linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Florian Westphal <fw@strlen.de>,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Sasha Levin <alexander.levin@microsoft.com>,
	netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
	netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.14 81/95] netfilter: nf_tables: warn when expr implements only one of activate/deactivate
Date: Tue,  7 May 2019 01:38:10 -0400
Message-ID: <20190507053826.31622-81-sashal@kernel.org>
In-Reply-To: <20190507053826.31622-1-sashal@kernel.org>

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 0ef235c71755c5f36c50282fcf2d7d08709be344 ]

->destroy is only allowed to free data, or do other cleanups that do not
have side effects on other state, such as visibility to other netlink
requests.

Such things need to be done in ->deactivate.
As a transaction can fail, we need to make sure we can undo such
operations, therefore ->activate() has to be provided too.

So print a warning and refuse registration if expr->ops provides
only one of the two operations.

v2: fix nft_expr_check_ops to not repeat same check twice (Jones Desougi)

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
---
 net/netfilter/nf_tables_api.c | 19 +++++++++++++++++++
 1 file changed, 19 insertions(+)

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index c445d57e3a5b..b149a7219084 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -220,6 +220,18 @@ static int nft_delchain(struct nft_ctx *ctx)
 	return err;
 }
 
+/* either expr ops provide both activate/deactivate, or neither */
+static bool nft_expr_check_ops(const struct nft_expr_ops *ops)
+{
+	if (!ops)
+		return true;
+
+	if (WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)))
+		return false;
+
+	return true;
+}
+
 static void nft_rule_expr_activate(const struct nft_ctx *ctx,
 				   struct nft_rule *rule)
 {
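Review bot: The one-line comment above nft_expr_check_ops() states the rule but not the reason for it. The commit message explains that ->deactivate has side effects a failed transaction must be able to undo via ->activate; a sentence to that effect in the comment would keep the rationale next to the check. Style nit on the condition: the inner parentheses in WARN_ON_ONCE((!ops->activate ^ !ops->deactivate)) are redundant, and !ops->activate != !ops->deactivate reads more directly as "exactly one is set" than XOR on two negated pointers.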
@@ -1724,6 +1736,9 @@ static int nf_tables_delchain(struct net *net, struct sock *nlsk,
  */
 int nft_register_expr(struct nft_expr_type *type)
 {
+	if (!nft_expr_check_ops(type->ops))
+		return -EINVAL;
+
 	nfnl_lock(NFNL_SUBSYS_NFTABLES);
 	if (type->family == NFPROTO_UNSPEC)
 		list_add_tail_rcu(&type->list, &nf_tables_expressions);
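Review bot: Because nft_expr_check_ops() returns true when ops is NULL, the new check at the top of nft_register_expr() silently accepts any type whose type->ops is unset, so for those types validation happens only later, in nf_tables_expr_parse(). A short comment here saying so would stop readers assuming that registration validates every expression. Also, the helper uses WARN_ON_ONCE, so a second mis-declared type is refused with -EINVAL and nothing in the log; consider a plain WARN_ON or an extra message that names the offending type.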
@@ -1873,6 +1888,10 @@ static int nf_tables_expr_parse(const struct nft_ctx *ctx,
 			err = PTR_ERR(ops);
 			goto err1;
 		}
+		if (!nft_expr_check_ops(ops)) {
+			err = -EINVAL;
+			goto err1;
+		}
 	} else
 		ops = type->ops;
 
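Review bot: The check inside the select_ops branch reports a kernel-side defect (an expression whose ops implement only one of activate/deactivate) as -EINVAL on a netlink request path, which userspace cannot tell apart from a malformed request, and after the first WARN_ON_ONCE later hits leave no trace in the log. Consider a distinct error code, or at least a comment marking this as an internal consistency check. It is also worth a comment that the else branch (ops = type->ops) relies on the registration-time check in nft_register_expr(), since nothing in this hunk makes that dependency visible.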
-- 
2.20.1
