From: Greg Kroah-Hartman Date: Fri, 5 Apr 2024 10:06:44 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.15.154~98 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b30efd7d6a93b735de02caaaa2d59728b975dbe4;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch --- diff --git a/queue-4.19/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch b/queue-4.19/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch new file mode 100644 index 00000000000..02e49d19938 --- /dev/null +++ b/queue-4.19/netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch 
@@ -0,0 +1,58 @@ +From 24225011d81b471acc0e1e315b7d9905459a6304 Mon Sep 17 00:00:00 2001 +From: Ziyang Xuan +Date: Wed, 3 Apr 2024 15:22:04 +0800 +Subject: netfilter: nf_tables: Fix potential data-race in __nft_flowtable_type_get() + +From: Ziyang Xuan + +commit 24225011d81b471acc0e1e315b7d9905459a6304 upstream. + +nft_unregister_flowtable_type() within nf_flow_inet_module_exit() can +concurrent with __nft_flowtable_type_get() within nf_tables_newflowtable(). +And thhere is not any protection when iterate over nf_tables_flowtables +list in __nft_flowtable_type_get(). Therefore, there is pertential +data-race of nf_tables_flowtables list entry. + +Use list_for_each_entry_rcu() to iterate over nf_tables_flowtables list +in __nft_flowtable_type_get(), and use rcu_read_lock() in the caller +nft_flowtable_type_get() to protect the entire type query process. + +Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend") +Signed-off-by: Ziyang Xuan +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman +--- + net/netfilter/nf_tables_api.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -5721,11 +5721,12 @@ static int nf_tables_flowtable_parse_hoo + return err; + } + ++/* call under rcu_read_lock */ + static const struct nf_flowtable_type *__nft_flowtable_type_get(u8 family) + { + const struct nf_flowtable_type *type; + +- list_for_each_entry(type, &nf_tables_flowtables, list) { ++ list_for_each_entry_rcu(type, &nf_tables_flowtables, list) { + if (family == type->family) + return type; + } +@@ -5737,9 +5738,13 @@ nft_flowtable_type_get(struct net *net, + { + const struct nf_flowtable_type *type; + ++ rcu_read_lock(); + type = __nft_flowtable_type_get(family); +- if (type != NULL && try_module_get(type->owner)) ++ if (type != NULL && try_module_get(type->owner)) { ++ rcu_read_unlock(); + return type; ++ } ++ rcu_read_unlock(); + + 
lockdep_nfnl_nft_mutex_not_held(); + #ifdef CONFIG_MODULES diff --git a/queue-4.19/series b/queue-4.19/series index 219b644b9bc..89e2013465c 100644 --- a/queue-4.19/series +++ b/queue-4.19/series @@ -124,3 +124,4 @@ netfilter-nf_tables-disallow-timeout-for-anonymous-sets.patch net-rds-fix-possible-cp-null-dereference.patch revert-x86-mm-ident_map-use-gbpages-only-where-full-gb-page-should-be-mapped.patch mm-vmscan-prevent-infinite-loop-for-costly-gfp_noio-__gfp_retry_mayfail-allocations.patch +netfilter-nf_tables-fix-potential-data-race-in-__nft_flowtable_type_get.patch
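Review bot: In the __nft_flowtable_type_get() hunk, the new "/* call under rcu_read_lock */" comment states the locking rule but nothing enforces it. The switch to list_for_each_entry_rcu() also only closes the race described in the commit message if the writers modify nf_tables_flowtables with the RCU list primitives. Neither the register/unregister side nor any other caller appears in this diff. Before queuing for 4.19, confirm in that tree that nft_unregister_flowtable_type() and its register counterpart use list_del_rcu() / list_add_tail_rcu(), and that nft_flowtable_type_get() is the only caller of the helper.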
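Review bot: In the nft_flowtable_type_get() hunk, rcu_read_unlock() is now duplicated on the success return and on the fall-through path, so a later edit that adds another exit can easily leave the read-side section open. A single unlock would be easier to audit: set type to NULL when try_module_get(type->owner) fails, call rcu_read_unlock() once, then return type if it is non-NULL. It would also help to add a one-line comment saying that the returned pointer stays valid after the unlock only because of the module reference taken by try_module_get().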