linux/net
Subash Abhinov Kasiviswanathan 98ab3ff5e7 netfilter: x_tables: Switch synchronization to RCU
[ Upstream commit cc00bcaa58 ]

When running concurrent iptables rules replacement with data, the per CPU
sequence count is checked after the assignment of the new information.
The sequence count is used to synchronize with the packet path without the
use of any explicit locking. If there are any packets in the packet path using
the table information, the sequence count is incremented to an odd value and
is incremented to an even value after packet processing completes.

The new table value assignment is followed by a write memory barrier so every
CPU should see the latest value. If the packet path has started with the old
table information, the sequence counter will be odd and the iptables
replacement will wait till the sequence count is even prior to freeing the
old table info.

However, this assumes that the new table information assignment and the memory
barrier are actually executed prior to the counter check in the replacement
thread. If the CPU decides to execute the assignment later, as there is no user
of the table information prior to the sequence check, the packet path on another
CPU may use the old table information. The replacement thread would then free
the table information under it, leading to a use-after-free in the packet
processing context:

Unable to handle kernel NULL pointer dereference at virtual
address 000000000000008e
pc : ip6t_do_table+0x5d0/0x89c
lr : ip6t_do_table+0x5b8/0x89c
ip6t_do_table+0x5d0/0x89c
ip6table_filter_hook+0x24/0x30
nf_hook_slow+0x84/0x120
ip6_input+0x74/0xe0
ip6_rcv_finish+0x7c/0x128
ipv6_rcv+0xac/0xe4
__netif_receive_skb+0x84/0x17c
process_backlog+0x15c/0x1b8
napi_poll+0x88/0x284
net_rx_action+0xbc/0x23c
__do_softirq+0x20c/0x48c

This could be fixed by forcing instruction order after the new table
information assignment or by switching to RCU for the synchronization.

Fixes: 80055dab5d ("netfilter: x_tables: make xt_replace_table wait until old rules are not used anymore")
Reported-by: Sean Tranchetti <stranche@codeaurora.org>
Reported-by: kernel test robot <lkp@intel.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Subash Abhinov Kasiviswanathan <subashab@codeaurora.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-12-30 11:25:45 +01:00
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-01-27 14:50:41 +01:00
9p net: 9p: initialize sun_server.sun_path to have addr's value only when addr is valid 2020-11-05 11:08:44 +01:00
802
8021q vlan: vlan_changelink() should propagate errors 2020-01-12 12:17:28 +01:00
appletalk appletalk: Set error code if register_snap_client failed 2019-12-13 08:52:59 +01:00
atm atm: fix a memory leak of vcc->user_back 2020-10-01 13:14:43 +02:00
ax25 AX.25: Prevent integer overflows in connect and sendmsg 2020-07-31 18:37:48 +02:00
batman-adv batman-adv: set .owner to THIS_MODULE 2020-12-02 08:48:10 +01:00
bluetooth Bluetooth: Only mark socket zapped after unlocking 2020-10-30 10:38:30 +01:00
bpf
bpfilter signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig 2020-01-27 14:50:51 +01:00
bridge net: bridge: vlan: fix error return code in __vlan_add() 2020-12-30 11:25:41 +01:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
can can: af_can: prevent potential access of uninitialized member in canfd_rcv() 2020-11-24 13:27:22 +01:00
ceph libceph: clear con->out_msg on Policy::stateful_server faults 2020-11-05 11:08:53 +01:00
core sock: set sk_err to ee_errno on dequeue from errq 2020-12-08 10:18:52 +01:00
dcb net: DCB: Validate DCB_ATTR_DCB_BUFFER argument 2020-09-26 18:01:29 +02:00
dccp net: ipv6: add net argument to ip6_dst_lookup_flow 2020-04-29 16:31:16 +02:00
decnet net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:30:24 +02:00
dsa net: dsa: read mac address from DT for slave device 2020-11-10 12:36:02 +01:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:19:09 +01:00
hsr hsr: check protocol version in hsr_newlink() 2020-04-21 09:03:03 +02:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-03-18 07:14:15 +01:00
ife
ipv4 netfilter: x_tables: Switch synchronization to RCU 2020-12-30 11:25:45 +01:00
ipv6 netfilter: x_tables: Switch synchronization to RCU 2020-12-30 11:25:45 +01:00
iucv net/af_iucv: set correct sk_protocol for child sockets 2020-12-08 10:18:52 +01:00
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:38:40 +02:00
key af_key: pfkey_dump needs parameter validation 2020-09-26 18:01:28 +02:00
l2tp l2tp: remove skb_dst_set() from l2tp_xmit_skb() 2020-07-22 09:31:59 +02:00
l3mdev
lapb lapb: fixed leak of control-blocks. 2019-06-22 08:15:13 +02:00
llc net: silence data-races on sk_backlog.tail 2020-10-01 13:14:26 +02:00
mac80211 mac80211: mesh: fix mesh_pathtbl_init() error path 2020-12-30 11:25:40 +01:00
mac802154 mac802154: tx: fix use-after-free 2020-10-01 13:14:51 +02:00
mpls net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2020-04-29 16:31:17 +02:00
ncsi net/ncsi: Fix netlink registration 2020-11-24 13:27:19 +01:00
netfilter netfilter: x_tables: Switch synchronization to RCU 2020-12-30 11:25:45 +01:00
netlabel netlabel: fix an uninitialized warning in netlbl_unlabel_staticlist() 2020-11-24 13:27:17 +01:00
netlink genetlink: remove genl_bind 2020-07-22 09:31:58 +02:00
netrom net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node 2020-04-29 16:31:21 +02:00
nfc nfc: Ensure presence of NFC_ATTR_FIRMWARE_NAME attribute in nfc_genl_fw_download() 2020-10-29 09:54:58 +01:00
nsh
openvswitch openvswitch: handle DNAT tuple collision 2020-10-14 10:31:24 +02:00
packet net/packet: fix overflow in tpacket_rcv 2020-10-07 08:00:08 +02:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 09:21:30 +01:00
qrtr net: qrtr: check skb_put_padto() return value 2020-09-26 18:01:30 +02:00
rds rds: Prevent kernel-infoleak in rds_notify_queue_get() 2020-08-05 10:06:01 +02:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:17:17 +01:00
rose rose: Fix Null pointer dereference in rose_send_frame() 2020-12-08 10:18:52 +01:00
rxrpc rxrpc: Fix server keyring leak 2020-10-14 10:31:26 +02:00
sched net: sch_generic: fix the missing new qdisc assignment bug 2020-11-18 19:18:53 +01:00
sctp sctp: change to hold/put transport for proto_unreach_timer 2020-11-24 13:27:18 +01:00
smc net/smc: fix valid DMBE buffer sizes 2020-10-29 09:54:55 +01:00
strparser net: strparser: partially revert "strparser: Call skb_unclone conditionally" 2019-05-16 19:41:27 +02:00
sunrpc SUNRPC: fix copying of multiple pages in gss_read_proxy_verf() 2020-10-30 10:38:23 +01:00
switchdev
tipc tipc: fix memory leak in tipc_topsrv_start() 2020-11-18 19:18:51 +01:00
tls net/tls: Protect from calling tls_dev_del for TLS RX twice 2020-12-08 10:18:52 +01:00
unix skbuff: fix a data race in skb_queue_len() 2020-10-01 13:14:32 +02:00
vmw_vsock vsock: use ns_capable_noaudit() on socket create 2020-11-10 12:35:59 +01:00
wimax
wireless cfg80211: regulatory: Fix inconsistent format argument 2020-11-18 19:18:45 +01:00
x25 net/x25: prevent a couple of overflows 2020-12-08 10:18:54 +01:00
xdp xsk: Fix xsk_poll()'s return type 2020-12-30 11:25:44 +01:00
xfrm net: xfrm: fix a race condition during allocing spi 2020-11-18 19:18:41 +01:00
compat.c net/compat: Add missing sock updates for SCM_RIGHTS 2020-08-21 11:05:32 +02:00
Kconfig
Makefile
socket.c net: Set fput_needed iff FDPUT_FPUT is set 2020-08-19 08:15:03 +02:00
sysctl_net.c