From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>,
Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.20 07/72] netfilter: nft_compat: destroy function must not have side effects
Date: Sat, 23 Feb 2019 16:03:17 -0500 [thread overview]
Message-ID: <20190223210422.199966-7-sashal@kernel.org> (raw)
In-Reply-To: <20190223210422.199966-1-sashal@kernel.org>
From: Florian Westphal <fw@strlen.de>
[ Upstream commit b2e3d68d1251a051a620f9086e18f7ffa6833b5b ]
The nft_compat destroy function deletes the nft_xt object from a list.
This isn't allowed anymore. Destroy functions are called asynchronously,
i.e. next batch can find the object that has a pending ->destroy()
invocation:
cpu0 cpu1
worker
->destroy for_each_entry()
if (x == ...
return x->ops;
list_del(x)
kfree_rcu(x)
expr->ops->... // ops was free'd
To resolve this, the list_del needs to occur before the transaction
mutex gets released. nf_tables has a 'deactivate' hook for this
purpose, so use that to unlink the object from the list.
Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release")
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/netfilter/nft_compat.c | 48 +++++++++++++++++++++++++++++++++++++-
1 file changed, 47 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index abed3490a8f8a..5eb269428832c 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -29,6 +29,9 @@ struct nft_xt {
struct nft_expr_ops ops;
refcount_t refcnt;
+ /* used only when transaction mutex is locked */
+ unsigned int listcnt;
+
/* Unlike other expressions, ops doesn't have static storage duration.
* nft core assumes they do. We use kfree_rcu so that nft core can
* can check expr->ops->size even after nft_compat->destroy() frees
@@ -61,7 +64,7 @@ static struct nft_compat_net *nft_compat_pernet(struct net *net)
static bool nft_xt_put(struct nft_xt *xt)
{
if (refcount_dec_and_test(&xt->refcnt)) {
- list_del(&xt->head);
+ WARN_ON_ONCE(!list_empty(&xt->head));
kfree_rcu(xt, rcu_head);
return true;
}
@@ -555,6 +558,43 @@ nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
__nft_match_destroy(ctx, expr, nft_expr_priv(expr));
}
+static void nft_compat_activate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr,
+ struct list_head *h)
+{
+ struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
+
+ if (xt->listcnt == 0)
+ list_add(&xt->head, h);
+
+ xt->listcnt++;
+}
+
+static void nft_compat_activate_mt(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+{
+ struct nft_compat_net *cn = nft_compat_pernet(ctx->net);
+
+ nft_compat_activate(ctx, expr, &cn->nft_match_list);
+}
+
+static void nft_compat_activate_tg(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+{
+ struct nft_compat_net *cn = nft_compat_pernet(ctx->net);
+
+ nft_compat_activate(ctx, expr, &cn->nft_target_list);
+}
+
+static void nft_compat_deactivate(const struct nft_ctx *ctx,
+ const struct nft_expr *expr)
+{
+ struct nft_xt *xt = container_of(expr->ops, struct nft_xt, ops);
+
+ if (--xt->listcnt == 0)
+ list_del_init(&xt->head);
+}
+
static void
nft_match_large_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
{
@@ -808,6 +848,8 @@ nft_match_select_ops(const struct nft_ctx *ctx,
nft_match->ops.eval = nft_match_eval;
nft_match->ops.init = nft_match_init;
nft_match->ops.destroy = nft_match_destroy;
+ nft_match->ops.activate = nft_compat_activate_mt;
+ nft_match->ops.deactivate = nft_compat_deactivate;
nft_match->ops.dump = nft_match_dump;
nft_match->ops.validate = nft_match_validate;
nft_match->ops.data = match;
@@ -824,6 +866,7 @@ nft_match_select_ops(const struct nft_ctx *ctx,
nft_match->ops.size = matchsize;
+ nft_match->listcnt = 1;
list_add(&nft_match->head, &cn->nft_match_list);
return &nft_match->ops;
@@ -910,6 +953,8 @@ nft_target_select_ops(const struct nft_ctx *ctx,
nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
nft_target->ops.init = nft_target_init;
nft_target->ops.destroy = nft_target_destroy;
+ nft_target->ops.activate = nft_compat_activate_tg;
+ nft_target->ops.deactivate = nft_compat_deactivate;
nft_target->ops.dump = nft_target_dump;
nft_target->ops.validate = nft_target_validate;
nft_target->ops.data = target;
@@ -919,6 +964,7 @@ nft_target_select_ops(const struct nft_ctx *ctx,
else
nft_target->ops.eval = nft_target_eval_xt;
+ nft_target->listcnt = 1;
list_add(&nft_target->head, &cn->nft_target_list);
return &nft_target->ops;
--
2.19.1
next prev parent reply other threads:[~2019-02-23 21:04 UTC|newest]
Thread overview: 74+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-02-23 21:03 [PATCH AUTOSEL 4.20 01/72] vti4: Fix a ipip packet processing bug in 'IPCOMP' virtual tunnel Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 02/72] xfrm: refine validation of template and selector families Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 03/72] xfrm: Make set-mark default behavior backward compatible Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 04/72] perf ordered_events: Fix crash in ordered_events__free Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 05/72] netfilter: nft_compat: use refcnt_t type for nft_xt reference count Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 06/72] netfilter: nft_compat: make lists per netns Sasha Levin
2019-02-23 21:03 ` Sasha Levin [this message]
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 08/72] perf script: Fix crash with printing mixed trace point and other events Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 09/72] perf core: Fix perf_proc_update_handler() bug Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 10/72] perf python: Remove -fstack-clash-protection when building with some clang versions Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 11/72] perf tools: Handle TOPOLOGY headers with no CPU Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 12/72] perf script: Fix crash when processing recorded stat data Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 13/72] IB/{hfi1, qib}: Fix WC.byte_len calculation for UD_SEND_WITH_IMM Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 14/72] iommu/amd: Call free_iova_fast with pfn in map_sg Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 15/72] iommu/amd: Unmap all mapped pages in error path of map_sg Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 16/72] riscv: fixup max_low_pfn with PFN_DOWN Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 17/72] ipvs: Fix signed integer overflow when setsockopt timeout Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 18/72] iommu/amd: Fix IOMMU page flush when detach device from a domain Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 19/72] clk: ti: Fix error handling in ti_clk_parse_divider_data() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 20/72] clk: qcom: gcc: Use active only source for CPUSS clocks Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 21/72] xtensa: SMP: fix ccount_timer_shutdown Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 22/72] RDMA/umem: Add missing initialization of owning_mm Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 23/72] riscv: Adjust mmap base address at a third of task size Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 24/72] IB/ipoib: Fix for use-after-free in ipoib_cm_tx_start Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 25/72] selftests: cpu-hotplug: fix case where CPUs offline > CPUs present Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 26/72] xtensa: SMP: fix secondary CPU initialization Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 27/72] xtensa: smp_lx200_defconfig: fix vectors clash Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 28/72] xtensa: SMP: mark each possible CPU as present Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 29/72] iomap: get/put the page in iomap_page_create/release() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 30/72] iomap: fix a use after free in iomap_dio_rw Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 31/72] xtensa: SMP: limit number of possible CPUs by NR_CPUS Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 32/72] net: altera_tse: fix msgdma_tx_completion on non-zero fill_level case Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 33/72] net: hns: Fix for missing of_node_put() after of_parse_phandle() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 34/72] net: hns: Restart autoneg need return failed when autoneg off Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 35/72] net: hns: Fix wrong read accesses via Clause 45 MDIO protocol Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 36/72] net: stmmac: dwmac-rk: fix error handling in rk_gmac_powerup() Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 37/72] netfilter: ebtables: compat: un-break 32bit setsockopt when no rules are present Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 38/72] netfilter: nfnetlink_osf: add missing fmatch check Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 39/72] gpio: vf610: Mask all GPIO interrupts Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 40/72] selftests: net: use LDLIBS instead of LDFLAGS Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 41/72] selftests: timers: " Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 42/72] nfs: Fix NULL pointer dereference of dev_name Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 43/72] qed: Fix bug in tx promiscuous mode settings Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 44/72] qed: Fix LACP pdu drops for VFs Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 45/72] qed: Fix VF probe failure while FLR Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 46/72] qed: Fix system crash in ll2 xmit Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 47/72] qed: Fix stack out of bounds bug Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 48/72] scsi: libfc: free skb when receiving invalid flogi resp Sasha Levin
2019-02-23 21:03 ` [PATCH AUTOSEL 4.20 49/72] scsi: scsi_debug: fix write_same with virtual_gb problem Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 50/72] scsi: bnx2fc: Fix error handling in probe() Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 51/72] scsi: 53c700: pass correct "dev" to dma_alloc_attrs() Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 52/72] platform/x86: Fix unmet dependency warning for ACPI_CMPC Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 53/72] platform/x86: Fix unmet dependency warning for SAMSUNG_Q10 Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 54/72] x86/cpu: Add Atom Tremont (Jacobsville) Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 55/72] net: macb: Apply RXUBR workaround only to versions with errata Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 56/72] x86/boot/compressed/64: Set EFER.LME=1 in 32-bit trampoline before returning to long mode Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 57/72] cifs: fix computation for MAX_SMB2_HDR_SIZE Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 58/72] blk-mq: fix a hung issue when fsync Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 59/72] x86/microcode/amd: Don't falsely trick the late loading mechanism Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 60/72] apparmor: Fix warning about unused function apparmor_ipv6_postroute Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 61/72] arm64: kprobe: Always blacklist the KVM world-switch code Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 62/72] apparmor: Fix aa_label_build() error handling for failed merges Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 63/72] x86/kexec: Don't setup EFI info if EFI runtime is not enabled Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 64/72] proc: fix /proc/net/* after setns(2) Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 65/72] x86_64: increase stack size for KASAN_EXTRA Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 66/72] mm, memory_hotplug: is_mem_section_removable do not pass the end of a zone Sasha Levin
2019-02-26 12:46 ` Mike Rapoport
2019-03-11 15:21 ` Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 67/72] mm, memory_hotplug: test_pages_in_a_zone do not pass the end of zone Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 68/72] psi: fix aggregation idle shut-off Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 69/72] lib/test_kmod.c: potential double free in error handling Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 70/72] fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 71/72] autofs: drop dentry reference only when it is never used Sasha Levin
2019-02-23 21:04 ` [PATCH AUTOSEL 4.20 72/72] autofs: fix error return in autofs_fill_super() Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190223210422.199966-7-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=coreteam@netfilter.org \
--cc=fw@strlen.de \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox