From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
Asbjoern Sloth Toennesen <asbjorn@asbjorn.biz>,
Pablo Neira Ayuso <pablo@netfilter.org>
Subject: [PATCH 3.18 52/61] netfilter: nf_tables: fix flush ruleset chain dependencies
Date: Tue, 27 Jan 2015 17:27:04 -0800 [thread overview]
Message-ID: <20150128012642.623051200@linuxfoundation.org> (raw)
In-Reply-To: <20150128012636.936333725@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit a2f18db0c68fec96631c10cad9384c196e9008ac upstream.
Jumping between chains doesn't mix well with flush ruleset. Rules
from a different chain and set elements may still refer to us.
[ 353.373791] ------------[ cut here ]------------
[ 353.373845] kernel BUG at net/netfilter/nf_tables_api.c:1159!
[ 353.373896] invalid opcode: 0000 [#1] SMP
[ 353.373942] Modules linked in: intel_powerclamp uas iwldvm iwlwifi
[ 353.374017] CPU: 0 PID: 6445 Comm: 31c3.nft Not tainted 3.18.0 #98
[ 353.374069] Hardware name: LENOVO 5129CTO/5129CTO, BIOS 6QET47WW (1.17 ) 07/14/2010
[...]
[ 353.375018] Call Trace:
[ 353.375046] [<ffffffff81964c31>] ? nf_tables_commit+0x381/0x540
[ 353.375101] [<ffffffff81949118>] nfnetlink_rcv+0x3d8/0x4b0
[ 353.375150] [<ffffffff81943fc5>] netlink_unicast+0x105/0x1a0
[ 353.375200] [<ffffffff8194438e>] netlink_sendmsg+0x32e/0x790
[ 353.375253] [<ffffffff818f398e>] sock_sendmsg+0x8e/0xc0
[ 353.375300] [<ffffffff818f36b9>] ? move_addr_to_kernel.part.20+0x19/0x70
[ 353.375357] [<ffffffff818f44f9>] ? move_addr_to_kernel+0x19/0x30
[ 353.375410] [<ffffffff819016d2>] ? verify_iovec+0x42/0xd0
[ 353.375459] [<ffffffff818f3e10>] ___sys_sendmsg+0x3f0/0x400
[ 353.375510] [<ffffffff810615fa>] ? native_sched_clock+0x2a/0x90
[ 353.375563] [<ffffffff81176697>] ? acct_account_cputime+0x17/0x20
[ 353.375616] [<ffffffff8110dc78>] ? account_user_time+0x88/0xa0
[ 353.375667] [<ffffffff818f4bbd>] __sys_sendmsg+0x3d/0x80
[ 353.375719] [<ffffffff81b184f4>] ? int_check_syscall_exit_work+0x34/0x3d
[ 353.375776] [<ffffffff818f4c0d>] SyS_sendmsg+0xd/0x20
[ 353.375823] [<ffffffff81b1826d>] system_call_fastpath+0x16/0x1b
Release objects in this order: rules -> sets -> chains -> tables, to
make sure no references to chains are held anymore.
Reported-by: Asbjoern Sloth Toennesen <asbjorn@asbjorn.biz>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -713,16 +713,12 @@ static int nft_flush_table(struct nft_ct
struct nft_chain *chain, *nc;
struct nft_set *set, *ns;
- list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
+ list_for_each_entry(chain, &ctx->table->chains, list) {
ctx->chain = chain;
err = nft_delrule_by_chain(ctx);
if (err < 0)
goto out;
-
- err = nft_delchain(ctx);
- if (err < 0)
- goto out;
}
list_for_each_entry_safe(set, ns, &ctx->table->sets, list) {
@@ -734,6 +730,14 @@ static int nft_flush_table(struct nft_ct
if (err < 0)
goto out;
}
+
+ list_for_each_entry_safe(chain, nc, &ctx->table->chains, list) {
+ ctx->chain = chain;
+
+ err = nft_delchain(ctx);
+ if (err < 0)
+ goto out;
+ }
err = nft_deltable(ctx);
out:
next prev parent reply other threads:[~2015-01-28 1:32 UTC|newest]
Thread overview: 72+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-01-28 1:26 [PATCH 3.18 00/61] 3.18.5-stable review Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 01/61] can: dev: fix crtlmode_supported check Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 02/61] can: m_can: tag current CAN FD controllers as non-ISO Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 03/61] pinctrl: qcom: Dont iterate past end of function array Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 04/61] pinctrl: Fix two deadlocks Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 05/61] mfd: tps65218: Make INT[12] and STATUS registers volatile Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 06/61] mfd: tps65218: Make INT1 our status_base register Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 07/61] mfd: rtsx_usb: Fix runtime PM deadlock Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 08/61] libata: allow sata_sil24 to opt-out of tag ordered submission Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 09/61] libata: prevent HSM state change race between ISR and PIO Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 10/61] ALSA: usb-audio: Add mic volume fix quirk for Logitech Webcam C210 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 11/61] workqueue: fix subtle pool management issue which can stall whole worker_pool Greg Kroah-Hartman
2015-01-28 1:51 ` Lai Jiangshan
2015-01-28 2:24 ` Tejun Heo
2015-01-28 3:15 ` Lai Jiangshan
2015-01-28 15:07 ` Tejun Heo
2015-01-28 17:54 ` Greg Kroah-Hartman
2015-01-29 20:33 ` Tejun Heo
2015-02-02 11:28 ` Luis Henriques
2015-01-28 1:26 ` [PATCH 3.18 12/61] scripts/recordmcount.pl: There is no -m32 gcc option on Super-H anymore Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 13/61] drm/i915: Ban Haswell from using RCS flips Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 14/61] drm/i915: Fix mutex->owner inspection race under DEBUG_MUTEXES Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 15/61] drm/radeon: add a dpm quirk list Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 16/61] drm/radeon: add si " Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 17/61] drm/radeon: use rv515_ring_start on r5xx Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 18/61] PCI: Pass bridge device, not bus, when updating bridge windows Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 19/61] PCI: Add pci_claim_bridge_resource() to clip window if necessary Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 20/61] PCI: Add pci_bus_clip_resource() to clip to fit upstream window Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 21/61] x86/PCI: Clip bridge windows to fit in upstream windows Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 22/61] PCI: Add flag for devices where we cant use bus reset Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 23/61] PCI: Mark Atheros AR93xx to avoid " Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 24/61] ipr: wait for aborted command responses Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 25/61] [media] cx23885: Split Hauppauge WinTV Starburst from HVR4400 card entry Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 26/61] [media] vb2: fix vb2_thread_stop race conditions Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 27/61] dm cache: share cache-metadata object across inactive and active DM tables Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 28/61] dm cache: fix problematic dual use of a single migration count variable Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 29/61] irqchip: omap-intc: Fix legacy DMA regression Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 30/61] time: settimeofday: Validate the values of tv from user Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 31/61] time: adjtimex: Validate the ADJ_FREQUENCY values Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 32/61] ARM: dts: imx25: Fix PWM "per" clocks Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 33/61] ARM: mvebu: completely disable hardware I/O coherency Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 34/61] bus: mvebu-mbus: fix support of MBus window 13 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 35/61] fix deadlock in cifs_ioctl_clone() Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 36/61] irqchip: atmel-aic-common: Prevent clobbering of priority when changing IRQ type Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 37/61] x86, irq: Properly tag virtualization entry in /proc/interrupts Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 38/61] clocksource: exynos_mct: Fix bitmask regression for exynos4_mct_write Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 39/61] x86, hyperv: Mark the Hyper-V clocksource as being continuous Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 40/61] x86/tsc: Change Fast TSC calibration failed from error to info Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 41/61] x86, boot: Skip relocs when load address unchanged Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 42/61] KVM: x86: SYSENTER emulation is broken Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 43/61] KVM: x86: Fix of previously incomplete fix for CVE-2014-8480 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 44/61] x86, tls, ldt: Stop checking lm in LDT_empty Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 45/61] x86, tls: Interpret an all-zero struct user_desc as "no segment" Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 46/61] x86/apic: Re-enable PCI_MSI support for non-SMP X86_32 Greg Kroah-Hartman
2015-01-28 1:26 ` [PATCH 3.18 47/61] sata_dwc_460ex: fix resource leak on error path Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 48/61] ahci_xgene: Fix the endianess issue in APM X-Gene SoC AHCI SATA controller driver Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 49/61] KEYS: close race between key lookup and freeing Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 50/61] mm: get rid of radix tree gfp mask for pagecache_get_page Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 51/61] netfilter: nfnetlink: validate nfnetlink header from batch Greg Kroah-Hartman
2015-01-28 1:27 ` Greg Kroah-Hartman [this message]
2015-01-28 1:27 ` [PATCH 3.18 53/61] netfilter: nfnetlink: relax strict multicast group check from netlink_bind Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 54/61] netfilter: conntrack: fix race between confirmation and flush Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 55/61] ipvs: uninitialized data with IP_VS_IPV6 Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 56/61] Revert "swiotlb-xen: pass dev_addr to swiotlb_tbl_unmap_single" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 57/61] iwlwifi: mvm: add a flag to enable match found notification Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 58/61] ACPI / PM: Do not disable wakeup GPEs that have not been enabled Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 59/61] crypto: prefix module autoloading with "crypto-" Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 60/61] crypto: include crypto- module prefix in template Greg Kroah-Hartman
2015-01-28 1:27 ` [PATCH 3.18 61/61] crypto: add missing crypto module aliases Greg Kroah-Hartman
2015-01-28 14:15 ` [PATCH 3.18 00/61] 3.18.5-stable review Guenter Roeck
2015-01-28 17:55 ` Greg Kroah-Hartman
2015-01-28 16:50 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150128012642.623051200@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=asbjorn@asbjorn.biz \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).