KMSAN: uninit-value in ebt_stp_mt_check

Hello, syzbot hit the following crash on https://github.com/google/kmsan.git/master commit a7f95e9c8a95e9fbb388c3999b61a17667cd3bbe (Sat Apr 21 13:50:22 2018 +) kmsan: disable assembly checksums syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=5c06e318fc558cc27823 So far

KMSAN: uninit-value in ip_vs_lblc_check_expire

Hello, syzbot hit the following crash on https://github.com/google/kmsan.git/master commit d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +) kmsan: add initialization for shmem pages syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3e9695f147fb529aa9bc

KMSAN: uninit-value in ip_vs_lblcr_check_expire

Hello, syzbot hit the following crash on https://github.com/google/kmsan.git/master commit d2d741e5d1898dfde1a75ea3d29a9a3e2edf0617 (Sun Apr 22 15:05:22 2018 +) kmsan: add initialization for shmem pages syzbot dashboard link: https://syzkaller.appspot.com/bug?extid=3dfdea57819073a04f21

[iptables 2/2] extensions: libip6t_srh: add test-cases for matching previous, next and last SID

This patch adds some test-cases to "libip6t_srh.t" for matching previous SID, next SID, and last SID. Signed-off-by: Ahmed Abdelsalam --- extensions/libip6t_srh.t | 4 1 file changed, 4 insertions(+) diff --git a/extensions/libip6t_srh.t b/extensions/libip6t_srh.t

[iptables 1/2] extensions: libip6t_srh: support matching previous, next and last SID

This patch extends the libip6t_srh shared library to support matching previous SID, next SID, and last SID. Signed-off-by: Ahmed Abdelsalam --- extensions/libip6t_srh.c| 65 - include/linux/netfilter_ipv6/ip6t_srh.h | 22

[PATCH nf-next] netfilter: nf_tables: enable hashing of one element

The modulus in the hash function was limited to > 1 as initially there was no sense to create a hashing of just one element. Nevertheless, there are certain cases specially for load balancing where this case needs to be addressed. This patch fixes the following error. Error: Could not process

[nf-next] netfilter: extend SRH match to support matching previous, next and last SID

IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by SR encapsulated packet. Each SID is encoded as an IPv6 prefix. When a Firewall receives an SR encapsulated packet, it should be able to identify which node previously processed the packet (previous SID), which node is

[PATCH iptables] ebtables-compat: add 'pkttype' match extension

Signed-off-by: Florian Westphal --- extensions/libebt_pkttype.c | 119 +++ extensions/libebt_pkttype.txlate | 20 +++ iptables/xtables-eb.c| 1 + 3 files changed, 140 insertions(+) create mode 100644

[PATCH iptables] ebtables-compat: add 'vlan' match extension

Signed-off-by: Florian Westphal --- extensions/libebt_vlan.c | 226 ++ extensions/libebt_vlan.txlate | 11 ++ iptables/xtables-eb.c | 1 + 3 files changed, 238 insertions(+) create mode 100644 extensions/libebt_vlan.c

[PATCH 00/12] Netfilter/IPVS fixes for net

Hi David, The following patchset contains Netfilter/IPVS fixes for your net tree, they are: 1) Fix SIP conntrack with phones sending session descriptions for different media types but same port numbers, from Florian Westphal. 2) Fix incorrect rtnl_lock mutex logic from IPVS sync thread, from

[PATCH 01/12] netfilter: nf_conntrack_sip: allow duplicate SDP expectations

From: Florian Westphal Callum Sinclair reported SIP IP Phone errors that he tracked down to such phones sending session descriptions for different media types but with same port numbers. The expect core will only 'refresh' existing expectation if it is from same master AND same

[PATCH 08/12] netfilter: nf_tables: free set name in error path

From: Florian Westphal set->name must be free'd here in case ops->init fails. Fixes: 387454901bd6 ("netfilter: nf_tables: Allow set names of up to 255 chars") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso ---

[PATCH 11/12] netfilter: nf_tables: fix out-of-bounds in nft_chain_commit_update

From: Taehee Yoo When chain name is changed, nft_chain_commit_update is called. In the nft_chain_commit_update, trans->ctx.chain->name has old chain name and nft_trans_chain_name(trans) has new chain name. If new chain name is longer than old chain name, KASAN warns

[PATCH 03/12] netfilter: ebtables: don't attempt to allocate 0-sized compat array

From: Florian Westphal Dmitry reports 32bit ebtables on 64bit kernel got broken by a recent change that returns -EINVAL when ruleset has no entries. ebtables however only counts user-defined chains, so for the initial table nentries will be 0. Don't try to allocate the compat

[PATCH 05/12] netfilter: conntrack: silent a memory leak warning

From: Cong Wang The following memory leak is false postive: unreferenced object 0x8f37f156fb38 (size 128): comm "softirq", pid 0, jiffies 4294899665 (age 11.292s) hex dump (first 32 bytes): 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b

[PATCH 09/12] netfilter: conntrack: include kmemleak.h for kmemleak_not_leak()

From: Stephen Rothwell After merging the netfilter tree, today's linux-next build (powerpc ppc64_defconfig) failed like this: net/netfilter/nf_conntrack_extend.c: In function 'nf_ct_ext_add': net/netfilter/nf_conntrack_extend.c:74:2: error: implicit declaration of

[PATCH 04/12] netfilter: xt_connmark: Add bit mapping for bit-shift operation.

From: Jack Ma With the addition of bit-shift operations, we are able to shift ct/skbmark based on user requirements. However, this change might also cause the most left/right hand- side mark to be accidentially lost during shift operations. This patch adds the

[PATCH 10/12] netfilter: nf_tables: NAT chain and extensions require NF_TABLES

Move these options inside the scope of the 'if' NF_TABLES and NF_TABLES_IPV6 dependencies. This patch fixes: net/ipv6/netfilter/nft_chain_nat_ipv6.o: In function `nft_nat_do_chain': >> net/ipv6/netfilter/nft_chain_nat_ipv6.c:37: undefined reference to >> `nft_do_chain'

[PATCH 12/12] netfilter: xt_connmark: do not cast xt_connmark_tginfo1 to xt_connmark_tginfo2

These structures have different layout, fill xt_connmark_tginfo2 with old fields in xt_connmark_tginfo1. Based on patch from Jack Ma. Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.") Signed-off-by: Pablo Neira Ayuso ---

Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote: > IPv6 Segment Routing Header (SRH) contains a list of SIDs to be crossed by > SR encapsulated packet. Each SID is encoded as an IPv6 prefix. > > When a Firewall receives an SR encapsulated packet, it should be able to > identify

Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

On Mon, 23 Apr 2018 22:08:44 +0200 Florian Westphal wrote: > Ahmed Abdelsalam wrote: > > > > @@ -50,6 +62,12 @@ struct ip6t_srh { > > > > __u8segs_left; > > > > __u8last_entry; > > > > __u16

Re: [PATCH 00/12] Netfilter/IPVS fixes for net

From: Pablo Neira Ayuso Date: Mon, 23 Apr 2018 19:57:02 +0200 > The following patchset contains Netfilter/IPVS fixes for your net tree, > they are: ... > You can pull these changes from: > > git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf.git Pulled, thank you.

[Patch nf] ipvs: initialize tbl->entries after allocation

tbl->entries is not initialized after kmalloc(), therefore causes an uninit-value warning in ip_vs_lblc_check_expire() as reported by syzbot. Reported-by: Cc: Simon Horman Cc: Julian Anastasov Cc: Pablo

Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

Ahmed Abdelsalam wrote: > > > @@ -50,6 +62,12 @@ struct ip6t_srh { > > > __u8segs_left; > > > __u8last_entry; > > > __u16 tag; > > > + struct in6_addr psid_addr; > > > + struct in6_addr nsid_addr;

[Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()

Similarly, tbl->entries is not initialized after kmalloc(), therefore causes an uninit-value warning in ip_vs_lblc_check_expire(), as reported by syzbot. Reported-by: Cc: Simon Horman Cc: Julian Anastasov

Re: [nf-next] netfilter: extend SRH match to support matching previous, next and last SID

On Mon, 23 Apr 2018 19:30:47 +0200 Pablo Neira Ayuso wrote: > On Mon, Apr 23, 2018 at 05:48:22AM -0500, Ahmed Abdelsalam wrote: > > Signed-off-by: Ahmed Abdelsalam > > --- > > include/uapi/linux/netfilter_ipv6/ip6t_srh.h | 22 +-- > >

[PATCH v4] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

This patch adds a new feature to iptables that allow bitshifting for --restore,set and save-mark operations. This allows existing logic operators (and, or and xor) and mask to co-operate with new bitshift operations. The intention is to provide uses with more fexible uses of skb->mark and

[PATCH nft 1/4] netlink: pass cmd object to netlink function calls

Simplify function footprint. Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 78 ++--- src/netlink.c | 127 +- src/rule.c| 87 - 3

[PATCH nft 2/4] netlink: netlink_list_chains() callers always wants all existing chains

Remove dead code, callers always need this to dump all of the existing chains. Signed-off-by: Pablo Neira Ayuso --- src/netlink.c | 16 +--- 1 file changed, 1 insertion(+), 15 deletions(-) diff --git a/src/netlink.c b/src/netlink.c index

[PATCH nft 3/4] netlink: don't pass location to netlink_list_*() function

Not needed anymore. Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 18 ++ src/netlink.c | 23 --- src/rule.c| 18 +++--- 3 files changed, 21 insertions(+), 38 deletions(-) diff --git a/include/netlink.h

[PATCH nft 4/4] netlink: remove unused function declarations

Signed-off-by: Pablo Neira Ayuso --- include/netlink.h | 4 1 file changed, 4 deletions(-) diff --git a/include/netlink.h b/include/netlink.h index 58b37d3cd572..92bae138bf91 100644 --- a/include/netlink.h +++ b/include/netlink.h @@ -110,10 +110,6 @@ extern void

[PATCH v5] libxt_CONNMARK: Support bit-shifting for --restore,set and save-mark

This patch adds a new feature to iptables that allow bitshifting for --restore,set and save-mark operations. This allows existing logic operators (and, or and xor) and mask to co-operate with new bitshift operations. The intention is to provide uses with more fexible uses of skb->mark and

Re: [Patch nf] ipvs: initialize tbl->entries after allocation

Hello, On Mon, 23 Apr 2018, Cong Wang wrote: > tbl->entries is not initialized after kmalloc(), therefore > causes an uninit-value warning in ip_vs_lblc_check_expire() > as reported by syzbot. > > Reported-by: > Cc: Simon Horman

Re: [Patch nf] ipvs: initialize tbl->entries in ip_vs_lblc_init_svc()

Hello, On Mon, 23 Apr 2018, Cong Wang wrote: > Similarly, tbl->entries is not initialized after kmalloc(), > therefore causes an uninit-value warning in ip_vs_lblc_check_expire(), > as reported by syzbot. > > Reported-by: > Cc: