[PATCH net 2/7] netfilter: conntrack: fix possible bug_on with enable_hooks=1

public inbox for netdev@vger.kernel.org
 help / color / mirror / Atom feed

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
	pabeni@redhat.com, edumazet@google.com
Subject: [PATCH net 2/7] netfilter: conntrack: fix possible bug_on with enable_hooks=1
Date: Wed, 10 May 2023 10:33:08 +0200	[thread overview]
Message-ID: <20230510083313.152961-3-pablo@netfilter.org> (raw)
In-Reply-To: <20230510083313.152961-1-pablo@netfilter.org>

From: Florian Westphal <fw@strlen.de>

I received a bug report (no reproducer so far) where we trip over

712         rcu_read_lock();
713         ct_hook = rcu_dereference(nf_ct_hook);
714         BUG_ON(ct_hook == NULL);  // here

In nf_conntrack_destroy().

First turn this BUG_ON into a WARN.  I think it was triggered
via enable_hooks=1 flag.

When this flag is turned on, the conntrack hooks are registered
before nf_ct_hook pointer gets assigned.
This opens a short window where packets enter the conntrack machinery,
can have skb->_nfct set up and a subsequent kfree_skb might occur
before nf_ct_hook is set.

Call nf_conntrack_init_end() to set nf_ct_hook before we register the
pernet ops.

Fixes: ba3fbe663635 ("netfilter: nf_conntrack: provide modparam to always register conntrack hooks")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/core.c                    | 6 ++++--
 net/netfilter/nf_conntrack_standalone.c | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index f0783e42108b..5f76ae86a656 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -711,9 +711,11 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct)
 
 	rcu_read_lock();
 	ct_hook = rcu_dereference(nf_ct_hook);
-	BUG_ON(ct_hook == NULL);
-	ct_hook->destroy(nfct);
+	if (ct_hook)
+		ct_hook->destroy(nfct);
 	rcu_read_unlock();
+
+	WARN_ON(!ct_hook);
 }
 EXPORT_SYMBOL(nf_conntrack_destroy);
 
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index 57f6724c99a7..169e16fc2bce 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -1218,11 +1218,12 @@ static int __init nf_conntrack_standalone_init(void)
 	nf_conntrack_htable_size_user = nf_conntrack_htable_size;
 #endif
 
+	nf_conntrack_init_end();
+
 	ret = register_pernet_subsys(&nf_conntrack_net_ops);
 	if (ret < 0)
 		goto out_pernet;
 
-	nf_conntrack_init_end();
 	return 0;
 
 out_pernet:
-- 
2.30.2

next prev parent reply	other threads:[~2023-05-10  8:41 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-05-10  8:33 [PATCH net 0/7] Netfilter updates for net Pablo Neira Ayuso
2023-05-10  8:33 ` [PATCH net 1/7] netfilter: nf_tables: always release netdev hooks from notifier Pablo Neira Ayuso
2023-05-11  2:20   ` patchwork-bot+netdevbpf
2023-05-10  8:33 ` Pablo Neira Ayuso [this message]
2023-05-10  8:33 ` [PATCH net 3/7] selftests: nft_flowtable.sh: use /proc for pid checking Pablo Neira Ayuso
2023-05-10  8:33 ` [PATCH net 4/7] selftests: nft_flowtable.sh: no need for ps -x option Pablo Neira Ayuso
2023-05-10  8:33 ` [PATCH net 5/7] selftests: nft_flowtable.sh: wait for specific nc pids Pablo Neira Ayuso
2023-05-10  8:33 ` [PATCH net 6/7] selftests: nft_flowtable.sh: monitor result file sizes Pablo Neira Ayuso
2023-05-10  8:33 ` [PATCH net 7/7] selftests: nft_flowtable.sh: check ingress/egress chain too Pablo Neira Ayuso

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:f0783e42108 dfblob:5f76ae86a65 dfblob:57f6724c99a
dfblob:169e16fc2bc )
 OR (
bs:"[PATCH net 2/7] netfilter: conntrack: fix possible bug_on with enable_hooks=1" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230510083313.152961-3-pablo@netfilter.org \
    --to=pablo@netfilter.org \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=kuba@kernel.org \
    --cc=netdev@vger.kernel.org \
    --cc=netfilter-devel@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox