Proxmox-Port/linux
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2025-08-15 04:03:13 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
master
linux/net/netfilter
History
Paul Chaignon 9e6448f7b1 bpf: Check netfilter ctx accesses are aligned 
Similarly to the previous patch fixing the flow_dissector ctx accesses,
nf_is_valid_access also doesn't check that ctx accesses are aligned.
Contrary to flow_dissector programs, netfilter programs don't have
context conversion. The unaligned ctx accesses are therefore allowed by
the verifier.

Fixes: fd9c663b9a ("bpf: minimal support for programs hooked into netfilter framework")
Signed-off-by: Paul Chaignon <paul.chaignon@gmail.com>
Acked-by: Yonghong Song <yonghong.song@linux.dev>
Acked-by: Eduard Zingerman <eddyz87@gmail.com>
Link: https://lore.kernel.org/r/853ae9ed5edaa5196e8472ff0f1bb1cc24059214.1754039605.git.paul.chaignon@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
2025-08-01 09:22:44 -07:00
..
ipset treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
ipvs ipvs: Rename del_timer in comment in ip_vs_conn_expire_now() 2025-07-25 18:39:29 +02:00
core.c netfilter: nf_dup{4, 6}: Move duplication check to task_struct 2025-05-23 13:57:12 +02:00
Kconfig netfilter: Exclude LEGACY TABLES on PREEMPT_RT. 2025-07-25 18:38:50 +02:00
Makefile netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nf_bpf_link.c bpf: Check netfilter ctx accesses are aligned 2025-08-01 09:22:44 -07:00
nf_conncount.c netfilter: nf_conncount: Fully initialize struct nf_conncount_tuple in insert_tree() 2025-03-12 15:28:33 +01:00
nf_conntrack_acct.c
nf_conntrack_amanda.c netfilter: conntrack: remove skb argument from nf_ct_refresh 2025-01-19 16:41:55 +01:00
nf_conntrack_bpf.c net: netfilter: Make ct zone opts configurable for bpf ct helpers 2024-05-22 15:00:56 -07:00
nf_conntrack_broadcast.c netfilter: conntrack: remove skb argument from nf_ct_refresh 2025-01-19 16:41:55 +01:00
nf_conntrack_core.c netfilter: conntrack: Remove unused net in nf_conntrack_double_lock() 2025-07-25 18:38:41 +02:00
nf_conntrack_ecache.c netfilter: conntrack: add conntrack event timestamp 2025-01-09 14:42:16 +01:00
nf_conntrack_expect.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nf_conntrack_extend.c
nf_conntrack_ftp.c
nf_conntrack_h323_asn1.c
nf_conntrack_h323_main.c netfilter: conntrack: remove skb argument from nf_ct_refresh 2025-01-19 16:41:55 +01:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c
nf_conntrack_irc.c
nf_conntrack_labels.c
nf_conntrack_netbios_ns.c
nf_conntrack_netlink.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nf_conntrack_ovs.c
nf_conntrack_pptp.c
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c
nf_conntrack_proto_icmp.c
nf_conntrack_proto_icmpv6.c netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery 2024-05-06 11:13:56 +02:00
nf_conntrack_proto_sctp.c netfilter: conntrack: cleanup timeout definitions 2025-01-12 20:21:01 -08:00
nf_conntrack_proto_tcp.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nf_conntrack_proto_udp.c
nf_conntrack_proto.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nf_conntrack_sane.c
nf_conntrack_seqadj.c
nf_conntrack_sip.c netfilter: conntrack: remove skb argument from nf_ct_refresh 2025-01-19 16:41:55 +01:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: load nf_log_syslog on enabling nf_conntrack_log_invalid 2025-07-25 18:35:41 +02:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c
nf_conntrack_timestamp.c
nf_dup_netdev.c netfilter: nf_dup_netdev: Move the recursion counter struct netdev_xmit 2025-05-23 13:57:12 +02:00
nf_flow_table_bpf.c netfilter: Add bpf_xdp_flow_lookup kfunc 2024-07-01 17:03:01 +02:00
nf_flow_table_core.c netfilter: conntrack: fix erronous removal of offload bit 2025-04-17 11:14:22 +02:00
nf_flow_table_inet.c net: netfilter: move nf flowtable bpf initialization in nf_flow_table_module_init() 2024-09-12 15:41:03 +02:00
nf_flow_table_ip.c Revert "netfilter: flowtable: teardown flow if cached mtu is stale" 2025-02-12 10:35:20 +01:00
nf_flow_table_offload.c net: hold netdev instance lock during nft ndo_setup_tc 2025-03-06 12:59:43 -08:00
nf_flow_table_procfs.c
nf_flow_table_xdp.c netfilter: nf_tables: Add flowtable map for xdp offload 2024-07-01 17:01:53 +02:00
nf_hooks_lwtunnel.c sysctl: treewide: constify the ctl_table argument of proc_handlers 2024-07-24 20:59:29 +02:00
nf_internals.h netfilter: move the sysctl nf_hooks_lwtunnel into the netfilter core 2024-06-19 18:41:59 +02:00
nf_log_syslog.c tcp: extend TCP flags to allow AE bit/ACE field 2025-03-17 13:49:46 +00:00
nf_log.c netfilter: load nf_log_syslog on enabling nf_conntrack_log_invalid 2025-07-25 18:35:41 +02:00
nf_nat_amanda.c
nf_nat_bpf.c
nf_nat_core.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nf_nat_ftp.c
nf_nat_helper.c
nf_nat_irc.c
nf_nat_masquerade.c
nf_nat_ovs.c
nf_nat_proto.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nf_nat_redirect.c
nf_nat_sip.c
nf_nat_tftp.c
nf_queue.c
nf_sockopt.c
nf_synproxy_core.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nf_tables_api.c netfilter: nfnetlink_hook: Dump flowtable info 2025-07-25 18:40:01 +02:00
nf_tables_core.c netfilter: nf_tables: Only use nf_skip_indirect_calls() when MITIGATION_RETPOLINE 2025-03-23 10:53:47 +01:00
nf_tables_offload.c netfilter: nf_tables: Have a list of nf_hook_ops in nft_hook 2025-05-23 13:57:13 +02:00
nf_tables_trace.c netfilter: nf_tables: hide clash bit from userspace 2025-07-14 15:22:35 +02:00
nfnetlink_acct.c
nfnetlink_cthelper.c
nfnetlink_cttimeout.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nfnetlink_hook.c netfilter: nfnetlink_hook: Dump flowtable info 2025-07-25 18:40:01 +02:00
nfnetlink_log.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
nfnetlink_osf.c
nfnetlink_queue.c netfilter: nfnetlink_queue: Initialize ctx to avoid memory allocation error 2025-03-23 10:20:33 +01:00
nfnetlink.c Revert "netfilter: nf_tables: Add notifications for hook changes" 2025-07-14 15:22:47 +02:00
nft_bitwise.c netfilter: bitwise: add support for doing AND, OR and XOR directly 2024-11-15 12:07:04 +01:00
nft_byteorder.c move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
nft_chain_filter.c Revert "netfilter: nf_tables: Add notifications for hook changes" 2025-07-14 15:22:47 +02:00
nft_chain_nat.c
nft_chain_route.c
nft_cmp.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_compat.c netfilter: nf_tables: make destruction work queue pernet 2025-03-06 13:35:54 +01:00
nft_connlimit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_counter.c netfilter: nft_counter: Use u64_stats_t for statistic. 2024-09-03 10:47:16 +02:00
nft_ct_fast.c
nft_ct.c netfilter: nft_ct: Use __refcount_inc() for per-CPU nft_ct_pcpu_template. 2025-03-03 13:46:49 +01:00
nft_dup_netdev.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_dynset.c netfilter: nft_set: remove indirection from update API call 2025-07-25 18:40:23 +02:00
nft_exthdr.c netfilter: conntrack: remove DCCP protocol support 2025-07-03 13:51:39 +02:00
nft_fib_inet.c
nft_fib_netdev.c
nft_fib.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_flow_offload.c netfilter: nf_tables: Introduce nft_hook_find_ops{,_rcu}() 2025-05-23 13:57:12 +02:00
nft_fwd_netdev.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_hash.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_immediate.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_inner.c netfilter: nft_inner: Use nested-BH locking for nft_pcpu_tun_ctx 2025-05-23 13:57:12 +02:00
nft_last.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_limit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_log.c netfilter: nf_tables: missing objects with no memcg accounting 2024-09-26 13:03:02 +02:00
nft_lookup.c netfilter: nft_set: remove one argument from lookup and update functions 2025-07-25 18:40:16 +02:00
nft_masq.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_meta.c netfilter: nf_tables: missing objects with no memcg accounting 2024-09-26 13:03:02 +02:00
nft_nat.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_numgen.c netfilter: nf_tables: missing objects with no memcg accounting 2024-09-26 13:03:02 +02:00
nft_objref.c netfilter: nft_set: remove one argument from lookup and update functions 2025-07-25 18:40:16 +02:00
nft_osf.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_payload.c netfilter: nft_payload: sanitize offset and length before calling skb_checksum() 2024-10-31 10:54:49 +01:00
nft_queue.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_quota.c netfilter: nft_quota: match correctly when the quota just depleted 2025-05-05 13:15:09 +02:00
nft_range.c netfilter: nf_tables: pass context structure to nft_parse_register_load 2024-08-20 12:37:24 +02:00
nft_redir.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_reject_inet.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_reject_netdev.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_reject.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_rt.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_set_bitmap.c netfilter: nft_set: remove one argument from lookup and update functions 2025-07-25 18:40:16 +02:00
nft_set_hash.c netfilter: nft_set: remove indirection from update API call 2025-07-25 18:40:23 +02:00
nft_set_pipapo_avx2.c netfilter: nft_set: remove indirection from update API call 2025-07-25 18:40:23 +02:00
nft_set_pipapo_avx2.h
nft_set_pipapo.c netfilter: nft_set_pipapo: prefer kvmalloc for scratch maps 2025-07-25 18:40:37 +02:00
nft_set_pipapo.h netfilter: nf_set_pipapo: fix initial map fill 2024-07-17 19:00:47 +02:00
nft_set_rbtree.c netfilter: nft_set: remove one argument from lookup and update functions 2025-07-25 18:40:16 +02:00
nft_socket.c netfilter: nft_socket: remove WARN_ON_ONCE on maximum cgroup level 2024-11-28 13:14:24 +01:00
nft_synproxy.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_tproxy.c netfilter: nf_tables: drop unused 3rd argument from validate callback ops 2024-09-03 10:47:17 +02:00
nft_tunnel.c netfilter: nft_tunnel: fix geneve_opt dump 2025-05-23 13:57:12 +02:00
nft_xfrm.c xfrm: add generic iptfs defines and functionality 2024-12-05 10:01:28 +01:00
utils.c
x_tables.c netfilter: Exclude LEGACY TABLES on PREEMPT_RT. 2025-07-25 18:38:50 +02:00
xt_addrtype.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_AUDIT.c
xt_bpf.c
xt_cgroup.c net: cgroup: Guard users of sock_cgroup_classid() 2025-04-24 16:04:02 +02:00
xt_CHECKSUM.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CLASSIFY.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_cluster.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_comment.c
xt_connbytes.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_connlabel.c
xt_connlimit.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_connmark.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_CONNSECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c
xt_ecn.c
xt_esp.c
xt_hashlimit.c netfilter: xt_hashlimit: replace vmalloc calls with kvmalloc 2025-03-12 16:37:48 +01:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c treewide, timers: Rename from_timer() to timer_container_of() 2025-06-08 09:07:37 +02:00
xt_length.c
xt_limit.c
xt_LOG.c
xt_mac.c
xt_mark.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_MASQUERADE.c
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c netfilter: xt_nfacct: don't assume acct name is null-terminated 2025-07-25 18:40:43 +02:00
xt_NFLOG.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_NFQUEUE.c
xt_osf.c
xt_owner.c
xt_physdev.c
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_realm.c
xt_recent.c netfilter: xt_recent: Lift restrictions on max hitcount value 2024-06-28 17:57:50 +02:00
xt_REDIRECT.c
xt_repldata.h netfilter: xtables: Use strscpy() instead of strscpy_pad() 2025-03-23 10:53:47 +01:00
xt_sctp.c
xt_SECMARK.c netfilter: xtables: avoid NFPROTO_UNSPEC where needed 2024-10-09 23:20:46 +02:00
xt_set.c
xt_socket.c
xt_state.c
xt_statistic.c
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c
xt_TCPOPTSTRIP.c netfilter: xtables: support arpt_mark and ipv6 optstrip for iptables-nft only builds 2025-05-22 17:16:02 +02:00
xt_tcpudp.c
xt_TEE.c
xt_time.c
xt_TPROXY.c
xt_TRACE.c netfilter: xtables: fix typo causing some targets not to load on IPv6 2024-10-21 11:31:26 +02:00
xt_u32.c