git.fsl.cs.sunysb.edu Git - wrapfs-4.20.y.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Sat, 2 Feb 2019 09:49:13 +0000 (10:49 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Wed, 13 Mar 2019 21:04:17 +0000 (14:04 -0700)
commit	6f9518c5bc88e5206ed68df1f911e47095414476
tree	dc180bba6616c86b070b7347b68575d497bfc0ab	tree \| snapshot
parent	365e2f3a358a42c362177564d58433718cf58cda	commit \| diff

netfilter: nf_tables: unbind set in rule from commit path

[ Upstream commit f6ac8585897684374a19863fff21186a05805286 ]

Anonymous sets that are bound to rules from the same transaction trigger
a kernel splat from the abort path due to double set list removal and
double free.

This patch updates the logic to search for the transaction that is
responsible for creating the set and disable the set list removal and
release, given the rule is now responsible for this. Lookup is reverse
since the transaction that adds the set is likely to be at the tail of
the list.

Moreover, this patch adds the unbind step to deliver the event from the
commit path. This should not be done from the worker thread, since we
have no guarantees of in-order delivery to the listener.

This patch removes the assumption that both activate and deactivate
callbacks need to be provided.

Fixes: cd5125d8f518 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase")
Reported-by: Mikhail Morfikov <mmorfikov@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>

include/net/netfilter/nf_tables.h		diff \| blob \| history
net/netfilter/nf_tables_api.c		diff \| blob \| history
net/netfilter/nft_compat.c		diff \| blob \| history
net/netfilter/nft_dynset.c		diff \| blob \| history
net/netfilter/nft_immediate.c		diff \| blob \| history
net/netfilter/nft_lookup.c		diff \| blob \| history
net/netfilter/nft_objref.c		diff \| blob \| history