Patch "netfilter: nf_tables: must hold rcu read lock while iterating expression type list" has been added to the 6.6-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 1 Dec 2024 08:14:05 -0500

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: must hold rcu read lock while iterating expression type list

to the 6.6-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-must-hold-rcu-read-lock-while-it.patch
and it can be found in the queue-6.6 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit a9862fdd020110fbd8adfa7717eb628a7139cf06
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Mon Nov 4 10:41:18 2024 +0100

    netfilter: nf_tables: must hold rcu read lock while iterating expression type list
    
    [ Upstream commit ee666a541ed957937454d50afa4757924508cd74 ]
    
    nft shell tests trigger:
     WARNING: suspicious RCU usage
     net/netfilter/nf_tables_api.c:3125 RCU-list traversed in non-reader section!!
     1 lock held by nft/2068:
      #0: ffff888106c6f8c8 (&nft_net->commit_mutex){+.+.}-{4:4}, at: nf_tables_valid_genid+0x3c/0xf0
    
    But the transaction mutex doesn't protect this list, the nfnl subsystem
    mutex would, but we can't acquire it here without risk of ABBA
    deadlocks.
    
    Acquire the rcu read lock to avoid this issue.
    
    v3: add a comment that explains the ->inner_ops check implies
    expression is builtin and lack of a module owner reference is ok.
    
    Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 11fe424d9c93a..5c4cd9646e71c 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3231,25 +3231,37 @@ int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
 	if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
 		return -EINVAL;
 
+	rcu_read_lock();
+
 	type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
-	if (!type)
-		return -ENOENT;
+	if (!type) {
+		err = -ENOENT;
+		goto out_unlock;
+	}
 
-	if (!type->inner_ops)
-		return -EOPNOTSUPP;
+	if (!type->inner_ops) {
+		err = -EOPNOTSUPP;
+		goto out_unlock;
+	}
 
 	err = nla_parse_nested_deprecated(info->tb, type->maxattr,
 					  tb[NFTA_EXPR_DATA],
 					  type->policy, NULL);
 	if (err < 0)
-		goto err_nla_parse;
+		goto out_unlock;
 
 	info->attr = nla;
 	info->ops = type->inner_ops;
 
+	/* No module reference will be taken on type->owner.
+	 * Presence of type->inner_ops implies that the expression
+	 * is builtin, so it cannot go away.
+	 */
+	rcu_read_unlock();
 	return 0;
 
-err_nla_parse:
+out_unlock:
+	rcu_read_unlock();
 	return err;
 }
 







