From: Gabriel Goller
To: pve-devel@lists.proxmox.com
Date: Thu, 11 Sep 2025 12:05:43 +0200
Message-ID: <20250911100555.63174-3-g.goller@proxmox.com>
In-Reply-To: <20250911100555.63174-1-g.goller@proxmox.com>
References: <20250911100555.63174-1-g.goller@proxmox.com>
Subject: [pve-devel] [PATCH pve-kernel 2/5] kernel: backport: netfilter: nft_set_rbtree: continue traversal if element is inactive

If a match is found in a rbtree, set the interval at the very end to avoid the element being inactive when finishing the traversal.

Signed-off-by: Gabriel Goller
---
 ...t_rbtree-continue-traversal-if-eleme.patch | 88 +++++++++++++++++++
 1 file changed, 88 insertions(+)
 create mode 100644 patches/kernel/0015-netfilter-nft_set_rbtree-continue-traversal-if-eleme.patch

diff --git a/patches/kernel/0015-netfilter-nft_set_rbtree-continue-traversal-if-eleme.patch b/patches/kernel/0015-netfilter-nft_set_rbtree-continue-traversal-if-eleme.patch
new file mode 100644
index 000000000000..9e4d4d687003
--- /dev/null
+++ b/patches/kernel/0015-netfilter-nft_set_rbtree-continue-traversal-if-eleme.patch 
@@ -0,0 +1,88 @@ +From 2af0ed300431a3c5675cd6a7219424430fa9651b Mon Sep 17 00:00:00 2001 +From: Gabriel Goller +Date: Wed, 10 Sep 2025 12:08:56 +0200 +Subject: [PATCH 2/5] netfilter: nft_set_rbtree: continue traversal if element + is inactive + +When the rbtree lookup function finds a match in the rbtree, it sets the +range start interval to a potentially inactive element. + +Then, after tree lookup, if the matching element is inactive, it returns +NULL and suppresses a matching result. + +This is wrong and leads to false negative matches when a transaction has +already entered the commit phase. + +cpu0 cpu1 + has added new elements to clone + has marked elements as being + inactive in new generation + perform lookup in the set + enters commit phase: +I) increments the genbit + A) observes new genbit + B) finds matching range + C) returns no match: found + range invalid in new generation +II) removes old elements from the tree + C New nft_lookup happening now + will find matching element, + because it is no longer + obscured by old, inactive one. + +Consider a packet matching range r1-r2: + +cpu0 processes following transaction: +1. remove r1-r2 +2. add r1-r3 + +P is contained in both ranges. Therefore, cpu1 should always find a match +for P. Due to above race, this is not the case: + +cpu1 does find r1-r2, but then ignores it due to the genbit indicating +the range has been removed. It does NOT test for further matches. + +The situation persists for all lookups until after cpu0 hits II) after +which r1-r3 range start node is tested for the first time. + +Move the "interval start is valid" check ahead so that tree traversal +continues if the starting interval is not valid in this generation. + +Thanks to Stefan Hanreich for providing an initial reproducer for this +bug. 
+ +Reported-by: Stefan Hanreich +Fixes: c1eda3c6394f ("netfilter: nft_rbtree: ignore inactive matching element with no descendants") +Signed-off-by: Florian Westphal +Signed-off-by: Gabriel Goller +--- + net/netfilter/nft_set_rbtree.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c +index 2e8ef16ff191..c4eb94258e24 100644 +--- a/net/netfilter/nft_set_rbtree.c ++++ b/net/netfilter/nft_set_rbtree.c +@@ -77,7 +77,9 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + nft_rbtree_interval_end(rbe) && + nft_rbtree_interval_start(interval)) + continue; +- interval = rbe; ++ if (nft_set_elem_active(&rbe->ext, genmask) && ++ !nft_rbtree_elem_expired(rbe)) ++ interval = rbe; + } else if (d > 0) + parent = rcu_dereference_raw(parent->rb_right); + else { +@@ -103,8 +105,6 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set + } + + if (set->flags & NFT_SET_INTERVAL && interval != NULL && +- nft_set_elem_active(&interval->ext, genmask) && +- !nft_rbtree_elem_expired(interval) && + nft_rbtree_interval_start(interval)) { + *ext = &interval->ext; + return true; +-- +2.47.3 + -- 2.47.3 _______________________________________________ pve-devel mailing list pve-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pve-devel
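Review bot: The pve-kernel description at the top of this mail ("set the interval at the very end to avoid the element being inactive when finishing the traversal") does not describe what the first hunk (@@ -77,7 +77,9 @@) does: it replaces the unconditional `interval = rbe;` in the branch preceding `else if (d > 0)` with an assignment guarded by `nft_set_elem_active(&rbe->ext, genmask) && !nft_rbtree_elem_expired(rbe)`, so an inactive or expired element is never recorded as the candidate interval start and the lookup loop keeps going past it. Consider restating the backport description in those terms; the inner commit message's own wording ("Move the 'interval start is valid' check ahead so that tree traversal continues if the starting interval is not valid in this generation") is accurate and could simply be reused. Separately, the patch file carries no upstream reference line (no "(cherry picked from commit ...)" or Link: trailer), so it is not visible from the file whether 2af0ed300431a3c5675cd6a7219424430fa9651b is the upstream id or a local one; adding the upstream commit id makes it straightforward to drop this patch on the next kernel rebase once the fix is included there.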
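Review bot: Dropping `nft_set_elem_active(&interval->ext, genmask) &&` and `!nft_rbtree_elem_expired(interval) &&` from the final `if (set->flags & NFT_SET_INTERVAL && interval != NULL && ...)` check in the second hunk (@@ -103,8 +105,6 @@) is only safe if every assignment to `interval` is now guarded; the first hunk guards the one in the lookup loop, but the context shown does not cover any other place `interval` is written in `__nft_rbtree_lookup()`, so it is worth confirming in the backported tree that no other path can leave an inactive or expired element in `interval` at loop exit. Note also that the expiry test now runs at the moment the candidate is recorded rather than once after the traversal, so an element whose timeout elapses between those two points is now returned as a match where before it was not; a sentence in the backport description stating that this is the same as the upstream version of the fix would save the next reviewer from re-deriving it.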