git.ipfire.org Git - thirdparty/kernel/stable.git/commit
netfilter: nf_tables: don't skip inactive chains during update
author Florian Westphal <fw@strlen.de>
Wed, 31 Oct 2018 17:26:20 +0000 (18:26 +0100)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 17 Dec 2018 08:24:31 +0000 (09:24 +0100)
commit 8fe8940ffcf6984dcf69e5c869aaf244f6d1742b
tree a2981f0796aa069c8f72e872db6e3290a3f65fc5
parent 4a3b49f0ced5b86999b9e9ae8f06dbdf3b0ea400
netfilter: nf_tables: don't skip inactive chains during update

[ Upstream commit 0fb39bbe43d4481fcf300d2b5822de60942fd189 ]

There is no synchronization between packet path and the configuration plane.

The packet path uses two arrays with rules, one contains the current (active)
generation.  The other either contains the last (obsolete) generation or
the future one.

Consider:
cpu1               cpu2
                   nft_do_chain(c);
delete c
net->gen++;
                   genbit = !!net->gen;
                   rules = c->rg[genbit];

cpu1 ignores c when updating if c is not active anymore in the new
generation.

On cpu2, we now use rules from the wrong generation, as c->rg[old]
contains the rules matching 'c' whereas c->rg[new] was not updated and
can even point to rules that have been free'd already, causing a crash.

To fix this, make sure that the 'current' and the 'next' generation are
identical for chains that are going away so that c->rg[new] will just
use the matching rules even if genbit was incremented already.

Fixes: 0cbc06b3faba7 ("netfilter: nf_tables: remove synchronize_rcu in commit phase")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
net/netfilter/nf_tables_api.c
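
The interleaving described in the commit message, replayed in an added user-space model (not the kernel code and not part of the original commit). `struct chain`, `commit()`, `packet_sees_live_rules()` and the sample rule arrays are hypothetical, and the generation bit is assumed to be the low bit of the counter.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified user-space model of the race; all names are hypothetical
 * stand-ins, not the kernel's data structures. */
struct chain {
    const int *rg[2];    /* rule arrays, indexed by generation bit */
    bool active_next;    /* false once the chain is deleted in the next generation */
};

static const int live_rules[]  = { 1, 2, 3 };  /* constructed: rules matching 'c' */
static const int stale_rules[] = { -1 };       /* constructed: stands in for an obsolete, freed array */

/* Packet path (cpu2): sample the generation bit, then pick the array. */
static const int *packet_path_rules(unsigned gen, const struct chain *c)
{
    return c->rg[gen & 1];   /* assumption: genbit is the low bit of gen */
}

/* Configuration plane (cpu1): publish the next generation. */
static void commit(unsigned *gen, struct chain *c, const int *new_rules, bool with_fix)
{
    unsigned cur = *gen & 1, next = cur ^ 1;
    if (c->active_next)
        c->rg[next] = new_rules;      /* normal update */
    else if (with_fix)
        c->rg[next] = c->rg[cur];     /* chain going away: next == current */
    /* without the fix an inactive chain is skipped and rg[next] stays stale */
    (*gen)++;
}

/* Replays the interleaving from the commit message; returns true when the
 * packet path ends up with the rules that match 'c'. */
static bool packet_sees_live_rules(bool with_fix)
{
    unsigned gen = 0;
    struct chain c = { { live_rules, stale_rules }, true };
    /* cpu2 has entered nft_do_chain(c) but not yet read the generation */
    c.active_next = false;                 /* cpu1: delete c */
    commit(&gen, &c, NULL, with_fix);      /* cpu1: net->gen++ */
    return packet_path_rules(gen, &c) == live_rules;   /* cpu2: rules = c->rg[genbit] */
}

int main(void)
{
    printf("without fix: %s\n", packet_sees_live_rules(false) ? "live" : "stale");
    printf("with fix:    %s\n", packet_sees_live_rules(true) ? "live" : "stale");
    return 0;
}
```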