf-tables-bail-if-stateful-expr-provides-no-clone.patch new file mode 100644 index 00000000..c525909e --- /dev/null +++ b/2010_netfilter-nf-tables-bail-if-stateful-expr-provides-no-clone.patch @@ -0,0 +1,53 @@ +From 603988dc0f66f1d3f348b6e05984b291cc4bab13 Mon Sep 17 00:00:00 2001 +From: Kerin Millar <[email protected]> +Date: Thu, 25 Jul 2024 00:03:38 +0200 +Subject: [PATCH 1/2] Backport 3c13725f43dcf43ad8a9bcd6a9f12add19a8f93e to + linux-6.6.y + +Signed-off-by: Kerin Millar <[email protected]> +--- + +From 3c13725f43dcf43ad8a9bcd6a9f12add19a8f93e Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso <[email protected]> +Date: Sun, 7 Jan 2024 23:00:15 +0100 +Subject: netfilter: nf_tables: bail out if stateful expression provides no + .clone + +All existing NFT_EXPR_STATEFUL provide a .clone interface, remove +fallback to copy content of stateful expression since this is never +exercised and bail out if .clone interface is not defined. + +Signed-off-by: Pablo Neira Ayuso <[email protected]> +--- + net/netfilter/nf_tables_api.c | 15 +++++++-------- + 1 file changed, 7 insertions(+), 8 deletions(-) + +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index dd044a47c..b53fc54f2 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3316,14 +3316,13 @@ int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) + { + int err; + +- if (src->ops->clone) { +- dst->ops = src->ops; +- err = src->ops->clone(dst, src); +- if (err < 0) +- return err; +- } else { +- memcpy(dst, src, src->ops->size); +- } ++ if (WARN_ON_ONCE(!src->ops->clone)) ++ return -EINVAL; ++ ++ dst->ops = src->ops; ++ err = src->ops->clone(dst, src); ++ if (err < 0) ++ return err; + + __module_get(src->ops->type->owner); + +-- +2.44.2 + diff --git a/2011_netfilter-nf-tables-allow-clone-callbacks-to-sleep.patch b/2011_netfilter-nf-tables-allow-clone-callbacks-to-sleep.patch new file mode 100644 index 00000000..05da3a8e --- /dev/null +++ b/2011_netfilter-nf-tables-allow-clone-callbacks-to-sleep.patch @@ -0,0 +1,264 @@ +From b19498a9f2cca6aaeb56e6322ddfff33c338c0c7 Mon Sep 17 00:00:00 2001 +From: Kerin Millar <[email protected]> +Date: Thu, 25 Jul 2024 00:04:48 +0200 +Subject: [PATCH 2/2] Backport fa23e0d4b756d25829e124d6b670a4c6bbd4bf7e to + linux-6.6.y + +Signed-off-by: Kerin Millar <[email protected]> +--- + +From fa23e0d4b756d25829e124d6b670a4c6bbd4bf7e Mon Sep 17 00:00:00 2001 +From: Florian Westphal <[email protected]> +Date: Wed, 8 May 2024 14:52:47 +0200 +Subject: netfilter: nf_tables: allow clone callbacks to sleep + +Sven Auhagen reports transaction failures with following error: + ./main.nft:13:1-26: Error: Could not process rule: Cannot allocate memory + percpu: allocation failed, size=16 align=8 atomic=1, atomic alloc failed, no space left + +This points to failing pcpu allocation with GFP_ATOMIC flag. +However, transactions happen from user context and are allowed to sleep. + +One case where we can call into percpu allocator with GFP_ATOMIC is +nft_counter expression. + +Normally this happens from control plane, so this could use GFP_KERNEL +instead. But one use case, element insertion from packet path, +needs to use GFP_ATOMIC allocations (nft_dynset expression). + +At this time, .clone callbacks always use GFP_ATOMIC for this reason. + +Add gfp_t argument to the .clone function and pass GFP_KERNEL or +GFP_ATOMIC flag depending on context, this allows all clone memory +allocations to sleep for the normal (transaction) case. + +Cc: Sven Auhagen <[email protected]> +Signed-off-by: Florian Westphal <[email protected]> +Signed-off-by: Pablo Neira Ayuso <[email protected]> +--- + include/net/netfilter/nf_tables.h | 4 ++-- + net/netfilter/nf_tables_api.c | 8 ++++---- + net/netfilter/nft_connlimit.c | 4 ++-- + net/netfilter/nft_counter.c | 4 ++-- + net/netfilter/nft_dynset.c | 2 +- + net/netfilter/nft_last.c | 4 ++-- + net/netfilter/nft_limit.c | 14 ++++++++------ + net/netfilter/nft_quota.c | 4 ++-- + 8 files changed, 23 insertions(+), 21 deletions(-) + +diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h +index 8af254352..b4a6a45e2 100644 +--- a/include/net/netfilter/nf_tables.h ++++ b/include/net/netfilter/nf_tables.h +@@ -392,7 +392,7 @@ struct nft_expr_info; + + int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla, + struct nft_expr_info *info); +-int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src); ++int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp); + void nft_expr_destroy(const struct nft_ctx *ctx, struct nft_expr *expr); + int nft_expr_dump(struct sk_buff *skb, unsigned int attr, + const struct nft_expr *expr, bool reset); +@@ -889,7 +889,7 @@ struct nft_expr_ops { + struct nft_regs *regs, + const struct nft_pktinfo *pkt); + int (*clone)(struct nft_expr *dst, +- const struct nft_expr *src); ++ const struct nft_expr *src, gfp_t gfp); + unsigned int size; + + int (*init)(const struct nft_ctx *ctx, +diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c +index b53fc54f2..ec153266b 100644 +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3312,7 +3312,7 @@ static struct nft_expr *nft_expr_init(const struct nft_ctx *ctx, + return ERR_PTR(err); + } + +-int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) ++int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src, gfp_t gfp) + { + int err; + +@@ -3320,7 +3320,7 @@ int nft_expr_clone(struct nft_expr *dst, struct nft_expr *src) + return -EINVAL; + + dst->ops = src->ops; +- err = src->ops->clone(dst, src); ++ err = src->ops->clone(dst, src, gfp); + if (err < 0) + return err; + +@@ -6345,7 +6345,7 @@ int nft_set_elem_expr_clone(const struct nft_ctx *ctx, struct nft_set *set, + if (!expr) + goto err_expr; + +- err = nft_expr_clone(expr, set->exprs[i]); ++ err = nft_expr_clone(expr, set->exprs[i], GFP_KERNEL_ACCOUNT); + if (err < 0) { + kfree(expr); + goto err_expr; +@@ -6384,7 +6384,7 @@ static int nft_set_elem_expr_setup(struct nft_ctx *ctx, + + for (i = 0; i < num_exprs; i++) { + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); +- err = nft_expr_clone(expr, expr_array[i]); ++ err = nft_expr_clone(expr, expr_array[i], GFP_KERNEL_ACCOUNT); + if (err < 0) + goto err_elem_expr_setup; + +diff --git a/net/netfilter/nft_connlimit.c b/net/netfilter/nft_connlimit.c +index de9d1980d..92b984fa8 100644 +--- a/net/netfilter/nft_connlimit.c ++++ b/net/netfilter/nft_connlimit.c +@@ -210,12 +210,12 @@ static void nft_connlimit_destroy(const struct nft_ctx *ctx, + nft_connlimit_do_destroy(ctx, priv); + } + +-static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src) ++static int nft_connlimit_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp) + { + struct nft_connlimit *priv_dst = nft_expr_priv(dst); + struct nft_connlimit *priv_src = nft_expr_priv(src); + +- priv_dst->list = kmalloc(sizeof(*priv_dst->list), GFP_ATOMIC); ++ priv_dst->list = kmalloc(sizeof(*priv_dst->list), gfp); + if (!priv_dst->list) + return -ENOMEM; + +diff --git a/net/netfilter/nft_counter.c b/net/netfilter/nft_counter.c +index dccc68a51..291ed2026 100644 +--- a/net/netfilter/nft_counter.c ++++ b/net/netfilter/nft_counter.c +@@ -226,7 +226,7 @@ static void nft_counter_destroy(const struct nft_ctx *ctx, + nft_counter_do_destroy(priv); + } + +-static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src) ++static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp) + { + struct nft_counter_percpu_priv *priv = nft_expr_priv(src); + struct nft_counter_percpu_priv *priv_clone = nft_expr_priv(dst); +@@ -236,7 +236,7 @@ static int nft_counter_clone(struct nft_expr *dst, const struct nft_expr *src) + + nft_counter_fetch(priv, &total); + +- cpu_stats = alloc_percpu_gfp(struct nft_counter, GFP_ATOMIC); ++ cpu_stats = alloc_percpu_gfp(struct nft_counter, gfp); + if (cpu_stats == NULL) + return -ENOMEM; + +diff --git a/net/netfilter/nft_dynset.c b/net/netfilter/nft_dynset.c +index 629a91a8c..a81bd69b0 100644 +--- a/net/netfilter/nft_dynset.c ++++ b/net/netfilter/nft_dynset.c +@@ -35,7 +35,7 @@ static int nft_dynset_expr_setup(const struct nft_dynset *priv, + + for (i = 0; i < priv->num_exprs; i++) { + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); +- if (nft_expr_clone(expr, priv->expr_array[i]) < 0) ++ if (nft_expr_clone(expr, priv->expr_array[i], GFP_ATOMIC) < 0) + return -1; + + elem_expr->size += priv->expr_array[i]->ops->size; +diff --git a/net/netfilter/nft_last.c b/net/netfilter/nft_last.c +index 8e6d7eaf9..de1b6066b 100644 +--- a/net/netfilter/nft_last.c ++++ b/net/netfilter/nft_last.c +@@ -102,12 +102,12 @@ static void nft_last_destroy(const struct nft_ctx *ctx, + kfree(priv->last); + } + +-static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src) ++static int nft_last_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp) + { + struct nft_last_priv *priv_dst = nft_expr_priv(dst); + struct nft_last_priv *priv_src = nft_expr_priv(src); + +- priv_dst->last = kzalloc(sizeof(*priv_dst->last), GFP_ATOMIC); ++ priv_dst->last = kzalloc(sizeof(*priv_dst->last), gfp); + if (!priv_dst->last) + return -ENOMEM; + +diff --git a/net/netfilter/nft_limit.c b/net/netfilter/nft_limit.c +index cefa25e0d..21d26b79b 100644 +--- a/net/netfilter/nft_limit.c ++++ b/net/netfilter/nft_limit.c +@@ -150,7 +150,7 @@ static void nft_limit_destroy(const struct nft_ctx *ctx, + } + + static int nft_limit_clone(struct nft_limit_priv *priv_dst, +- const struct nft_limit_priv *priv_src) ++ const struct nft_limit_priv *priv_src, gfp_t gfp) + { + priv_dst->tokens_max = priv_src->tokens_max; + priv_dst->rate = priv_src->rate; +@@ -158,7 +158,7 @@ static int nft_limit_clone(struct nft_limit_priv *priv_dst, + priv_dst->burst = priv_src->burst; + priv_dst->invert = priv_src->invert; + +- priv_dst->limit = kmalloc(sizeof(*priv_dst->limit), GFP_ATOMIC); ++ priv_dst->limit = kmalloc(sizeof(*priv_dst->limit), gfp); + if (!priv_dst->limit) + return -ENOMEM; + +@@ -223,14 +223,15 @@ static void nft_limit_pkts_destroy(const struct nft_ctx *ctx, + nft_limit_destroy(ctx, &priv->limit); + } + +-static int nft_limit_pkts_clone(struct nft_expr *dst, const struct nft_expr *src) ++static int nft_limit_pkts_clone(struct nft_expr *dst, const struct nft_expr *src, ++ gfp_t gfp) + { + struct nft_limit_priv_pkts *priv_dst = nft_expr_priv(dst); + struct nft_limit_priv_pkts *priv_src = nft_expr_priv(src); + + priv_dst->cost = priv_src->cost; + +- return nft_limit_clone(&priv_dst->limit, &priv_src->limit); ++ return nft_limit_clone(&priv_dst->limit, &priv_src->limit, gfp); + } + + static struct nft_expr_type nft_limit_type; +@@ -281,12 +282,13 @@ static void nft_limit_bytes_destroy(const struct nft_ctx *ctx, + nft_limit_destroy(ctx, priv); + } + +-static int nft_limit_bytes_clone(struct nft_expr *dst, const struct nft_expr *src) ++static int nft_limit_bytes_clone(struct nft_expr *dst, const struct nft_expr *src, ++ gfp_t gfp) + { + struct nft_limit_priv *priv_dst = nft_expr_priv(dst); + struct nft_limit_priv *priv_src = nft_expr_priv(src); + +- return nft_limit_clone(priv_dst, priv_src); ++ return nft_limit_clone(priv_dst, priv_src, gfp); + } + + static const struct nft_expr_ops nft_limit_bytes_ops = { +diff --git a/net/netfilter/nft_quota.c b/net/netfilter/nft_quota.c +index 3ba12a747..9b2d7463d 100644 +--- a/net/netfilter/nft_quota.c ++++ b/net/netfilter/nft_quota.c +@@ -233,7 +233,7 @@ static void nft_quota_destroy(const struct nft_ctx *ctx, + return nft_quota_do_destroy(ctx, priv); + } + +-static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src) ++static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src, gfp_t gfp) + { + struct nft_quota *priv_dst = nft_expr_priv(dst); + struct nft_quota *priv_src = nft_expr_priv(src); +@@ -241,7 +241,7 @@ static int nft_quota_clone(struct nft_expr *dst, const struct nft_expr *src) + priv_dst->quota = priv_src->quota; + priv_dst->flags = priv_src->flags; + +- priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), GFP_ATOMIC); ++ priv_dst->consumed = kmalloc(sizeof(*priv_dst->consumed), gfp); + if (!priv_dst->consumed) + return -ENOMEM; + +-- +2.44.2 +
