git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 5 Mar 2020 10:15:36 +0000 (11:15 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Thu, 5 Mar 2020 11:56:33 +0000 (12:56 +0100)
commit	5850ccf28017283fc5955c95b62121d99d81a94d
tree	899e15b4adff7f2bcc0f5b5c541b6a1c8dfad03a	tree \| snapshot
parent	152339a2f8db7ce2ea08b5ddd193a5012cfed1b5	commit \| diff

netfilter: nf_tables: fix infinite loop when expr is not available

nft will loop forever if the kernel doesn't support an expression:

1. nft_expr_type_get() appends the family specific name to the module list.
2. -EAGAIN is returned to nfnetlink, nfnetlink calls abort path.
3. abort path sets ->done to true and calls request_module for the
   expression.
4. nfnetlink replays the batch, we end up in nft_expr_type_get() again.
5. nft_expr_type_get attempts to append family-specific name. This
   one already exists on the list, so we continue
6. nft_expr_type_get adds the generic expression name to the module
   list. -EAGAIN is returned, nfnetlink calls abort path.
7. abort path encounters the family-specific expression which
   has 'done' set, so it gets removed.
8. abort path requests the generic expression name, sets done to true.
9. batch is replayed.

If the expression could not be loaded, then we will end up back at 1),
because the family-specific name got removed and the cycle starts again.

Note that userspace can SIGKILL the nft process to stop the cycle, but
the desired behaviour is to return an error after the generic expr name
fails to load the expression.

Fixes: 32fe74758c077 ("netfilter: nf_tables: autoload modules from the abort path")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>