Merge tag 'nf-next-24-11-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next

Pablo Neira Ayuso says:

====================
Netfilter updates for net-next

The following series contains Netfilter updates for net-next:

1) Make legacy xtables configs user selectable, from Breno Leitao.

2) Fix a few sparse warnings related to percpu, from Uros Bizjak.

3) Use strscpy_pad, from Justin Stitt.

4) Use nft_trans_elem_alloc() in catchall flush, from Florian Westphal.

5) A series of 7 patches to fix false positive with CONFIG_RCU_LIST=y.
Florian also sees a possible issue with patch 10 during module load/removal
when requesting an expression that is available via a module. As for
patch 11, the object is being updated, so a reference on the module already
exists and I don't see any real issue.

Florian says:

"Unfortunately there are many more errors, and not all are false positives.

First patches pass lockdep_commit_lock_is_held() to the rcu list traversal
macro so that those splats are avoided.

The last two patches are real code change as opposed to
'pass the transaction mutex to relax rcu check':

Those two lists are not protected by transaction mutex so could be altered
in parallel.

This targets nf-next because these are long-standing issues."

netfilter pull request 24-11-07

* tag 'nf-next-24-11-07' of git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf-next:
netfilter: nf_tables: must hold rcu read lock while iterating object type list
netfilter: nf_tables: must hold rcu read lock while iterating expression type list
netfilter: nf_tables: avoid false-positive lockdep splats with basechain hook
netfilter: nf_tables: avoid false-positive lockdep splats in set walker
netfilter: nf_tables: avoid false-positive lockdep splats with flowtables
netfilter: nf_tables: avoid false-positive lockdep splats with sets
netfilter: nf_tables: avoid false-positive lockdep splat on rule deletion
netfilter: nf_tables: prefer nft_trans_elem_alloc helper
netfilter: nf_tables: replace deprecated strncpy with strscpy_pad
netfilter: nf_tables: Fix percpu address space issues in nf_tables_api.c
netfilter: Make legacy configs user selectable
====================

Link: https://patch.msgid.link/20241106234625.168468-1-pablo@netfilter.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>

+120 -69
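--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1463,7 +1463,8 @@
 	struct nf_flowtable data;
 };
 
-struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
+struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
+					   const struct nft_table *table,
 					   const struct nlattr *nla,
 					   u8 genmask);
 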
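--- a/net/bridge/netfilter/Kconfig
+++ b/net/bridge/netfilter/Kconfig
@@ -41,7 +41,13 @@
 
 # old sockopt interface and eval loop
 config BRIDGE_NF_EBTABLES_LEGACY
-	tristate
+	tristate "Legacy EBTABLES support"
+	depends on BRIDGE && NETFILTER_XTABLES
+	default n
+	help
+	  Legacy ebtables packet/frame classifier.
+	  This is not needed if you are using ebtables over nftables
+	  (iptables-nft).
 
 menuconfig BRIDGE_NF_EBTABLES
 	tristate "Ethernet Bridge tables (ebtables) support"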
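Review bot: `default n` on the new BRIDGE_NF_EBTABLES_LEGACY entry is redundant, since an unset tristate already defaults to n; the same line appears in IP_NF_IPTABLES_LEGACY and IP_NF_ARPTABLES in net/ipv4/netfilter/Kconfig and in IP6_NF_IPTABLES_LEGACY in net/ipv6/netfilter/Kconfig, so dropping it in all four keeps the blocks to the usual Kconfig convention. The four entries also disagree on how they bring in NETFILTER_XTABLES: this one and IP_NF_ARPTABLES use `depends on NETFILTER_XTABLES`, while IP_NF_IPTABLES_LEGACY and IP6_NF_IPTABLES_LEGACY use `select NETFILTER_XTABLES`; either works, but they should match so that enabling one legacy frontend does not behave differently from enabling another. Since these are now user-visible choices, the help text would benefit from a sentence that states the trade-off the "# old sockopt interface and eval loop" comment already hints at, e.g. `Say N here unless you still run the legacy ebtables binary; disabling it drops the old sockopt interface from the kernel.`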
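--- a/net/bridge/netfilter/nft_meta_bridge.c
+++ b/net/bridge/netfilter/nft_meta_bridge.c
@@ -63,7 +63,7 @@
 		return nft_meta_get_eval(expr, regs, pkt);
 	}
 
-	strncpy((char *)dest, br_dev ? br_dev->name : "", IFNAMSIZ);
+	strscpy_pad((char *)dest, br_dev ? br_dev->name : "", IFNAMSIZ);
 	return;
 err:
 	regs->verdict.code = NFT_BREAK;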
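--- a/net/ipv4/netfilter/Kconfig
+++ b/net/ipv4/netfilter/Kconfig
@@ -12,7 +12,13 @@
 
 # old sockopt interface and eval loop
 config IP_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP tables support"
+	default n
+	select NETFILTER_XTABLES
+	help
+	  iptables is a legacy packet classifier.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV4
 	tristate "IPv4 socket lookup support"
@@ -324,7 +318,13 @@
 
 # ARP tables
 config IP_NF_ARPTABLES
-	tristate
+	tristate "Legacy ARPTABLES support"
+	depends on NETFILTER_XTABLES
+	default n
+	help
+	  arptables is a legacy packet classifier.
+	  This is not needed if you are using arptables over nftables
+	  (iptables-nft).
 
 config NFT_COMPAT_ARP
 	tristate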
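--- a/net/ipv6/netfilter/Kconfig
+++ b/net/ipv6/netfilter/Kconfig
@@ -8,7 +8,14 @@
 
 # old sockopt interface and eval loop
 config IP6_NF_IPTABLES_LEGACY
-	tristate
+	tristate "Legacy IP6 tables support"
+	depends on INET && IPV6
+	select NETFILTER_XTABLES
+	default n
+	help
+	  ip6tables is a legacy packet classifier.
+	  This is not needed if you are using iptables over nftables
+	  (iptables-nft).
 
 config NF_SOCKET_IPV6
 	tristate "IPv6 socket lookup support"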
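--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1824,7 +1824,8 @@
 	return -ENOSPC;
 }
 
-static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
+static int nft_dump_basechain_hook(struct sk_buff *skb,
+				   const struct net *net, int family,
 				   const struct nft_base_chain *basechain,
 				   const struct list_head *hook_list)
 {
@@ -1850,7 +1849,8 @@
 	if (!hook_list)
 		hook_list = &basechain->hook_list;
 
-	list_for_each_entry_rcu(hook, hook_list, list) {
+	list_for_each_entry_rcu(hook, hook_list, list,
+				lockdep_commit_lock_is_held(net)) {
 		if (!first)
 			first = hook;
 
@@ -1902,7 +1900,7 @@
 	const struct nft_base_chain *basechain = nft_base_chain(chain);
 	struct nft_stats __percpu *stats;
 
-	if (nft_dump_basechain_hook(skb, family, basechain, hook_list))
+	if (nft_dump_basechain_hook(skb, net, family, basechain, hook_list))
 		goto nla_put_failure;
 
 	if (nla_put_be32(skb, NFTA_CHAIN_POLICY,
@@ -2084,14 +2082,14 @@
 	err = nla_parse_nested_deprecated(tb, NFTA_COUNTER_MAX, attr,
 					  nft_counter_policy, NULL);
 	if (err < 0)
-		return ERR_PTR(err);
+		return ERR_PTR_PCPU(err);
 
 	if (!tb[NFTA_COUNTER_BYTES] || !tb[NFTA_COUNTER_PACKETS])
-		return ERR_PTR(-EINVAL);
+		return ERR_PTR_PCPU(-EINVAL);
 
 	newstats = netdev_alloc_pcpu_stats(struct nft_stats);
 	if (newstats == NULL)
-		return ERR_PTR(-ENOMEM);
+		return ERR_PTR_PCPU(-ENOMEM);
 
 	/* Restore old counters on this cpu, no problem. Per-cpu statistics
 	 * are not exposed to userspace.
@@ -2535,10 +2533,10 @@
 
 	if (nla[NFTA_CHAIN_COUNTERS]) {
 		stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
-		if (IS_ERR(stats)) {
+		if (IS_ERR_PCPU(stats)) {
 			nft_chain_release_hook(&hook);
 			kfree(basechain);
-			return PTR_ERR(stats);
+			return PTR_ERR_PCPU(stats);
 		}
 		rcu_assign_pointer(basechain->stats, stats);
 	}
@@ -2652,7 +2650,7 @@
 	struct nft_table *table = ctx->table;
 	struct nft_chain *chain = ctx->chain;
 	struct nft_chain_hook hook = {};
-	struct nft_stats *stats = NULL;
+	struct nft_stats __percpu *stats = NULL;
 	struct nft_hook *h, *next;
 	struct nf_hook_ops *ops;
 	struct nft_trans *trans;
@@ -2748,8 +2746,8 @@
 		}
 
 		stats = nft_stats_alloc(nla[NFTA_CHAIN_COUNTERS]);
-		if (IS_ERR(stats)) {
-			err = PTR_ERR(stats);
+		if (IS_ERR_PCPU(stats)) {
+			err = PTR_ERR_PCPU(stats);
 			goto err_hooks;
 		}
 	}
@@ -3296,25 +3294,37 @@
 	if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
 		return -EINVAL;
 
-	type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
-	if (!type)
-		return -ENOENT;
+	rcu_read_lock();
 
-	if (!type->inner_ops)
-		return -EOPNOTSUPP;
+	type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
+	if (!type) {
+		err = -ENOENT;
+		goto out_unlock;
+	}
+
+	if (!type->inner_ops) {
+		err = -EOPNOTSUPP;
+		goto out_unlock;
+	}
 
 	err = nla_parse_nested_deprecated(info->tb, type->maxattr,
 					  tb[NFTA_EXPR_DATA],
 					  type->policy, NULL);
 	if (err < 0)
-		goto err_nla_parse;
+		goto out_unlock;
 
 	info->attr = nla;
 	info->ops = type->inner_ops;
 
+	/* No module reference will be taken on type->owner.
+	 * Presence of type->inner_ops implies that the expression
+	 * is builtin, so it cannot go away.
+	 */
+	rcu_read_unlock();
 	return 0;
 
-err_nla_parse:
+out_unlock:
+	rcu_read_unlock();
 	return err;
 }
 
@@ -3425,13 +3411,15 @@
  * Rules
  */
 
-static struct nft_rule *__nft_rule_lookup(const struct nft_chain *chain,
+static struct nft_rule *__nft_rule_lookup(const struct net *net,
+					  const struct nft_chain *chain,
 					  u64 handle)
 {
 	struct nft_rule *rule;
 
 	// FIXME: this sucks
-	list_for_each_entry_rcu(rule, &chain->rules, list) {
+	list_for_each_entry_rcu(rule, &chain->rules, list,
+				lockdep_commit_lock_is_held(net)) {
 		if (handle == rule->handle)
 			return rule;
 	}
@@ -3441,13 +3425,14 @@
 	return ERR_PTR(-ENOENT);
 }
 
-static struct nft_rule *nft_rule_lookup(const struct nft_chain *chain,
+static struct nft_rule *nft_rule_lookup(const struct net *net,
+					const struct nft_chain *chain,
 					const struct nlattr *nla)
 {
 	if (nla == NULL)
 		return ERR_PTR(-EINVAL);
 
-	return __nft_rule_lookup(chain, be64_to_cpu(nla_get_be64(nla)));
+	return __nft_rule_lookup(net, chain, be64_to_cpu(nla_get_be64(nla)));
 }
 
 static const struct nla_policy nft_rule_policy[NFTA_RULE_MAX + 1] = {
@@ -3749,7 +3732,7 @@
 	return 0;
 }
 
-/* called with rcu_read_lock held */
+/* Caller must hold rcu read lock or transaction mutex */
 static struct sk_buff *
 nf_tables_getrule_single(u32 portid, const struct nfnl_info *info,
 			 const struct nlattr * const nla[], bool reset)
@@ -3776,7 +3759,7 @@
 		return ERR_CAST(chain);
 	}
 
-	rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
+	rule = nft_rule_lookup(net, chain, nla[NFTA_RULE_HANDLE]);
 	if (IS_ERR(rule)) {
 		NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
 		return ERR_CAST(rule);
@@ -4000,7 +3983,8 @@
 	struct nft_set_ext *ext;
 	int ret = 0;
 
-	list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
+	list_for_each_entry_rcu(catchall, &set->catchall_list, list,
+				lockdep_commit_lock_is_held(ctx->net)) {
 		ext = nft_set_elem_ext(set, catchall->elem);
 		if (!nft_set_elem_active(ext, dummy_iter.genmask))
 			continue;
@@ -4075,7 +4057,7 @@
 
 	if (nla[NFTA_RULE_HANDLE]) {
 		handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_HANDLE]));
-		rule = __nft_rule_lookup(chain, handle);
+		rule = __nft_rule_lookup(net, chain, handle);
 		if (IS_ERR(rule)) {
 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_HANDLE]);
 			return PTR_ERR(rule);
@@ -4097,7 +4079,7 @@
 
 	if (nla[NFTA_RULE_POSITION]) {
 		pos_handle = be64_to_cpu(nla_get_be64(nla[NFTA_RULE_POSITION]));
-		old_rule = __nft_rule_lookup(chain, pos_handle);
+		old_rule = __nft_rule_lookup(net, chain, pos_handle);
 		if (IS_ERR(old_rule)) {
 			NL_SET_BAD_ATTR(extack, nla[NFTA_RULE_POSITION]);
 			return PTR_ERR(old_rule);
@@ -4314,7 +4296,7 @@
 
 	if (chain) {
 		if (nla[NFTA_RULE_HANDLE]) {
-			rule = nft_rule_lookup(chain, nla[NFTA_RULE_HANDLE]);
+			rule = nft_rule_lookup(info->net, chain, nla[NFTA_RULE_HANDLE]);
 			if (IS_ERR(rule)) {
 				if (PTR_ERR(rule) == -ENOENT &&
 				    NFNL_MSG_TYPE(info->nlh->nlmsg_type) == NFT_MSG_DESTROYRULE)
@@ -4474,7 +4456,8 @@
 	[NFTA_SET_DESC_CONCAT]		= NLA_POLICY_NESTED_ARRAY(nft_concat_policy),
 };
 
-static struct nft_set *nft_set_lookup(const struct nft_table *table,
+static struct nft_set *nft_set_lookup(const struct net *net,
+				      const struct nft_table *table,
 				      const struct nlattr *nla, u8 genmask)
 {
 	struct nft_set *set;
@@ -4483,7 +4464,8 @@
 	if (nla == NULL)
 		return ERR_PTR(-EINVAL);
 
-	list_for_each_entry_rcu(set, &table->sets, list) {
+	list_for_each_entry_rcu(set, &table->sets, list,
+				lockdep_commit_lock_is_held(net)) {
 		if (!nla_strcmp(nla, set->name) &&
 		    nft_active_genmask(set, genmask))
 			return set;
@@ -4534,7 +4514,7 @@
 {
 	struct nft_set *set;
 
-	set = nft_set_lookup(table, nla_set_name, genmask);
+	set = nft_set_lookup(net, table, nla_set_name, genmask);
 	if (IS_ERR(set)) {
 		if (!nla_set_id)
 			return set;
@@ -4910,7 +4890,7 @@
 	if (!nla[NFTA_SET_TABLE])
 		return -EINVAL;
 
-	set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
+	set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
 	if (IS_ERR(set)) {
 		NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
 		return PTR_ERR(set);
@@ -5246,7 +5226,7 @@
 
 	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
 
-	set = nft_set_lookup(table, nla[NFTA_SET_NAME], genmask);
+	set = nft_set_lookup(net, table, nla[NFTA_SET_NAME], genmask);
 	if (IS_ERR(set)) {
 		if (PTR_ERR(set) != -ENOENT) {
 			NL_SET_BAD_ATTR(extack, nla[NFTA_SET_NAME]);
@@ -5448,7 +5428,7 @@
 		set = nft_set_lookup_byhandle(table, attr, genmask);
 	} else {
 		attr = nla[NFTA_SET_NAME];
-		set = nft_set_lookup(table, attr, genmask);
+		set = nft_set_lookup(net, table, attr, genmask);
 	}
 
 	if (IS_ERR(set)) {
@@ -5512,7 +5492,8 @@
 	struct nft_set_ext *ext;
 	int ret = 0;
 
-	list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
+	list_for_each_entry_rcu(catchall, &set->catchall_list, list,
+				lockdep_commit_lock_is_held(ctx->net)) {
 		ext = nft_set_elem_ext(set, catchall->elem);
 		if (!nft_set_elem_active(ext, genmask))
 			continue;
@@ -6279,7 +6258,7 @@
 		return PTR_ERR(table);
 	}
 
-	set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
+	set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
 	if (IS_ERR(set)) {
 		NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
 		return PTR_ERR(set);
@@ -6430,7 +6409,7 @@
 	nfnetlink_set_err(net, portid, NFNLGRP_NFTABLES, -ENOBUFS);
 }
 
-static struct nft_trans *nft_trans_elem_alloc(struct nft_ctx *ctx,
+static struct nft_trans *nft_trans_elem_alloc(const struct nft_ctx *ctx,
 					      int msg_type,
 					      struct nft_set *set)
 {
@@ -7492,13 +7471,11 @@
 {
 	struct nft_trans *trans;
 
-	trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
-				    sizeof(struct nft_trans_elem), GFP_KERNEL);
+	trans = nft_trans_elem_alloc(ctx, NFT_MSG_DELSETELEM, set);
 	if (!trans)
 		return -ENOMEM;
 
 	nft_setelem_data_deactivate(ctx->net, set, elem_priv);
-	nft_trans_elem_set(trans) = set;
 	nft_trans_elem_priv(trans) = elem_priv;
 	nft_trans_commit_list_add_tail(ctx->net, trans);
 
@@ -7511,7 +7492,8 @@
 	struct nft_set_ext *ext;
 	int ret = 0;
 
-	list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
+	list_for_each_entry_rcu(catchall, &set->catchall_list, list,
+				lockdep_commit_lock_is_held(ctx->net)) {
 		ext = nft_set_elem_ext(set, catchall->elem);
 		if (!nft_set_elem_active(ext, genmask))
 			continue;
@@ -7562,7 +7542,7 @@
 		return PTR_ERR(table);
 	}
 
-	set = nft_set_lookup(table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
+	set = nft_set_lookup(net, table, nla[NFTA_SET_ELEM_LIST_SET], genmask);
 	if (IS_ERR(set)) {
 		NL_SET_BAD_ATTR(extack, nla[NFTA_SET_ELEM_LIST_SET]);
 		return PTR_ERR(set);
@@ -7809,9 +7789,7 @@
 	struct nft_trans *trans;
 	int err = -ENOMEM;
 
-	if (!try_module_get(type->owner))
-		return -ENOENT;
-
+	/* caller must have obtained type->owner reference. */
 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
 				sizeof(struct nft_trans_obj));
 	if (!trans)
@@ -7877,15 +7859,16 @@
 	if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
 		return -EOPNOTSUPP;
 
-	type = __nft_obj_type_get(objtype, family);
-	if (WARN_ON_ONCE(!type))
-		return -ENOENT;
-
 	if (!obj->ops->update)
 		return 0;
 
+	type = nft_obj_type_get(net, objtype, family);
+	if (WARN_ON_ONCE(IS_ERR(type)))
+		return PTR_ERR(type);
+
 	nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
 
+	/* type->owner reference is put when transaction object is released. */
 	return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
 }
 
@@ -8122,7 +8103,7 @@
 	return 0;
 }
 
-/* called with rcu_read_lock held */
+/* Caller must hold rcu read lock or transaction mutex */
 static struct sk_buff *
 nf_tables_getobj_single(u32 portid, const struct nfnl_info *info,
 			const struct nlattr * const nla[], bool reset)
@@ -8391,12 +8372,14 @@
 	[NFTA_FLOWTABLE_FLAGS]		= { .type = NLA_U32 },
 };
 
-struct nft_flowtable *nft_flowtable_lookup(const struct nft_table *table,
+struct nft_flowtable *nft_flowtable_lookup(const struct net *net,
+					   const struct nft_table *table,
 					   const struct nlattr *nla, u8 genmask)
 {
 	struct nft_flowtable *flowtable;
 
-	list_for_each_entry_rcu(flowtable, &table->flowtables, list) {
+	list_for_each_entry_rcu(flowtable, &table->flowtables, list,
+				lockdep_commit_lock_is_held(net)) {
 		if (!nla_strcmp(nla, flowtable->name) &&
 		    nft_active_genmask(flowtable, genmask))
 			return flowtable;
@@ -8754,7 +8733,7 @@
 		return PTR_ERR(table);
 	}
 
-	flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
+	flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
 					 genmask);
 	if (IS_ERR(flowtable)) {
 		err = PTR_ERR(flowtable);
@@ -8948,7 +8927,7 @@
 		flowtable = nft_flowtable_lookup_byhandle(table, attr, genmask);
 	} else {
 		attr = nla[NFTA_FLOWTABLE_NAME];
-		flowtable = nft_flowtable_lookup(table, attr, genmask);
+		flowtable = nft_flowtable_lookup(net, table, attr, genmask);
 	}
 
 	if (IS_ERR(flowtable)) {
@@ -9018,7 +8997,8 @@
 	if (!hook_list)
 		hook_list = &flowtable->hook_list;
 
-	list_for_each_entry_rcu(hook, hook_list, list) {
+	list_for_each_entry_rcu(hook, hook_list, list,
+				lockdep_commit_lock_is_held(net)) {
 		if (nla_put_string(skb, NFTA_DEVICE_NAME, hook->ops.dev->name))
 			goto nla_put_failure;
 	}
@@ -9161,7 +9139,7 @@
 		return PTR_ERR(table);
 	}
 
-	flowtable = nft_flowtable_lookup(table, nla[NFTA_FLOWTABLE_NAME],
+	flowtable = nft_flowtable_lookup(net, table, nla[NFTA_FLOWTABLE_NAME],
 					 genmask);
 	if (IS_ERR(flowtable)) {
 		NL_SET_BAD_ATTR(extack, nla[NFTA_FLOWTABLE_NAME]);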
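Review bot: The comment added in nf_tables_updobj, `/* caller must have obtained type->owner reference. */`, records the precondition but not which side drops the reference when this function fails, and that is the half a caller needs now that the reference is taken by the caller via nft_obj_type_get() instead of by the removed try_module_get(); the body of nf_tables_updobj continues outside the hunk, so I cannot see whether its error path still ends in module_put(type->owner). If it does, say so in the comment, e.g. `/* caller must have obtained type->owner reference; on success it is owned by the transaction, on error it is dropped here. */`; if it does not, the -ENOMEM return after nft_trans_alloc() would leak the reference. The companion comment in the preceding caller hunk, `/* type->owner reference is put when transaction object is released. */`, likewise only describes the success path. In nft_inner_parse_expr, the rcu_read_unlock() before `return 0` relies on the written invariant that any type with inner_ops is builtin, because `info->ops` is used after the lock is dropped; if every such type is registered from this module, a `WARN_ON_ONCE(type->owner != THIS_MODULE);` next to that comment would turn the assumption into a check rather than a remark.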
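--- a/net/netfilter/nft_flow_offload.c
+++ b/net/netfilter/nft_flow_offload.c
@@ -409,8 +409,8 @@
 	if (!tb[NFTA_FLOW_TABLE_NAME])
 		return -EINVAL;
 
-	flowtable = nft_flowtable_lookup(ctx->table, tb[NFTA_FLOW_TABLE_NAME],
-					 genmask);
+	flowtable = nft_flowtable_lookup(ctx->net, ctx->table,
+					 tb[NFTA_FLOW_TABLE_NAME], genmask);
 	if (IS_ERR(flowtable))
 		return PTR_ERR(flowtable);
 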
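--- a/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -88,13 +88,15 @@
 }
 
 static struct nft_bitmap_elem *
-nft_bitmap_elem_find(const struct nft_set *set, struct nft_bitmap_elem *this,
+nft_bitmap_elem_find(const struct net *net,
+		     const struct nft_set *set, struct nft_bitmap_elem *this,
 		     u8 genmask)
 {
 	const struct nft_bitmap *priv = nft_set_priv(set);
 	struct nft_bitmap_elem *be;
 
-	list_for_each_entry_rcu(be, &priv->list, head) {
+	list_for_each_entry_rcu(be, &priv->list, head,
+				lockdep_is_held(&nft_pernet(net)->commit_mutex)) {
 		if (memcmp(nft_set_ext_key(&be->ext),
 			   nft_set_ext_key(&this->ext), set->klen) ||
 		    !nft_set_elem_active(&be->ext, genmask))
@@ -134,7 +132,7 @@
 	u8 genmask = nft_genmask_next(net);
 	u32 idx, off;
 
-	be = nft_bitmap_elem_find(set, new, genmask);
+	be = nft_bitmap_elem_find(net, set, new, genmask);
 	if (be) {
 		*elem_priv = &be->priv;
 		return -EEXIST;
@@ -203,7 +201,7 @@
 
 	nft_bitmap_location(set, elem->key.val.data, &idx, &off);
 
-	be = nft_bitmap_elem_find(set, this, genmask);
+	be = nft_bitmap_elem_find(net, set, this, genmask);
 	if (!be)
 		return NULL;
 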
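Review bot: The new lockdep condition in nft_bitmap_elem_find spells out `lockdep_is_held(&nft_pernet(net)->commit_mutex)`, while every corresponding traversal in net/netfilter/nf_tables_api.c in this series uses `lockdep_commit_lock_is_held(net)`; net/netfilter/nft_set_hash.c restates the mutex path the same way with `ctx->net`. If that helper is file-local to nf_tables_api.c (it appears only there in this diff), moving it to include/net/netfilter/nf_tables.h would let the set backends share one definition of "commit lock held" instead of each naming the mutex directly, so a later change to how the commit lock is expressed does not have to be chased through three files. The body of nft_bitmap_elem_find continues outside the hunk.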
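--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -647,7 +647,8 @@
 	int i;
 
 	for (i = 0; i < priv->buckets; i++) {
-		hlist_for_each_entry_rcu(he, &priv->table[i], node) {
+		hlist_for_each_entry_rcu(he, &priv->table[i], node,
+					 lockdep_is_held(&nft_pernet(ctx->net)->commit_mutex)) {
 			if (iter->count < iter->skip)
 				goto cont;
 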