From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org
Subject: [PATCH net-next 08/28] netfilter: nft_log: perform module load from nf_tables
Date: Tue, 6 Apr 2021 14:21:13 +0200 [thread overview]
Message-ID: <20210406122133.1644-9-pablo@netfilter.org> (raw)
In-Reply-To: <20210406122133.1644-1-pablo@netfilter.org>
From: Florian Westphal <fw@strlen.de>
modprobe calls from the nf_logger_find_get() API causes deadlock in very
special cases because they occur with the nf_tables transaction mutex held.
In the specific case of nf_log, deadlock is via:
A nf_tables -> transaction mutex -> nft_log -> modprobe -> nf_log_syslog \
-> pernet_ops rwsem -> wait for C
B netlink event -> rtnl_mutex -> nf_tables transaction mutex -> wait for A
C close() -> ip6mr_sk_done -> rtnl_mutex -> wait for B
Earlier patch added NFLOG/xt_LOG module softdeps to avoid the need to load
the backend module during a transaction.
For nft_log we would have to add a softdep for both nfnetlink_log or
nf_log_syslog, since we do not know in advance which of the two backends
are going to be configured.
This defers the modprobe op until after the transaction mutex is released.
Tested-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
include/net/netfilter/nf_tables.h | 5 +++++
net/netfilter/nf_log.c | 3 ---
net/netfilter/nf_tables_api.c | 5 +++--
net/netfilter/nft_log.c | 20 +++++++++++++++++++-
4 files changed, 27 insertions(+), 6 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 0cef5ad9768a..8fefa112ae89 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1562,4 +1562,9 @@ void nf_tables_trans_destroy_flush_work(void);
int nf_msecs_to_jiffies64(const struct nlattr *nla, u64 *result);
__be64 nf_jiffies64_to_msecs(u64 input);
+#ifdef CONFIG_MODULES
+__printf(2, 3) int nft_request_module(struct net *net, const char *fmt, ...);
+#else
+static inline int nft_request_module(struct net *net, const char *fmt, ...) { return -ENOENT; }
+#endif
#endif /* _NET_NF_TABLES_H */
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index eaa8181f5ef7..edee7fa944c1 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -170,9 +170,6 @@ int nf_logger_find_get(int pf, enum nf_log_type type)
return 0;
}
- if (rcu_access_pointer(loggers[pf][type]) == NULL)
- request_module("nf-logger-%u-%u", pf, type);
-
rcu_read_lock();
logger = rcu_dereference(loggers[pf][type]);
if (logger == NULL)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index fc2526b8bd55..c09b67f2f64c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -586,8 +586,8 @@ struct nft_module_request {
};
#ifdef CONFIG_MODULES
-static __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
- ...)
+__printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
+ ...)
{
char module_name[MODULE_NAME_LEN];
struct nft_module_request *req;
@@ -620,6 +620,7 @@ static __printf(2, 3) int nft_request_module(struct net *net, const char *fmt,
return -EAGAIN;
}
+EXPORT_SYMBOL_GPL(nft_request_module);
#endif
static void lockdep_nfnl_nft_mutex_not_held(void)
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index a06a46b039c5..54f6c2035e84 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -128,6 +128,20 @@ static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = {
[NFTA_LOG_FLAGS] = { .type = NLA_U32 },
};
+static int nft_log_modprobe(struct net *net, enum nf_log_type t)
+{
+ switch (t) {
+ case NF_LOG_TYPE_LOG:
+ return nft_request_module(net, "%s", "nf_log_syslog");
+ case NF_LOG_TYPE_ULOG:
+ return nft_request_module(net, "%s", "nfnetlink_log");
+ case NF_LOG_TYPE_MAX:
+ break;
+ }
+
+ return -ENOENT;
+}
+
static int nft_log_init(const struct nft_ctx *ctx,
const struct nft_expr *expr,
const struct nlattr * const tb[])
@@ -197,8 +211,12 @@ static int nft_log_init(const struct nft_ctx *ctx,
return 0;
err = nf_logger_find_get(ctx->family, li->type);
- if (err < 0)
+ if (err < 0) {
+ if (nft_log_modprobe(ctx->net, li->type) == -EAGAIN)
+ err = -EAGAIN;
+
goto err1;
+ }
return 0;
--
2.30.2
next prev parent reply other threads:[~2021-04-06 12:22 UTC|newest]
Thread overview: 29+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-04-06 12:21 [PATCH net-next 00/28] Netfilter updates for net-next Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 01/28] netfilter: nf_log_ipv4: rename to nf_log_syslog Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 02/28] netfilter: nf_log_arp: merge with nf_log_syslog Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 03/28] netfilter: nf_log_ipv6: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 04/28] netfilter: nf_log_netdev: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 05/28] netfilter: nf_log_bridge: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 06/28] netfilter: nf_log_common: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 07/28] netfilter: nf_log: add module softdeps Pablo Neira Ayuso
2021-04-06 12:21 ` Pablo Neira Ayuso [this message]
2021-04-06 12:21 ` [PATCH net-next 09/28] audit: log nftables configuration change events once per table Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 10/28] netfilter: ipset: Remove duplicate declaration Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 11/28] netfilter: flowtable: dst_check() from garbage collector path Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 12/28] netfilter: nftables: remove unnecessary spin_lock_init() Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 13/28] netfilter: nftables: add helper function to set the base sequence number Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 14/28] netfilter: add helper function to set up the nfnetlink header and use it Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 15/28] netfilter: ipvs: do not printk on netns creation Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 16/28] netfilter: nftables: fix a warning message in nf_tables_commit_audit_collect() Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 17/28] netfilter: nftables: remove documentation on static functions Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 18/28] netfilter: nfnetlink: add and use nfnetlink_broadcast Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 19/28] netfilter: nfnetlink: use net_generic infra Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 20/28] netfilter: cttimeout: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 21/28] netfilter: nf_defrag_ipv6: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 22/28] netfilter: nf_defrag_ipv4: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 23/28] netfilter: ebtables: " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 24/28] netfilter: nf_tables: use net_generic infra for transaction data Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 25/28] netfilter: x_tables: move known table lists to net_generic infra Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 26/28] netfilter: conntrack: move sysctl pointer " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 27/28] netfilter: conntrack: move ecache dwork " Pablo Neira Ayuso
2021-04-06 12:21 ` [PATCH net-next 28/28] net: remove obsolete members from struct net Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210406122133.1644-9-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).