Patch "netfilter: nf_tables: unconditionally flush pending work before notifier" has been added to the 6.9-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: unconditionally flush pending work before notifier

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-unconditionally-flush-pending-wo.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 8f85f608dfda467e344ea21c65844b34e849c9b4
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Tue Jul 2 16:08:14 2024 +0200

    netfilter: nf_tables: unconditionally flush pending work before notifier
    
    [ Upstream commit 9f6958ba2e902f9820c594869bd710ba74b7c4c0 ]
    
    syzbot reports:
    
    KASAN: slab-uaf in nft_ctx_update include/net/netfilter/nf_tables.h:1831
    KASAN: slab-uaf in nft_commit_release net/netfilter/nf_tables_api.c:9530
    KASAN: slab-uaf int nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
    Read of size 2 at addr ffff88802b0051c4 by task kworker/1:1/45
    [..]
    Workqueue: events nf_tables_trans_destroy_work
    Call Trace:
     nft_ctx_update include/net/netfilter/nf_tables.h:1831 [inline]
     nft_commit_release net/netfilter/nf_tables_api.c:9530 [inline]
     nf_tables_trans_destroy_work+0x152b/0x1750 net/netfilter/nf_tables_api.c:9597
    
    Problem is that the notifier does a conditional flush, but its possible
    that the table-to-be-removed is still referenced by transactions being
    processed by the worker, so we need to flush unconditionally.
    
    We could make the flush_work depend on whether we found a table to delete
    in nf-next to avoid the flush for most cases.
    
    AFAICS this problem is only exposed in nf-next, with
    commit e169285f8c56 ("netfilter: nf_tables: do not store nft_ctx in transaction objects"),
    with this commit applied there is an unconditional fetch of
    table->family which is whats triggering the above splat.
    
    Fixes: 2c9f0293280e ("netfilter: nf_tables: flush pending destroy work before netlink notifier")
    Reported-and-tested-by: syzbot+4fd66a69358fc15ae2ad@xxxxxxxxxxxxxxxxxxxxxxxxx
    Closes: https://syzkaller.appspot.com/bug?extid=4fd66a69358fc15ae2ad
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index faa77b031d1f3..0f77ba3306c23 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -11479,8 +11479,7 @@ static int nft_rcv_nl_event(struct notifier_block *this, unsigned long event,
 
 	gc_seq = nft_gc_seq_begin(nft_net);
 
-	if (!list_empty(&nf_tables_destroy_list))
-		nf_tables_trans_destroy_flush_work();
+	nf_tables_trans_destroy_flush_work();
 again:
 	list_for_each_entry(table, &nft_net->tables, list) {
 		if (nft_table_has_owner(table) &&




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux