From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Pablo Neira Ayuso <pablo@netfilter.org>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 65/96] netfilter: nf_tables: reject unbound anonymous set before commit phase
Date: Mon, 26 Jun 2023 20:12:20 +0200 [thread overview]
Message-ID: <20230626180749.643671404@linuxfoundation.org> (raw)
In-Reply-To: <20230626180746.943455203@linuxfoundation.org>
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 938154b93be8cd611ddfd7bafc1849f3c4355201 ]
Add a new list to track set transaction and to check for unbound
anonymous sets before entering the commit phase.
Bail out at the end of the transaction handling if an anonymous set
remains unbound.
Fixes: 96518518cc41 ("netfilter: add nftables")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables.h | 3 +++
net/netfilter/nf_tables_api.c | 35 ++++++++++++++++++++++++++++---
2 files changed, 35 insertions(+), 3 deletions(-)
diff --git a/include/net/netfilter/nf_tables.h b/include/net/netfilter/nf_tables.h
index 603c156da210b..7da74b9428b9f 100644
--- a/include/net/netfilter/nf_tables.h
+++ b/include/net/netfilter/nf_tables.h
@@ -1503,6 +1503,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
* struct nft_trans - nf_tables object update in transaction
*
* @list: used internally
+ * @binding_list: list of objects with possible bindings
* @msg_type: message type
* @put_net: ctx->net needs to be put
* @ctx: transaction context
@@ -1510,6 +1511,7 @@ static inline void nft_set_elem_clear_busy(struct nft_set_ext *ext)
*/
struct nft_trans {
struct list_head list;
+ struct list_head binding_list;
int msg_type;
bool put_net;
struct nft_ctx ctx;
@@ -1648,6 +1650,7 @@ static inline int nft_request_module(struct net *net, const char *fmt, ...) { re
struct nftables_pernet {
struct list_head tables;
struct list_head commit_list;
+ struct list_head binding_list;
struct list_head module_list;
struct list_head notify_list;
struct mutex commit_mutex;
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c4e3aaeeb795c..010ef3bce9e5f 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -153,6 +153,7 @@ static struct nft_trans *nft_trans_alloc_gfp(const struct nft_ctx *ctx,
return NULL;
INIT_LIST_HEAD(&trans->list);
+ INIT_LIST_HEAD(&trans->binding_list);
trans->msg_type = msg_type;
trans->ctx = *ctx;
@@ -165,9 +166,15 @@ static struct nft_trans *nft_trans_alloc(const struct nft_ctx *ctx,
return nft_trans_alloc_gfp(ctx, msg_type, size, GFP_KERNEL);
}
-static void nft_trans_destroy(struct nft_trans *trans)
+static void nft_trans_list_del(struct nft_trans *trans)
{
list_del(&trans->list);
+ list_del(&trans->binding_list);
+}
+
+static void nft_trans_destroy(struct nft_trans *trans)
+{
+ nft_trans_list_del(trans);
kfree(trans);
}
@@ -359,6 +366,14 @@ static void nft_trans_commit_list_add_tail(struct net *net, struct nft_trans *tr
{
struct nftables_pernet *nft_net = nft_pernet(net);
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSET:
+ if (!nft_trans_set_update(trans) &&
+ nft_set_is_anonymous(nft_trans_set(trans)))
+ list_add_tail(&trans->binding_list, &nft_net->binding_list);
+ break;
+ }
+
list_add_tail(&trans->list, &nft_net->commit_list);
}
@@ -8565,7 +8580,7 @@ static void nf_tables_trans_destroy_work(struct work_struct *w)
synchronize_rcu();
list_for_each_entry_safe(trans, next, &head, list) {
- list_del(&trans->list);
+ nft_trans_list_del(trans);
nft_commit_release(trans);
}
}
@@ -8883,6 +8898,19 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
return 0;
}
+ list_for_each_entry(trans, &nft_net->binding_list, binding_list) {
+ switch (trans->msg_type) {
+ case NFT_MSG_NEWSET:
+ if (!nft_trans_set_update(trans) &&
+ nft_set_is_anonymous(nft_trans_set(trans)) &&
+ !nft_trans_set_bound(trans)) {
+ pr_warn_once("nftables ruleset with unbound set\n");
+ return -EINVAL;
+ }
+ break;
+ }
+ }
+
/* 0. Validate ruleset, otherwise roll back for error reporting. */
if (nf_tables_validate(net) < 0)
return -EAGAIN;
@@ -9356,7 +9384,7 @@ static int __nf_tables_abort(struct net *net, enum nfnl_abort_action action)
list_for_each_entry_safe_reverse(trans, next,
&nft_net->commit_list, list) {
- list_del(&trans->list);
+ nft_trans_list_del(trans);
nf_tables_abort_release(trans);
}
@@ -10129,6 +10157,7 @@ static int __net_init nf_tables_init_net(struct net *net)
INIT_LIST_HEAD(&nft_net->tables);
INIT_LIST_HEAD(&nft_net->commit_list);
+ INIT_LIST_HEAD(&nft_net->binding_list);
INIT_LIST_HEAD(&nft_net->module_list);
INIT_LIST_HEAD(&nft_net->notify_list);
mutex_init(&nft_net->commit_mutex);
--
2.39.2
next prev parent reply other threads:[~2023-06-26 18:41 UTC|newest]
Thread overview: 104+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-06-26 18:11 [PATCH 5.15 00/96] 5.15.119-rc1 review Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 01/96] drm/amd/display: fix the system hang while disable PSR Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 02/96] tracing: Add tracing_reset_all_online_cpus_unlocked() function Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 03/96] tpm, tpm_tis: Claim locality in interrupt handler Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 04/96] drm/amd/display: Add minimal pipe split transition state Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 05/96] drm/amd/display: Use dc_update_planes_and_stream Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 06/96] drm/amd/display: Add wrapper to call planes and stream update Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 07/96] tick/common: Align tick period during sched_timer setup Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 08/96] selftests: mptcp: lib: skip if missing symbol Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 09/96] selftests: mptcp: lib: skip if not below kernel version Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 10/96] selftests/mount_setattr: fix redefine struct mount_attr build error Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 11/96] selftests: mptcp: pm nl: remove hardcoded default limits Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 12/96] selftests: mptcp: join: use iptables-legacy if available Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 13/96] selftests: mptcp: join: skip check if MIB counter not supported Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 14/96] nilfs2: fix buffer corruption due to concurrent device reads Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 15/96] ACPI: sleep: Avoid breaking S3 wakeup due to might_sleep() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 16/96] KVM: Avoid illegal stage2 mapping on invalid memory slot Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 17/96] Drivers: hv: vmbus: Call hv_synic_free() if hv_synic_alloc() fails Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 18/96] Drivers: hv: vmbus: Fix vmbus_wait_for_unload() to scan present CPUs Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 19/96] PCI: hv: Fix a race condition bug in hv_pci_query_relations() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 20/96] Revert "PCI: hv: Fix a timing issue which causes kdump to fail occasionally" Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 21/96] PCI: hv: Remove the useless hv_pcichild_state from struct hv_pci_dev Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 22/96] PCI: hv: Fix a race condition in hv_irq_unmask() that can cause panic Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 23/96] PCI: hv: Add a per-bus mutex state_lock Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 24/96] cgroup: Do not corrupt task iteration when rebinding subsystem Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 25/96] mmc: sdhci-msm: Disable broken 64-bit DMA on MSM8916 Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 26/96] mmc: meson-gx: remove redundant mmc_request_done() call from irq context Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 27/96] mmc: mmci: stm32: fix max busy timeout calculation Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 28/96] ip_tunnels: allow VXLAN/GENEVE to inherit TOS/TTL from VLAN Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 29/96] regulator: pca9450: Fix LDO3OUT and LDO4OUT MASK Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 30/96] regmap: spi-avmm: Fix regmap_bus max_raw_write Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 31/96] writeback: fix dereferencing NULL mapping->host on writeback_page_template Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 32/96] io_uring/net: save msghdr->msg_control for retries Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 33/96] io_uring/net: clear msg_controllen on partial sendmsg retry Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 34/96] io_uring/net: disable partial retries for recvmsg with cmsg Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 35/96] nilfs2: prevent general protection fault in nilfs_clear_dirty_page() Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 36/96] x86/mm: Avoid using set_pgd() outside of real PGD pages Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 37/96] memfd: check for non-NULL file_seals in memfd_create() syscall Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 38/96] mmc: meson-gx: fix deferred probing Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 39/96] ieee802154: hwsim: Fix possible memory leaks Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 40/96] xfrm: Treat already-verified secpath entries as optional Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 41/96] xfrm: interface: rename xfrm_interface.c to xfrm_interface_core.c Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 42/96] xfrm: Ensure policies always checked on XFRM-I input path Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 43/96] bpf: track immediate values written to stack by BPF_ST instruction Greg Kroah-Hartman
2023-06-26 18:11 ` [PATCH 5.15 44/96] bpf: Fix verifier id tracking of scalars on spill Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 45/96] xfrm: fix inbound ipv4/udp/esp packets to UDPv6 dualstack sockets Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 46/96] selftests: net: fcnal-test: check if FIPS mode is enabled Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 47/96] xfrm: Linearize the skb after offloading if needed Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 48/96] net: qca_spi: Avoid high load if QCA7000 is not available Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 49/96] mmc: mtk-sd: fix deferred probing Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 50/96] mmc: mvsdio: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 51/96] mmc: omap: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 52/96] mmc: omap_hsmmc: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 53/96] mmc: owl: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 54/96] mmc: sdhci-acpi: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 55/96] mmc: sh_mmcif: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 56/96] mmc: usdhi60rol0: " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 57/96] ipvs: align inner_mac_header for encapsulation Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 58/96] net: dsa: mt7530: fix trapping frames on non-MT7621 SoC MT7530 switch Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 59/96] net: dsa: mt7530: fix handling of BPDUs on " Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 60/96] be2net: Extend xmit workaround to BE3 chip Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 61/96] netfilter: nf_tables: fix chain binding transaction logic Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 62/96] netfilter: nf_tables: add NFT_TRANS_PREPARE_ERROR to deal with bound set/chain Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 63/96] netfilter: nft_set_pipapo: .walk does not deal with generations Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 64/96] netfilter: nf_tables: disallow element updates of bound anonymous sets Greg Kroah-Hartman
2023-06-26 18:12 ` Greg Kroah-Hartman [this message]
2023-06-26 18:12 ` [PATCH 5.15 66/96] netfilter: nf_tables: reject unbound chain set before commit phase Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 67/96] netfilter: nf_tables: disallow updates of anonymous sets Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 68/96] netfilter: nfnetlink_osf: fix module autoload Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 69/96] Revert "net: phy: dp83867: perform soft reset and retain established link" Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 70/96] bpf/btf: Accept function names that contain dots Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 71/96] selftests: forwarding: Fix race condition in mirror installation Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 72/96] sch_netem: acquire qdisc lock in netem_change() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 73/96] gpio: Allow per-parent interrupt data Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 74/96] gpiolib: Fix GPIO chip IRQ initialization restriction Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 75/96] gpio: sifive: add missing check for platform_get_irq Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 76/96] scsi: target: iscsi: Prevent login threads from racing between each other Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 77/96] HID: wacom: Add error check to wacom_parse_and_register() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 78/96] arm64: Add missing Set/Way CMO encodings Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 79/96] media: cec: core: dont set last_initiator if tx in progress Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 80/96] nfcsim.c: Fix error checking for debugfs_create_dir Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 81/96] usb: gadget: udc: fix NULL dereference in remove() Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 82/96] nvme: double KA polling frequency to avoid KATO with TBKAS on Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 83/96] Input: soc_button_array - add invalid acpi_index DMI quirk handling Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 84/96] s390/cio: unregister device when the only path is gone Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 85/96] spi: lpspi: disable lpspi module irq in DMA mode Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 86/96] ASoC: simple-card: Add missing of_node_put() in case of error Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 87/96] soundwire: dmi-quirks: add new mapping for HP Spectre x360 Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 88/96] ASoC: nau8824: Add quirk to active-high jack-detect Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 89/96] s390/purgatory: disable branch profiling Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 90/96] ARM: dts: Fix erroneous ADS touchscreen polarities Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 91/96] drm/exynos: vidi: fix a wrong error return Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 92/96] drm/exynos: fix race condition UAF in exynos_g2d_exec_ioctl Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 93/96] drm/radeon: fix race condition UAF in radeon_gem_set_domain_ioctl Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 94/96] vhost_net: revert upend_idx only on retriable error Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 95/96] x86/apic: Fix kernel panic when booting with intremap=off and x2apic_phys Greg Kroah-Hartman
2023-06-26 18:12 ` [PATCH 5.15 96/96] i2c: imx-lpi2c: fix type char overflow issue when calculating the clock cycle Greg Kroah-Hartman
2023-06-27 9:04 ` [PATCH 5.15 00/96] 5.15.119-rc1 review Jon Hunter
2023-06-27 20:09 ` Chris Paterson
2023-06-27 21:34 ` Guenter Roeck
2023-06-28 6:42 ` Naresh Kamboju
2023-06-28 7:27 ` Ron Economos
2023-06-28 17:38 ` Allen Pais
2023-07-21 23:29 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230626180749.643671404@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=pablo@netfilter.org \
--cc=patches@lists.linux.dev \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).