]> git.baikalelectronics.ru Git - kernel.git/commitdiff
netfilter: nf_tables: fix flowtable list del corruption
authorFlorian Westphal <fw@strlen.de>
Thu, 16 Jan 2020 11:03:01 +0000 (12:03 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Thu, 16 Jan 2020 13:22:33 +0000 (14:22 +0100)
syzbot reported following crash:

  list_del corruption, ffff88808c9bb000->prev is LIST_POISON2 (dead000000000122)
  [..]
  Call Trace:
   __list_del_entry include/linux/list.h:131 [inline]
   list_del_rcu include/linux/rculist.h:148 [inline]
   nf_tables_commit+0x1068/0x3b30 net/netfilter/nf_tables_api.c:7183
   [..]

The commit transaction list has:

NFT_MSG_NEWTABLE
NFT_MSG_NEWFLOWTABLE
NFT_MSG_DELFLOWTABLE
NFT_MSG_DELTABLE

A missing generation check during DELTABLE processing causes it to queue
the DELFLOWTABLE operation a second time, so we corrupt the list here:

  case NFT_MSG_DELFLOWTABLE:
     list_del_rcu(&nft_trans_flowtable(trans)->list);
     nf_tables_flowtable_notify(&trans->ctx,

because we have two different DELFLOWTABLE transactions for the same
flowtable.  We then call list_del_rcu() twice for the same flowtable->list.

The object handling seems to suffer from the same bug so add a generation
check too and only queue delete transactions for flowtables/objects that
are still active in the next generation.

Reported-by: syzbot+37a6804945a3a13b1572@syzkaller.appspotmail.com
Fixes: f034159f12a9f ("netfilter: nf_tables: add flow table netlink frontend")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nf_tables_api.c

index 896a6e8aff9146d39e43233d0cd16508f05a5726..65f51a2e9c2a7343b2d0677526932f984eba0684 100644 (file)
@@ -1048,12 +1048,18 @@ static int nft_flush_table(struct nft_ctx *ctx)
        }
 
        list_for_each_entry_safe(flowtable, nft, &ctx->table->flowtables, list) {
+               if (!nft_is_active_next(ctx->net, flowtable))
+                       continue;
+
                err = nft_delflowtable(ctx, flowtable);
                if (err < 0)
                        goto out;
        }
 
        list_for_each_entry_safe(obj, ne, &ctx->table->objects, list) {
+               if (!nft_is_active_next(ctx->net, obj))
+                       continue;
+
                err = nft_delobj(ctx, obj);
                if (err < 0)
                        goto out;