From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org, kuba@kernel.org,
pabeni@redhat.com, edumazet@google.com
Subject: [PATCH net 2/7] netfilter: nf_tables: release flow rule object from commit path
Date: Wed, 2 Nov 2022 19:46:54 +0100 [thread overview]
Message-ID: <20221102184659.2502-3-pablo@netfilter.org> (raw)
In-Reply-To: <20221102184659.2502-1-pablo@netfilter.org>
No need to postpone this to the commit release path, since no packets
are walking over this object, this is accessed from control plane only.
This helped uncovered UAF triggered by races with the netlink notifier.
Fixes: 9dd732e0bdf5 ("netfilter: nf_tables: memleak flow rule from commit path")
Reported-by: syzbot+8f747f62763bc6c32916@syzkaller.appspotmail.com
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
net/netfilter/nf_tables_api.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index 2197118aa7b0..76bd4d03dbda 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -8465,9 +8465,6 @@ static void nft_commit_release(struct nft_trans *trans)
nf_tables_chain_destroy(&trans->ctx);
break;
case NFT_MSG_DELRULE:
- if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
- nft_flow_rule_destroy(nft_trans_flow_rule(trans));
-
nf_tables_rule_destroy(&trans->ctx, nft_trans_rule(trans));
break;
case NFT_MSG_DELSET:
@@ -8973,6 +8970,9 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb)
nft_rule_expr_deactivate(&trans->ctx,
nft_trans_rule(trans),
NFT_TRANS_COMMIT);
+
+ if (trans->ctx.chain->flags & NFT_CHAIN_HW_OFFLOAD)
+ nft_flow_rule_destroy(nft_trans_flow_rule(trans));
break;
case NFT_MSG_NEWSET:
nft_clear(net, nft_trans_set(trans));
--
2.30.2
next prev parent reply other threads:[~2022-11-02 18:47 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-11-02 18:46 [PATCH net 0/7] Netfilter/IPVS fixes for net Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 1/7] netfilter: nf_tables: netlink notifier might race to release objects Pablo Neira Ayuso
2022-11-03 3:00 ` patchwork-bot+netdevbpf
2022-11-02 18:46 ` Pablo Neira Ayuso [this message]
2022-11-02 18:46 ` [PATCH net 3/7] ipvs: use explicitly signed chars Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 4/7] ipvs: fix WARNING in __ip_vs_cleanup_batch() Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 5/7] ipvs: fix WARNING in ip_vs_app_net_cleanup() Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 6/7] netfilter: nf_nat: Fix possible memory leak in nf_nat_init() Pablo Neira Ayuso
2022-11-02 18:46 ` [PATCH net 7/7] netfilter: ipset: enforce documented limit to prevent allocating huge memory Pablo Neira Ayuso
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221102184659.2502-3-pablo@netfilter.org \
--to=pablo@netfilter.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.