[PATCH AUTOSEL 4.19 48/56] netfilter: nf_tables: store transaction list locally while requesting module

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
	Marco Oliverio <marco.oliverio@tanaza.com>,
	Sasha Levin <sashal@kernel.org>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 48/56] netfilter: nf_tables: store transaction list locally while requesting module
Date: Fri, 24 Jan 2020 09:20:04 -0500	[thread overview]
Message-ID: <20200124142012.29752-48-sashal@kernel.org> (raw)
In-Reply-To: <20200124142012.29752-1-sashal@kernel.org>

From: Pablo Neira Ayuso <pablo@netfilter.org>

[ Upstream commit ec7470b834fe7b5d7eff11b6677f5d7fdf5e9a91 ]

This patch fixes a WARN_ON in nft_set_destroy() due to missing
set reference count drop from the preparation phase. This is triggered
by the module autoload path. Do not exercise the abort path from
nft_request_module() while preparation phase cleaning up is still
pending.

 WARNING: CPU: 3 PID: 3456 at net/netfilter/nf_tables_api.c:3740 nft_set_destroy+0x45/0x50 [nf_tables]
 [...]
 CPU: 3 PID: 3456 Comm: nft Not tainted 5.4.6-arch3-1 #1
 RIP: 0010:nft_set_destroy+0x45/0x50 [nf_tables]
 Code: e8 30 eb 83 c6 48 8b 85 80 00 00 00 48 8b b8 90 00 00 00 e8 dd 6b d7 c5 48 8b 7d 30 e8 24 dd eb c5 48 89 ef 5d e9 6b c6 e5 c5 <0f> 0b c3 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 8b 7f 10 e9 52
 RSP: 0018:ffffac4f43e53700 EFLAGS: 00010202
 RAX: 0000000000000001 RBX: ffff99d63a154d80 RCX: 0000000001f88e03
 RDX: 0000000001f88c03 RSI: ffff99d6560ef0c0 RDI: ffff99d63a101200
 RBP: ffff99d617721de0 R08: 0000000000000000 R09: 0000000000000318
 R10: 00000000f0000000 R11: 0000000000000001 R12: ffffffff880fabf0
 R13: dead000000000122 R14: dead000000000100 R15: ffff99d63a154d80
 FS:  00007ff3dbd5b740(0000) GS:ffff99d6560c0000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 00001cb5de6a9000 CR3: 000000016eb6a004 CR4: 00000000001606e0
 Call Trace:
  __nf_tables_abort+0x3e3/0x6d0 [nf_tables]
  nft_request_module+0x6f/0x110 [nf_tables]
  nft_expr_type_request_module+0x28/0x50 [nf_tables]
  nf_tables_expr_parse+0x198/0x1f0 [nf_tables]
  nft_expr_init+0x3b/0xf0 [nf_tables]
  nft_dynset_init+0x1e2/0x410 [nf_tables]
  nf_tables_newrule+0x30a/0x930 [nf_tables]
  nfnetlink_rcv_batch+0x2a0/0x640 [nfnetlink]
  nfnetlink_rcv+0x125/0x171 [nfnetlink]
  netlink_unicast+0x179/0x210
  netlink_sendmsg+0x208/0x3d0
  sock_sendmsg+0x5e/0x60
  ____sys_sendmsg+0x21b/0x290

Update comment on the code to describe the new behaviour.

Reported-by: Marco Oliverio <marco.oliverio@tanaza.com>
Fixes: 452238e8d5ff ("netfilter: nf_tables: add and use helper for module autoload")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nf_tables_api.c | 19 ++++++++++---------
 1 file changed, 10 insertions(+), 9 deletions(-)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 4711a8b56f32f..f7d1f66b29483 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -483,23 +483,21 @@ __nf_tables_chain_type_lookup(const struct nlattr *nla, u8 family)
 }
 
 /*
- * Loading a module requires dropping mutex that guards the
- * transaction.
- * We first need to abort any pending transactions as once
- * mutex is unlocked a different client could start a new
- * transaction.  It must not see any 'future generation'
- * changes * as these changes will never happen.
+ * Loading a module requires dropping mutex that guards the transaction.
+ * A different client might race to start a new transaction meanwhile. Zap the
+ * list of pending transaction and then restore it once the mutex is grabbed
+ * again. Users of this function return EAGAIN which implicitly triggers the
+ * transaction abort path to clean up the list of pending transactions.
  */
 #ifdef CONFIG_MODULES
-static int __nf_tables_abort(struct net *net);
-
 static void nft_request_module(struct net *net, const char *fmt, ...)
 {
 	char module_name[MODULE_NAME_LEN];
+	LIST_HEAD(commit_list);
 	va_list args;
 	int ret;
 
-	__nf_tables_abort(net);
+	list_splice_init(&net->nft.commit_list, &commit_list);
 
 	va_start(args, fmt);
 	ret = vsnprintf(module_name, MODULE_NAME_LEN, fmt, args);
@@ -510,6 +508,9 @@ static void nft_request_module(struct net *net, const char *fmt, ...)
 	mutex_unlock(&net->nft.commit_mutex);
 	request_module("%s", module_name);
 	mutex_lock(&net->nft.commit_mutex);
+
+	WARN_ON_ONCE(!list_empty(&net->nft.commit_list));
+	list_splice(&commit_list, &net->nft.commit_list);
 }
 #endif
 
-- 
2.20.1

next prev parent reply	other threads:[~2020-01-24 14:28 UTC|newest]

Thread overview: 77+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-24 14:19 [PATCH AUTOSEL 4.19 01/56] batman-adv: Fix DAT candidate selection on little endian systems Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 02/56] ARM: dts: meson8: fix the size of the PMU registers Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 03/56] dt-bindings: reset: meson8b: fix duplicate reset IDs Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 04/56] ARM: dts: sun8i: a83t: Correct USB3503 GPIOs polarity Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 05/56] ARM: dts: am57xx-beagle-x15/am57xx-idk: Remove "gpios" for endpoint dt nodes Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 06/56] ARM: dts: beagle-x15-common: Model 5V0 regulator Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 07/56] soc: ti: wkup_m3_ipc: Fix race condition with rproc_boot Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 08/56] tools lib traceevent: Fix memory leakage in filter_event Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 09/56] ARM: dts: imx6q-dhcom: fix rtc compatible Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 10/56] ARM: dts: imx6q-dhcom: Fix SGTL5000 VDDIO regulator connection Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 11/56] rseq: Unregister rseq for clone CLONE_VM Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 12/56] clk: Don't try to enable critical clocks if prepare failed Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 13/56] clk: sunxi-ng: h6-r: Fix AR100/R_APB2 parent order Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 14/56] mac80211: mesh: restrict airtime metric to peered established plinks Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 15/56] x86/resctrl: Fix potential memory leak Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 16/56] clk: qcom: gcc-sdm845: Add missing flag to votable GDSCs Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 17/56] clk: mmp2: Fix the order of timer mux parents Sasha Levin
2020-01-24 14:19 ` [alsa-devel] [PATCH AUTOSEL 4.19 18/56] ASoC: rt5640: Fix NULL dereference on module unload Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 19/56] ARM: dts: imx7: Fix Toradex Colibri iMX7S 256MB NAND flash support Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [Intel-wired-lan] [PATCH AUTOSEL 4.19 20/56] ixgbevf: Remove limit of 10 entries for unicast filter list Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [Intel-wired-lan] [PATCH AUTOSEL 4.19 21/56] ixgbe: Fix calculation of queue with VFs and flow director on interface flap Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [Intel-wired-lan] [PATCH AUTOSEL 4.19 22/56] igb: Fix SGMII SFP module discovery for 100FX/LX Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 23/56] sh_eth: check sh_eth_cpu_data::dual_port when dumping registers Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 24/56] platform/x86: GPD pocket fan: Allow somewhat lower/higher temperature limits Sasha Levin
2020-01-24 14:19 ` [alsa-devel] [PATCH AUTOSEL 4.19 25/56] ASoC: msm8916-wcd-analog: Fix selected events for MIC BIAS External1 Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [alsa-devel] [PATCH AUTOSEL 4.19 26/56] ASoC: sti: fix possible sleep-in-atomic Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [alsa-devel] [PATCH AUTOSEL 4.19 27/56] ASoC: msm8916-wcd-analog: Fix MIC BIAS Internal1 Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [alsa-devel] [PATCH AUTOSEL 4.19 28/56] ASoC: msm8916-wcd-digital: Reset RX interpolation path after use Sasha Levin
2020-01-24 14:19   ` Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 29/56] netfilter: fix a use-after-free in mtype_destroy() Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 30/56] netfilter: arp_tables: init netns pointer in xt_tgdtor_param struct Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 31/56] qmi_wwan: Add support for Quectel RM500Q Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 32/56] NFC: pn533: fix bulk-message timeout Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 33/56] parisc: Use proper printk format for resource_size_t Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 34/56] ptp: free ptp device pin descriptors properly Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 35/56] net: usb: lan78xx: limit size of local TSO packets Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 36/56] r8152: add missing endpoint sanity check Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 37/56] wireless: fix enabling channel 12 for custom regulatory domain Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 38/56] cfg80211: Fix radar event during another phy CAC Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 39/56] mac80211: Fix TKIP replay protection immediately after key setup Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 40/56] wireless: wext: avoid gcc -O3 warning Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 41/56] cfg80211: check for set_wiphy_params Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 42/56] tick/sched: Annotate lockless access to last_jiffies_update Sasha Levin
2020-01-24 14:19 ` [PATCH AUTOSEL 4.19 43/56] mlxsw: spectrum: Wipe xstats.backlog of down ports Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 44/56] hv_netvsc: Fix memory leak when removing rndis device Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 45/56] bpf: Fix incorrect verifier simulation of ARSH under ALU32 Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 46/56] net/wan/fsl_ucc_hdlc: fix out of bounds write on array utdm_info Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 47/56] scsi: mptfusion: Fix double fetch bug in ioctl Sasha Levin
2020-01-24 14:20 ` Sasha Levin [this message]
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 49/56] netfilter: nft_tunnel: fix null-attribute check Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 50/56] netfilter: nft_tunnel: ERSPAN_VERSION must not be null Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 51/56] netfilter: nf_tables: remove WARN and add NLA_STRING upper limits Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 52/56] netfilter: nf_tables: fix flowtable list del corruption Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 53/56] net: hns: fix soft lockup when there is not enough memory Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 54/56] net: dsa: bcm_sf2: Configure IMP port for 2Gb/sec Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 55/56] bnxt_en: Fix ipv6 RFS filter matching logic Sasha Levin
2020-01-24 14:20 ` [PATCH AUTOSEL 4.19 56/56] riscv: delete temporary files Sasha Levin

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:4711a8b56f32 dfblob:f7d1f66b2948 )
 OR (
bs:"[PATCH AUTOSEL 4.19 48/56] netfilter: nf_tables: store transaction list locally while requesting module" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200124142012.29752-48-sashal@kernel.org \
    --to=sashal@kernel.org \
    --cc=coreteam@netfilter.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=marco.oliverio@tanaza.com \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pablo@netfilter.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.