[{"id":3684462,"web_url":"http://patchwork.ozlabs.org/comment/3684462/","msgid":"","list_archive_url":null,"date":"2026-04-30T06:11:07","subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Mon, Apr 27, 2026 at 11:21:18AM +0200, Fernando Fernandez Mancera wrote:\n> For lshift and rshift, the shift operations are performed in a loop over\n> 32-bit words. The loop calculates the shifted value and write it to dst,\n> and then immediately reads from src to calculate the carry for the next\n> iteration. Because src and dst could point to the same memory location,\n> the carry is incorrectly calculated using the newly modified dst value\n> instead of the original src value.\n> \n> Adding a temporary local variable to cache the original value before\n> writing to dst and using it for the carry calculation solves the\n> problem. In addition, partial overlap is rejected from control plane for\n> all kind of operations. This was tested with the following bytecode:\n> \n> table test_table ip flags 0 use 1 handle 1\n> ip test_table test_chain use 3 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1\n> ip test_table test_chain 2\n> [ immediate reg 1 0x44332211 0x88776655 ]\n> [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]\n> [ cmp eq reg 1 0x66443322 0x00887766 ]\n> [ counter pkts 0 bytes 0 ]\n> ip test_table test_chain 4 3\n> [ immediate reg 1 0x44332211 0x88776655 ]\n> [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]\n> [ cmp eq reg 1 0x55443322 0x00887766 ]\n> [ counter pkts 21794 bytes 1917798 ]\n> \n> Fixes: 567d746b55bc (\"netfilter: bitwise: add support for shifts.\")\n> Signed-off-by: Fernando Fernandez Mancera \n> ---\n> v2: handled partially register overlap\n> v3: reject partially overlap from control plane\n> v4: applied the partial overlap check to all operations\n> ---\n> net/netfilter/nft_bitwise.c | 19 +++++++++++++++----\n> 1 file changed, 15 insertions(+), 4 deletions(-)\n> \n> diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c\n> index 13808e9cd999..76e7ae96429d 100644\n> --- a/net/netfilter/nft_bitwise.c\n> +++ b/net/netfilter/nft_bitwise.c\n> @@ -43,8 +43,10 @@ static void nft_bitwise_eval_lshift(u32 *dst, const u32 *src,\n> \tu32 carry = 0;\n> \n> \tfor (i = DIV_ROUND_UP(priv->len, sizeof(u32)); i > 0; i--) {\n> -\t\tdst[i - 1] = (src[i - 1] << shift) | carry;\n> -\t\tcarry = src[i - 1] >> (BITS_PER_TYPE(u32) - shift);\n> +\t\tu32 tmp_src = src[i - 1];\n> +\n> +\t\tdst[i - 1] = (tmp_src << shift) | carry;\n> +\t\tcarry = tmp_src >> (BITS_PER_TYPE(u32) - shift);\n> \t}\n> }\n> \n> @@ -56,8 +58,10 @@ static void nft_bitwise_eval_rshift(u32 *dst, const u32 *src,\n> \tu32 carry = 0;\n> \n> \tfor (i = 0; i < DIV_ROUND_UP(priv->len, sizeof(u32)); i++) {\n> -\t\tdst[i] = carry | (src[i] >> shift);\n> -\t\tcarry = src[i] << (BITS_PER_TYPE(u32) - shift);\n> +\t\tu32 tmp_src = src[i];\n> +\n> +\t\tdst[i] = carry | (tmp_src >> shift);\n> +\t\tcarry = tmp_src << (BITS_PER_TYPE(u32) - shift);\n> \t}\n> }\n> \n> @@ -244,6 +248,7 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,\n> \t\t\t const struct nlattr * const tb[])\n> {\n> \tstruct nft_bitwise *priv = nft_expr_priv(expr);\n> +\tunsigned int n;\n> \tu32 len;\n> \tint err;\n> \n> @@ -264,6 +269,12 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,\n> \tif (err < 0)\n> \t\treturn err;\n> \n> +\tn = DIV_ROUND_UP(priv->len, sizeof(u32));\n> +\tif (priv->sreg != priv->dreg &&\n> +\t priv->dreg < priv->sreg + n &&\n> +\t priv->sreg < priv->dreg + n)\n> +\t\treturn -EINVAL;\n\nIn some cases, there is also sreg2 that probably needs to be handled\ntoo.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=fc7yE3Ck;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c0a:e001:db::12fc:5321; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12317-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"fc7yE3Ck\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org\n [IPv6:2600:3c0a:e001:db::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5kNp1jWyz1yGq\n\tfor ; Thu, 30 Apr 2026 16:12:42 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 7DB643035825\n\tfor ; Thu, 30 Apr 2026 06:11:14 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 5FF7437475C;\n\tThu, 30 Apr 2026 06:11:14 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 99E5936D9EC\n\tfor ; Thu, 30 Apr 2026 06:11:12 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id AA7BC60181;\n\tThu, 30 Apr 2026 08:11:10 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777529473; cv=none;\n b=ga9jkM1gUICq88Ww2zpQDfuQICP7DfD4UcwBR5+nTH0LVsKaoCXStnVdzulrc8mf2BRiQxe/+vearw8VXfCS2bjY8gjmi6fl6N7xviNjpS3fRCDG81vUhbRJ9jPurUuwZ3Hun40PbEZ0FuBfL/5nlJ4G3rzuw3CdLJiBqjqzc+M=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777529473; c=relaxed/simple;\n\tbh=H8zTKiaaZ4XCK5J3XTKDFGbezJpcGpBAiAeizwDhd9Y=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=QxmEfpJSCKmmMgJ1mC13biFmHc7Ovq+AVw9ANPIvt1dFYeNVD2oB4fa660RiKHZYCMP8SJZSdhefcrdDyXtapvRf2c566CddUyT/jIbPWLXieu6ioxkw2q0fhg9690pP0t8HOOqPbxclXm4tAlysdhI7r/pAm/rYeUE+AmxqWr0=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=fc7yE3Ck; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777529470;\n\tbh=UniIGOwle02YOvkSqGbwyJ2ga11T2yfkhaM/rXBG1LE=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=fc7yE3Ck2yv+ZIDDJoQ856DsxQRZ3QZeDIfaji2QBRAk4z287+U+1LyDaC3a+L2Ct\n\t TG0oSeC2u48nGvzvvKfSg0ns5MGEGxINBcBHbxnYdptmk1KW0LtvIKrhQ1ocB56ssO\n\t ML46NArbfBKIVQxq3NdWLAkl2munMgnP/9+TprxEjHaW9xcB6hrF8mfO0MoOQ14lJi\n\t Q2Qw6cLJFXz7I8y6jlJlpLMfZWgXcwSNdhMNBmWp79hJ0NK1IqjRnzQ+yzGJ5B09Fg\n\t 541ptKMa2PNbd6DPcr3SABX0M28zgL/JsqHzWOQWBbPLY5pF+4TD+FiypZAqtOHe8p\n\t 19rA4SCP8dPUw==","Date":"Thu, 30 Apr 2026 08:11:07 +0200","From":"Pablo Neira Ayuso ","To":"Fernando Fernandez Mancera ","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tjeremy@azazel.net, phil@nwl.cc, fw@strlen.de","Subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","Message-ID":"","References":"<20260427092117.4160-2-fmancera@suse.de>","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":"<20260427092117.4160-2-fmancera@suse.de>"}},{"id":3684466,"web_url":"http://patchwork.ozlabs.org/comment/3684466/","msgid":"","list_archive_url":null,"date":"2026-04-30T06:26:29","subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Thu, Apr 30, 2026 at 08:11:07AM +0200, Pablo Neira Ayuso wrote:\n> On Mon, Apr 27, 2026 at 11:21:18AM +0200, Fernando Fernandez Mancera wrote:\n> > For lshift and rshift, the shift operations are performed in a loop over\n> > 32-bit words. The loop calculates the shifted value and write it to dst,\n> > and then immediately reads from src to calculate the carry for the next\n> > iteration. Because src and dst could point to the same memory location,\n> > the carry is incorrectly calculated using the newly modified dst value\n> > instead of the original src value.\n> > \n> > Adding a temporary local variable to cache the original value before\n> > writing to dst and using it for the carry calculation solves the\n> > problem. In addition, partial overlap is rejected from control plane for\n> > all kind of operations. This was tested with the following bytecode:\n> > \n> > table test_table ip flags 0 use 1 handle 1\n> > ip test_table test_chain use 3 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1\n> > ip test_table test_chain 2\n> > [ immediate reg 1 0x44332211 0x88776655 ]\n> > [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]\n> > [ cmp eq reg 1 0x66443322 0x00887766 ]\n> > [ counter pkts 0 bytes 0 ]\n> > ip test_table test_chain 4 3\n> > [ immediate reg 1 0x44332211 0x88776655 ]\n> > [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]\n> > [ cmp eq reg 1 0x55443322 0x00887766 ]\n> > [ counter pkts 21794 bytes 1917798 ]\n> > \n> > Fixes: 567d746b55bc (\"netfilter: bitwise: add support for shifts.\")\n> > Signed-off-by: Fernando Fernandez Mancera \n> > ---\n> > v2: handled partially register overlap\n> > v3: reject partially overlap from control plane\n> > v4: applied the partial overlap check to all operations\n> > ---\n> > net/netfilter/nft_bitwise.c | 19 +++++++++++++++----\n> > 1 file changed, 15 insertions(+), 4 deletions(-)\n> > \n> > diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c\n> > index 13808e9cd999..76e7ae96429d 100644\n> > --- a/net/netfilter/nft_bitwise.c\n> > +++ b/net/netfilter/nft_bitwise.c\n[...]\n> > @@ -264,6 +269,12 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,\n> > \tif (err < 0)\n> > \t\treturn err;\n> > \n> > +\tn = DIV_ROUND_UP(priv->len, sizeof(u32));\n> > +\tif (priv->sreg != priv->dreg &&\n> > +\t priv->dreg < priv->sreg + n &&\n> > +\t priv->sreg < priv->dreg + n)\n> > +\t\treturn -EINVAL;\n> \n> In some cases, there is also sreg2 that probably needs to be handled\n> too.\n\nAnd probably nft_byteorder needs something similar to check for\npartial overlaps too for sreg and dreg. Also nft_lookup.\n\nMaybe add this to a helper function and use it from there?","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=p+M+Ds8T;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12318-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"p+M+Ds8T\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5khy5jH5z1yGq\n\tfor ; Thu, 30 Apr 2026 16:26:42 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 2E38D3014439\n\tfor ; Thu, 30 Apr 2026 06:26:38 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 242F8262A6;\n\tThu, 30 Apr 2026 06:26:35 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 65DDD72622\n\tfor ; Thu, 30 Apr 2026 06:26:33 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 761D160177;\n\tThu, 30 Apr 2026 08:26:31 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777530394; cv=none;\n b=YsX7ffU0kb8y9Fqf6cvHjD4SUu+KQEQE/11DsLfse5/DDojkoO3e+/3N5pBs/Z2vP/HxSwaE4Uf1wyD3TZAQQxTPUUm0R5pY21CALyCZbExGD+xSkXO2ynR+SQOfCet3lUWcEEDawlgh99zNnTEXXkoKHjQSA9dfEdKld3o+Zr4=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777530394; c=relaxed/simple;\n\tbh=VljmIqNxeJXJa/sC5OTRHndcZXFcJTxg94hicXg4+IA=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=ovENzposaJuWq6vRMGyKJB+KuoWLzO0hs5zbnInLTw4KFeoLWVBOujZBMnZ8s2ZG9IhPqOKdOqgrLLqLPXfAOa49QeepnYdPeKMy83Ob1nK6Z2jtp4THJJtYXebgDEsruR1bQ+q2fY5WIfib6cO1TcX2jkVAfkx2SIm8LmJ9X2g=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=p+M+Ds8T; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777530391;\n\tbh=m16fJVWDMuCExRHgffvQMnG+4NUslTtgmMa4kRR8oHg=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=p+M+Ds8T4uQh0SzxiG2E5k0RutI3UPQYDu8PQoPB46mzk+XEcNx6xjS3aUn4UPNs2\n\t e7NqsLwPwL4DE5viBURQIdBDG60lw8m9gyHlCwk09kD+UbWQI3KpK53NrN9pJzcMe9\n\t jIKjq3Vdl9ymIvHr2L1fjPHGtGswg0k7TzSvkNbXLgX5VFUNyxdg6oyZz5h+0p8cpy\n\t qgWJAlvjwIWGa49bqBe4EwYka+h4uyc5tVMZJeRjuAKXWuIOunD1wTLUfkHEQ+1nMN\n\t 58Qqu61P0kHLgyTNq/d7Ln8G31efZKcxAZeu8QxxP1ctwMqenQp7JtkB/jhrnYm0jq\n\t waQ8AHGjEAgww==","Date":"Thu, 30 Apr 2026 08:26:29 +0200","From":"Pablo Neira Ayuso ","To":"Fernando Fernandez Mancera ","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tjeremy@azazel.net, phil@nwl.cc, fw@strlen.de","Subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","Message-ID":"","References":"<20260427092117.4160-2-fmancera@suse.de>\n ","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":""}},{"id":3684467,"web_url":"http://patchwork.ozlabs.org/comment/3684467/","msgid":"","list_archive_url":null,"date":"2026-04-30T06:32:17","subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Thu, Apr 30, 2026 at 08:26:32AM +0200, Pablo Neira Ayuso wrote:\n> On Thu, Apr 30, 2026 at 08:11:07AM +0200, Pablo Neira Ayuso wrote:\n> > On Mon, Apr 27, 2026 at 11:21:18AM +0200, Fernando Fernandez Mancera wrote:\n> > > For lshift and rshift, the shift operations are performed in a loop over\n> > > 32-bit words. The loop calculates the shifted value and write it to dst,\n> > > and then immediately reads from src to calculate the carry for the next\n> > > iteration. Because src and dst could point to the same memory location,\n> > > the carry is incorrectly calculated using the newly modified dst value\n> > > instead of the original src value.\n> > > \n> > > Adding a temporary local variable to cache the original value before\n> > > writing to dst and using it for the carry calculation solves the\n> > > problem. In addition, partial overlap is rejected from control plane for\n> > > all kind of operations. This was tested with the following bytecode:\n> > > \n> > > table test_table ip flags 0 use 1 handle 1\n> > > ip test_table test_chain use 3 type filter hook input prio 0 policy accept packets 0 bytes 0 flags 1\n> > > ip test_table test_chain 2\n> > > [ immediate reg 1 0x44332211 0x88776655 ]\n> > > [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]\n> > > [ cmp eq reg 1 0x66443322 0x00887766 ]\n> > > [ counter pkts 0 bytes 0 ]\n> > > ip test_table test_chain 4 3\n> > > [ immediate reg 1 0x44332211 0x88776655 ]\n> > > [ bitwise reg 1 = ( reg 1 << 0x08000000 ) ]\n> > > [ cmp eq reg 1 0x55443322 0x00887766 ]\n> > > [ counter pkts 21794 bytes 1917798 ]\n> > > \n> > > Fixes: 567d746b55bc (\"netfilter: bitwise: add support for shifts.\")\n> > > Signed-off-by: Fernando Fernandez Mancera \n> > > ---\n> > > v2: handled partially register overlap\n> > > v3: reject partially overlap from control plane\n> > > v4: applied the partial overlap check to all operations\n> > > ---\n> > > net/netfilter/nft_bitwise.c | 19 +++++++++++++++----\n> > > 1 file changed, 15 insertions(+), 4 deletions(-)\n> > > \n> > > diff --git a/net/netfilter/nft_bitwise.c b/net/netfilter/nft_bitwise.c\n> > > index 13808e9cd999..76e7ae96429d 100644\n> > > --- a/net/netfilter/nft_bitwise.c\n> > > +++ b/net/netfilter/nft_bitwise.c\n> [...]\n> > > @@ -264,6 +269,12 @@ static int nft_bitwise_init(const struct nft_ctx *ctx,\n> > > \tif (err < 0)\n> > > \t\treturn err;\n> > > \n> > > +\tn = DIV_ROUND_UP(priv->len, sizeof(u32));\n> > > +\tif (priv->sreg != priv->dreg &&\n> > > +\t priv->dreg < priv->sreg + n &&\n> > > +\t priv->sreg < priv->dreg + n)\n> > > +\t\treturn -EINVAL;\n> > \n> > In some cases, there is also sreg2 that probably needs to be handled\n> > too.\n> \n> And probably nft_byteorder needs something similar to check for\n> partial overlaps too for sreg and dreg. Also nft_lookup.\n\nI think it is only nft_byteorder needs this since iteration pattern is\nsimilar.\n\n> Maybe add this to a helper function and use it from there?","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=s8e08tyf;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=172.234.253.10; helo=sea.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12319-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"s8e08tyf\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sea.lore.kernel.org (sea.lore.kernel.org [172.234.253.10])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5kqb676Mz1yHZ\n\tfor ; Thu, 30 Apr 2026 16:32:27 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sea.lore.kernel.org (Postfix) with ESMTP id 0ABA03026312\n\tfor ; Thu, 30 Apr 2026 06:32:24 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 471AC33F37F;\n\tThu, 30 Apr 2026 06:32:23 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 9D6C91C695\n\tfor ; Thu, 30 Apr 2026 06:32:21 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id AD53F6017D;\n\tThu, 30 Apr 2026 08:32:19 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777530742; cv=none;\n b=kgWvVCXed7Yd3HI5h8oNW4WJEg1DQ/0465/P3RGDnTnW0z07w/IM5GmHrn9hIRkSMnEEL757OLf2nPF9W9dykvAbe27W95JPXzI5PJl3erF66je3F6OAeHxULIBzmhnyVyJQCN4m9E7K6G+IUipH0r2z3WB4tqbEaQB81yGfaEU=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777530742; c=relaxed/simple;\n\tbh=2QSiDgJGtbwy7LUElonYUWlC2yFKlHflcEfUnpk5YEE=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=O4h1O2Yast/WFnHzRbhi4xn0/JdI3rnUbNMGzbtzO3vWQZfIggW7p2qMyDuaE4KoXU6bBqfNP5kWYfy3b9mW/MSeW3iQrMyqLKsYQMYe0aaRVZSrz8Q5a58dRSVWnrtefmjsTWX1eZ4l4Ul4egyqqU7OUJQs5S6ap4Z12XBOUjo=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=s8e08tyf; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777530739;\n\tbh=cE014h18+6rATJCPfwqcERIO0Ct8AEl+uiqKmtQU9hE=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=s8e08tyfbKmh0cce84TsLnVCdW6waK+BfVZNs5Yrgem6VwmAMyfd2SQt6oYJ6Agwe\n\t AtpwdkQ1pIep9NH0a7gZhSEWuBms2W447hqDeaC0Wbv/K9ui/kkaREM9ARww9AUmrr\n\t LZAZPsptdngBUBRHGU0FZXbzv+t5utfmgilhMdEFaYXy+2btvVnQe0JGobaLukeqyK\n\t WmoxDdZWMbvXA/lljIfrWQhnNwK++aHZy3jXaV/fA3SdSch0l79gYhnT3ox0O4E7qJ\n\t 6mHG/GKldhR8c8fhBIsI2Gg3T+3pMjQJS28uPhYNuffdkW3VEtvV+KEDY2ATcFVrvA\n\t vEK5yBR7egSRg==","Date":"Thu, 30 Apr 2026 08:32:17 +0200","From":"Pablo Neira Ayuso ","To":"Fernando Fernandez Mancera ","Cc":"netfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tjeremy@azazel.net, phil@nwl.cc, fw@strlen.de","Subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","Message-ID":"","References":"<20260427092117.4160-2-fmancera@suse.de>\n \n ","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":""}},{"id":3684473,"web_url":"http://patchwork.ozlabs.org/comment/3684473/","msgid":"","list_archive_url":null,"date":"2026-04-30T06:47:10","subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","submitter":{"id":1025,"url":"http://patchwork.ozlabs.org/api/people/1025/","name":"Florian Westphal","email":"fw@strlen.de"},"content":"Pablo Neira Ayuso wrote:\n> And probably nft_byteorder needs something similar to check for\n> partial overlaps too for sreg and dreg. Also nft_lookup.\n\nnft_lookup might be fine. Key could be larger than result, and vice\nversa. Userspace could be chaining lookups too. I think we should not\nrestrict nft_lookup.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c04:e001:36c::12fc:5321; helo=tor.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12320-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=91.216.245.30","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=strlen.de"],"Received":["from tor.lore.kernel.org (tor.lore.kernel.org\n [IPv6:2600:3c04:e001:36c::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5l995QCKz1yHZ\n\tfor ; Thu, 30 Apr 2026 16:47:41 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby tor.lore.kernel.org (Postfix) with ESMTP id 762333015A50\n\tfor ; Thu, 30 Apr 2026 06:47:23 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id 0A6CF363C55;\n\tThu, 30 Apr 2026 06:47:21 +0000 (UTC)","from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc\n [91.216.245.30])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id B24A834DCC8\n\tfor ; Thu, 30 Apr 2026 06:47:18 +0000 (UTC)","by Chamillionaire.breakpoint.cc (Postfix, from userid 1003)\n\tid CDCB36028A; Thu, 30 Apr 2026 08:47:10 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777531640; cv=none;\n b=BYTRPwNzzf6ftAvXJOslpcj1UQeUYzXKv7/zZ2+AOTIzoPw8CkteoFMa+i32BB9BGmcEFkVg+Y40IjsRvrH2QR28AGdICMcPwR1X4auvH9SGkfg4HfJvpCOY/nmgznMiDH2wz2f30rQJ5e8Hav1MqeigyI0/5x8sAMLjJ8IL+1I=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777531640; c=relaxed/simple;\n\tbh=QcwoPHtI7t/ImqeHyyDwdYDjKSC+FZGOUv8J9kg6kBE=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=SocV2FrI4thko6m2jdIfMdu0kJrMszT5vJ9lAXzkQVIpxzwfiEszy5DSkq6AQrsffO7Gd2Fc6XywE5wQJTUOyhF1rJep8a+840yOkJWXU/qFhpNadFR8BSyNYuFeZV9w68j2Y175u5fdup2GCgDXvdA2x18AHsCT8GJbiUBP/MQ=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=strlen.de;\n spf=pass smtp.mailfrom=strlen.de; arc=none smtp.client-ip=91.216.245.30","Date":"Thu, 30 Apr 2026 08:47:10 +0200","From":"Florian Westphal ","To":"Pablo Neira Ayuso ","Cc":"Fernando Fernandez Mancera ,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tjeremy@azazel.net, phil@nwl.cc","Subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","Message-ID":"","References":"<20260427092117.4160-2-fmancera@suse.de>\n \n ","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=us-ascii","Content-Disposition":"inline","In-Reply-To":""}},{"id":3684636,"web_url":"http://patchwork.ozlabs.org/comment/3684636/","msgid":"","list_archive_url":null,"date":"2026-04-30T11:46:49","subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","submitter":{"id":1315,"url":"http://patchwork.ozlabs.org/api/people/1315/","name":"Pablo Neira Ayuso","email":"pablo@netfilter.org"},"content":"On Thu, Apr 30, 2026 at 08:47:10AM +0200, Florian Westphal wrote:\n> Pablo Neira Ayuso wrote:\n> > And probably nft_byteorder needs something similar to check for\n> > partial overlaps too for sreg and dreg. Also nft_lookup.\n> \n> nft_lookup might be fine. Key could be larger than result, and vice\n> versa. Userspace could be chaining lookups too. I think we should not\n> restrict nft_lookup.\n\nAgreed.","headers":{"Return-Path":"\n ","X-Original-To":["incoming@patchwork.ozlabs.org","netfilter-devel@vger.kernel.org"],"Delivered-To":"patchwork-incoming@legolas.ozlabs.org","Authentication-Results":["legolas.ozlabs.org;\n\tdkim=pass (2048-bit key;\n unprotected) header.d=netfilter.org header.i=@netfilter.org\n header.a=rsa-sha256 header.s=2025 header.b=tUjTboDJ;\n\tdkim-atps=neutral","legolas.ozlabs.org;\n spf=pass (sender SPF authorized) smtp.mailfrom=vger.kernel.org\n (client-ip=2600:3c09:e001:a7::12fc:5321; helo=sto.lore.kernel.org;\n envelope-from=netfilter-devel+bounces-12331-incoming=patchwork.ozlabs.org@vger.kernel.org;\n receiver=patchwork.ozlabs.org)","smtp.subspace.kernel.org;\n\tdkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=\"tUjTboDJ\"","smtp.subspace.kernel.org;\n arc=none smtp.client-ip=217.70.190.124","smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org","smtp.subspace.kernel.org;\n spf=pass smtp.mailfrom=netfilter.org"],"Received":["from sto.lore.kernel.org (sto.lore.kernel.org\n [IPv6:2600:3c09:e001:a7::12fc:5321])\n\t(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)\n\t key-exchange x25519 server-signature ECDSA (secp384r1) server-digest SHA384)\n\t(No client certificate requested)\n\tby legolas.ozlabs.org (Postfix) with ESMTPS id 4g5sqC1RMWz1yHZ\n\tfor ; Thu, 30 Apr 2026 21:47:35 +1000 (AEST)","from smtp.subspace.kernel.org (conduit.subspace.kernel.org\n [100.90.174.1])\n\tby sto.lore.kernel.org (Postfix) with ESMTP id 7BB343010251\n\tfor ; Thu, 30 Apr 2026 11:47:01 +0000 (UTC)","from localhost.localdomain (localhost.localdomain [127.0.0.1])\n\tby smtp.subspace.kernel.org (Postfix) with ESMTP id C08A33FF8A2;\n\tThu, 30 Apr 2026 11:46:55 +0000 (UTC)","from mail.netfilter.org (mail.netfilter.org [217.70.190.124])\n\t(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))\n\t(No client certificate requested)\n\tby smtp.subspace.kernel.org (Postfix) with ESMTPS id 6869D25A2A4\n\tfor ; Thu, 30 Apr 2026 11:46:53 +0000 (UTC)","from netfilter.org (mail-agni [217.70.190.124])\n\tby mail.netfilter.org (Postfix) with UTF8SMTPSA id 74A1D600B9;\n\tThu, 30 Apr 2026 13:46:51 +0200 (CEST)"],"ARC-Seal":"i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;\n\tt=1777549615; cv=none;\n b=jyTAyOb1bkFt5HO99NhuJn9gBHkk3S1pDHzNZ5EuSOfnIyVp1b5Dv0sBzkzhaKVhyEZUH2SSjeStI3D2iqEMipYmoiovjzzvdbniUNxSbSU8DXGwZUbB9uFN1BKerN0g+xlx5UByLZDYQ7AUZKwutu954KwvHn7u/2x3NOlqMxo=","ARC-Message-Signature":"i=1; a=rsa-sha256; d=subspace.kernel.org;\n\ts=arc-20240116; t=1777549615; c=relaxed/simple;\n\tbh=UuUmGDLXY5vET4/tEhRxCavGwPNo2i2KQeenfOcMep0=;\n\th=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version:\n\t Content-Type:Content-Disposition:In-Reply-To;\n b=Aa7CjPjyv+UJoVw+b+sSWDtsO/4241Am0xclBuDoyqUyFIqDyGj4YXHW7Zzy6Lm1GtMlQEsFlpANaY40ZvPLAc8+oYlCjnbZOY/S4YgUyATdoKYWL//UMVAeCrLvm0N/WIXhDpKUaYTgxLLRkGaIRgns+SisSODmPofp2n6Zr0A=","ARC-Authentication-Results":"i=1; smtp.subspace.kernel.org;\n dmarc=none (p=none dis=none) header.from=netfilter.org;\n spf=pass smtp.mailfrom=netfilter.org;\n dkim=pass (2048-bit key) header.d=netfilter.org header.i=@netfilter.org\n header.b=tUjTboDJ; arc=none smtp.client-ip=217.70.190.124","DKIM-Signature":"v=1; a=rsa-sha256; c=relaxed/relaxed; d=netfilter.org;\n\ts=2025; t=1777549611;\n\tbh=7sn6qrP0dmfFQp7zsYVRU236/XLfwSmCtJzpA7B6Z8I=;\n\th=Date:From:To:Cc:Subject:References:In-Reply-To:From;\n\tb=tUjTboDJWCH/F2M88myMrJYOsc4hQaP7gbqdbeoFNxRUsqP0Nry8CvXL4NGfe3fNT\n\t IrpshrCFVtTpdR5Q7ZrAbiNVUy8UKnufI+Y55hYO2fvIRamqIIs2qnr16+5GKjLL58\n\t by8XivTAaGbYMJbsoubnR4gEYzUQbIFFQKnt29VtaAtm+wyXMepxdPlTXX+sYm5dao\n\t DWX5sOVAuh9f63zUM7P6EcMuW5ssdDoIyTeF/q+Drrtv5S71ru6okdpULps4RfPcKr\n\t n0IeMWM1K2Gcm0bmsgWj+28/m0CwGTP9VYa0C+2KYxyEF7+mS7FmYVt9SFqRuR2LNw\n\t 5Wx1RwbT4EQqw==","Date":"Thu, 30 Apr 2026 13:46:49 +0200","From":"Pablo Neira Ayuso ","To":"Florian Westphal ","Cc":"Fernando Fernandez Mancera ,\n\tnetfilter-devel@vger.kernel.org, coreteam@netfilter.org,\n\tjeremy@azazel.net, phil@nwl.cc","Subject":"Re: [PATCH nf v4] netfilter: nft_bitwise: fix dst corruption in same\n register shifts","Message-ID":"","References":"<20260427092117.4160-2-fmancera@suse.de>\n \n \n ","Precedence":"bulk","X-Mailing-List":"netfilter-devel@vger.kernel.org","List-Id":"","List-Subscribe":"","List-Unsubscribe":"","MIME-Version":"1.0","Content-Type":"text/plain; charset=utf-8","Content-Disposition":"inline","In-Reply-To":""}}]