| Message ID | 15fdceb5-2de5-4453-98b3-cfa9d486e8da@moroto.mountain |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:8f47:0:b0:403:3b70:6f57 with SMTP id j7csp839576vqu;
Thu, 2 Nov 2023 23:43:33 -0700 (PDT)
X-Google-Smtp-Source:
AGHT+IEK9GuAPaSLpOQWemO0Av3+yZ8ZxB+4TQDJNq4+EDTclD6Ps/I9CaDefdo50SPi8WKondBF
X-Received: by 2002:a17:90b:3746:b0:280:c85d:450 with SMTP id
ne6-20020a17090b374600b00280c85d0450mr5615844pjb.44.1698993813549;
Thu, 02 Nov 2023 23:43:33 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1698993813; cv=none;
d=google.com; s=arc-20160816;
b=q4VUmdwgiixerrCxYK+MIKf0jbgUostExHdOQObniagsQ3wNe96/TYzQMz8dcKh19s
MMKvd6WNCIjof1KnbLcthbz8OP1IyxwCiLVr/tos5GFCei7iOjW8mm87n8tQIjkbhxvG
Y5RmLNVrT0Xp8eAiU42liFUJheSG9xKL8+QidIJXzHZQn+gttaobiJ8q5XwzKdEXoqQZ
R5GF4dYKUDabDcz6YNXO1qUGF/4fork7fCUfHzufY9OCHVRmpcMvox1Ysg01+n48g6Pn
w4VaLusx6JYlsaBtjsPLIpyKCazRzDv3rUwqlX0hP5vNO5zI6BDyf5Pv0frTEsKEUKgn
XRMg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-disposition:mime-version:message-id
:subject:cc:to:from:date:dkim-signature;
bh=HBU5oj0huelFR/2545WemOLhvSZlToyjTZBhGrpdm7g=;
fh=oAvefmRaN4aV84sh9+vNnD0D9vb50Q5W7mh9CqqRzaA=;
b=OOWhpz1RYGoCXEIVnikY0VbeVHFfuah0XQRojLWViQhjx9xUtzg47+bzBw7gP1qSHM
DKMuM30TajrTjERxhLTfII3vGERsMp0fJ5isHtcOCeQXon9X+/SDYJfSaTpZRnwWOk2J
PXaNmaoFnkTEI5nnqfnFIM0x6yjfhj0yII5YLI5qLY3AtcFjRzDIYfqECcTUw0uGeFvW
EXZrOny6g5FaV+usXM38AgCluRT1sivvvg+dtGe0OFYCPMlDrpDFPUiVI9owtN4XTYUd
5fL2Jt6yrWXj001r6OiOgsqb+fXMFmb3pc+wZksrZBr/bfKsDS6N5ZLgsjB6oLBUUU9W
kJxQ==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@linaro.org header.s=google header.b=HSB1zsie;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from lipwig.vger.email (lipwig.vger.email. [2620:137:e000::3:3])
by mx.google.com with ESMTPS id
om3-20020a17090b3a8300b00263860e1f4csi1180924pjb.16.2023.11.02.23.43.33
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 02 Nov 2023 23:43:33 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
client-ip=2620:137:e000::3:3;
Authentication-Results: mx.google.com;
dkim=pass header.i=@linaro.org header.s=google header.b=HSB1zsie;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::3:3 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linaro.org
Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0])
by lipwig.vger.email (Postfix) with ESMTP id 1B7A1826BB81;
Thu, 2 Nov 2023 23:43:29 -0700 (PDT)
X-Virus-Status: Clean
X-Virus-Scanned: clamav-milter 0.103.10 at lipwig.vger.email
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S232027AbjKCGnE (ORCPT <rfc822;lhua1029@gmail.com> + 36 others);
Fri, 3 Nov 2023 02:43:04 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55480 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231825AbjKCGnC (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Fri, 3 Nov 2023 02:43:02 -0400
Received: from mail-ed1-x52f.google.com (mail-ed1-x52f.google.com
[IPv6:2a00:1450:4864:20::52f])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B8E111B9
for <linux-kernel@vger.kernel.org>;
Thu, 2 Nov 2023 23:42:56 -0700 (PDT)
Received: by mail-ed1-x52f.google.com with SMTP id
4fb4d7f45d1cf-53f9af41444so2928688a12.1
for <linux-kernel@vger.kernel.org>;
Thu, 02 Nov 2023 23:42:56 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=linaro.org; s=google; t=1698993775; x=1699598575;
darn=vger.kernel.org;
h=content-disposition:mime-version:message-id:subject:cc:to:from:date
:from:to:cc:subject:date:message-id:reply-to;
bh=HBU5oj0huelFR/2545WemOLhvSZlToyjTZBhGrpdm7g=;
b=HSB1zsieAK8E/r7G1jqrAfN40ZT7ScdE1VZ/KI/4zPvMCuBjHT8g2Lr9iI5c3qgnqg
Rw1ECGaf3BlfsuxaiRSiMI/ef6O9U2MNdFTd9CnLtaB9Va7xIQfACoiMmR9Bi7W5zXcf
dxJYvVTvLG/yIqzOmiTRSyyszkN4J+5zT767M+w0xEdLlLxVf3apmccNF/z6lbC24XWb
6tTs8oPFQKd4zAVFC6tYu4IHJE60ahksXoboC4HoNMy/66Vi2IuDP+8h/fE1OI2jxUQw
8yBpbSbuzFnWZD1APhECQpVQJ9aiT8V8Od9BjGmxTl8OY4agKrqnnIiLNATss4jQi8pA
na2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=1e100.net; s=20230601; t=1698993775; x=1699598575;
h=content-disposition:mime-version:message-id:subject:cc:to:from:date
:x-gm-message-state:from:to:cc:subject:date:message-id:reply-to;
bh=HBU5oj0huelFR/2545WemOLhvSZlToyjTZBhGrpdm7g=;
b=uKoz6ju8qPvUWkPY5uBWW1TK85WjuR23H7U2oksK2vMHib/tabmlzyDxkmIM2TKwG/
Zesa0P6LHxYfNwU3KqnfzMPbEtd46OWtUtVr+X0YobhMMuDPYJ+u9CGQ2JOas4ylQgSS
KYCdwS94d9DgqUzlgQfyRRerpsah7ZUIBQ6O/Ip2bcMv1oQ56CFGDgJasJgVOaGcgKEO
TzMcQiLY/Ah0bQrXJ8c/sTinL4FWe/J6v9PmnaatKt0Ve2BFnzHHQpdJaTDH5A4mpxXF
qnPik5MLBQNbQya8b+fXoHCDn8kjx35herkNNse6G8ZOcAnoYiIs8J2X6IfpP0W9YvH6
P/Sg==
X-Gm-Message-State: AOJu0YzkyXLQ8SejHzTGwRwNrq2RhT+7fnZf8uVvNN0p0VIwFsZhbrXb
l3eJV/iRdBBZs/cSRBoFg62AQQ==
X-Received: by 2002:a17:906:bc93:b0:9bd:bbc1:1c5f with SMTP id
lv19-20020a170906bc9300b009bdbbc11c5fmr4766399ejb.35.1698993775211;
Thu, 02 Nov 2023 23:42:55 -0700 (PDT)
Received: from localhost ([102.36.222.112])
by smtp.gmail.com with ESMTPSA id
bw4-20020a170906c1c400b00992e94bcfabsm531429ejb.167.2023.11.02.23.42.54
(version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
Thu, 02 Nov 2023 23:42:54 -0700 (PDT)
Date: Fri, 3 Nov 2023 09:42:51 +0300
From: Dan Carpenter <dan.carpenter@linaro.org>
To: Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@netfilter.org>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kernel-janitors@vger.kernel.org
Subject: [PATCH net] netfilter: nf_tables: fix pointer math issue in
nft_byteorder_eval()
Message-ID: <15fdceb5-2de5-4453-98b3-cfa9d486e8da@moroto.mountain>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Mailer: git-send-email haha only kidding
X-Spam-Status: No, score=-0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=unavailable
autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lipwig.vger.email
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-Greylist: Sender passed SPF test,
not delayed by milter-greylist-4.6.4 (lipwig.vger.email [0.0.0.0]);
Thu, 02 Nov 2023 23:43:29 -0700 (PDT)
X-getmail-retrieved-from-mailbox: INBOX
X-GMAIL-THRID: 1781524137364333584
X-GMAIL-MSGID: 1781524137364333584
|
| Series |
[net] netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()
|
|
Commit Message
Dan Carpenter
Nov. 3, 2023, 6:42 a.m. UTC
The problem is in nft_byteorder_eval() where we are iterating through a
loop and writing to dst[0], dst[1], dst[2] and so on... On each
iteration we are writing 8 bytes. But dst[] is an array of u32 so each
element only has space for 4 bytes. That means that every iteration
overwrites part of the previous element.
I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter:
nf_tables: prevent OOB access in nft_byteorder_eval") which is a related
issue. I think that the reason we have not detected this bug in testing
is that most of time we only write one element.
Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
---
include/net/netfilter/nf_tables.h | 4 ++--
net/netfilter/nft_byteorder.c | 5 +++--
net/netfilter/nft_meta.c | 2 +-
3 files changed, 6 insertions(+), 5 deletions(-)
Comments
Dan Carpenter <dan.carpenter@linaro.org> wrote: > The problem is in nft_byteorder_eval() where we are iterating through a > loop and writing to dst[0], dst[1], dst[2] and so on... On each > iteration we are writing 8 bytes. But dst[] is an array of u32 so each > element only has space for 4 bytes. That means that every iteration > overwrites part of the previous element. > > I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: > nf_tables: prevent OOB access in nft_byteorder_eval") which is a related > issue. I think that the reason we have not detected this bug in testing > is that most of time we only write one element. LGTM, thanks Dan. We will route this via nf.git.
On Fri, Nov 03, 2023 at 10:18:01AM +0100, Florian Westphal wrote: > Dan Carpenter <dan.carpenter@linaro.org> wrote: > > The problem is in nft_byteorder_eval() where we are iterating through a > > loop and writing to dst[0], dst[1], dst[2] and so on... On each > > iteration we are writing 8 bytes. But dst[] is an array of u32 so each > > element only has space for 4 bytes. That means that every iteration > > overwrites part of the previous element. > > > > I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: > > nf_tables: prevent OOB access in nft_byteorder_eval") which is a related > > issue. I think that the reason we have not detected this bug in testing > > is that most of time we only write one element. > > LGTM, thanks Dan. We will route this via nf.git. Thanks for your patch. One question, is this update really required? diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 3bbd13ab1ecf..b157c5cafd14 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -178,9 +178,9 @@ static inline __be32 nft_reg_load_be32(const u32 *sreg) return *(__force __be32 *)sreg; } -static inline void nft_reg_store64(u32 *dreg, u64 val) +static inline void nft_reg_store64(u64 *dreg, u64 val) { - put_unaligned(val, (u64 *)dreg); + put_unaligned(val, dreg); } static inline u64 nft_reg_load64(const u32 *sreg) because one of the goals of nft_reg_store64() is to avoid that caller casts the register to 64-bits.
Pablo Neira Ayuso <pablo@netfilter.org> wrote: > On Fri, Nov 03, 2023 at 10:18:01AM +0100, Florian Westphal wrote: > > Dan Carpenter <dan.carpenter@linaro.org> wrote: > > > The problem is in nft_byteorder_eval() where we are iterating through a > > > loop and writing to dst[0], dst[1], dst[2] and so on... On each > > > iteration we are writing 8 bytes. But dst[] is an array of u32 so each > > > element only has space for 4 bytes. That means that every iteration > > > overwrites part of the previous element. > > > > > > I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: > > > nf_tables: prevent OOB access in nft_byteorder_eval") which is a related > > > issue. I think that the reason we have not detected this bug in testing > > > is that most of time we only write one element. > > > > LGTM, thanks Dan. We will route this via nf.git. > > Thanks for your patch. > > One question, is this update really required? I think so, yes. Part of this bug here is that this helper-niceness masks whats really happening in the caller (advancing in strides of 'u32', rather than 'u64').
On Fri, Nov 03, 2023 at 09:42:51AM +0300, Dan Carpenter wrote: > The problem is in nft_byteorder_eval() where we are iterating through a > loop and writing to dst[0], dst[1], dst[2] and so on... On each > iteration we are writing 8 bytes. But dst[] is an array of u32 so each > element only has space for 4 bytes. That means that every iteration > overwrites part of the previous element. > > I spotted this bug while reviewing commit caf3ef7468f7 ("netfilter: > nf_tables: prevent OOB access in nft_byteorder_eval") which is a related > issue. I think that the reason we have not detected this bug in testing > is that most of time we only write one element. > > Fixes: ce1e7989d989 ("netfilter: nft_byteorder: provide 64bit le/be conversion") > Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org> > --- > include/net/netfilter/nf_tables.h | 4 ++-- > net/netfilter/nft_byteorder.c | 5 +++-- > net/netfilter/nft_meta.c | 2 +- > 3 files changed, 6 insertions(+), 5 deletions(-) > > diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h > index 3bbd13ab1ecf..b157c5cafd14 100644 > --- a/include/net/netfilter/nf_tables.h > +++ b/include/net/netfilter/nf_tables.h > @@ -178,9 +178,9 @@ static inline __be32 nft_reg_load_be32(const u32 *sreg) > return *(__force __be32 *)sreg; > } > > -static inline void nft_reg_store64(u32 *dreg, u64 val) > +static inline void nft_reg_store64(u64 *dreg, u64 val) > { > - put_unaligned(val, (u64 *)dreg); > + put_unaligned(val, dreg); > } > > static inline u64 nft_reg_load64(const u32 *sreg) > diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c > index e596d1a842f7..f6e791a68101 100644 > --- a/net/netfilter/nft_byteorder.c > +++ b/net/netfilter/nft_byteorder.c > @@ -38,13 +38,14 @@ void nft_byteorder_eval(const struct nft_expr *expr, > > switch (priv->size) { > case 8: { > + u64 *dst64 = (void *)dst; > u64 src64; > > switch (priv->op) { > case NFT_BYTEORDER_NTOH: > for (i = 0; i < priv->len / 8; i++) { > src64 = nft_reg_load64(&src[i]); > - nft_reg_store64(&dst[i], > + nft_reg_store64(&dst64[i], > be64_to_cpu((__force __be64)src64)); > } > break; > @@ -52,7 +53,7 @@ void nft_byteorder_eval(const struct nft_expr *expr, > for (i = 0; i < priv->len / 8; i++) { > src64 = (__force __u64) > cpu_to_be64(nft_reg_load64(&src[i])); > - nft_reg_store64(&dst[i], src64); > + nft_reg_store64(&dst64[i], src64); > } > break; > } I stumbled upon this when the issue got a CVE id (sigh) and I share Andrea's (Cc-ed) concern that the fix is incomplete. While the fix, commit c301f0981fdd ("netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval()") now, fixes the destination side, src is still a pointer to u32, i.e. we are reading 64-bit values with relative offsets which are multiples of 32 bits. Shouldn't we fix this as well, e.g. like indicated below? Michal ------------------------------------------------------------------------------ diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 001226c34621..bb4b83ea2908 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -183,9 +183,9 @@ static inline void nft_reg_store64(u64 *dreg, u64 val) put_unaligned(val, dreg); } -static inline u64 nft_reg_load64(const u32 *sreg) +static inline u64 nft_reg_load64(const u64 *sreg) { - return get_unaligned((u64 *)sreg); + return get_unaligned(sreg); } static inline void nft_data_copy(u32 *dst, const struct nft_data *src, diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c index f6e791a68101..2a64c69ed507 100644 --- a/net/netfilter/nft_byteorder.c +++ b/net/netfilter/nft_byteorder.c @@ -39,21 +39,22 @@ void nft_byteorder_eval(const struct nft_expr *expr, switch (priv->size) { case 8: { u64 *dst64 = (void *)dst; - u64 src64; + u64 *src64 = (void *)src; + u64 val64; switch (priv->op) { case NFT_BYTEORDER_NTOH: for (i = 0; i < priv->len / 8; i++) { - src64 = nft_reg_load64(&src[i]); + val64 = nft_reg_load64(&src64[i]); nft_reg_store64(&dst64[i], - be64_to_cpu((__force __be64)src64)); + be64_to_cpu((__force __be64)val64)); } break; case NFT_BYTEORDER_HTON: for (i = 0; i < priv->len / 8; i++) { - src64 = (__force __u64) - cpu_to_be64(nft_reg_load64(&src[i])); - nft_reg_store64(&dst64[i], src64); + val64 = (__force __u64) + cpu_to_be64(nft_reg_load64(&src64[i])); + nft_reg_store64(&dst64[i], val64); } break; } ------------------------------------------------------------------------------
On Tue, Feb 06, 2024 at 11:43:36AM +0100, Michal Kubecek wrote: > > I stumbled upon this when the issue got a CVE id (sigh) and I share > Andrea's (Cc-ed) concern that the fix is incomplete. While the fix, > commit c301f0981fdd ("netfilter: nf_tables: fix pointer math issue in > nft_byteorder_eval()") now, fixes the destination side, src is still > a pointer to u32, i.e. we are reading 64-bit values with relative > offsets which are multiples of 32 bits. > > Shouldn't we fix this as well, e.g. like indicated below? > Yep. You're right. Could you send that as a patch. regards, dan carpenter
On Tue, Feb 06, 2024 at 02:04:10PM +0300, Dan Carpenter wrote: > On Tue, Feb 06, 2024 at 11:43:36AM +0100, Michal Kubecek wrote: > > > > I stumbled upon this when the issue got a CVE id (sigh) and I share > > Andrea's (Cc-ed) concern that the fix is incomplete. While the fix, > > commit c301f0981fdd ("netfilter: nf_tables: fix pointer math issue in > > nft_byteorder_eval()") now, fixes the destination side, src is still > > a pointer to u32, i.e. we are reading 64-bit values with relative > > offsets which are multiples of 32 bits. > > > > Shouldn't we fix this as well, e.g. like indicated below? > > > > Yep. You're right. Could you send that as a patch. Thank you for checking. I'll send a patch in a moment. Michal
Michal Kubecek <mkubecek@suse.cz> wrote: > I stumbled upon this when the issue got a CVE id (sigh) and I share > Andrea's (Cc-ed) concern that the fix is incomplete. While the fix, > commit c301f0981fdd ("netfilter: nf_tables: fix pointer math issue in > nft_byteorder_eval()") now, fixes the destination side, src is still > a pointer to u32, i.e. we are reading 64-bit values with relative > offsets which are multiples of 32 bits. > > Shouldn't we fix this as well, e.g. like indicated below? No, please remove multi-elem support instead, nothing uses this feature.
On Tue, Feb 06, 2024 at 12:11:12PM +0100, Florian Westphal wrote: > Michal Kubecek <mkubecek@suse.cz> wrote: > > I stumbled upon this when the issue got a CVE id (sigh) and I share > > Andrea's (Cc-ed) concern that the fix is incomplete. While the fix, > > commit c301f0981fdd ("netfilter: nf_tables: fix pointer math issue in > > nft_byteorder_eval()") now, fixes the destination side, src is still > > a pointer to u32, i.e. we are reading 64-bit values with relative > > offsets which are multiples of 32 bits. > > > > Shouldn't we fix this as well, e.g. like indicated below? > > No, please remove multi-elem support instead, nothing uses this feature. See attached patch. I posted this: https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240202120602.5122-1-pablo@netfilter.org/ I can replace it by the attached patch if you prefer. This can only help in the future to microoptimize some set configurations, where several byteorder can be coalesced into one single expression.
On Tue, Feb 06, 2024 at 12:29:51PM +0100, Pablo Neira Ayuso wrote: > On Tue, Feb 06, 2024 at 12:11:12PM +0100, Florian Westphal wrote: > > Michal Kubecek <mkubecek@suse.cz> wrote: > > > I stumbled upon this when the issue got a CVE id (sigh) and I share > > > Andrea's (Cc-ed) concern that the fix is incomplete. While the fix, > > > commit c301f0981fdd ("netfilter: nf_tables: fix pointer math issue in > > > nft_byteorder_eval()") now, fixes the destination side, src is still > > > a pointer to u32, i.e. we are reading 64-bit values with relative > > > offsets which are multiples of 32 bits. > > > > > > Shouldn't we fix this as well, e.g. like indicated below? > > > > No, please remove multi-elem support instead, nothing uses this feature. > > See attached patch. > > I posted this: > > https://patchwork.ozlabs.org/project/netfilter-devel/patch/20240202120602.5122-1-pablo@netfilter.org/ > > I can replace it by the attached patch if you prefer. This can only > help in the future to microoptimize some set configurations, where > several byteorder can be coalesced into one single expression. I have to replace those index 'i' by simply dst instead, this is obviosly incomplete. > diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c > index 8cf91e47fd7a..af3412602869 100644 > --- a/net/netfilter/nft_byteorder.c > +++ b/net/netfilter/nft_byteorder.c > @@ -43,18 +43,14 @@ void nft_byteorder_eval(const struct nft_expr *expr, > > switch (priv->op) { > case NFT_BYTEORDER_NTOH: > - for (i = 0; i < priv->len / 8; i++) { > - src64 = nft_reg_load64(&src[i]); > - nft_reg_store64(&dst64[i], > - be64_to_cpu((__force __be64)src64)); > - } > + src64 = nft_reg_load64(&src[i]); > + nft_reg_store64(&dst64[i], > + be64_to_cpu((__force __be64)src64)); > break; > case NFT_BYTEORDER_HTON: > - for (i = 0; i < priv->len / 8; i++) { > - src64 = (__force __u64) > - cpu_to_be64(nft_reg_load64(&src[i])); > - nft_reg_store64(&dst64[i], src64); > - } > + src64 = (__force __u64) > + cpu_to_be64(nft_reg_load64(&src[i])); > + nft_reg_store64(&dst64[i], src64); > break; > } > break; > @@ -62,24 +58,20 @@ void nft_byteorder_eval(const struct nft_expr *expr, > case 4: > switch (priv->op) { > case NFT_BYTEORDER_NTOH: > - for (i = 0; i < priv->len / 4; i++) > - dst[i] = ntohl((__force __be32)src[i]); > + dst[i] = ntohl((__force __be32)src[i]); > break; > case NFT_BYTEORDER_HTON: > - for (i = 0; i < priv->len / 4; i++) > - dst[i] = (__force __u32)htonl(src[i]); > + dst[i] = (__force __u32)htonl(src[i]); > break; > } > break; > case 2: > switch (priv->op) { > case NFT_BYTEORDER_NTOH: > - for (i = 0; i < priv->len / 2; i++) > - d16[i] = ntohs((__force __be16)s16[i]); > + d16[i] = ntohs((__force __be16)s16[i]); > break; > case NFT_BYTEORDER_HTON: > - for (i = 0; i < priv->len / 2; i++) > - d16[i] = (__force __u16)htons(s16[i]); > + d16[i] = (__force __u16)htons(s16[i]); > break; > } > break; > @@ -137,6 +129,9 @@ static int nft_byteorder_init(const struct nft_ctx *ctx, > if (err < 0) > return err; > > + if (priv->size != len) > + return -EINVAL; > + > priv->len = len; > > if (len % size != 0)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h index 3bbd13ab1ecf..b157c5cafd14 100644 --- a/include/net/netfilter/nf_tables.h +++ b/include/net/netfilter/nf_tables.h @@ -178,9 +178,9 @@ static inline __be32 nft_reg_load_be32(const u32 *sreg) return *(__force __be32 *)sreg; } -static inline void nft_reg_store64(u32 *dreg, u64 val) +static inline void nft_reg_store64(u64 *dreg, u64 val) { - put_unaligned(val, (u64 *)dreg); + put_unaligned(val, dreg); } static inline u64 nft_reg_load64(const u32 *sreg) diff --git a/net/netfilter/nft_byteorder.c b/net/netfilter/nft_byteorder.c index e596d1a842f7..f6e791a68101 100644 --- a/net/netfilter/nft_byteorder.c +++ b/net/netfilter/nft_byteorder.c @@ -38,13 +38,14 @@ void nft_byteorder_eval(const struct nft_expr *expr, switch (priv->size) { case 8: { + u64 *dst64 = (void *)dst; u64 src64; switch (priv->op) { case NFT_BYTEORDER_NTOH: for (i = 0; i < priv->len / 8; i++) { src64 = nft_reg_load64(&src[i]); - nft_reg_store64(&dst[i], + nft_reg_store64(&dst64[i], be64_to_cpu((__force __be64)src64)); } break; @@ -52,7 +53,7 @@ void nft_byteorder_eval(const struct nft_expr *expr, for (i = 0; i < priv->len / 8; i++) { src64 = (__force __u64) cpu_to_be64(nft_reg_load64(&src[i])); - nft_reg_store64(&dst[i], src64); + nft_reg_store64(&dst64[i], src64); } break; } diff --git a/net/netfilter/nft_meta.c b/net/netfilter/nft_meta.c index f7da7c43333b..ba0d3683a45d 100644 --- a/net/netfilter/nft_meta.c +++ b/net/netfilter/nft_meta.c @@ -63,7 +63,7 @@ nft_meta_get_eval_time(enum nft_meta_keys key, { switch (key) { case NFT_META_TIME_NS: - nft_reg_store64(dest, ktime_get_real_ns()); + nft_reg_store64((u64 *)dest, ktime_get_real_ns()); break; case NFT_META_TIME_DAY: nft_reg_store8(dest, nft_meta_weekday());