From: Florian Westphal <fw@strlen.de>
To: Hillf Danton <hdanton@sina.com>
Cc: Florian Westphal <fw@strlen.de>,
netfilter-devel@vger.kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com,
syzbot+4fd66a69358fc15ae2ad@syzkaller.appspotmail.com
Subject: Re: [PATCH nf] netfilter: nf_tables: unconditionally flush pending work before notifier
Date: Thu, 4 Jul 2024 12:54:18 +0200 [thread overview]
Message-ID: <20240704105418.GA31039@breakpoint.cc> (raw)
In-Reply-To: <20240704103514.3035-1-hdanton@sina.com>
Hillf Danton <hdanton@sina.com> wrote:
> On Wed, 3 Jul 2024 15:01:07 +0200 Florian Westphal <fw@strlen.de>
> > Hillf Danton <hdanton@sina.com> wrote:
> > > On Wed, 3 Jul 2024 12:52:15 +0200 Florian Westphal <fw@strlen.de>
> > > > Hillf Danton <hdanton@sina.com> wrote:
> > > > > Given trans->table goes thru the lifespan of trans, your proposal is a bandaid
> > > > > if trans outlives table.
> > > >
> > > > trans must never outlive table.
> > > >
> > > What is preventing trans from being freed after closing sock, given
> > > trans is freed in workqueue?
> > >
> > > close sock
> > > queue work
> >
> > The notifier acquires the transaction mutex, locking out all other
> > transactions, so no further transactions requests referencing
> > the table can be queued.
> >
> As per the syzbot report, trans->table could be instantiated before
> notifier acquires the transaction mutex. And in fact the lock helps
> trans outlive table even with your patch.
>
> cpu1 cpu2
> --- ---
> transB->table = A
> lock trans mutex
> flush work
> free A
> unlock trans mutex
>
> queue work to free transB
Can you show a crash reproducer or explain how this assign
and queueing happens unordered wrt. cpu2?
This should look like this:
cpu1 cpu2
--- ---
lock trans mutex
lock trans mutex -> blocks
transB->table = A
queue work to free transB
unlock trans mutex
lock trans mutex returns
flush work
free A
unlock trans mutex
next prev parent reply other threads:[~2024-07-04 10:54 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-07-01 20:19 [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nf_tables_trans_destroy_work syzbot
2024-07-02 9:39 ` [syzbot] " syzbot
2024-07-02 11:28 ` Hillf Danton
2024-07-02 13:57 ` syzbot
2024-07-02 13:14 ` Edward Adam Davis
2024-07-02 14:13 ` syzbot
2024-07-02 14:08 ` [PATCH nf] netfilter: nf_tables: unconditionally flush pending work before notifier Florian Westphal
2024-07-03 10:35 ` Hillf Danton
2024-07-03 10:52 ` Florian Westphal
2024-07-03 12:09 ` Hillf Danton
2024-07-03 13:01 ` Florian Westphal
2024-07-04 10:35 ` Hillf Danton
2024-07-04 10:54 ` Florian Westphal [this message]
2024-07-05 10:48 ` Hillf Danton
2024-07-05 11:02 ` Florian Westphal
2024-07-07 7:56 ` Hillf Danton
2024-07-07 8:08 ` Florian Westphal
2024-07-08 10:56 ` Hillf Danton
2024-07-08 11:58 ` Florian Westphal
2024-07-08 12:17 ` Hillf Danton
2024-07-08 12:43 ` Florian Westphal
2024-07-05 11:18 ` [syzbot] [netfilter?] KASAN: slab-use-after-free Read in nf_tables_trans_destroy_work syzbot
2024-07-02 14:55 ` Edward Adam Davis
2024-07-02 15:28 ` syzbot
2024-07-06 23:13 ` Hillf Danton
2024-07-07 0:21 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240704105418.GA31039@breakpoint.cc \
--to=fw@strlen.de \
--cc=hdanton@sina.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=syzbot+4fd66a69358fc15ae2ad@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.