From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 17691C433FE for ; Tue, 8 Nov 2022 14:09:22 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S235167AbiKHOJU (ORCPT ); Tue, 8 Nov 2022 09:09:20 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:45656 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S235159AbiKHOJT (ORCPT ); Tue, 8 Nov 2022 09:09:19 -0500 Received: from ams.source.kernel.org (ams.source.kernel.org [145.40.68.75]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 286EABF7 for ; Tue, 8 Nov 2022 06:09:19 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id C77F4B81AF7 for ; Tue, 8 Nov 2022 14:09:17 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id E09C1C433B5; Tue, 8 Nov 2022 14:09:15 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1667916556; bh=WU6TAw4mouUDecrmHg5Fci0NCHJslXhqqT+K7JkslzA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=zb3MDmREJah+MhFEQgmoDORnxQ2irlMyOnF0EgtbqJGjCjea3ZjuE8Oyusl/0xogu Ks7f/yWML89q54PQxLeC5U49KjVjKtnnmoNsZNS3QYGmYuvBRLLSnHBolh7qXeevL8 tgjpUs08vEfZCsR9JGP8G6rUN3ECaRPqUyVBUyhw= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com, Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 6.0 030/197] netfilter: nf_tables: netlink notifier might race to release objects Date: Tue, 8 Nov 2022 14:37:48 +0100 Message-Id: <20221108133356.176967212@linuxfoundation.org> X-Mailer: git-send-email 2.38.1 In-Reply-To: <20221108133354.787209461@linuxfoundation.org> References: <20221108133354.787209461@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Pablo Neira Ayuso [ Upstream commit d4bc8271db21ea9f1c86a1ca4d64999f184d4aae ] commit release path is invoked via call_rcu and it runs lockless to release the objects after rcu grace period. The netlink notifier handler might win race to remove objects that the transaction context is still referencing from the commit release path. Call rcu_barrier() to ensure pending rcu callbacks run to completion if the list of transactions to be destroyed is not empty. Fixes: 6001a930ce03 ("netfilter: nftables: introduce table ownership") Reported-by: syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_tables_api.c | 2 ++ 1 file changed, 2 insertions(+) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 5897afd12466..cc598504bc10 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -10030,6 +10030,8 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event, nft_net = nft_pernet(net); deleted = 0; mutex_lock(&nft_net->commit_mutex); + if (!list_empty(&nf_tables_destroy_list)) + rcu_barrier(); again: list_for_each_entry(table, &nft_net->tables, list) { if (nft_table_has_owner(table) && -- 2.35.1