Message ID | 20220817140015.25843-2-fw@strlen.de (mailing list archive)
---|---
State | Accepted
Commit | 3400278328285a8c2f121904496aff5e7b610a01
Delegated to: | Netdev Maintainers
Series | [net,01/17] netfilter: nf_tables: use READ_ONCE and WRITE_ONCE for shared generation id access
Hello:

This series was applied to netdev/net.git (master)
by Florian Westphal <fw@strlen.de>:

On Wed, 17 Aug 2022 15:59:59 +0200 you wrote:
> From: Pablo Neira Ayuso <pablo@netfilter.org>
>
> The generation ID is bumped from the commit path while holding the
> mutex, however, netlink dump operations rely on RCU.
>
> This patch also adds missing cb->base_eq initialization in
> nf_tables_dump_set().
>
> [...]

Here is the summary with links:
  - [net,01/17] netfilter: nf_tables: use READ_ONCE and WRITE_ONCE for shared generation id access
    https://git.kernel.org/netdev/net/c/340027832828
  - [net,02/17] netfilter: nf_tables: disallow NFTA_SET_ELEM_KEY_END with NFT_SET_ELEM_INTERVAL_END flag
    https://git.kernel.org/netdev/net/c/4963674c2e71
  - [net,03/17] netfilter: nf_tables: possible module reference underflow in error path
    https://git.kernel.org/netdev/net/c/c485c35ff678
  - [net,04/17] netfilter: nf_ct_sane: remove pseudo skb linearization
    https://git.kernel.org/netdev/net/c/a664375da76c
  - [net,05/17] netfilter: nf_ct_h323: cap packet size at 64k
    https://git.kernel.org/netdev/net/c/f3e124c36f70
  - [net,06/17] netfilter: nf_ct_ftp: prefer skb_linearize
    https://git.kernel.org/netdev/net/c/c783a29c7e59
  - [net,07/17] netfilter: nf_ct_irc: cap packet search space to 4k
    https://git.kernel.org/netdev/net/c/976bf59c69cd
  - [net,08/17] netfilter: nf_tables: fix scheduling-while-atomic splat
    https://git.kernel.org/netdev/net/c/2024439bd5ce
  - [net,09/17] netfilter: nfnetlink: re-enable conntrack expectation events
    https://git.kernel.org/netdev/net/c/0b2f3212b551
  - [net,10/17] netfilter: nf_tables: really skip inactive sets when allocating name
    https://git.kernel.org/netdev/net/c/271c5ca826e0
  - [net,11/17] netfilter: nf_tables: validate NFTA_SET_ELEM_OBJREF based on NFT_SET_OBJECT flag
    https://git.kernel.org/netdev/net/c/5a2f3dc31811
  - [net,12/17] netfilter: nf_tables: NFTA_SET_ELEM_KEY_END requires concat and interval flags
    https://git.kernel.org/netdev/net/c/88cccd908d51
  - [net,13/17] netfilter: nf_tables: disallow NFT_SET_ELEM_CATCHALL and NFT_SET_ELEM_INTERVAL_END
    https://git.kernel.org/netdev/net/c/fc0ae524b5fd
  - [net,14/17] netfilter: nf_tables: check NFT_SET_CONCAT flag if field_count is specified
    https://git.kernel.org/netdev/net/c/1b6345d4160e
  - [net,15/17] netfilter: conntrack: NF_CONNTRACK_PROCFS should no longer default to y
    https://git.kernel.org/netdev/net/c/aa5762c34213
  - [net,16/17] testing: selftests: nft_flowtable.sh: use random netns names
    https://git.kernel.org/netdev/net/c/b71b7bfeac38
  - [net,17/17] testing: selftests: nft_flowtable.sh: rework test to detect offload failure
    https://git.kernel.org/netdev/net/c/c8550b9077d2

You are awesome, thank you!
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 3cc88998b879..8b084cd669ab 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -889,7 +889,7 @@ static int nf_tables_dump_tables(struct sk_buff *skb, rcu_read_lock(); nft_net = nft_pernet(net); - cb->seq = nft_net->base_seq; + cb->seq = READ_ONCE(nft_net->base_seq); list_for_each_entry_rcu(table, &nft_net->tables, list) { if (family != NFPROTO_UNSPEC && family != table->family) @@ -1705,7 +1705,7 @@ static int nf_tables_dump_chains(struct sk_buff *skb, rcu_read_lock(); nft_net = nft_pernet(net); - cb->seq = nft_net->base_seq; + cb->seq = READ_ONCE(nft_net->base_seq); list_for_each_entry_rcu(table, &nft_net->tables, list) { if (family != NFPROTO_UNSPEC && family != table->family) @@ -3149,7 +3149,7 @@ static int nf_tables_dump_rules(struct sk_buff *skb, rcu_read_lock(); nft_net = nft_pernet(net); - cb->seq = nft_net->base_seq; + cb->seq = READ_ONCE(nft_net->base_seq); list_for_each_entry_rcu(table, &nft_net->tables, list) { if (family != NFPROTO_UNSPEC && family != table->family) @@ -4133,7 +4133,7 @@ static int nf_tables_dump_sets(struct sk_buff *skb, struct netlink_callback *cb) rcu_read_lock(); nft_net = nft_pernet(net); - cb->seq = nft_net->base_seq; + cb->seq = READ_ONCE(nft_net->base_seq); list_for_each_entry_rcu(table, &nft_net->tables, list) { if (ctx->family != NFPROTO_UNSPEC && @@ -5061,6 +5061,8 @@ static int nf_tables_dump_set(struct sk_buff *skb, struct netlink_callback *cb) rcu_read_lock(); nft_net = nft_pernet(net); + cb->seq = READ_ONCE(nft_net->base_seq); + list_for_each_entry_rcu(table, &nft_net->tables, list) { if (dump_ctx->ctx.family != NFPROTO_UNSPEC && dump_ctx->ctx.family != table->family) 
@@ -6941,7 +6943,7 @@ static int nf_tables_dump_obj(struct sk_buff *skb, struct netlink_callback *cb) rcu_read_lock(); nft_net = nft_pernet(net); - cb->seq = nft_net->base_seq; + cb->seq = READ_ONCE(nft_net->base_seq); list_for_each_entry_rcu(table, &nft_net->tables, list) { if (family != NFPROTO_UNSPEC && family != table->family) @@ -7873,7 +7875,7 @@ static int nf_tables_dump_flowtable(struct sk_buff *skb, rcu_read_lock(); nft_net = nft_pernet(net); - cb->seq = nft_net->base_seq; + cb->seq = READ_ONCE(nft_net->base_seq); list_for_each_entry_rcu(table, &nft_net->tables, list) { if (family != NFPROTO_UNSPEC && family != table->family) @@ -8806,6 +8808,7 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) struct nft_trans_elem *te; struct nft_chain *chain; struct nft_table *table; + unsigned int base_seq; LIST_HEAD(adl); int err; @@ -8855,9 +8858,12 @@ static int nf_tables_commit(struct net *net, struct sk_buff *skb) * Bump generation counter, invalidate any dump in progress. * Cannot fail after this point. */ - while (++nft_net->base_seq == 0) + base_seq = READ_ONCE(nft_net->base_seq); + while (++base_seq == 0) ; + WRITE_ONCE(nft_net->base_seq, base_seq); + /* step 3. Start new generation, rules_gen_X now in use. */ net->nft.gencursor = nft_gencursor_next(net);
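Review bot: the `cb->seq = READ_ONCE(nft_net->base_seq);` hunks in nf_tables_dump_tables(), nf_tables_dump_chains(), nf_tables_dump_rules(), nf_tables_dump_sets(), nf_tables_dump_obj() and nf_tables_dump_flowtable() lack a comment saying why the annotation is needed here; each of these loads runs under rcu_read_lock() while the commit path bumps the same field under the mutex, so the READ_ONCE is what stops the compiler from tearing or re-issuing the load, not something the RCU list walk below already guarantees. A one-line comment at the first site (or a sentence in the commit message naming the snapshot/compare pattern against the generation ID) would keep a future reader from hunting for a missing barrier, and would make it obvious that the remaining plain reads of base_seq, if any exist outside this diff, deserve the same treatment.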
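Review bot: the nf_tables_dump_set() hunk (`+ cb->seq = READ_ONCE(nft_net->base_seq);` at the old line 5061) is a behaviour change, not just an annotation: in the old code cb->seq was never initialised in this callback, so a set-element dump could not detect a commit interleaved with it, unlike the other dump callbacks touched in this patch. That is worth stating explicitly in the commit message (it currently says "adds missing cb->base_eq initialization", which also looks like a typo for the field actually set) and is arguably a separate fix with its own Fixes: tag, since it changes what userspace sees for an interrupted set dump.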
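Review bot: the nf_tables_commit() hunk gets the writer side right, and the reason deserves a comment next to the loop: the old `while (++nft_net->base_seq == 0)` incremented the shared field in place, so an RCU dump could observe the transient zero (and a plain, possibly torn, store) while the wrap-around was being skipped, whereas computing the next non-zero value in the local `base_seq` and publishing it once with `WRITE_ONCE(nft_net->base_seq, base_seq);` means readers only ever see a valid generation. Minor: the `base_seq = READ_ONCE(nft_net->base_seq);` load is not required for correctness, since writers are serialised by the mutex noted in the "Bump generation counter, invalidate any dump in progress" comment above the hunk, but keeping it paired with the WRITE_ONCE is fine and matches the reader sites; a short comment would stop someone from "simplifying" it back to the in-place increment later.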