Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp1768411ybl;
        Sat, 11 Jan 2020 02:25:52 -0800 (PST)
X-Google-Smtp-Source: APXvYqw2bwQiVWY0I/RHUU8Cu9b+1yk/uQicCiVcz6QDLKyYMbADeruooufJ9OWzpFqhJJ7uR2Ru
X-Received: by 2002:a9d:198b:: with SMTP id k11mr6580340otk.295.1578738352427;
        Sat, 11 Jan 2020 02:25:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1578738352; cv=none;
        d=google.com; s=arc-20160816;
        b=puSd7SLn7K+PaedxdlNr9W6UhetaTxAF+zvw2QiendXJZckUvbAbqnHjaqCkoC5/DZ
         Z7UvVcQahpNsnzMyXFv1opcBnV+eRGeeg0xao6pwuy9yYkpRfKWfBAgxS5Zz8rPrlqWi
         PvwQjXdI7z57DYxvoh8ZUI7C71MsOq5hct1uZsn4YmrD6hIOKBLbkXKrBfy09/jChRu9
         dqCwGYDiwxsV1Ubs4fMEbIFD6o5Wk7F3kmzNqF0rHK6KDsI5YamJR/ABBTcbpYylM9Rs
         UUMBUophkLeCtbd/16WJ+uNDHj6bEaDv4CqsfhIoUtIDzpTRgbDPhgNeeyKmSJ6ONSQ7
         3Z6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=/CmXsxg1f/taP002GlPAk9QCg0R1ZxQcLquzNwLziHU=;
        b=mfI+AD2sQczXZArbpHUrLmq4+MYFNXyGkROhX3Tkm7laamKhcrMguAs5+Ui/qYMCeY
         2sYZtedICuBttm51mNP8PgpI951xQORgzaF7OgIIljpxZ45k28L+vz3biHTXd5vzB7qW
         FIEZmgKUPYw9ahdhlyg8g9tQQoO3ZeHGRuoCq/K7dKV0HZhtMmqY65AVlJcHImFAiUV4
         HbDL51kOVhMupBnT7bmSd/PCNGVB77vGeE1deCZwKHxEyIfoMmBSQ3Sr73nGOxPHQK3Z
         LSgjVcYcPcwFQLtBtfiRFvJ3gVq+NizjAd8/aE7I6I6b9XAWNfzVV1CyJRXDWzw6SfVp
         V6hg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ZBtQ+LmG;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id p11si3211447ota.300.2020.01.11.02.25.41;
        Sat, 11 Jan 2020 02:25:52 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@kernel.org header.s=default header.b=ZBtQ+LmG;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730867AbgAKKX5 (ORCPT <rfc822;lxz1983@gmail.com> + 99 others);
        Sat, 11 Jan 2020 05:23:57 -0500
Received: from mail.kernel.org ([198.145.29.99]:51786 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1730776AbgAKKXw (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 11 Jan 2020 05:23:52 -0500
Received: from localhost (unknown [62.119.166.9])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by mail.kernel.org (Postfix) with ESMTPSA id 4D3342082E;
        Sat, 11 Jan 2020 10:23:50 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org;
        s=default; t=1578738231;
        bh=FI2zumC+h06Z1xumFA3Cq4/NFMfxrB4/U/qNtkyGovA=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=ZBtQ+LmGCM1wlzEx1uMwVtlV31Y83/f7wkXuUjHSaJnX17tNDp4yDzMVa7MacqbiC
         Np6VAqdOPa4R3EftsiQdjpIwDUyzseMokMZVI3tg9yXdfFMHxZ6aTgobLTUZKgit9P
         WuUh2kImybx/ohqOf2ZutL3PwzXq8hQTDC7m7oDE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 028/165] netfilter: nft_set_rbtree: bogus lookup/get on consecutive elements in named sets
Date:   Sat, 11 Jan 2020 10:49:07 +0100
Message-Id: <20200111094923.091623278@linuxfoundation.org>
X-Mailer: git-send-email 2.24.1
In-Reply-To: <20200111094921.347491861@linuxfoundation.org>
References: <20200111094921.347491861@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit db3b665dd77b34e34df00e17d7b299c98fcfb2c5 ]

The existing rbtree implementation might store consecutive elements
where the closing element and the opening element might overlap, eg.

	[ a, a+1) [ a+1, a+2)

This patch removes the optimization for non-anonymous sets in the exact
matching case, where it is assumed to stop searching in case that the
closing element is found. Instead, invalidate candidate interval and
keep looking further in the tree.

The lookup/get operation might return false, while there is an element
in the rbtree. Moreover, the get operation returns true as if a+2 would
be in the tree. This happens with named sets after several set updates.

The existing lookup optimization (that only works for the anonymous
sets) might not reach the opening [ a+1,... element if the closing
...,a+1) is found in first place when walking over the rbtree. Hence,
walking the full tree in that case is needed.

This patch fixes the lookup and get operations.

Fixes: e701001e7cbe ("netfilter: nft_rbtree: allow adjacent intervals with dynamic updates")
Fixes: ba0e4d9917b4 ("netfilter: nf_tables: get set elements via netlink")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_set_rbtree.c | 21 ++++++++++++++++-----
 1 file changed, 16 insertions(+), 5 deletions(-)

diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 57123259452f..a9f804f7a04a 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -74,8 +74,13 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
 				parent = rcu_dereference_raw(parent->rb_left);
 				continue;
 			}
-			if (nft_rbtree_interval_end(rbe))
-				goto out;
+			if (nft_rbtree_interval_end(rbe)) {
+				if (nft_set_is_anonymous(set))
+					return false;
+				parent = rcu_dereference_raw(parent->rb_left);
+				interval = NULL;
+				continue;
+			}
 
 			*ext = &rbe->ext;
 			return true;
@@ -88,7 +93,7 @@ static bool __nft_rbtree_lookup(const struct net *net, const struct nft_set *set
 		*ext = &interval->ext;
 		return true;
 	}
-out:
+
 	return false;
 }
 
@@ -139,8 +144,10 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set,
 			if (flags & NFT_SET_ELEM_INTERVAL_END)
 				interval = rbe;
 		} else {
-			if (!nft_set_elem_active(&rbe->ext, genmask))
+			if (!nft_set_elem_active(&rbe->ext, genmask)) {
 				parent = rcu_dereference_raw(parent->rb_left);
+				continue;
+			}
 
 			if (!nft_set_ext_exists(&rbe->ext, NFT_SET_EXT_FLAGS) ||
 			    (*nft_set_ext_flags(&rbe->ext) & NFT_SET_ELEM_INTERVAL_END) ==
@@ -148,7 +155,11 @@ static bool __nft_rbtree_get(const struct net *net, const struct nft_set *set,
 				*elem = rbe;
 				return true;
 			}
-			return false;
+
+			if (nft_rbtree_interval_end(rbe))
+				interval = NULL;
+
+			parent = rcu_dereference_raw(parent->rb_left);
 		}
 	}
 
-- 
2.20.1