netfilter: fix crash in flow offload by adding netns support

Commit fcb41decf6c6 ("config: enable some useful features on
!SMALL_FLASH devices") enabled netns, which in turn lead to the crash in
the flow offload target.

When the flow offloading framework intends to delete a flow from the
hardware table, it is necessary to retrieve the namespace from
nf_flowtable->ft_net. However, no one ever wrote the namespace into
nf_flowtable->ft_net in advance. So the framework will mistakenly use a
NULL namespace to execute dev_get_by_index_rcu(net, ifindex), leading to
the kernel panic.

Ref: FS#2321
Fixes: fcb41decf6c6 ("config: enable some useful features on !SMALL_FLASH devices")
Tested-by: Simon Tretter <simon@mediaarchitectu.re>
Signed-off-by: HsiuWen Yen <y.hsiuwen@gmail.com>
[merged patch into offload patch, fix for 4.19, SOB fix, commit subj/msg touches]
Signed-off-by: Petr Štetiar <ynezz@true.cz>
(cherry-picked from commit d344591e72e5ca96a2bf70a2df38961553185ce8)
master
HsiuWen Yen 5 years ago committed by Felix Fietkau
parent 9200b4a6a0
commit ac04be82c4
  1. 9
      target/linux/generic/hack-4.14/650-netfilter-add-xt_OFFLOAD-target.patch

@ -98,7 +98,7 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o obj-$(CONFIG_NETFILTER_XT_TARGET_LED) += xt_LED.o
--- /dev/null --- /dev/null
+++ b/net/netfilter/xt_FLOWOFFLOAD.c +++ b/net/netfilter/xt_FLOWOFFLOAD.c
@@ -0,0 +1,403 @@ @@ -0,0 +1,408 @@
+/* +/*
+ * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name> + * Copyright (C) 2018 Felix Fietkau <nbd@nbd.name>
+ * + *
@ -342,12 +342,13 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+flowoffload_tg(struct sk_buff *skb, const struct xt_action_param *par) +flowoffload_tg(struct sk_buff *skb, const struct xt_action_param *par)
+{ +{
+ const struct xt_flowoffload_target_info *info = par->targinfo; + const struct xt_flowoffload_target_info *info = par->targinfo;
+ const struct nf_conn_help *help;
+ enum ip_conntrack_info ctinfo; + enum ip_conntrack_info ctinfo;
+ enum ip_conntrack_dir dir; + enum ip_conntrack_dir dir;
+ struct nf_flow_route route; + struct nf_flow_route route;
+ struct flow_offload *flow; + struct flow_offload *flow;
+ struct nf_conn *ct; + struct nf_conn *ct;
+ const struct nf_conn_help *help; + struct net *net;
+ +
+ if (xt_flowoffload_skip(skb)) + if (xt_flowoffload_skip(skb))
+ return XT_CONTINUE; + return XT_CONTINUE;
@ -396,6 +397,10 @@ Signed-off-by: Felix Fietkau <nbd@nbd.name>
+ xt_flowoffload_check_device(xt_in(par)); + xt_flowoffload_check_device(xt_in(par));
+ xt_flowoffload_check_device(xt_out(par)); + xt_flowoffload_check_device(xt_out(par));
+ +
+ net = read_pnet(&nf_flowtable.ft_net);
+ if (!net)
+ write_pnet(&nf_flowtable.ft_net, xt_net(par));
+
+ if (info->flags & XT_FLOWOFFLOAD_HW) + if (info->flags & XT_FLOWOFFLOAD_HW)
+ nf_flow_offload_hw_add(xt_net(par), flow, ct); + nf_flow_offload_hw_add(xt_net(par), flow, ct);
+ +

Loading…
Cancel
Save