From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-1.web.codeaurora.org [10.30.226.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id E47E315CAE for ; Tue, 8 Nov 2022 14:09:16 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E09C1C433B5; Tue, 8 Nov 2022 14:09:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1667916556; bh=WU6TAw4mouUDecrmHg5Fci0NCHJslXhqqT+K7JkslzA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zb3MDmREJah+MhFEQgmoDORnxQ2irlMyOnF0EgtbqJGjCjea3ZjuE8Oyusl/0xogu Ks7f/yWML89q54PQxLeC5U49KjVjKtnnmoNsZNS3QYGmYuvBRLLSnHBolh7qXeevL8 tgjpUs08vEfZCsR9JGP8G6rUN3ECaRPqUyVBUyhw= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com, Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 6.0 030/197] netfilter: nf_tables: netlink notifier might race to release objects Date: Tue, 8 Nov 2022 14:37:48 +0100 Message-Id: <20221108133356.176967212@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221108133354.787209461@linuxfoundation.org> References: <20221108133354.787209461@linuxfoundation.org> User-Agent: quilt/0.67 Precedence: bulk X-Mailing-List: patches@lists.linux.dev List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit From: Pablo Neira Ayuso [ Upstream commit d4bc8271db21ea9f1c86a1ca4d64999f184d4aae ] commit release path is invoked via call_rcu and it runs lockless to release the objects after rcu grace period. The netlink notifier handler might win race to remove objects that the transaction context is still referencing from the commit release path. Call rcu_barrier() to ensure pending rcu callbacks run to completion if the list of transactions to be destroyed is not empty. Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership") Reported-by: syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 5897afd12466..cc598504bc10 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -10030,6 +10030,8 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, nft_net = nft_pernet(net); deleted = 0; mutex_lock(&nft_net->commit_mutex); + if (!list_empty(&nf_tables_destroy_list)) + rcu_barrier(); again: list_for_each_entry(table, &nft_net->tables, list) { if (nft_table_has_owner(table) && -- 2.35.1