Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
> Hi Florian, Pablo,
>
> After the recent netfilter pull syzkaller in compat mode started failing with:
>
> getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)
>
> I think this is caused by:
>
> commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd
> Author: Florian Westphal <fw@xxxxxxxxx>
> Date: Tue Feb 27 19:42:35 2018 +0100
> netfilter: compat: reject huge allocation requests
>
> But I don't know if it's a problem with kernel or with our code (it kernel.
> The idea behind checkpoint_ebtables() and reset_ebtables() is to reset
> ebtables to initial state after each test (unfortunately, creating new
> net namespaces is too damn expensive).
>
> It does EBT_SO_GET_INIT_INFO and then EBT_SO_GET_INIT_ENTRIES to
> memorize initial state. And EBT_SO_GET_INIT_ENTRIES started failing.
> It fails on the first filter table, here is debug output:
>
> checkpoint ebtable filter: entries=0 hooks=e size=144
> getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)

Yes, looks like ebtables 'entries' only counts user rules, not base policies.

> Any insight will be appreciated. Is it something to fix in our code?

No.

> Also, what's the difference between EBT_SO_GET_INFO/ENTRIES and
> EBT_SO_GET_INIT_INFO/ENTRIES? I guessed from the name that INIT is
> what we want to use if we want to memorize initial state. Is it
> correct?

Looks like it.

We will need to special-case compat_table_info() in ebtables.c to either
not allocate the compat array for nentries == 0, or pretend it was 1.

Dmitry, I can send a patch tomorrow, if you can/want to submit a patch
yourself go ahead.
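The failure mode and the two fixes discussed above, as a user-space model added here for illustration; it is not part of the original message and not kernel code. The helper names, the structures, and the assumption that the bounded allocator rejects a count of zero (inferred from `entries=0` producing errno 22) are all hypothetical.

```c
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-ins, not the kernel's structures. */
struct delta { unsigned int offset; int delta; };
struct offsets { struct delta *tab; unsigned int number; };

/* Assumed model of a bounded allocator: rejects counts whose byte size
 * would exceed INT_MAX and (assumption) a count of zero. */
static int init_offsets(struct offsets *o, unsigned int number)
{
	o->tab = NULL;
	o->number = 0;
	if (number == 0 || number > INT_MAX / sizeof(struct delta))
		return -EINVAL;
	o->tab = calloc(number, sizeof(struct delta));
	if (!o->tab)
		return -ENOMEM;
	o->number = number;
	return 0;
}

/* Before: nentries is passed straight through, so a table holding only
 * base policies (nentries == 0) fails with -EINVAL (errno 22). */
static int table_info_before(struct offsets *o, unsigned int nentries)
{
	return init_offsets(o, nentries);
}

/* Option 1: do not allocate the array when there are no user rules. */
static int table_info_skip(struct offsets *o, unsigned int nentries)
{
	if (nentries == 0) {
		o->tab = NULL;
		o->number = 0;
		return 0;
	}
	return init_offsets(o, nentries);
}

/* Option 2: pretend the count was 1; the upper bound still applies. */
static int table_info_min1(struct offsets *o, unsigned int nentries)
{
	return init_offsets(o, nentries ? nentries : 1);
}

int main(void)
{
	struct offsets o;
	printf("before: %d\n", table_info_before(&o, 0));
	printf("skip:   %d\n", table_info_skip(&o, 0));
	printf("min1:   %d\n", table_info_min1(&o, 0));
	free(o.tab);
	return 0;
}
```

Both options keep the upper bound intact, so an oversized request is still rejected; only the empty-table case changes.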