From: Sasha Levin <sashal@kernel.org>
To: stable@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: Stefano Brivio <sbrivio@redhat.com>,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <sashal@kernel.org>
Subject: [PATCH AUTOSEL 4.19 10/73] netfilter: ipset: list:set: Decrease refcount synchronously on deletion and replace
Date: Wed, 14 Nov 2018 17:21:04 -0500	[thread overview]
Message-ID: <20181114222207.98701-10-sashal@kernel.org> (raw)
In-Reply-To: <20181114222207.98701-1-sashal@kernel.org>

From: Stefano Brivio <sbrivio@redhat.com>

[ Upstream commit 439cd39ea136d2c026805264d58a91f36b6b64ca ]

Commit 45040978c899 ("netfilter: ipset: Fix set:list type crash
when flush/dump set in parallel") postponed decreasing set
reference counters to the RCU callback.

An 'ipset del' command can terminate before the RCU grace period
has elapsed, and if sets are listed before then, the reference
counter shown in userspace will be wrong:

 # ipset create h hash:ip; ipset create l list:set; ipset add l
 # ipset del l h; ipset list h
 Name: h
 Type: hash:ip
 Revision: 4
 Header: family inet hashsize 1024 maxelem 65536
 Size in memory: 88
 References: 1
 Number of entries: 0
 Members:
 # sleep 1; ipset list h
 Name: h
 Type: hash:ip
 Revision: 4
 Header: family inet hashsize 1024 maxelem 65536
 Size in memory: 88
 References: 0
 Number of entries: 0
 Members:

Fix this by making the reference count update synchronous again.

As a result, when sets are listed, ip_set_name_byindex() might
now fetch a set whose reference count is already zero. Instead
of relying on the reference count to protect against concurrent
set renaming, grab ip_set_ref_lock as reader and copy the name,
while holding the same lock in ip_set_rename() as writer
instead.

Reported-by: Li Shuang <shuali@redhat.com>
Fixes: 45040978c899 ("netfilter: ipset: Fix set:list type crash when flush/dump set in parallel")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/netfilter/ipset/ip_set.h |  2 +-
 net/netfilter/ipset/ip_set_core.c      | 23 +++++++++++------------
 net/netfilter/ipset/ip_set_list_set.c  | 17 +++++++++++------
 3 files changed, 23 insertions(+), 19 deletions(-)

diff --git a/include/linux/netfilter/ipset/ip_set.h b/include/linux/netfilter/ipset/ip_set.h
index 34fc80f3eb90..1d100efe74ec 100644
--- a/include/linux/netfilter/ipset/ip_set.h
+++ b/include/linux/netfilter/ipset/ip_set.h
@@ -314,7 +314,7 @@ enum {
 extern ip_set_id_t ip_set_get_byname(struct net *net,
 				     const char *name, struct ip_set **set);
 extern void ip_set_put_byindex(struct net *net, ip_set_id_t index);
-extern const char *ip_set_name_byindex(struct net *net, ip_set_id_t index);
+extern void ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name);
 extern ip_set_id_t ip_set_nfnl_get_byindex(struct net *net, ip_set_id_t index);
 extern void ip_set_nfnl_put(struct net *net, ip_set_id_t index);
 
diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
index bc4bd247bb7d..fa15a831aeee 100644
--- a/net/netfilter/ipset/ip_set_core.c
+++ b/net/netfilter/ipset/ip_set_core.c
@@ -693,21 +693,20 @@ ip_set_put_byindex(struct net *net, ip_set_id_t index)
 EXPORT_SYMBOL_GPL(ip_set_put_byindex);
 
 /* Get the name of a set behind a set index.
- * We assume the set is referenced, so it does exist and
- * can't be destroyed. The set cannot be renamed due to
- * the referencing either.
- *
+ * Set itself is protected by RCU, but its name isn't: to protect against
+ * renaming, grab ip_set_ref_lock as reader (see ip_set_rename()) and copy the
+ * name.
  */
-const char *
-ip_set_name_byindex(struct net *net, ip_set_id_t index)
+void
+ip_set_name_byindex(struct net *net, ip_set_id_t index, char *name)
 {
-	const struct ip_set *set = ip_set_rcu_get(net, index);
+	struct ip_set *set = ip_set_rcu_get(net, index);
 
 	BUG_ON(!set);
-	BUG_ON(set->ref == 0);
 
-	/* Referenced, so it's safe */
-	return set->name;
+	read_lock_bh(&ip_set_ref_lock);
+	strncpy(name, set->name, IPSET_MAXNAMELEN);
+	read_unlock_bh(&ip_set_ref_lock);
 }
 EXPORT_SYMBOL_GPL(ip_set_name_byindex);
 
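Review bot: `strncpy(name, set->name, IPSET_MAXNAMELEN)` leaves `name` without a NUL terminator when the source fills all IPSET_MAXNAMELEN bytes, and the caller in list_set_list() hands the otherwise uninitialized stack buffer straight to nla_put_string(), which needs a terminated string. If set names are guaranteed shorter than IPSET_MAXNAMELEN elsewhere (not visible in this patch) the copy is safe, but that invariant lives far from this line; `strscpy(name, set->name, IPSET_MAXNAMELEN);` would make termination local to the copy. The function also takes a bare `char *name` with no length, so the comment above it should state that the caller must supply at least IPSET_MAXNAMELEN bytes.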
@@ -1153,7 +1152,7 @@ static int ip_set_rename(struct net *net, struct sock *ctnl,
 	if (!set)
 		return -ENOENT;
 
-	read_lock_bh(&ip_set_ref_lock);
+	write_lock_bh(&ip_set_ref_lock);
 	if (set->ref != 0) {
 		ret = -IPSET_ERR_REFERENCED;
 		goto out;
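Review bot: The switch to `write_lock_bh(&ip_set_ref_lock)` is what ip_set_name_byindex() now depends on to read a stable name, but nothing at this call site records that, and the first thing done under the lock is a read of `set->ref`, so a later cleanup could plausibly turn it back into a reader lock. A one-line comment above the lock, such as `/* Writer: excludes ip_set_name_byindex() copying set->name */`, would keep the pairing visible. The matching unlock is in the next hunk, and ip_set_rename() starts and ends outside both hunks.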
@@ -1170,7 +1169,7 @@ static int ip_set_rename(struct net *net, struct sock *ctnl,
 	strncpy(set->name, name2, IPSET_MAXNAMELEN);
 
 out:
-	read_unlock_bh(&ip_set_ref_lock);
+	write_unlock_bh(&ip_set_ref_lock);
 	return ret;
 }
 
diff --git a/net/netfilter/ipset/ip_set_list_set.c b/net/netfilter/ipset/ip_set_list_set.c
index 072a658fde04..4eef55da0878 100644
--- a/net/netfilter/ipset/ip_set_list_set.c
+++ b/net/netfilter/ipset/ip_set_list_set.c
@@ -148,9 +148,7 @@ __list_set_del_rcu(struct rcu_head * rcu)
 {
 	struct set_elem *e = container_of(rcu, struct set_elem, rcu);
 	struct ip_set *set = e->set;
-	struct list_set *map = set->data;
 
-	ip_set_put_byindex(map->net, e->id);
 	ip_set_ext_destroy(set, e);
 	kfree(e);
 }
@@ -158,15 +156,21 @@ __list_set_del_rcu(struct rcu_head * rcu)
 static inline void
 list_set_del(struct ip_set *set, struct set_elem *e)
 {
+	struct list_set *map = set->data;
+
 	set->elements--;
 	list_del_rcu(&e->list);
+	ip_set_put_byindex(map->net, e->id);
 	call_rcu(&e->rcu, __list_set_del_rcu);
 }
 
 static inline void
-list_set_replace(struct set_elem *e, struct set_elem *old)
+list_set_replace(struct ip_set *set, struct set_elem *e, struct set_elem *old)
 {
+	struct list_set *map = set->data;
+
 	list_replace_rcu(&old->list, &e->list);
+	ip_set_put_byindex(map->net, old->id);
 	call_rcu(&old->rcu, __list_set_del_rcu);
 }
 
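Review bot: In list_set_del() and list_set_replace() the member's reference is now dropped before `call_rcu()`, so for one grace period RCU readers can still reach an element whose `id` names a set with a reference count of zero. The commit message covers renaming, but a zero count presumably also makes that set eligible for destruction, and ip_set_name_byindex() keeps `BUG_ON(!set)` on the looked-up index; whether a destroy can interleave with a dump depends on locking outside this patch. A comment above the put, for example `/* Ref dropped now; e->id may be stale until the grace period ends */`, would document the lifetime rule, and it is worth confirming that readers of `e->id` tolerate a missing set instead of hitting the BUG_ON.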
@@ -298,7 +302,7 @@ list_set_uadd(struct ip_set *set, void *value, const struct ip_set_ext *ext,
 	INIT_LIST_HEAD(&e->list);
 	list_set_init_extensions(set, ext, e);
 	if (n)
-		list_set_replace(e, n);
+		list_set_replace(set, e, n);
 	else if (next)
 		list_add_tail_rcu(&e->list, &next->list);
 	else if (prev)
@@ -486,6 +490,7 @@ list_set_list(const struct ip_set *set,
 	const struct list_set *map = set->data;
 	struct nlattr *atd, *nested;
 	u32 i = 0, first = cb->args[IPSET_CB_ARG0];
+	char name[IPSET_MAXNAMELEN];
 	struct set_elem *e;
 	int ret = 0;
 
@@ -504,8 +509,8 @@ list_set_list(const struct ip_set *set,
 		nested = ipset_nest_start(skb, IPSET_ATTR_DATA);
 		if (!nested)
 			goto nla_put_failure;
-		if (nla_put_string(skb, IPSET_ATTR_NAME,
-				   ip_set_name_byindex(map->net, e->id)))
+		ip_set_name_byindex(map->net, e->id, name);
+		if (nla_put_string(skb, IPSET_ATTR_NAME, name))
 			goto nla_put_failure;
 		if (ip_set_put_extensions(skb, set, e, true))
 			goto nla_put_failure;
-- 
2.17.1

