From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Laura Garcia Liebana, Pablo Neira Ayuso
Subject: [PATCH 5.11 082/122] netfilter: nftables: clone set element expression template
Date: Mon, 19 Apr 2021 15:06:02 +0200
Message-Id: <20210419130532.947852656@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210419130530.166331793@linuxfoundation.org>
References: <20210419130530.166331793@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: X-Mailing-List: linux-kernel@vger.kernel.org
From: Pablo Neira Ayuso

commit 4d8f9065830e526c83199186c5f56a6514f457d2 upstream.

memcpy() breaks when using connlimit in set elements. Use nft_expr_clone() to initialize the connlimit expression list, otherwise connlimit garbage collector crashes when walking on the list head copy.

[  493.064656] Workqueue: events_power_efficient nft_rhash_gc [nf_tables]
[  493.064685] RIP: 0010:find_or_evict+0x5a/0x90 [nf_conncount]
[  493.064694] Code: 2b 43 40 83 f8 01 77 0d 48 c7 c0 f5 ff ff ff 44 39 63 3c 75 df 83 6d 18 01 48 8b 43 08 48 89 de 48 8b 13 48 8b 3d ee 2f 00 00 <48> 89 42 08 48 89 10 48 b8 00 01 00 00 00 00 ad de 48 89 03 48 83
[  493.064699] RSP: 0018:ffffc90000417dc0 EFLAGS: 00010297
[  493.064704] RAX: 0000000000000000 RBX: ffff888134f38410 RCX: 0000000000000000
[  493.064708] RDX: 0000000000000000 RSI: ffff888134f38410 RDI: ffff888100060cc0
[  493.064711] RBP: ffff88812ce594a8 R08: ffff888134f38438 R09: 00000000ebb9025c
[  493.064714] R10: ffffffff8219f838 R11: 0000000000000017 R12: 0000000000000001
[  493.064718] R13: ffffffff82146740 R14: ffff888134f38410 R15: 0000000000000000
[  493.064721] FS:  0000000000000000(0000) GS:ffff88840e440000(0000) knlGS:0000000000000000
[  493.064725] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  493.064729] CR2: 0000000000000008 CR3: 00000001330aa002 CR4: 00000000001706e0
[  493.064733] Call Trace:
[  493.064737]  nf_conncount_gc_list+0x8f/0x150 [nf_conncount]
[  493.064746]  nft_rhash_gc+0x106/0x390 [nf_tables]

Reported-by: Laura Garcia Liebana
Fixes: 409444522976 ("netfilter: nf_tables: add elements with stateful expressions")
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Greg Kroah-Hartman
---
 net/netfilter/nf_tables_api.c | 46 +++++++++++++++++++++++++++++++-----------
 1 file changed, 34 insertions(+), 12 deletions(-)

--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5263,16 +5263,35 @@ err_expr: return -ENOMEM; } -static void nft_set_elem_expr_setup(const struct nft_set_ext *ext, int i, - struct nft_expr *expr_array[]) +static int nft_set_elem_expr_setup(struct nft_ctx *ctx, + const struct nft_set_ext *ext, + struct nft_expr *expr_array[], + u32 num_exprs) { struct nft_set_elem_expr *elem_expr = nft_set_ext_expr(ext); - struct nft_expr *expr = nft_setelem_expr_at(elem_expr, elem_expr->size); + struct nft_expr *expr; + int i, err; - memcpy(expr, expr_array[i], expr_array[i]->ops->size); - elem_expr->size += expr_array[i]->ops->size; - kfree(expr_array[i]); - expr_array[i] = NULL; + for (i = 0; i < num_exprs; i++) { + expr = nft_setelem_expr_at(elem_expr, elem_expr->size); + err = nft_expr_clone(expr, expr_array[i]); + if (err < 0) + goto err_elem_expr_setup; + + elem_expr->size += expr_array[i]->ops->size; + nft_expr_destroy(ctx, expr_array[i]); + expr_array[i] = NULL; + } + + return 0; + +err_elem_expr_setup: + for (; i < num_exprs; i++) { + nft_expr_destroy(ctx, expr_array[i]); + expr_array[i] = NULL; + } + + return -ENOMEM; } static int nft_add_set_elem(struct nft_ctx *ctx, struct nft_set *set, @@ -5524,12 +5543,15 @@ static int nft_add_set_elem(struct nft_c *nft_set_ext_obj(ext) = obj; obj->use++; } - for (i = 0; i < num_exprs; i++) - nft_set_elem_expr_setup(ext, i, expr_array); + err = nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs); + if (err < 0) + goto err_elem_expr; trans = nft_trans_elem_alloc(ctx, NFT_MSG_NEWSETELEM, set); - if (trans == NULL) - goto err_trans; + if (trans == NULL) { + err = -ENOMEM; + goto err_elem_expr; + } ext->genmask = nft_genmask_cur(ctx->net) | NFT_SET_ELEM_BUSY_MASK; err = set->ops->insert(ctx->net, set, &elem, &ext2); @@ -5573,7 +5595,7 @@ err_set_full: set->ops->remove(ctx->net, set, &elem); err_element_clash: kfree(trans); -err_trans: +err_elem_expr: if (obj) obj->use--;
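Review bot: In the first hunk (nft_set_elem_expr_setup, @@ -5263), the err_elem_expr_setup path discards the value that nft_expr_clone() returned and always reports -ENOMEM; since `err` is already captured by `err = nft_expr_clone(expr, expr_array[i]);`, ending the function with `return err;` would preserve the real cause of the failure. A smaller point in the same hunk: `i` is declared `int` while `num_exprs` is `u32`, so `i < num_exprs` is a signed/unsigned comparison that some builds warn about; declaring `i` as `u32` avoids it. The substantive change, replacing memcpy() with nft_expr_clone(), is the right one: a bitwise copy of an expression that embeds a list head (connlimit) leaves the element's copy pointing at the template's list nodes, which is exactly what the garbage collector then walks once the template has been freed, hence the crash in the commit message. One thing to confirm against the caller: the cleanup loop starts at the failing index and only destroys the expr_array entries that were not yet consumed, so any expressions already cloned into elem_expr before the failure are left for the caller's error path to release.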
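Review bot: In the second hunk (nft_add_set_elem, @@ -5524), the explicit `err = -ENOMEM;` added to the `trans == NULL` branch is necessary rather than cosmetic and deserves a sentence in the commit message: `err` now holds 0 from the successful `nft_set_elem_expr_setup(ctx, ext, expr_array, num_exprs)` call immediately above, so jumping to the shared label without reassigning it would return success on an allocation failure. Because the setup helper now consumes every expr_array entry and sets it to NULL on both its success and failure paths, any cleanup reached through err_elem_expr that still iterates expr_array must tolerate NULL entries; that code is outside the hunk, so please double-check it.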
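Review bot: In the third hunk (@@ -5573), renaming `err_trans` to `err_elem_expr` widens what this label has to undo: it is now reached both from a failed transaction allocation and from a failed expression clone, and in the latter case `ext` may already contain some cloned expressions. The only cleanup visible here is `obj->use--`, which does not touch them; the remainder of the path lies outside the hunk, so confirm that the element's expression storage is destroyed on this branch, otherwise a clone failure partway through leaks the expressions that were already set up.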