From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Florian Westphal <fw@strlen.de>
Cc: netfilter-devel@vger.kernel.org, Yi Chen <yiche@redhat.com>
Subject: Re: [PATCH nf] netfilter: nfnetlink_queue: fix rcu splat on program exit
Date: Tue, 14 May 2024 13:34:57 +0200
Message-ID: <ZkNMYQ1u2zJhlviL@calendula>
In-Reply-To: <20240514103133.2784-1-fw@strlen.de>

Hi Florian,

On Tue, May 14, 2024 at 12:31:30PM +0200, Florian Westphal wrote:
> If userspace program exits while the queue it's subscribed to has packets
> available we get the following (harmless) RCU splat:
> 
>  net/netfilter/nfnetlink_queue.c:261 suspicious rcu_dereference_check() usage!
>  other info that might help us debug this:
>  rcu_scheduler_active = 2, debug_locks = 1
>  2 locks held by swapper/0/0:
>   #0: (rcu_callback){....}-{0:0}, at: rcu_core
>   #1: (&inst->lock){+.-.}-{3:3}, at: instance_destroy_rcu
>  [..] Call Trace:
>   lockdep_rcu_suspicious+0x1ab/0x250
>   nfqnl_reinject+0x5d3/0xfb0
>   instance_destroy_rcu+0x1b5/0x220
>   rcu_core+0xe32 [..]
> 
> This is harmless because the incorrectly-obtained pointer will not be
> dereferenced in case nfqnl_reinject is called with NF_DROP verdict.
> 
> Fix this by open-coding skb+entry release without going through
> nfqnl_reinject().  kfree_skb+release_ref is exactly what nfqnl_reinject
> ends up doing when called with NF_DROP, except that it also does a
> truckload of other things that are irrelevant for DROP.
> 
> A similar warning can be triggered by flushing the ruleset while
> packets are being reinjected.
> 
> This is harmless as well, the WARN_ON_ONCE() should be removed.
> 
> Reported-by: Yi Chen <yiche@redhat.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> ---
>  Due to MR closed this patch is actually vs nf-next tree.
>  It will also conflict with the pending sctp checksum patch
>  from Antonio Ojea (nft_queue.sh), I can resend if needed once
>  Antonio's patch is applied (conflict resolution is simple: use
>  both changes).

I can route this through nf.git and deal with conflict resolution if
you prefer it that way.

Thanks.
