From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jianbo Liu <jianbol@nvidia.com>
Cc: "netdev@vger.kernel.org" <netdev@vger.kernel.org>,
"fw@strlen.de" <fw@strlen.de>,
"netfilter-devel@vger.kernel.org"
<netfilter-devel@vger.kernel.org>,
"davem@davemloft.net" <davem@davemloft.net>
Subject: Re: [BUG] kernel warning from br_nf_local_in+0x157/0x180
Date: Tue, 26 Mar 2024 02:28:48 +0100 [thread overview]
Message-ID: <ZgIkm3KNK78qpptx@calendula> (raw)
In-Reply-To: <d6084a1cdd0e6d2133c8586936266aedd8eb3564.camel@nvidia.com>
[-- Attachment #1: Type: text/plain, Size: 802 bytes --]
On Sat, Mar 23, 2024 at 10:37:16AM +0000, Jianbo Liu wrote:
> On Fri, 2024-03-22 at 13:27 +0100, Pablo Neira Ayuso wrote:
> > Hi Jianbo,
> >
> > On Mon, Mar 18, 2024 at 09:41:46AM +0000, Jianbo Liu wrote:
> > > Hi Florian and Pablo,
> > >
> > > We hit the following warning from br_nf_local_in+0x157/0x180.
> >
> > Can you give a try to this patch?
> >
>
> Sorry, it doesn't fix.
> It looks fine when running the test manually. But the warning still
> appeared in our regression tests.
You mean different test triggers now the warning splat?
Not sure yet if this is the bug that is triggering the issue in your
testbed yet, but I find it odd that packets hitting the local_in hook
because promisc flag is set on can confirm conntrack entries.
Would you please give a try to this patch? Thanks!
[-- Attachment #2: x.patch --]
[-- Type: text/x-diff, Size: 2877 bytes --]
diff --git a/net/bridge/br_input.c b/net/bridge/br_input.c
index f21097e73482..0abdec77f0b0 100644
--- a/net/bridge/br_input.c
+++ b/net/bridge/br_input.c
@@ -137,7 +137,9 @@ int br_handle_frame_finish(struct net *net, struct sock *sk, struct sk_buff *skb
if (p->flags & BR_LEARNING)
br_fdb_update(br, p, eth_hdr(skb)->h_source, vid, 0);
- local_rcv = !!(br->dev->flags & IFF_PROMISC);
+ BR_INPUT_SKB_CB(skb)->promisc = !!(br->dev->flags & IFF_PROMISC);
+ local_rcv = BR_INPUT_SKB_CB(skb)->promisc;
+
if (is_multicast_ether_addr(eth_hdr(skb)->h_dest)) {
/* by definition the broadcast is also a multicast address */
if (is_broadcast_ether_addr(eth_hdr(skb)->h_dest)) {
diff --git a/net/bridge/br_netfilter_hooks.c b/net/bridge/br_netfilter_hooks.c
index 35e10c5a766d..22e35623c148 100644
--- a/net/bridge/br_netfilter_hooks.c
+++ b/net/bridge/br_netfilter_hooks.c
@@ -600,11 +600,17 @@ static unsigned int br_nf_local_in(void *priv,
struct sk_buff *skb,
const struct nf_hook_state *state)
{
+ bool promisc = BR_INPUT_SKB_CB(skb)->promisc;
struct nf_conntrack *nfct = skb_nfct(skb);
const struct nf_ct_hook *ct_hook;
struct nf_conn *ct;
int ret;
+ if (promisc) {
+ nf_reset_ct(skb);
+ return NF_ACCEPT;
+ }
+
if (!nfct || skb->pkt_type == PACKET_HOST)
return NF_ACCEPT;
diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h
index 86ea5e6689b5..d4bedc87b1d8 100644
--- a/net/bridge/br_private.h
+++ b/net/bridge/br_private.h
@@ -589,6 +589,7 @@ struct br_input_skb_cb {
#endif
u8 proxyarp_replied:1;
u8 src_port_isolated:1;
+ u8 promisc:1;
#ifdef CONFIG_BRIDGE_VLAN_FILTERING
u8 vlan_filtered:1;
#endif
diff --git a/net/bridge/netfilter/nf_conntrack_bridge.c b/net/bridge/netfilter/nf_conntrack_bridge.c
index 6f877e31709b..c3c51b9a6826 100644
--- a/net/bridge/netfilter/nf_conntrack_bridge.c
+++ b/net/bridge/netfilter/nf_conntrack_bridge.c
@@ -294,18 +294,24 @@ static unsigned int nf_ct_bridge_pre(void *priv, struct sk_buff *skb,
static unsigned int nf_ct_bridge_in(void *priv, struct sk_buff *skb,
const struct nf_hook_state *state)
{
- enum ip_conntrack_info ctinfo;
+ bool promisc = BR_INPUT_SKB_CB(skb)->promisc;
+ struct nf_conntrack *nfct = skb_nfct(skb);
struct nf_conn *ct;
- if (skb->pkt_type == PACKET_HOST)
+ if (promisc) {
+ nf_reset_ct(skb);
+ return NF_ACCEPT;
+ }
+
+ if (!nfct || skb->pkt_type == PACKET_HOST)
return NF_ACCEPT;
/* nf_conntrack_confirm() cannot handle concurrent clones,
* this happens for broad/multicast frames with e.g. macvlan on top
* of the bridge device.
*/
- ct = nf_ct_get(skb, &ctinfo);
- if (!ct || nf_ct_is_confirmed(ct) || nf_ct_is_template(ct))
+ ct = container_of(nfct, struct nf_conn, ct_general);
+ if (nf_ct_is_confirmed(ct) || nf_ct_is_template(ct))
return NF_ACCEPT;
/* let inet prerouting call conntrack again */
next prev parent reply other threads:[~2024-03-26 1:28 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-03-18 9:41 [BUG] kernel warning from br_nf_local_in+0x157/0x180 Jianbo Liu
2024-03-18 14:19 ` Florian Westphal
2024-03-22 12:27 ` Pablo Neira Ayuso
2024-03-23 10:37 ` Jianbo Liu
2024-03-26 1:28 ` Pablo Neira Ayuso [this message]
2024-04-01 9:39 ` Jianbo Liu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZgIkm3KNK78qpptx@calendula \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=fw@strlen.de \
--cc=jianbol@nvidia.com \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.