* [PATCH net 0/3] Netfilter fixes for net
@ 2022-11-09 11:28 Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() Pablo Neira Ayuso
` (2 more replies)
0 siblings, 3 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-09 11:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
Hi,
The following patchset contains Netfilter fixes for net:
1) Fix deadlock in nfnetlink due to missing mutex release in error path,
from Ziyang Xuan.
2) Clean up pending autoload module list from nf_tables_exit_net() path,
from Shigeru Yoshida.
3) Fixes for the netfilter's reverse path selftest, from Phil Sutter.
All of these bugs have been around for several releases.
Please, pull these changes from:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git
Thanks.
----------------------------------------------------------------
The following changes since commit ce9e57feeed81d17d5e80ed86f516ff0d39c3867:
drivers: net: xgene: disable napi when register irq failed in xgene_enet_open() (2022-11-08 15:15:55 +0100)
are available in the Git repository at:
git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf.git HEAD
for you to fetch changes up to 58bb78ce02269c0cf5b1f2bd2e4a605500b44c6b:
selftests: netfilter: Fix and review rpath.sh (2022-11-09 10:29:57 +0100)
----------------------------------------------------------------
Phil Sutter (1):
selftests: netfilter: Fix and review rpath.sh
Shigeru Yoshida (1):
netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()
Ziyang Xuan (1):
netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()
net/netfilter/nf_tables_api.c | 3 ++-
net/netfilter/nfnetlink.c | 1 +
tools/testing/selftests/netfilter/rpath.sh | 14 ++++++++------
3 files changed, 11 insertions(+), 7 deletions(-)
^ permalink raw reply [flat|nested] 5+ messages in thread
* [PATCH net 1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()
2022-11-09 11:28 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
@ 2022-11-09 11:28 ` Pablo Neira Ayuso
2022-11-09 15:00 ` patchwork-bot+netdevbpf
2022-11-09 11:28 ` [PATCH net 2/3] netfilter: Cleanup nft_net->module_list from nf_tables_exit_net() Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 3/3] selftests: netfilter: Fix and review rpath.sh Pablo Neira Ayuso
2 siblings, 1 reply; 5+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-09 11:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Ziyang Xuan <william.xuanziyang@huawei.com>
When type is NFNL_CB_MUTEX and -EAGAIN error occur in nfnetlink_rcv_msg(),
it does not execute nfnl_unlock(). That would trigger potential dead lock.
Fixes: 50f2db9e368f ("netfilter: nfnetlink: consolidate callback types")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nfnetlink.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
index 9c44518cb70f..6d18fb346868 100644
--- a/net/netfilter/nfnetlink.c
+++ b/net/netfilter/nfnetlink.c
@@ -294,6 +294,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
nfnl_lock(subsys_id);
if (nfnl_dereference_protected(subsys_id) != ss ||
nfnetlink_find_client(type, ss) != nc) {
+ nfnl_unlock(subsys_id);
err = -EAGAIN;
break;
}
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 2/3] netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()
2022-11-09 11:28 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() Pablo Neira Ayuso
@ 2022-11-09 11:28 ` Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 3/3] selftests: netfilter: Fix and review rpath.sh Pablo Neira Ayuso
2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-09 11:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Shigeru Yoshida <syoshida@redhat.com>
syzbot reported a warning like below [1]:
WARNING: CPU: 3 PID: 9 at net/netfilter/nf_tables_api.c:10096 nf_tables_exit_net+0x71c/0x840
Modules linked in:
CPU: 2 PID: 9 Comm: kworker/u8:0 Tainted: G W 6.1.0-rc3-00072-g8e5423e991e8 #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
Workqueue: netns cleanup_net
RIP: 0010:nf_tables_exit_net+0x71c/0x840
...
Call Trace:
<TASK>
? __nft_release_table+0xfc0/0xfc0
ops_exit_list+0xb5/0x180
cleanup_net+0x506/0xb10
? unregister_pernet_device+0x80/0x80
process_one_work+0xa38/0x1730
? pwq_dec_nr_in_flight+0x2b0/0x2b0
? rwlock_bug.part.0+0x90/0x90
? _raw_spin_lock_irq+0x46/0x50
worker_thread+0x67e/0x10e0
? process_one_work+0x1730/0x1730
kthread+0x2e5/0x3a0
? kthread_complete_and_exit+0x40/0x40
ret_from_fork+0x1f/0x30
</TASK>
In nf_tables_exit_net(), there is a case where nft_net->commit_list is
empty but nft_net->module_list is not empty. Such a case occurs with
the following scenario:
1. nfnetlink_rcv_batch() is called
2. nf_tables_newset() returns -EAGAIN and NFNL_BATCH_FAILURE bit is
set to status
3. nf_tables_abort() is called with NFNL_ABORT_AUTOLOAD
(nft_net->commit_list is released, but nft_net->module_list is not
because of NFNL_ABORT_AUTOLOAD flag)
4. Jump to replay label
5. netlink_skb_clone() fails and returns from the function (this is
caused by fault injection in the reproducer of syzbot)
This patch fixes this issue by calling __nf_tables_abort() when
nft_net->module_list is not empty in nf_tables_exit_net().
Fixes: eb014de4fd41 ("netfilter: nf_tables: autoload modules from the abort path")
Link: https://syzkaller.appspot.com/bug?id=802aba2422de4218ad0c01b46c9525cc9d4e4aa3 [1]
Reported-by: syzbot+178efee9e2d7f87f5103@syzkaller.appspotmail.com
Signed-off-by: Shigeru Yoshida <syoshida@redhat.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
---
net/netfilter/nf_tables_api.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 76bd4d03dbda..e7152d599d73 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10090,7 +10090,8 @@ static void __net_exit nf_tables_exit_net(struct net *net)
struct nftables_pernet *nft_net = nft_pernet(net);
mutex_lock(&nft_net->commit_mutex);
- if (!list_empty(&nft_net->commit_list))
+ if (!list_empty(&nft_net->commit_list) ||
+ !list_empty(&nft_net->module_list))
__nf_tables_abort(net, NFNL_ABORT_NONE);
__nft_release_tables(net);
mutex_unlock(&nft_net->commit_mutex);
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH net 3/3] selftests: netfilter: Fix and review rpath.sh
2022-11-09 11:28 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 2/3] netfilter: Cleanup nft_net->module_list from nf_tables_exit_net() Pablo Neira Ayuso
@ 2022-11-09 11:28 ` Pablo Neira Ayuso
2 siblings, 0 replies; 5+ messages in thread
From: Pablo Neira Ayuso @ 2022-11-09 11:28 UTC (permalink / raw)
To: netfilter-devel; +Cc: davem, netdev, kuba, pabeni, edumazet
From: Phil Sutter <phil@nwl.cc>
Address a few problems with the initial test script version:
* On systems with ip6tables but no ip6tables-legacy, testing for
ip6tables was disabled by accident.
* Firewall setup phase did not respect possibly unavailable tools.
* Consistently call nft via '$nft'.
Fixes: 6e31ce831c63b ("selftests: netfilter: Test reverse path filtering")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
tools/testing/selftests/netfilter/rpath.sh | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/tools/testing/selftests/netfilter/rpath.sh b/tools/testing/selftests/netfilter/rpath.sh
index 2d8da7bd8ab7..f7311e66d219 100755
--- a/tools/testing/selftests/netfilter/rpath.sh
+++ b/tools/testing/selftests/netfilter/rpath.sh
@@ -15,7 +15,7 @@ fi
if ip6tables-legacy --version >/dev/null 2>&1; then
ip6tables='ip6tables-legacy'
-elif ! ip6tables --version >/dev/null 2>&1; then
+elif ip6tables --version >/dev/null 2>&1; then
ip6tables='ip6tables'
else
ip6tables=''
@@ -62,9 +62,11 @@ ip -net "$ns1" a a fec0:42::2/64 dev v0 nodad
ip -net "$ns2" a a fec0:42::1/64 dev d0 nodad
# firewall matches to test
-ip netns exec "$ns2" "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
-ip netns exec "$ns2" "$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
-ip netns exec "$ns2" nft -f - <<EOF
+[ -n "$iptables" ] && ip netns exec "$ns2" \
+ "$iptables" -t raw -A PREROUTING -s 192.168.0.0/16 -m rpfilter
+[ -n "$ip6tables" ] && ip netns exec "$ns2" \
+ "$ip6tables" -t raw -A PREROUTING -s fec0::/16 -m rpfilter
+[ -n "$nft" ] && ip netns exec "$ns2" $nft -f - <<EOF
table inet t {
chain c {
type filter hook prerouting priority raw;
@@ -106,8 +108,8 @@ testrun() {
if [ -n "$nft" ]; then
(
echo "delete table inet t";
- ip netns exec "$ns2" nft -s list table inet t;
- ) | ip netns exec "$ns2" nft -f -
+ ip netns exec "$ns2" $nft -s list table inet t;
+ ) | ip netns exec "$ns2" $nft -f -
fi
# test 1: martian traffic should fail rpfilter matches
--
2.30.2
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH net 1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()
2022-11-09 11:28 ` [PATCH net 1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() Pablo Neira Ayuso
@ 2022-11-09 15:00 ` patchwork-bot+netdevbpf
0 siblings, 0 replies; 5+ messages in thread
From: patchwork-bot+netdevbpf @ 2022-11-09 15:00 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: netfilter-devel, davem, netdev, kuba, pabeni, edumazet
Hello:
This series was applied to netdev/net.git (master)
by Pablo Neira Ayuso <pablo@netfilter.org>:
On Wed, 9 Nov 2022 12:28:18 +0100 you wrote:
> From: Ziyang Xuan <william.xuanziyang@huawei.com>
>
> When type is NFNL_CB_MUTEX and -EAGAIN error occur in nfnetlink_rcv_msg(),
> it does not execute nfnl_unlock(). That would trigger potential dead lock.
>
> Fixes: 50f2db9e368f ("netfilter: nfnetlink: consolidate callback types")
> Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
>
> [...]
Here is the summary with links:
- [net,1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()
https://git.kernel.org/netdev/net/c/03832a32bf8f
- [net,2/3] netfilter: Cleanup nft_net->module_list from nf_tables_exit_net()
https://git.kernel.org/netdev/net/c/03c1f1ef1584
- [net,3/3] selftests: netfilter: Fix and review rpath.sh
https://git.kernel.org/netdev/net/c/58bb78ce0226
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2022-11-09 15:00 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2022-11-09 11:28 [PATCH net 0/3] Netfilter fixes for net Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 1/3] netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg() Pablo Neira Ayuso
2022-11-09 15:00 ` patchwork-bot+netdevbpf
2022-11-09 11:28 ` [PATCH net 2/3] netfilter: Cleanup nft_net->module_list from nf_tables_exit_net() Pablo Neira Ayuso
2022-11-09 11:28 ` [PATCH net 3/3] selftests: netfilter: Fix and review rpath.sh Pablo Neira Ayuso
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).