Date: Tue, 12 Sep 2023 13:52:53 +0200
From: Florian Westphal
To: Timo Sigurdsson
Cc: regressions@lists.linux.dev, fw@strlen.de, pablo@netfilter.org, kadlec@netfilter.org, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org, sashal@kernel.org, carnil@debian.org, 1051592@bugs.debian.org
Subject: Re: Regression: Commit "netfilter: nf_tables: disallow rule addition to bound chain via NFTA_RULE_CHAIN_ID" breaks ruleset loading in linux-stable
Message-ID: <20230912115253.GB13516@breakpoint.cc>

Timo Sigurdsson wrote:
> > Linux regression tracking (Thorsten Leemhuis) wrote:
> >> On 12.09.23 00:57, Pablo Neira Ayuso wrote:
> >> > Userspace nftables v1.0.6 generates incorrect bytecode that hits a new
> >> > kernel check that rejects adding rules to bound chains. The incorrect
> >> > bytecode adds the chain binding, attach it to the rule and it adds the
> >> > rules to the chain binding. I have cherry-picked these three patches
> >> > for nftables v1.0.6 userspace and your ruleset restores fine.
> >> > [...]
> >>
> >> Hmmmm. Well, this sounds like a kernel regression to me that normally
> >> should be dealt with on the kernel level, as users after updating the
> >> kernel should never have to update any userspace stuff to continue what
> >> they have been doing before the kernel update.
> >
> > This is a combo of a userspace bug and this new sanity check that
> > rejects the incorrect ordering (adding rules to the already-bound
> > anonymous chain).
> >
>
> Out of curiosity, did the incorrect ordering or bytecode from the older
> userspace components actually lead to a wrong representation of the
> rules in the kernel or did the rules still work despite all that?

It works, but without the stricter behaviour userspace can trigger
memory corruption in the kernel. nftables userland will not trigger
this.