4.19-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Apr 2024 10:06:44 +0000 (12:06 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 5 Apr 2024 10:06:44 +0000 (12:06 +0200)
added patches:
netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch

queue-4.19/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch [new file with mode: 0644]
queue-4.19/series

diff --git a/queue-4.19/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch b/queue-4.19/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch
new file mode 100644 (file)
index 0000000..02e49d1
--- /dev/null
@@ -0,0 +1,58 @@
+From 24225011d81b471acc0e1e315b7d9905459a6304 Mon Sep 17 00:00:00 2001
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+Date: Wed, 3 Apr 2024 15:22:04 +0800
+Subject: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get()
+
+From: Ziyang Xuan <william.xuanziyang@huawei.com>
+
+commit 24225011d81b471acc0e1e315b7d9905459a6304 upstream.
+
+nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can
+concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable().
+And thhere is not any protection when iterate over nf_tables_flowtables
+list in __nft_flowtable_type_get(). Therefore, there is pertential
+data-race of nf_tables_flowtables list entry.
+
+Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list
+in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller
+nft_flowtable_type_get() to protect the entire type query process.
+
+Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
+Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/netfilter/nf_tables_api.c |    9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -5721,11 +5721,12 @@ static int nf_tables_flowtable_parse_hoo
+       return err;
+ }
++/* call under rcu_read_lock */
+ static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family)
+ {
+       const struct nf_flowtable_type *type;
+-      list_for_each_entry(type, &nf_tables_flowtables, list) {
++      list_for_each_entry_rcu(type, &nf_tables_flowtables, list) {
+               if (family == type->family)
+                       return type;
+       }
+@@ -5737,9 +5738,13 @@ nft_flowtable_type_get(struct net *net,
+ {
+       const struct nf_flowtable_type *type;
++      rcu_read_lock();
+       type = __nft_flowtable_type_get(family);
+-      if (type != NULL && try_module_get(type->owner))
++      if (type != NULL && try_module_get(type->owner)) {
++              rcu_read_unlock();
+               return type;
++      }
++      rcu_read_unlock();
+       lockdep_nfnl_nft_mutex_not_held();
+ #ifdef CONFIG_MODULES
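Review bot: The comment added above `__nft_flowtable_type_get()` states the locking rule but not why `nft_flowtable_type_get()` may keep using the result after `rcu_read_unlock()`. The pointer is returned past the unlock only on the path where `try_module_get(type->owner)` succeeded inside the read-side section, so I would spell that out: `/* Caller must hold rcu_read_lock(); the result may be used after unlock only once try_module_get() has pinned type->owner. */`. The body of `nft_flowtable_type_get()` continues past the `#ifdef CONFIG_MODULES` line that ends the hunk. If the 4.19 tree looks the type up a second time in that branch after requesting the module, that call would sit outside the new read-side section and would need its own `rcu_read_lock()`/`rcu_read_unlock()` pair; this is worth checking against the target tree for this backport.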
index 219b644b9bca270f693c0915e5efd9a448a05878..89e2013465c714bc3d18d6a9b786b26324764f06 100644 (file)
@@ -124,3 +124,4 @@ netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch
 net-rds-fix-possible-cp-null-dereference.patch
 revert-x86-mm-ident_map-use-gbpages-only-where-full-gb-page-should-be-mapped.patch
 mm-vmscan-prevent-infinite-loop-for-costly-gfp_noio-__gfp_retry_mayfail-allocations.patch
+netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch