On Wed, Apr 4, 2018 at 8:51 PM, Florian Westphal <fw@xxxxxxxxx> wrote:
> Dmitry Vyukov <dvyukov@xxxxxxxxxx> wrote:
>> Hi Florian, Pablo,
>>
>> After the recent netfilter pull syzkaller in compat mode started failing with:
>>
>> getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)
>>
>> I think this is caused by:
>>
>> commit 7d7d7e02111e9a4dc9d0658597f528f815d820fd
>> Author: Florian Westphal <fw@xxxxxxxxx>
>> Date:   Tue Feb 27 19:42:35 2018 +0100
>>
>>     netfilter: compat: reject huge allocation requests
>>
>> But I don't know if it's a problem with kernel or with our code (it
>
> kernel.
>
>> The idea behind checkpoint_ebtables() and reset_ebtables() is to reset
>> ebtables to initial state after each test (unfortunately, creating new
>> net namespaces is too damn expensive).
>>
>> It does EBT_SO_GET_INIT_INFO and then EBT_SO_GET_INIT_ENTRIES to
>> memorize initial state. And EBT_SO_GET_INIT_ENTRIES started failing.
>> It fails on the first filter table, here is debug output:
>>
>> checkpoint ebtable filter: entries=0 hooks=e size=144
>> getsockopt(EBT_SO_GET_INIT_ENTRIES) (errno 22)
>
> Yes, looks like ebtables 'entries' only counts user rules, not base
> policies.
>
>> Any insight will be appreciated. Is it something to fix in our code?
>
> No.
>
>> Also, what's the difference between EBT_SO_GET_INFO/ENTRIES and
>> EBT_SO_GET_INIT_INFO/ENTRIES? I guessed from the name that INIT is
>> what we want to use if we want to memorize initial state. Is it
>> correct?
>
> Looks like it.
>
> We will need to special-case compat_table_info() in ebtables.c to
> either not allocate the compat array for nentries == 0, or pretend
> it was 1.
>
> Dmitry, I can send a patch tomorrow, if you can/want to submit a patch
> yourself go ahead.

Thanks! I will wait for you. If it gets into 4.17, then it's good enough for us.
For now compat syzbot just tests the last good image before the pull.
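The checkpoint sequence described above, written out as an added example in C; it is not code from the thread or from syzkaller. ebt_checkpoint_table() does the two getsockopt() calls (EBT_SO_GET_INIT_INFO, then EBT_SO_GET_INIT_ENTRIES with a buffer of entries_size bytes in repl.entries), and ebt_walk_entries() parses the blob that comes back, which is where the numbers in the debug output come from: hooks=e is three hook bits, so three struct ebt_entries chain headers of 48 bytes each give size=144, while entries=0 because nentries counts user rules only. The function names and the constructed sample blob are this example's own; it relies on the uapi header linux/netfilter_bridge/ebtables.h, and the socket calls need CAP_NET_ADMIN on a kernel with ebtables support.

```c
/* Added example, not code from the thread or from syzkaller. Function names
 * and the constructed sample blob are this example's own; the socket calls in
 * ebt_checkpoint_table() need CAP_NET_ADMIN and ebtables in the kernel. */
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <linux/netfilter_bridge/ebtables.h>

/* Walk a blob from EBT_SO_GET_(INIT_)ENTRIES: an item whose leading unsigned
 * int has EBT_ENTRY_OR_ENTRIES set is a struct ebt_entry rule of next_offset
 * bytes, anything else is a struct ebt_entries chain header (one per bit in
 * valid_hooks, so hooks=e above is three headers, 3 * 48 = 144 bytes, while
 * nentries stays 0 because it counts rules only). Returns 0, or -1 if the
 * blob is truncated or a next_offset would stall or overrun it. */
int ebt_walk_entries(const char *buf, unsigned int size,
                     unsigned int *chains, unsigned int *rules)
{
    unsigned int off = 0, step;
    struct ebt_entry e;

    *chains = *rules = 0;
    while (off < size) {
        if (size - off < sizeof(e.bitmask))
            return -1;
        memcpy(&e.bitmask, buf + off, sizeof(e.bitmask));
        if (e.bitmask & EBT_ENTRY_OR_ENTRIES) {
            if (size - off < sizeof(e))
                return -1;
            memcpy(&e, buf + off, sizeof(e));
            step = e.next_offset;
            if (step < sizeof(e))
                return -1;
            (*rules)++;
        } else {
            step = sizeof(struct ebt_entries);
            (*chains)++;
        }
        if (step > size - off)
            return -1;
        off += step;
    }
    return 0;
}

/* Constructed sample, not captured from a kernel: the initial filter table
 * (INPUT/FORWARD/OUTPUT, ACCEPT policy) plus nrules empty rules in FORWARD.
 * Returns the bytes written, or 0 if cap is too small. */
unsigned int ebt_sample_table(char *buf, unsigned int cap, unsigned int nrules)
{
    static const char *names[] = { "INPUT", "FORWARD", "OUTPUT" };
    unsigned int off = 0, tlen = sizeof(struct ebt_standard_target);
    struct ebt_entries h = { 0 };
    struct ebt_entry e = { 0 };

    e.bitmask = EBT_ENTRY_OR_ENTRIES;
    e.watchers_offset = e.target_offset = sizeof(e);
    e.next_offset = sizeof(e) + tlen;      /* rule followed by a zeroed target */
    for (int i = 0; i < 3; i++) {
        strcpy(h.name, names[i]);
        h.policy = EBT_ACCEPT;
        h.nentries = i == 1 ? nrules : 0;
        if (cap - off < sizeof(h) + h.nentries * e.next_offset)
            return 0;
        memcpy(buf + off, &h, sizeof(h));
        off += sizeof(h);
        for (unsigned int r = 0; r < h.nentries; r++, off += e.next_offset) {
            memcpy(buf + off, &e, sizeof(e));
            memset(buf + off + sizeof(e), 0, tlen);
        }
    }
    return off;
}

/* The checkpoint: INIT_INFO fills nentries/entries_size/valid_hooks, then
 * INIT_ENTRIES wants optlen = sizeof(*repl) + entries_size and a destination
 * buffer in repl->entries. Caller frees *blob. Returns 0, or -1 (errno set). */
int ebt_checkpoint_table(int sock, const char *table,
                         struct ebt_replace *repl, char **blob)
{
    socklen_t len = sizeof(*repl);

    memset(repl, 0, sizeof(*repl));
    strncpy(repl->name, table, sizeof(repl->name) - 1);
    if (getsockopt(sock, SOL_IP, EBT_SO_GET_INIT_INFO, repl, &len) < 0)
        return -1;
    if (!(*blob = calloc(1, repl->entries_size)))
        return -1;
    repl->entries = *blob;                 /* num_counters stays 0: no counters */
    len = sizeof(*repl) + repl->entries_size;
    if (getsockopt(sock, SOL_IP, EBT_SO_GET_INIT_ENTRIES, repl, &len) < 0) {
        free(*blob);
        return -1;
    }
    return 0;
}
```

To take a live checkpoint, open an AF_INET socket (ebtables userspace uses a SOCK_RAW one) and call ebt_checkpoint_table(sock, "filter", &repl, &blob), then hand blob and repl.entries_size to ebt_walk_entries(); on a stock filter table the walker reports three base chains and zero rules, matching the entries=0 hooks=e size=144 line above. Keep the repl struct from the first call unchanged for the second one, since the kernel checks the nentries and entries_size it is handed against the table. Building the same program with -m32 on a 64-bit kernel goes through the compat getsockopt path the thread is about.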
One question:

> We will need to special-case compat_table_info() in ebtables.c to
> either not allocate the compat array for nentries == 0, or pretend
> it was 1.

nentries == 0 is returned to us by EBT_SO_GET_INIT_INFO, and I think
there are actually 3 or 4 entries, and we do want to get all of them (to
restore them later). If EBT_SO_GET_INIT_ENTRIES will give us no entries
(or 1 entry), then we won't be able to restore them later.
Am I missing something?
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html