From 91e771f082c58fd2fba56d1944117c88c8fb26e7 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 27 Sep 2024 08:58:19 +0200 Subject: [PATCH] 6.6-stable patches added patches: netfilter-nft_socket-fix-a-null-vs-is_err-bug-in-nft_socket_cgroup_subtree_level.patch netfilter-nft_socket-make-cgroupsv2-matching-work-with-namespaces.patch --- ...g-in-nft_socket_cgroup_subtree_level.patch | 36 +++++ ...oupsv2-matching-work-with-namespaces.patch | 144 ++++++++++++++++++ queue-6.6/series | 2 + 3 files changed, 182 insertions(+) create mode 100644 queue-6.6/netfilter-nft_socket-fix-a-null-vs-is_err-bug-in-nft_socket_cgroup_subtree_level.patch create mode 100644 queue-6.6/netfilter-nft_socket-make-cgroupsv2-matching-work-with-namespaces.patch diff --git a/queue-6.6/netfilter-nft_socket-fix-a-null-vs-is_err-bug-in-nft_socket_cgroup_subtree_level.patch b/queue-6.6/netfilter-nft_socket-fix-a-null-vs-is_err-bug-in-nft_socket_cgroup_subtree_level.patch new file mode 100644 index 00000000000..63861d997c1 --- /dev/null +++ b/queue-6.6/netfilter-nft_socket-fix-a-null-vs-is_err-bug-in-nft_socket_cgroup_subtree_level.patch @@ -0,0 +1,36 @@ +From 7052622fccb1efb850c6b55de477f65d03525a30 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 14 Sep 2024 12:56:51 +0300 +Subject: netfilter: nft_socket: Fix a NULL vs IS_ERR() bug in nft_socket_cgroup_subtree_level() + +From: Dan Carpenter + +commit 7052622fccb1efb850c6b55de477f65d03525a30 upstream. + +The cgroup_get_from_path() function never returns NULL, it returns error +pointers. Update the error handling to match. + +Fixes: 7f3287db6543 ("netfilter: nft_socket: make cgroupsv2 matching work with namespaces") +Signed-off-by: Dan Carpenter +Acked-by: Florian Westphal +Acked-by: Pablo Neira Ayuso +Link: https://patch.msgid.link/bbc0c4e0-05cc-4f44-8797-2f4b3920a820@stanley.mountain +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_socket.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nft_socket.c ++++ b/net/netfilter/nft_socket.c +@@ -61,8 +61,8 @@ static noinline int nft_socket_cgroup_su + struct cgroup *cgrp = cgroup_get_from_path("/"); + int level; + +- if (!cgrp) +- return -ENOENT; ++ if (IS_ERR(cgrp)) ++ return PTR_ERR(cgrp); + + level = cgrp->level; + diff --git a/queue-6.6/netfilter-nft_socket-make-cgroupsv2-matching-work-with-namespaces.patch b/queue-6.6/netfilter-nft_socket-make-cgroupsv2-matching-work-with-namespaces.patch new file mode 100644 index 00000000000..75090b07c53 --- /dev/null +++ b/queue-6.6/netfilter-nft_socket-make-cgroupsv2-matching-work-with-namespaces.patch @@ -0,0 +1,144 @@ +From 7f3287db654395f9c5ddd246325ff7889f550286 Mon Sep 17 00:00:00 2001 +From: Florian Westphal +Date: Sat, 7 Sep 2024 16:07:49 +0200 +Subject: netfilter: nft_socket: make cgroupsv2 matching work with namespaces + +From: Florian Westphal + +commit 7f3287db654395f9c5ddd246325ff7889f550286 upstream. + +When running in container environmment, /sys/fs/cgroup/ might not be +the real root node of the sk-attached cgroup. + +Example: + +In container: +% stat /sys//fs/cgroup/ +Device: 0,21 Inode: 2214 .. +% stat /sys/fs/cgroup/foo +Device: 0,21 Inode: 2264 .. + +The expectation would be for: + + nft add rule .. socket cgroupv2 level 1 "foo" counter + +to match traffic from a process that got added to "foo" via +"echo $pid > /sys/fs/cgroup/foo/cgroup.procs". + +However, 'level 3' is needed to make this work. + +Seen from initial namespace, the complete hierarchy is: + +% stat /sys/fs/cgroup/system.slice/docker-.../foo + Device: 0,21 Inode: 2264 .. + +i.e. hierarchy is +0 1 2 3 +/ -> system.slice -> docker-1... -> foo + +... but the container doesn't know that its "/" is the "docker-1.." +cgroup. Current code will retrieve the 'system.slice' cgroup node +and store its kn->id in the destination register, so compare with +2264 ("foo" cgroup id) will not match. + +Fetch "/" cgroup from ->init() and add its level to the level we try to +extract. cgroup root-level is 0 for the init-namespace or the level +of the ancestor that is exposed as the cgroup root inside the container. + +In the above case, cgrp->level of "/" resolved in the container is 2 +(docker-1...scope/) and request for 'level 1' will get adjusted +to fetch the actual level (3). + +v2: use CONFIG_SOCK_CGROUP_DATA, eval function depends on it. + (kernel test robot) + +Cc: cgroups@vger.kernel.org +Fixes: e0bb96db96f8 ("netfilter: nft_socket: add support for cgroupsv2") +Reported-by: Nadia Pinaeva +Signed-off-by: Florian Westphal +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nft_socket.c | 41 ++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 38 insertions(+), 3 deletions(-) + +--- a/net/netfilter/nft_socket.c ++++ b/net/netfilter/nft_socket.c +@@ -9,7 +9,8 @@ + + struct nft_socket { + enum nft_socket_keys key:8; +- u8 level; ++ u8 level; /* cgroupv2 level to extract */ ++ u8 level_user; /* cgroupv2 level provided by userspace */ + u8 len; + union { + u8 dreg; +@@ -53,6 +54,28 @@ nft_sock_get_eval_cgroupv2(u32 *dest, st + memcpy(dest, &cgid, sizeof(u64)); + return true; + } ++ ++/* process context only, uses current->nsproxy. */ ++static noinline int nft_socket_cgroup_subtree_level(void) ++{ ++ struct cgroup *cgrp = cgroup_get_from_path("/"); ++ int level; ++ ++ if (!cgrp) ++ return -ENOENT; ++ ++ level = cgrp->level; ++ ++ cgroup_put(cgrp); ++ ++ if (WARN_ON_ONCE(level > 255)) ++ return -ERANGE; ++ ++ if (WARN_ON_ONCE(level < 0)) ++ return -EINVAL; ++ ++ return level; ++} + #endif + + static struct sock *nft_socket_do_lookup(const struct nft_pktinfo *pkt) +@@ -174,9 +197,10 @@ static int nft_socket_init(const struct + case NFT_SOCKET_MARK: + len = sizeof(u32); + break; +-#ifdef CONFIG_CGROUPS ++#ifdef CONFIG_SOCK_CGROUP_DATA + case NFT_SOCKET_CGROUPV2: { + unsigned int level; ++ int err; + + if (!tb[NFTA_SOCKET_LEVEL]) + return -EINVAL; +@@ -185,6 +209,17 @@ static int nft_socket_init(const struct + if (level > 255) + return -EOPNOTSUPP; + ++ err = nft_socket_cgroup_subtree_level(); ++ if (err < 0) ++ return err; ++ ++ priv->level_user = level; ++ ++ level += err; ++ /* Implies a giant cgroup tree */ ++ if (WARN_ON_ONCE(level > 255)) ++ return -EOPNOTSUPP; ++ + priv->level = level; + len = sizeof(u64); + break; +@@ -209,7 +244,7 @@ static int nft_socket_dump(struct sk_buf + if (nft_dump_register(skb, NFTA_SOCKET_DREG, priv->dreg)) + return -1; + if (priv->key == NFT_SOCKET_CGROUPV2 && +- nla_put_be32(skb, NFTA_SOCKET_LEVEL, htonl(priv->level))) ++ nla_put_be32(skb, NFTA_SOCKET_LEVEL, htonl(priv->level_user))) + return -1; + return 0; + } diff --git a/queue-6.6/series b/queue-6.6/series index 4f803e8d835..abed7ce7d07 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -40,3 +40,5 @@ drm-use-xarray-instead-of-idr-for-minors.patch accel-use-xarray-instead-of-idr-for-minors.patch drm-expand-max-drm-device-number-to-full-minorbits.patch powercap-intel_rapl-add-support-for-amd-family-1ah.patch +netfilter-nft_socket-make-cgroupsv2-matching-work-with-namespaces.patch +netfilter-nft_socket-fix-a-null-vs-is_err-bug-in-nft_socket_cgroup_subtree_level.patch -- 2.47.3