[thirdparty/kernel/stable-queue.git] / releases / 6.6.26 / netfilter-nf_tables-release-mutex-after-nft_gc_seq_end-from-abort-path.patch

From 0d459e2ffb541841714839e8228b845458ed3b27 Mon Sep 17 00:00:00 2001
From: Pablo Neira Ayuso <pablo@netfilter.org>
Date: Thu, 28 Mar 2024 14:23:55 +0100
Subject: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path

From: Pablo Neira Ayuso <pablo@netfilter.org>

commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream.

The commit mutex should not be released during the critical section
between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
worker could collect expired objects and get the released commit lock
within the same GC sequence.

nf_tables_module_autoload() temporarily releases the mutex to load
module dependencies, then it goes back to replay the transaction again.
Move it at the end of the abort phase after nft_gc_seq_end() is called.

Cc: stable@vger.kernel.org
Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
Reported-by: Kuan-Ting Chen <hexrabbit@devco.re>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/netfilter/nf_tables_api.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10518,11 +10518,6 @@ static int __nf_tables_abort(struct net
 		nf_tables_abort_release(trans);
 	}
 
-	if (action == NFNL_ABORT_AUTOLOAD)
-		nf_tables_module_autoload(net);
-	else
-		nf_tables_module_autoload_cleanup(net);
-
 	return err;
 }
 
@@ -10539,6 +10534,14 @@ static int nf_tables_abort(struct net *n
 
 	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
 
+	/* module autoload needs to happen after GC sequence update because it
+	 * temporarily releases and grabs mutex again.
+	 */
+	if (action == NFNL_ABORT_AUTOLOAD)
+		nf_tables_module_autoload(net);
+	else
+		nf_tables_module_autoload_cleanup(net);
+
 	mutex_unlock(&nft_net->commit_mutex);
 
 	return ret;
Commit	Line	Data
f70185e4 GKH	1	From 0d459e2ffb541841714839e8228b845458ed3b27 Mon Sep 17 00:00:00 2001
	2	From: Pablo Neira Ayuso <pablo@netfilter.org>
	3	Date: Thu, 28 Mar 2024 14:23:55 +0100
	4	Subject: netfilter: nf_tables: release mutex after nft_gc_seq_end from abort path
	5
	6	From: Pablo Neira Ayuso <pablo@netfilter.org>
	7
	8	commit 0d459e2ffb541841714839e8228b845458ed3b27 upstream.
	9
	10	The commit mutex should not be released during the critical section
	11	between nft_gc_seq_begin() and nft_gc_seq_end(), otherwise, async GC
	12	worker could collect expired objects and get the released commit lock
	13	within the same GC sequence.
	14
	15	nf_tables_module_autoload() temporarily releases the mutex to load
	16	module dependencies, then it goes back to replay the transaction again.
	17	Move it at the end of the abort phase after nft_gc_seq_end() is called.
	18
	19	Cc: stable@vger.kernel.org
	20	Fixes: 720344340fb9 ("netfilter: nf_tables: GC transaction race with abort path")
	21	Reported-by: Kuan-Ting Chen <hexrabbit@devco.re>
	22	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	23	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	24	---
	25	net/netfilter/nf_tables_api.c \| 13 ++++++++-----
	26	1 file changed, 8 insertions(+), 5 deletions(-)
	27
	28	--- a/net/netfilter/nf_tables_api.c
	29	+++ b/net/netfilter/nf_tables_api.c
	30	@@ -10518,11 +10518,6 @@ static int __nf_tables_abort(struct net
	31	nf_tables_abort_release(trans);
	32	}
	33
	34	- if (action == NFNL_ABORT_AUTOLOAD)
	35	- nf_tables_module_autoload(net);
	36	- else
	37	- nf_tables_module_autoload_cleanup(net);
	38	-
	39	return err;
	40	}
	41
	42	@@ -10539,6 +10534,14 @@ static int nf_tables_abort(struct net *n
	43
	44	WARN_ON_ONCE(!list_empty(&nft_net->commit_list));
	45
	46	+ /* module autoload needs to happen after GC sequence update because it
	47	+ * temporarily releases and grabs mutex again.
	48	+ */
	49	+ if (action == NFNL_ABORT_AUTOLOAD)
	50	+ nf_tables_module_autoload(net);
	51	+ else
	52	+ nf_tables_module_autoload_cleanup(net);
	53	+
	54	mutex_unlock(&nft_net->commit_mutex);
	55
	56	return ret;