From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 4/7] netfilter: nf_tables: fix transaction race condition
Date: Thu, 5 Mar 2015 21:48:46 +0100
Message-ID: <1425588529-4573-5-git-send-email-pablo@netfilter.org>
In-Reply-To: <1425588529-4573-1-git-send-email-pablo@netfilter.org>
From: Patrick McHardy <kaber@trash.net>
A race condition exists in the rule transaction code for rules that
get added and removed within the same transaction.
The new rule starts out as inactive in the current and active in the
next generation and is inserted into the ruleset. When it is deleted,
it is additionally set to inactive in the next generation as well.
On commit the next generation is begun, then the actions are finalized.
For the new rule this would mean clearing out the inactive bit for
the previously current, now next generation.
However, nft_rule_clear() clears out the bits for *both* generations,
activating the rule in the current generation, where it should be
deactivated due to being deleted. The rule will thus be active until
the deletion is finalized, removing the rule from the ruleset.
Similarly, when aborting a transaction for the same case, the undo
of insertion will remove it from the RCU protected rule list, the
deletion will clear out all bits. However, until the next RCU
synchronization after all operations have been undone, the rule is
active on CPUs which can still see the rule on the list.
Generally, there may never be any modifications of the current
generation's inactive bit since this defeats the entire purpose of
atomicity. Change nft_rule_clear() to only touch the next generation's
bit to fix this.
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index a8c9462..6fb532b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -227,7 +227,7 @@ nft_rule_deactivate_next(struct net *net, struct nft_rule *rule)
static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
{
- rule->genmask = 0;
+ rule->genmask &= ~(1 << gencursor_next(net));
}
static int
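Review bot: the new body makes nft_rule_clear() the mirror image of nft_rule_deactivate_next() named in the hunk header (clear the next-generation bit instead of setting it), but the function name still suggests the whole mask is wiped; a one-line comment above the function, or a rename along the lines of nft_rule_activate_next(), would keep a later reader from reintroducing `rule->genmask = 0;`. It is also worth stating in that comment that leaving the current generation's bit untouched is deliberate, since commit flips the cursor before walking the transaction log, so at that point the bit selected by gencursor_next(net) belongs to the previously current generation.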
--
1.7.10.4
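The generation-mask scheme the commit message describes is easy to get wrong in the head, so here is a constructed user-space model of it. This is an added illustration, not kernel code: the struct layouts, the helper names (rule_insert, rule_deactivate_next, rule_clear_buggy, rule_clear_fixed, rule_visible_during_commit, rule_active_after_plain_add) and the one-bit gencursor are assumptions that mirror the patch only in spirit. It replays the add-then-delete-in-one-transaction case with the old `= 0` body and with the patched `&= ~(1 << gencursor_next(net))` body, and also checks that a plain add still activates correctly after the fix.

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed model: a set bit in genmask means "inactive in that
 * generation". Two generations exist, indexed 0 and 1; gencursor names
 * the current one. None of this is the kernel's own code. */
struct net { unsigned int gencursor; };
struct nft_rule { unsigned int genmask; bool on_list; };

static unsigned int gencursor(const struct net *net) { return net->gencursor & 1u; }
static unsigned int gencursor_next(const struct net *net) { return (net->gencursor + 1u) & 1u; }

/* Active in the current generation iff the current-generation bit is clear. */
static bool rule_is_active(const struct net *net, const struct nft_rule *r)
{
    return !(r->genmask & (1u << gencursor(net)));
}

/* NEWRULE: inactive now, active in the next generation, already on the list. */
static void rule_insert(struct net *net, struct nft_rule *r)
{
    r->genmask = 1u << gencursor(net);
    r->on_list = true;
}

/* DELRULE: additionally inactive in the next generation. */
static void rule_deactivate_next(struct net *net, struct nft_rule *r)
{
    r->genmask |= 1u << gencursor_next(net);
}

/* Pre-patch behaviour: wipes both generations' bits. */
static void rule_clear_buggy(struct net *net, struct nft_rule *r)
{
    (void)net;
    r->genmask = 0;
}

/* Patched behaviour: only the next generation's bit is cleared. */
static void rule_clear_fixed(struct net *net, struct nft_rule *r)
{
    r->genmask &= ~(1u << gencursor_next(net));
}

/* Add and delete the same rule in one transaction, then commit: the new
 * generation is begun and NEWRULE is finalized, but DELRULE (the list
 * removal) has not run yet. Returns whether a packet traversing the
 * ruleset in that window would see the rule as active. */
static bool rule_visible_during_commit(bool use_fix)
{
    struct net net = { 0 };
    struct nft_rule r = { 0 };

    rule_insert(&net, &r);           /* genmask 0b01 */
    rule_deactivate_next(&net, &r);  /* genmask 0b11 */

    net.gencursor = gencursor_next(&net);   /* begin next generation */
    if (use_fix)
        rule_clear_fixed(&net, &r);  /* 0b11 & ~0b01 -> 0b10: still inactive */
    else
        rule_clear_buggy(&net, &r);  /* 0 -> active everywhere */

    return r.on_list && rule_is_active(&net, &r);
}

/* Plain add with no delete: after commit the rule must be active either way. */
static bool rule_active_after_plain_add(bool use_fix)
{
    struct net net = { 0 };
    struct nft_rule r = { 0 };

    rule_insert(&net, &r);
    net.gencursor = gencursor_next(&net);
    if (use_fix)
        rule_clear_fixed(&net, &r);
    else
        rule_clear_buggy(&net, &r);
    return rule_is_active(&net, &r);
}

int main(void)
{
    printf("add+delete, old clear: visible=%d\n", rule_visible_during_commit(false));
    printf("add+delete, new clear: visible=%d\n", rule_visible_during_commit(true));
    printf("plain add, old/new: active=%d/%d\n",
           rule_active_after_plain_add(false), rule_active_after_plain_add(true));
    return 0;
}
```

The model deliberately stops between the two finalization steps, because that is the window the commit message talks about: with the old body the rule flips to active in the freshly begun generation before its list removal happens, while the patched body leaves the bit set by rule_deactivate_next() alone.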
Thread overview:
2015-03-05 20:48 [PATCH 0/7] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2015-03-05 20:48 ` [PATCH 1/7] netfilter: nft_compat: don't truncate ethernet protocol type to u8 Pablo Neira Ayuso
2015-03-05 20:48 ` [PATCH 2/7] netfilter: nf_tables: fix addition/deletion of elements from commit/abort Pablo Neira Ayuso
2015-03-05 20:48 ` [PATCH 3/7] ipvs: add missing ip_vs_pe_put in sync code Pablo Neira Ayuso
2015-03-05 20:48 ` [PATCH 4/7] netfilter: nf_tables: fix transaction race condition Pablo Neira Ayuso [this message]
2015-03-05 20:48 ` [PATCH 5/7] netfilter: nf_tables: check for overflow of rule dlen field Pablo Neira Ayuso
2015-03-05 20:48 ` [PATCH 6/7] netfilter: nf_tables: fix userdata length overflow Pablo Neira Ayuso
2015-03-05 20:48 ` [PATCH 7/7] netfilter: nf_tables: fix error handling of rule replacement Pablo Neira Ayuso
2015-03-06 2:51 ` [PATCH 0/7] Netfilter/IPVS fixes for net David Miller