git.ipfire.org Git - thirdparty/linux.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 6 Mar 2025 03:05:26 +0000 (04:05 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 6 Mar 2025 12:35:54 +0000 (13:35 +0100)
commit	fb8286562ecfb585e26b033c5e32e6fb85efb0b3
tree	1da5bd98aa3a39080648a86132374cfde8dbe156	tree
parent	df08c94baafb001de6cf44bb7098bb557f36c335	commit \| diff

netfilter: nf_tables: make destruction work queue pernet

The call to flush_work before tearing down a table from the netlink
notifier was supposed to make sure that all earlier updates (e.g. rule
add) that might reference that table have been processed.

Unfortunately, flush_work() waits for the last queued instance.
This could be an instance that is different from the one that we must
wait for.

This is because transactions are protected with a pernet mutex, but the
work item is global, so holding the transaction mutex doesn't prevent
another netns from queueing more work.

Make the work item pernet so that flush_work() will wait for all
transactions queued from this netns.

A welcome side effect is that we no longer need to wait for transaction
objects from foreign netns.

The gc work queue is still global. This seems to be ok because nft_set
structures are reference counted and each container structure owns a
reference on the net namespace.

The destroy_list is still protected by a global spinlock rather than
pernet one but the hold time is very short anyway.

v2: call cancel_work_sync before reaping the remaining tables (Pablo).

Fixes: 9f6958ba2e90 ("netfilter: nf_tables: unconditionally flush pending work before notifier")
Reported-by: syzbot+5d8c5789c8cb076b2c25@syzkaller.appspotmail.com
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

include/net/netfilter/nf_tables.h		diff \| blob \| blame \| history
net/netfilter/nf_tables_api.c		diff \| blob \| blame \| history
net/netfilter/nft_compat.c		diff \| blob \| blame \| history