Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp2027055imu; Fri, 14 Dec 2018 04:44:03 -0800 (PST) X-Google-Smtp-Source: AFSGD/XYbZvdRnouL4Xr+QNFW7QlYxlx2xZ8RknJ757Vwf+lkCXKUqGMUC5An6bIKy+UIDxhjJdX X-Received: by 2002:a63:f658:: with SMTP id u24mr2583098pgj.267.1544791443844; Fri, 14 Dec 2018 04:44:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1544791443; cv=none; d=google.com; s=arc-20160816; b=AJAnQefJWxQcjMnqHwvB9+A9J30rbf/DkaqBSXP8nXQthJfL6tjTIcAzOqkgG2jR/F LnB1x120t6VcySysPxx3UNy+b70YFzPmF74FxpfLsDWFnY9+Pzisnn6Jo88ZjtwNdI80 VQTwfz9PUPT28mRoWVKs2V2GNV3+NCF9p3paER/6fiw4YiT4JUvMFcLtU99n2jfrAQcz Dr6bF42qOYqKDtTejRIjMIDG3fVw2JrW+kRoHC1GVlqwDGjFhn6pvO8EHhwYC5k6MJDV vRXYeRBl+JSuVimB9Ezw145b7DhYnT9RNR6JTOalok4+oOzGo9j3GZDV65A9QmNVfHrr njEA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=sf1LPuK0tl5LLDT4eDZNy6hhjWI6mE8J3jclN134GOo=; b=ziTVu8Mxzbmd5UXw/8+Lm8F7fDr6jqFUObpzV45+4Gjp81luHnbZLu7oZP68LaVBD6 Sh5VnEwltLhL67l5s2TLtfcacW0A/2rTzlAYsq8XXuaIUOouc5LzxDj9aBWd8h59PYbg jCKmyeaSJu758UUL2tljgMgwaXIeYmy8jjkwmLVn21ZrdwQP6Tr6ZeJi4yj2sRhWbByl NLxFKpWA01Xo29LxgTWIXN/ciopUfAbeFahtpDOMTOYpWt2UOxUd1PSRpia8O+8JsnaD WGfHeoSrlmApbbLrNnHrDlXilb4CZNJyvUDQow33p8C5//OqTcNvOFJNX8AX4XAjp3hH 67xw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=LCrMh5Jb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w7si4005284ply.421.2018.12.14.04.43.49; Fri, 14 Dec 2018 04:44:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=LCrMh5Jb; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730132AbeLNMCo (ORCPT + 99 others); Fri, 14 Dec 2018 07:02:44 -0500 Received: from mail.kernel.org ([198.145.29.99]:45704 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730102AbeLNMCl (ORCPT ); Fri, 14 Dec 2018 07:02:41 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 7F1942145D; Fri, 14 Dec 2018 12:02:40 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1544788961; bh=XrauvEOa53ikCGFVJHyx06BItSS9t0SpFyB/1npC0B0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LCrMh5JbR25Sh4o4lWoH+pNHs9qXXye9FMHldRmoziIOOPP6/mSerzAJsieZnroxL cTHkpSmD+M+GutzzCqZjrBhYJ2qe5mmN7F25HSIUMwGzoxa63T3g6aS/NY0HbXWL1d JLu4Qrv0J849Qr1FAHn2tHAhDww9wqo3Uu5xcsNk= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Florian Westphal , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.19 039/142] netfilter: nf_tables: dont skip inactive chains during update Date: Fri, 14 Dec 2018 12:58:44 +0100 Message-Id: <20181214115748.612121736@linuxfoundation.org> X-Mailer: git-send-email 2.20.0 In-Reply-To: <20181214115747.053633987@linuxfoundation.org> References: <20181214115747.053633987@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.19-stable review patch. If anyone has any objections, please let me know. ------------------ [ Upstream commit 0fb39bbe43d4481fcf300d2b5822de60942fd189 ] There is no synchronization between packet path and the configuration plane. The packet path uses two arrays with rules, one contains the current (active) generation. The other either contains the last (obsolete) generation or the future one. Consider: cpu1 cpu2 nft_do_chain(c); delete c net->gen++; genbit = !!net->gen; rules = c->rg[genbit]; cpu1 ignores c when updating if c is not active anymore in the new generation. On cpu2, we now use rules from wrong generation, as c->rg[old] contains the rules matching 'c' whereas c->rg[new] was not updated and can even point to rules that have been free'd already, causing a crash. To fix this, make sure that 'current' to the 'next' generation are identical for chains that are going away so that c->rg[new] will just use the matching rules even if genbit was incremented already. Fixes: 0cbc06b3faba7 ("netfilter: nf_tables: remove synchronize_rcu in commit phase") Signed-off-by: Florian Westphal Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin --- net/netfilter/nf_tables_api.c | 9 +++------ 1 file changed, 3 insertions(+), 6 deletions(-) diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 2cfb173cd0b2..4c016b49fe2b 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -6277,7 +6277,7 @@ static void nf_tables_commit_chain_free_rules_old(struct nft_rule **rules) call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); } -static void nf_tables_commit_chain_active(struct net *net, struct nft_chain *chain) +static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain) { struct nft_rule **g0, **g1; bool next_genbit; @@ -6363,11 +6363,8 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) /* step 2. Make rules_gen_X visible to packet path */ list_for_each_entry(table, &net->nft.tables, list) { - list_for_each_entry(chain, &table->chains, list) { - if (!nft_is_active_next(net, chain)) - continue; - nf_tables_commit_chain_active(net, chain); - } + list_for_each_entry(chain, &table->chains, list) + nf_tables_commit_chain(net, chain); } /* -- 2.19.1