Patch "netfilter: nf_tables: must hold rcu read lock while iterating object type list" has been added to the 6.1-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 1 Dec 2024 08:31:01 -0500

This is a note to let you know that I've just added the patch titled

    netfilter: nf_tables: must hold rcu read lock while iterating object type list

to the 6.1-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     netfilter-nf_tables-must-hold-rcu-read-lock-while-it.patch
and it can be found in the queue-6.1 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 6b4ea35750fd809e661bf4b719d78846f1f89f1b
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Mon Nov 4 10:41:19 2024 +0100

    netfilter: nf_tables: must hold rcu read lock while iterating object type list
    
    [ Upstream commit cddc04275f95ca3b18da5c0fb111705ac173af89 ]
    
    Update of stateful object triggers:
    WARNING: suspicious RCU usage
    net/netfilter/nf_tables_api.c:7759 RCU-list traversed in non-reader section!!
    
    other info that might help us debug this:
    rcu_scheduler_active = 2, debug_locks = 1
    1 lock held by nft/3060:
     #0: ffff88810f0578c8 (&nft_net->commit_mutex){+.+.}-{4:4}, [..]
    
    ... but this list is not protected by the transaction mutex but the
    nfnl nftables subsystem mutex.
    
    Switch to nft_obj_type_get which will acquire rcu read lock,
    bump refcount, and returns the result.
    
    v3: Dan Carpenter points out nft_obj_type_get returns error pointer, not
    NULL, on error.
    
    Fixes: dad3bdeef45f ("netfilter: nf_tables: fix memory leak during stateful obj update").
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index d7a628e2c2493..07bcf9b7d779b 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7239,9 +7239,7 @@ static int nf_tables_updobj(const struct nft_ctx *ctx,
 	struct nft_trans *trans;
 	int err = -ENOMEM;
 
-	if (!try_module_get(type->owner))
-		return -ENOENT;
-
+	/* caller must have obtained type->owner reference. */
 	trans = nft_trans_alloc(ctx, NFT_MSG_NEWOBJ,
 				sizeof(struct nft_trans_obj));
 	if (!trans)
@@ -7309,15 +7307,16 @@ static int nf_tables_newobj(struct sk_buff *skb, const struct nfnl_info *info,
 		if (info->nlh->nlmsg_flags & NLM_F_REPLACE)
 			return -EOPNOTSUPP;
 
-		type = __nft_obj_type_get(objtype, family);
-		if (WARN_ON_ONCE(!type))
-			return -ENOENT;
-
 		if (!obj->ops->update)
 			return 0;
 
+		type = nft_obj_type_get(net, objtype, family);
+		if (WARN_ON_ONCE(IS_ERR(type)))
+			return PTR_ERR(type);
+
 		nft_ctx_init(&ctx, net, skb, info->nlh, family, table, NULL, nla);
 
+		/* type->owner reference is put when transaction object is released. */
 		return nf_tables_updobj(&ctx, type, nla[NFTA_OBJ_DATA], obj);
 	}
 







