]> git.ipfire.org Git - thirdparty/kernel/linux.git/commitdiff
projects / thirdparty / kernel / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: ee666a5)
netfilter: nf_tables: must hold rcu read lock while iterating object type list
authorFlorian Westphal <fw@strlen.de>
Mon, 4 Nov 2024 09:41:19 +0000 (10:41 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Tue, 5 Nov 2024 21:07:12 +0000 (22:07 +0100)
Update of stateful object triggers:
WARNING: suspicious RCU usage
net/netfilter/nf_tables_api.c:7759 RCU-list traversed in non-reader section!!

other info that might help us debug this:
rcu_scheduler_active = 2, debug_locks = 1
1 lock held by nft/3060:
 #0: ffff88810f0578c8 (&nft_net->commit_mutex){+.+.}-{4:4}, [..]

... but this list is not protected by the transaction mutex but the
nfnl nftables subsystem mutex.

Switch to nft_obj_type_get which will acquire rcu read lock,
bump refcount, and returns the result.

v3: Dan Carpenter points out nft_obj_type_get returns error pointer, not
NULL, on error.

Fixes: dad3bdeef45f ("netfilter: nf_tables: fix memory leak during stateful obj update").
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_api.c patch | blob | blame | history

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index de8e48a5c62d88707a9ae01c9dce8abe70e9fd4d..b7a817e483aa1ea0eb8b13c4b7d061632f9bccbd 100644 (file)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7809,9 +7809,7 @@ static int nf_tables_updobj(const struct nft_ctx *ctx,
        struct nft_trans *trans;
        int err = -ENOMEM;
 
-       if (!try_module_get(type->owner))
-               return -ENOENT;
-
+       /* caller must have obtained type->owner reference. */
        trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
                                sizeof(struct nft_trans_obj));
        if (!trans)
@@ -7879,15 +7877,16 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
                if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
                        return -EOPNOTSUPP;
 
-               type = __nft_obj_type_get(objtype, family);
-               if (WARN_ON_ONCE(!type))
-                       return -ENOENT;
-
                if (!obj->ops->update)
                        return 0;
 
+               type = nft_obj_type_get(net, objtype, family);
+               if (WARN_ON_ONCE(IS_ERR(type)))
+                       return PTR_ERR(type);
+
                nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
 
+               /* type->owner reference is put when transaction object is released. */
                return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
        }
 
A mirror of Linus' kernel repository