
netfilter: nf_flow_table: add missing locking

Message ID 20221121182615.90843-1-nbd@nbd.name (mailing list archive)
State Awaiting Upstream
Delegated to: Netdev Maintainers
Series netfilter: nf_flow_table: add missing locking

Checks

Context Check Description
netdev/tree_selection success Guessed tree name to be net-next
netdev/fixes_present success Fixes tag not required for -next series
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cover_letter success Single patches do not need cover letters
netdev/patch_count success Link
netdev/header_inline success No static functions without inline keyword in header files
netdev/build_32bit success Errors and warnings before: 38 this patch: 38
netdev/cc_maintainers success CCed 10 of 10 maintainers
netdev/build_clang success Errors and warnings before: 0 this patch: 0
netdev/module_param success Was 0 now: 0
netdev/verify_signedoff success Signed-off-by tag matches author and committer
netdev/check_selftest success No net selftest shell script
netdev/verify_fixes success No Fixes tag
netdev/build_allmodconfig_warn success Errors and warnings before: 38 this patch: 38
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 23 lines checked
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/source_inline success Was 0 now: 0

Commit Message

Felix Fietkau Nov. 21, 2022, 6:26 p.m. UTC
nf_flow_table_block_setup and the driver TC_SETUP_FT call can modify the flow
block cb list while they are being traversed elsewhere, causing a crash.
Add a write lock around the calls to protect readers

Signed-off-by: Felix Fietkau <nbd@nbd.name>
---
 net/netfilter/nf_flow_table_offload.c | 4 ++++
 1 file changed, 4 insertions(+)

Comments

Felix Fietkau Nov. 21, 2022, 7:45 p.m. UTC | #1
On 21.11.22 19:26, Felix Fietkau wrote:
> nf_flow_table_block_setup and the driver TC_SETUP_FT call can modify the flow
> block cb list while they are being traversed elsewhere, causing a crash.
> Add a write lock around the calls to protect readers
> 
> Signed-off-by: Felix Fietkau <nbd@nbd.name>
Sorry, I forgot to add this:

Reported-by: Chad Monroe <chad.monroe@smartrg.com>

- Felix

Eric Dumazet Nov. 21, 2022, 7:47 p.m. UTC | #2
On Mon, Nov 21, 2022 at 11:45 AM Felix Fietkau <nbd@nbd.name> wrote:
>
> On 21.11.22 19:26, Felix Fietkau wrote:
> > nf_flow_table_block_setup and the driver TC_SETUP_FT call can modify the flow
> > block cb list while they are being traversed elsewhere, causing a crash.
> > Add a write lock around the calls to protect readers
> >
> > Signed-off-by: Felix Fietkau <nbd@nbd.name>
> Sorry, I forgot to add this:
>
> Reported-by: Chad Monroe <chad.monroe@smartrg.com>
>
> - Felix

Hi Felix

Could you also add a Fixes: tag ?

Thanks.

Felix Fietkau Nov. 21, 2022, 8:08 p.m. UTC | #3
On 21.11.22 20:47, Eric Dumazet wrote:
> On Mon, Nov 21, 2022 at 11:45 AM Felix Fietkau <nbd@nbd.name> wrote:
>>
>> On 21.11.22 19:26, Felix Fietkau wrote:
>> > nf_flow_table_block_setup and the driver TC_SETUP_FT call can modify the flow
>> > block cb list while they are being traversed elsewhere, causing a crash.
>> > Add a write lock around the calls to protect readers
>> >
>> > Signed-off-by: Felix Fietkau <nbd@nbd.name>
>> Sorry, I forgot to add this:
>>
>> Reported-by: Chad Monroe <chad.monroe@smartrg.com>
>>
>> - Felix
> 
> Hi Felix
> 
> Could you also add a Fixes: tag ?
I don't know which commit to use for that tag.

- Felix

Jakub Kicinski Nov. 21, 2022, 8:35 p.m. UTC | #4
On Mon, 21 Nov 2022 21:08:12 +0100 Felix Fietkau wrote:
> > Could you also add a Fixes: tag ?  
> 
> I don't know which commit to use for that tag.

The oldest upstream commit where the problem you're solving 
can trigger?

Felix Fietkau Nov. 21, 2022, 10:30 p.m. UTC | #5
On 21.11.22 21:35, Jakub Kicinski wrote:
> On Mon, 21 Nov 2022 21:08:12 +0100 Felix Fietkau wrote:
>> > Could you also add a Fixes: tag ?  
>> 
>> I don't know which commit to use for that tag.
> 
> The oldest upstream commit where the problem you're solving
> can trigger?
I know, but I'm having a hard time figuring that out. The initial
version of that file came without locking. Later on some locking was
added for supporting an extra API for registering to flow table events,
but it didn't cover the cases that I'm fixing.

My guess is that the locking should have been present from the start, so:

Fixes: c29f74e0df7a ("netfilter: nf_flow_table: hardware offload support")

- Felix

Pablo Neira Ayuso Nov. 22, 2022, 9:15 p.m. UTC | #6
On Mon, Nov 21, 2022 at 07:26:15PM +0100, Felix Fietkau wrote:
> nf_flow_table_block_setup and the driver TC_SETUP_FT call can modify the flow
> block cb list while they are being traversed elsewhere, causing a crash.
> Add a write lock around the calls to protect readers

Applied, thanks

Patch

diff --git a/net/netfilter/nf_flow_table_offload.c b/net/netfilter/nf_flow_table_offload.c
index b04645ced89b..00b522890d77 100644
--- a/net/netfilter/nf_flow_table_offload.c
+++ b/net/netfilter/nf_flow_table_offload.c
@@ -1098,6 +1098,7 @@  static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
 	struct flow_block_cb *block_cb, *next;
 	int err = 0;
 
+	down_write(&flowtable->flow_block_lock);
 	switch (cmd) {
 	case FLOW_BLOCK_BIND:
 		list_splice(&bo->cb_list, &flowtable->flow_block.cb_list);
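Review bot: the down_write() added at the top of nf_flow_table_block_setup() is undocumented, and because it can sleep it makes process context a requirement for every caller of this function. A one-line comment above it stating that flow_block_lock serializes updates to flowtable->flow_block.cb_list (the list_splice() just below) against concurrent traversals would record both the protected object and the new calling rule.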
@@ -1112,6 +1113,7 @@  static int nf_flow_table_block_setup(struct nf_flowtable *flowtable,
 		WARN_ON_ONCE(1);
 		err = -EOPNOTSUPP;
 	}
+	up_write(&flowtable->flow_block_lock);
 
 	return err;
 }
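Review bot: the up_write() after the switch is the only unlock in the function, so it relies on every case leaving the switch with a break rather than a return, and the cases between the two hunks are not visible here. Please confirm none of them returns early; keeping the single "return err;" exit as the only way out is what makes this placement correct.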
@@ -1168,7 +1170,9 @@  static int nf_flow_table_offload_cmd(struct flow_block_offload *bo,
 
 	nf_flow_table_block_offload_init(bo, dev_net(dev), cmd, flowtable,
 					 extack);
+	down_write(&flowtable->flow_block_lock);
 	err = dev->netdev_ops->ndo_setup_tc(dev, TC_SETUP_FT, bo);
+	up_write(&flowtable->flow_block_lock);
 	if (err < 0)
 		return err;
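Review bot: holding flow_block_lock for writing across dev->netdev_ops->ndo_setup_tc() runs driver code under the same rwsem that nf_flow_table_block_setup() now takes, and an rwsem is not recursive. If any TC_SETUP_FT handler can synchronously reach nf_flow_table_block_setup() or another flow_block_lock user for the same flowtable, this self-deadlocks. The commit message should say why that cannot happen, and a comment at this call should name the driver-side cb list modification the lock is guarding.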