From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: gregkh@linuxfoundation.org, sashal@kernel.org, stable@vger.kernel.org
Subject: [PATCH -stable,4.19.x 21/40] netfilter: nf_tables: unregister flowtable hooks on netns exit
Date: Thu, 13 Jun 2024 03:01:50 +0200 [thread overview]
Message-ID: <20240613010209.104423-22-pablo@netfilter.org> (raw)
In-Reply-To: <20240613010209.104423-1-pablo@netfilter.org>
commit 6069da443bf65f513bb507bb21e2f87cfb1ad0b6 upstream.
Unregister flowtable hooks before they are releases via
nf_tables_flowtable_destroy() otherwise hook core reports UAF.
BUG: KASAN: use-after-free in nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
Read of size 4 at addr ffff8880736f7438 by task syz-executor579/3666
CPU: 0 PID: 3666 Comm: syz-executor579 Not tainted 5.16.0-rc5-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:88 [inline]
__dump_stack lib/dump_stack.c:88 [inline] lib/dump_stack.c:106
dump_stack_lvl+0x1dc/0x2d8 lib/dump_stack.c:106 lib/dump_stack.c:106
print_address_description+0x65/0x380 mm/kasan/report.c:247 mm/kasan/report.c:247
__kasan_report mm/kasan/report.c:433 [inline]
__kasan_report mm/kasan/report.c:433 [inline] mm/kasan/report.c:450
kasan_report+0x19a/0x1f0 mm/kasan/report.c:450 mm/kasan/report.c:450
nf_hook_entries_grow+0x5a7/0x700 net/netfilter/core.c:142 net/netfilter/core.c:142
__nf_register_net_hook+0x27e/0x8d0 net/netfilter/core.c:429 net/netfilter/core.c:429
nf_register_net_hook+0xaa/0x180 net/netfilter/core.c:571 net/netfilter/core.c:571
nft_register_flowtable_net_hooks+0x3c5/0x730 net/netfilter/nf_tables_api.c:7232 net/netfilter/nf_tables_api.c:7232
nf_tables_newflowtable+0x2022/0x2cf0 net/netfilter/nf_tables_api.c:7430 net/netfilter/nf_tables_api.c:7430
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline]
nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline] net/netfilter/nfnetlink.c:652
nfnetlink_rcv_skb_batch net/netfilter/nfnetlink.c:634 [inline] net/netfilter/nfnetlink.c:652
nfnetlink_rcv+0x10e6/0x2550 net/netfilter/nfnetlink.c:652 net/netfilter/nfnetlink.c:652
__nft_release_hook() calls nft_unregister_flowtable_net_hooks() which
only unregisters the hooks, then after RCU grace period, it is
guaranteed that no packets add new entries to the flowtable (no flow
offload rules and flowtable hooks are reachable from packet path), so it
is safe to call nf_flow_table_free() which cleans up the remaining
entries from the flowtable (both software and hardware) and it unbinds
the flow_block.
Fixes: ff4bf2f42a40 ("netfilter: nf_tables: add nft_unregister_flowtable_hook()")
Reported-by: syzbot+e918523f77e62790d6d9@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 1f303d29597e..719b30d6ec64 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7863,6 +7863,8 @@ static void __nft_release_table(struct net *net, struct nft_table *table)
list_for_each_entry(chain, &table->chains, list)
nf_tables_unregister_hook(net, table, chain);
+ list_for_each_entry(flowtable, &table->flowtables, list)
+ nft_unregister_flowtable_net_hooks(net, flowtable);
/* No packets are walking on these chains anymore. */
ctx.table = table;
list_for_each_entry(chain, &table->chains, list) {
--
2.30.2
next prev parent reply other threads:[~2024-06-13 1:02 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-13 1:01 [PATCH -stable,4.19.x 00/40] Netfilter fixes for -stable Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 01/40] netfilter: nf_tables: pass context to nft_set_destroy() Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 02/40] netfilter: nftables: rename set element data activation/deactivation functions Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 03/40] netfilter: nf_tables: drop map element references from preparation phase Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 04/40] netfilter: nft_set_rbtree: allow loose matching of closing element in interval Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 05/40] netfilter: nft_set_rbtree: Add missing expired checks Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 06/40] netfilter: nft_set_rbtree: Switch to node list walk for overlap detection Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 07/40] netfilter: nft_set_rbtree: fix null deref on element insertion Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 08/40] netfilter: nft_set_rbtree: fix overlap expiration walk Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 09/40] netfilter: nf_tables: don't skip expired elements during walk Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 10/40] netfilter: nf_tables: GC transaction API to avoid race with control plane Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 11/40] netfilter: nf_tables: adapt set backend to use GC transaction API Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 12/40] netfilter: nf_tables: remove busy mark and gc batch API Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 13/40] netfilter: nf_tables: fix GC transaction races with netns and netlink event exit path Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 14/40] netfilter: nf_tables: GC transaction race with netns dismantle Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 15/40] netfilter: nf_tables: GC transaction race with abort path Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 16/40] netfilter: nf_tables: defer gc run if previous batch is still pending Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 17/40] netfilter: nft_set_rbtree: skip sync GC for new elements in this transaction Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 18/40] netfilter: nft_set_rbtree: use read spinlock to avoid datapath contention Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 19/40] netfilter: nft_set_hash: try later when GC hits EAGAIN on iteration Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 20/40] netfilter: nf_tables: fix memleak when more than 255 elements expired Pablo Neira Ayuso
2024-06-13 1:01 ` Pablo Neira Ayuso [this message]
2024-06-13 1:01 ` [PATCH -stable,4.19.x 22/40] netfilter: nf_tables: double hook unregistration in netns path Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 23/40] netfilter: nftables: update table flags from the commit phase Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 24/40] netfilter: nf_tables: fix table flag updates Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 25/40] netfilter: nf_tables: disable toggling dormant table state more than once Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 26/40] netfilter: nf_tables: bogus EBUSY when deleting flowtable after flush (for 4.19) Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 27/40] netfilter: nft_dynset: fix timeouts later than 23 days Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 28/40] netfilter: nftables: exthdr: fix 4-byte stack OOB write Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 29/40] netfilter: nft_dynset: report EOPNOTSUPP on missing set feature Pablo Neira Ayuso
2024-06-13 1:01 ` [PATCH -stable,4.19.x 30/40] netfilter: nft_dynset: relax superfluous check on set updates Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 31/40] netfilter: nf_tables: mark newset as dead on transaction abort Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 32/40] netfilter: nf_tables: skip dead set elements in netlink dump Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 33/40] netfilter: nf_tables: validate NFPROTO_* family Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 34/40] netfilter: nft_set_rbtree: skip end interval element from gc Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 35/40] netfilter: nf_tables: set dormant flag on hook register failure Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 36/40] netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 37/40] netfilter: nf_tables: do not compare internal table flags on updates Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 38/40] netfilter: nf_tables: mark set as dead when unbinding anonymous set with timeout Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 39/40] netfilter: nf_tables: reject new basechain after table flag update Pablo Neira Ayuso
2024-06-13 1:02 ` [PATCH -stable,4.19.x 40/40] netfilter: nf_tables: discard table flag update with pending basechain deletion Pablo Neira Ayuso
2024-06-13 6:43 ` [PATCH -stable,4.19.x 00/40] Netfilter fixes for -stable Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240613010209.104423-22-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=gregkh@linuxfoundation.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox