Merge release-20250820.0-36-g093d944ca (automated)

Author: gvisor-bot

pkg/abi/linux/nf_tables.go

@@ -462,3 +462,14 @@ const (
 	NFT_META_SDIFNAME             // Slave device interface name
 	NFT_META_BRI_BROUTE           // Packet br_netfilter_broute bit
 )
+
+// Nftables Generation Attributes
+// These correspond to values in include/uapi/linux/netfilter/nf_tables.h.
+const (
+	NFTA_GEN_UNSPEC uint16 = iota
+	NFTA_GEN_ID
+	NFTA_GEN_PROC_PID
+	NFTA_GEN_PROC_NAME
+	__NFTA_GEN_MAX
+	NFTA_GEN_MAX = __NFTA_GEN_MAX - 1
+)

pkg/sentry/platform/kvm/physical_map.go

@@ -107,15 +107,20 @@ func fillAddressSpace() (specialRegions []specialVirtualRegion) {
 	}
 	required := uintptr(requiredAddr)
 	current := required // Attempted mmap size.
-	for filled := uintptr(0); filled < required && current > 0; {
-		suggestedAddr := uintptr(0)
-		if ring0.VirtualAddressBits > 48 {
-			// Even though it's safe to pass a high hint address on older kernel or
-			// older machine without 5-level paging support. We need to guard
-			// passing the hint based on `ring0.VirtualAddressBits` because Sentry might
-			// not support 5-level paging for the underlying CPU uarch i.e. arm64.
-			suggestedAddr = uintptr(1 << ring0.PhysicalAddressBits)
-		}
+	filled := uintptr(0)
+	suggestedAddr := uintptr(0)
+	if ring0.VirtualAddressBits > 48 {
+		// Pass a hint address above 47 bits to indicate to the kernel that
+		// we can handle, and want, mappings above 47 bits:
+		// https://docs.kernel.org/arch/x86/x86_64/5level-paging.html#user-space-and-large-virtual-address-space.
+		// Even though it's safe to pass a high hint address on older kernel or
+		// older machine without 5-level paging support. We need to guard
+		// passing the hint based on `ring0.VirtualAddressBits` because Sentry might
+		// not support 5-level paging for the underlying CPU uarch i.e. arm64.
+		suggestedAddr = ring0.UserspaceSize - hostarch.PageSize
+	}
+	var lastMmapErrno unix.Errno
+	for filled < required && current > 0 {
 		addr, errno := hostsyscall.RawSyscall6(
 			unix.SYS_MMAP,
 			suggestedAddr,
@@ -128,6 +133,7 @@ func fillAddressSpace() (specialRegions []specialVirtualRegion) {
 			// One page is the smallest mapping that can be allocated.
 			if current == hostarch.PageSize {
 				current = 0
+				lastMmapErrno = errno
 				break
 			}
 			// Attempt half the size; overflow not possible.
@@ -168,6 +174,17 @@ func fillAddressSpace() (specialRegions []specialVirtualRegion) {
 		}
 	}
 	if current == 0 {
+		log.Warningf("Filling address space failed (VirtualAddressBits=%d PhysicalAddressBits=%d vSize=%#x pSize=%#x faultBlockSize=%#x required=%#x filled=%#x); last mmap errno: %v; VMAs:", ring0.VirtualAddressBits, ring0.PhysicalAddressBits, vSize, pSize, faultBlockSize, required, filled, lastMmapErrno)
+		err := applyVirtualRegions(func(vr virtualRegion) {
+			ps := "p"
+			if vr.shared {
+				ps = "s"
+			}
+			log.Warningf("%x-%x %v%s %08x %s", vr.region.virtual, vr.region.virtual+vr.region.length, vr.accessType, ps, vr.offset, vr.filename)
+		})
+		if err != nil {
+			log.Warningf("Failed to get all VMAs: %v", err)
+		}
 		panic("filling address space failed")
 	}
 	sort.Slice(specialRegions, func(i, j int) bool {

pkg/sentry/socket/netlink/netfilter/protocol.go

@@ -1102,6 +1102,25 @@ func fillRuleInfo(rule *nftables.Rule, ms *nlmsg.MessageSet) *syserr.AnnotatedEr
 	return nil
 }
 
+// getGen returns the generation info for the current nftables instance.
+func (p *Protocol) getGen(nft *nftables.NFTables, task *kernel.Task, attrs map[uint16]nlmsg.BytesView, family stack.AddressFamily, msgFlags uint16, ms *nlmsg.MessageSet) *syserr.AnnotatedError {
+	m := ms.AddMessage(linux.NetlinkMessageHeader{
+		Type: uint16(linux.NFNL_SUBSYS_NFTABLES)<<8 | uint16(linux.NFT_MSG_NEWGEN),
+	})
+	m.Put(&linux.NetFilterGenMsg{
+		Family:  uint8(nftables.AfProtocol(stack.Unspec)),
+		Version: uint8(linux.NFNETLINK_V0),
+		// Unused, set to 0.
+		ResourceID: uint16(0),
+	})
+
+	m.PutAttr(linux.NFTA_GEN_ID, nlmsg.PutU32(nft.GetGenID()))
+	m.PutAttr(linux.NFTA_GEN_PROC_PID, nlmsg.PutU32(uint32(task.ThreadGroup().ID())))
+	// TODO - b/434244017: Add support for dumping the process name.
+	m.PutAttrString(linux.NFTA_GEN_PROC_NAME, "placeholder")
+	return nil
+}
+
 // isNetDevHook returns whether the given family and hook number represent a
 // netdev hook, or if the family is inet and is attempting to attach to
 // Ingress or Egress hooks.
@@ -1170,9 +1189,20 @@ func (p *Protocol) ProcessMessage(ctx context.Context, s *netlink.Socket, msg *n
 		}
 
 		return nil
-	case linux.NFT_MSG_GETRULE_RESET,
-		linux.NFT_MSG_GETSET, linux.NFT_MSG_GETSETELEM,
-		linux.NFT_MSG_GETSETELEM_RESET, linux.NFT_MSG_GETGEN,
+	case linux.NFT_MSG_GETGEN:
+		if err := p.getGen(nft, kernel.TaskFromContext(ctx), attrs, family, hdr.Flags, ms); err != nil {
+			log.Debugf("Nftables get gen error: %s", err)
+			return err.GetError()
+		}
+		return nil
+	case linux.NFT_MSG_GETSET:
+		// TODO - b/421437663: Implement sets for nftables. This skeleton is
+		// left here to satisfy auxiliary calls from the nft CLI not needed
+		// for packet filtering functionality.
+		ms.Multi = true
+		return nil
+	case linux.NFT_MSG_GETRULE_RESET, linux.NFT_MSG_GETSETELEM,
+		linux.NFT_MSG_GETSETELEM_RESET,
 		linux.NFT_MSG_GETOBJ, linux.NFT_MSG_GETOBJ_RESET,
 		linux.NFT_MSG_GETFLOWTABLE:
 

pkg/tcpip/nftables/nftables.go

@@ -243,7 +243,12 @@ func NewNFTables(clock tcpip.Clock, rng rand.RNG) *NFTables {
 	if rng.Reader == nil {
 		panic("nftables state must be initialized with a non-nil random number generator")
 	}
-	return &NFTables{clock: clock, startTime: clock.Now(), rng: rng, tableHandleCounter: atomicbitops.Uint64{}}
+	return &NFTables{clock: clock, startTime: clock.Now(), rng: rng, tableHandleCounter: atomicbitops.Uint64{}, genid: 1}
+}
+
+// GetGenID returns the generation ID for the NFTables object.
+func (nf *NFTables) GetGenID() uint32 {
+	return nf.genid
 }
 
 // Flush clears entire ruleset and all data for all address families

pkg/tcpip/nftables/nftables_types.go

@@ -87,6 +87,7 @@ const (
 
 // addressFamilyProtocols maps address families to their protocol number.
 var addressFamilyProtocols = map[stack.AddressFamily]uint8{
+	stack.Unspec: linux.NFPROTO_UNSPEC,
 	stack.IP:     linux.NFPROTO_IPV4,
 	stack.IP6:    linux.NFPROTO_IPV6,
 	stack.Inet:   linux.NFPROTO_INET,
@@ -243,6 +244,7 @@ type NFTables struct {
 	rng                rand.RNG                           // Random number generator.
 	tableHandleCounter atomicbitops.Uint64                // Table handle counter.
 	Mu                 nfTablesRWMutex                    // Mutex for tableHandles.
+	genid              uint32                             // Generation ID for nftables.
 }
 
 // Ensures NFTables implements the NFTablesInterface.
@@ -1260,4 +1262,5 @@ func (nf *NFTables) DeepCopy() *NFTables {
 // with the tables of the passed in NFTables struct.
 func (nf *NFTables) ReplaceNFTables(nftCopy *NFTables) {
 	nf.filters = nftCopy.filters
+	nf.genid++
 }