[RHEL7,COMMIT] ms/netfilter: nft_compat: fix crash when related match/target module is removed

Submitted by Konstantin Khorenko on Nov. 25, 2019, 8:02 a.m.

Details

Message ID 201911250802.xAP820La001292@finist-ce7.sw.ru
State New
Series "Series without cover letter"
Headers show

Commit Message

Konstantin Khorenko Nov. 25, 2019, 8:02 a.m.
The commit is pushed to "branch-rh7-3.10.0-1062.4.2.vz7.116.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-1062.4.2.vz7.116.4
------>
commit f452a4969c59268843b5258dfaee593e75bc0024
Author: Liping Zhang <liping.zhang@spreadtrum.com>
Date:   Sat Jul 23 16:00:32 2016 +0800

    ms/netfilter: nft_compat: fix crash when related match/target module is removed
    
    We "cache" the loaded match/target modules and reuse them, but when the
    modules are removed, we still point to them. Then we may end up with
    invalid memory references when using iptables-compat to add rules later.
    
    Input the following commands will reproduce the kernel crash:
      # iptables-compat -A INPUT -j LOG
      # iptables-compat -D INPUT -j LOG
      # rmmod xt_LOG
      # iptables-compat -A INPUT -j LOG
      BUG: unable to handle kernel paging request at ffffffffa05a9010
      IP: [<ffffffff813f783e>] strcmp+0xe/0x30
      Call Trace:
      [<ffffffffa05acc43>] nft_target_select_ops+0x83/0x1f0 [nft_compat]
      [<ffffffffa058a177>] nf_tables_expr_parse+0x147/0x1f0 [nf_tables]
      [<ffffffffa058e541>] nf_tables_newrule+0x301/0x810 [nf_tables]
      [<ffffffff8141ca00>] ? nla_parse+0x20/0x100
      [<ffffffffa057fa8f>] nfnetlink_rcv+0x33f/0x53d [nfnetlink]
      [<ffffffffa057f94b>] ? nfnetlink_rcv+0x1fb/0x53d [nfnetlink]
      [<ffffffff817116b8>] netlink_unicast+0x178/0x220
      [<ffffffff81711a5b>] netlink_sendmsg+0x2fb/0x3a0
      [<ffffffff816b7fc8>] sock_sendmsg+0x38/0x50
      [<ffffffff816b8a7e>] ___sys_sendmsg+0x28e/0x2a0
      [<ffffffff816bcb7e>] ? release_sock+0x1e/0xb0
      [<ffffffff81804ac5>] ? _raw_spin_unlock_bh+0x35/0x40
      [<ffffffff816bcbe2>] ? release_sock+0x82/0xb0
      [<ffffffff816b93d4>] __sys_sendmsg+0x54/0x90
      [<ffffffff816b9422>] SyS_sendmsg+0x12/0x20
      [<ffffffff81805172>] entry_SYSCALL_64_fastpath+0x1a/0xa9
    
    So when nobody use the related match/target module, there's no need to
    "cache" it. And nft_[match|target]_release are useless anymore, remove
    them.
    
    Signed-off-by: Liping Zhang <liping.zhang@spreadtrum.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
    
    https://jira.sw.ru/browse/PSBM-99656
    
    (cherry picked from commit 4b512e1c1f8de6b9ceb796ecef8658e0a083cab7)
    Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 net/netfilter/nft_compat.c | 43 ++++++++++++++++++++-----------------------
 1 file changed, 20 insertions(+), 23 deletions(-)

Patch hide | download patch | download mbox

diff --git a/net/netfilter/nft_compat.c b/net/netfilter/nft_compat.c
index 424d1b9a8293..2efc6a925dc2 100644
--- a/net/netfilter/nft_compat.c
+++ b/net/netfilter/nft_compat.c
@@ -23,6 +23,20 @@ 
 #include <linux/netfilter_arp/arp_tables.h>
 #include <net/netfilter/nf_tables.h>
 
+struct nft_xt {
+	struct list_head	head;
+	struct nft_expr_ops	ops;
+	unsigned int		refcnt;
+};
+
+static void nft_xt_put(struct nft_xt *xt)
+{
+	if (--xt->refcnt == 0) {
+		list_del(&xt->head);
+		kfree(xt);
+	}
+}
+
 static int nft_compat_chain_validate_dependency(const char *tablename,
 						const struct nft_chain *chain)
 {
@@ -260,6 +274,7 @@  nft_target_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 	if (par.target->destroy != NULL)
 		par.target->destroy(&par);
 
+	nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
 	module_put(target->me);
 }
 
@@ -442,6 +457,7 @@  nft_match_destroy(const struct nft_ctx *ctx, const struct nft_expr *expr)
 	if (par.match->destroy != NULL)
 		par.match->destroy(&par);
 
+	nft_xt_put(container_of(expr->ops, struct nft_xt, ops));
 	module_put(match->me);
 }
 
@@ -612,11 +628,6 @@  static const struct nfnetlink_subsystem nfnl_compat_subsys = {
 
 static LIST_HEAD(nft_match_list);
 
-struct nft_xt {
-	struct list_head	head;
-	struct nft_expr_ops	ops;
-};
-
 static struct nft_expr_type nft_match_type;
 
 static bool nft_match_cmp(const struct xt_match *match,
@@ -652,6 +663,7 @@  nft_match_select_ops(const struct nft_ctx *ctx,
 			if (!try_module_get(match->me))
 				return ERR_PTR(-ENOENT);
 
+			nft_match->refcnt++;
 			return &nft_match->ops;
 		}
 	}
@@ -668,6 +680,7 @@  nft_match_select_ops(const struct nft_ctx *ctx,
 	if (nft_match == NULL)
 		return ERR_PTR(-ENOMEM);
 
+	nft_match->refcnt = 1;
 	nft_match->ops.type = &nft_match_type;
 	nft_match->ops.size = NFT_EXPR_SIZE(XT_ALIGN(match->matchsize));
 	nft_match->ops.eval = nft_match_eval;
@@ -682,14 +695,6 @@  nft_match_select_ops(const struct nft_ctx *ctx,
 	return &nft_match->ops;
 }
 
-static void nft_match_release(void)
-{
-	struct nft_xt *nft_match, *tmp;
-
-	list_for_each_entry_safe(nft_match, tmp, &nft_match_list, head)
-		kfree(nft_match);
-}
-
 static struct nft_expr_type nft_match_type __read_mostly = {
 	.name		= "match",
 	.select_ops	= nft_match_select_ops,
@@ -735,6 +740,7 @@  nft_target_select_ops(const struct nft_ctx *ctx,
 			if (!try_module_get(target->me))
 				return ERR_PTR(-ENOENT);
 
+			nft_target->refcnt++;
 			return &nft_target->ops;
 		}
 	}
@@ -751,6 +757,7 @@  nft_target_select_ops(const struct nft_ctx *ctx,
 	if (nft_target == NULL)
 		return ERR_PTR(-ENOMEM);
 
+	nft_target->refcnt = 1;
 	nft_target->ops.type = &nft_target_type;
 	nft_target->ops.size = NFT_EXPR_SIZE(XT_ALIGN(target->targetsize));
 	nft_target->ops.init = nft_target_init;
@@ -769,14 +776,6 @@  nft_target_select_ops(const struct nft_ctx *ctx,
 	return &nft_target->ops;
 }
 
-static void nft_target_release(void)
-{
-	struct nft_xt *nft_target, *tmp;
-
-	list_for_each_entry_safe(nft_target, tmp, &nft_target_list, head)
-		kfree(nft_target);
-}
-
 static struct nft_expr_type nft_target_type __read_mostly = {
 	.name		= "target",
 	.select_ops	= nft_target_select_ops,
@@ -819,8 +818,6 @@  static void __exit nft_compat_module_exit(void)
 	nfnetlink_subsys_unregister(&nfnl_compat_subsys);
 	nft_unregister_expr(&nft_target_type);
 	nft_unregister_expr(&nft_match_type);
-	nft_match_release();
-	nft_target_release();
 }
 
 MODULE_ALIAS_NFNL_SUBSYS(NFNL_SUBSYS_NFT_COMPAT);