netfilter: nft_compat: destroy function must not have side effects
authorFlorian Westphal <fw@strlen.de>
Mon, 14 Jan 2019 13:28:50 +0000 (14:28 +0100)
committerPablo Neira Ayuso <pablo@netfilter.org>
Fri, 18 Jan 2019 01:29:42 +0000 (02:29 +0100)
commitb2e3d68d1251a051a620f9086e18f7ffa6833b5b
tree760de639d95d4ecfe13a661b50598dcb670b7a23
parentcf52572ebbd7189a1966c2b5fc34b97078cd1dce
netfilter: nft_compat: destroy function must not have side effects

The nft_compat destroy function deletes the nft_xt object from a list.
This isn't allowed anymore. Destroy functions are called asynchronously,
i.e. next batch can find the object that has a pending ->destroy()
invocation:

cpu0                       cpu1
 worker
   ->destroy               for_each_entry()
                     if (x == ...
        return x->ops;
     list_del(x)
     kfree_rcu(x)
                           expr->ops->... // ops was free'd

To resolve this, the list_del needs to occur before the transaction
mutex gets released.  nf_tables has a 'deactivate' hook for this
purpose, so use that to unlink the object from the list.

Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release")
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_compat.c