OpenCloudOS-Kernel/include/net/netfilter
Pablo Neira Ayuso 179d9ba555 netfilter: nf_tables: fix table flag updates
The dormant flag needs to be updated from the preparation phase,
otherwise, two consecutive requests to dorm a table in the same batch
might try to remove the same hooks twice, resulting in the following
warning:

 hook not found, pf 3 num 0
 WARNING: CPU: 0 PID: 334 at net/netfilter/core.c:480 __nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480
 Modules linked in:
 CPU: 0 PID: 334 Comm: kworker/u4:5 Not tainted 5.12.0-syzkaller #0
 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 Workqueue: netns cleanup_net
 RIP: 0010:__nf_unregister_net_hook+0x1eb/0x610 net/netfilter/core.c:480

This patch is a partial revert of 0ce7cf4127 ("netfilter: nftables:
update table flags from the commit phase") to restore the previous
behaviour.

However, there is still another problem: A batch containing a series of
dorm-wakeup-dorm table and vice-versa also triggers the warning above
since hook unregistration happens from the preparation phase, while hook
registration occurs from the commit phase.

To fix this problem, this patch adds two internal flags to annotate the
original dormant flag status which are __NFT_TABLE_F_WAS_DORMANT and
__NFT_TABLE_F_WAS_AWAKEN, to restore it from the abort path.

The __NFT_TABLE_F_UPDATE bitmask allows handling the dormant flag update
with one single transaction.

Reported-by: syzbot+7ad5cd1615f2d89c6e7e@syzkaller.appspotmail.com
Fixes: 0ce7cf4127 ("netfilter: nftables: update table flags from the commit phase")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2021-05-24 17:49:57 +02:00
..
ipv4 netfilter: disable defrag once its no longer needed 2021-04-26 03:20:07 +02:00
ipv6 netfilter: disable defrag once its no longer needed 2021-04-26 03:20:07 +02:00
br_netfilter.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack.h netfilter: conntrack: move ct counter to net_generic data 2021-04-13 13:10:39 +02:00
nf_conntrack_acct.h netfilter: conntrack: add nf_ct_acct_add() 2020-03-30 02:05:39 +02:00
nf_conntrack_bridge.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack_core.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack_count.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_conntrack_ecache.h netfilter: conntrack: move ecache dwork to net_generic infra 2021-04-06 00:34:53 +02:00
nf_conntrack_expect.h netfilter: fix coding-style errors. 2019-09-13 11:39:38 +02:00
nf_conntrack_extend.h netfilter: Replace zero-length array with flexible-array member 2020-03-15 15:20:16 +01:00
nf_conntrack_helper.h treewide: Use sizeof_field() macro 2019-12-09 10:36:44 -08:00
nf_conntrack_l4proto.h netfilter: ctnetlink: add timeout and protoinfo to destroy events 2020-12-12 11:44:42 +01:00
nf_conntrack_labels.h netfilter: fix include guards. 2019-09-13 11:39:38 +02:00
nf_conntrack_seqadj.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
nf_conntrack_synproxy.h netfilter: conntrack: wrap two inline functions in config checks. 2019-09-13 12:47:10 +02:00
nf_conntrack_timeout.h netfilter: Replace zero-length array with flexible-array member 2020-03-15 15:20:16 +01:00
nf_conntrack_timestamp.h netfilter: conntrack: remove two unused functions from nf_conntrack_timestamp.h. 2019-09-13 12:48:09 +02:00
nf_conntrack_tuple.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_conntrack_zones.h netfilter: conntrack: remove CONFIG_NF_CONNTRACK checks from nf_conntrack_zones.h. 2019-09-13 12:47:41 +02:00
nf_dup_netdev.h netfilter: nft_{fwd,dup}_netdev: add offload support 2019-09-10 22:44:29 +02:00
nf_flow_table.h netfilter: flowtable: Remove redundant hw refresh bit 2021-05-14 01:34:26 +02:00
nf_log.h netfilter: nf_log_common: merge with nf_log_syslog 2021-03-31 22:34:10 +02:00
nf_nat.h netfilter: nat: move nf_xfrm_me_harder to where it is used 2021-04-26 03:20:07 +02:00
nf_nat_helper.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_nat_masquerade.h netfilter: update include directives. 2019-09-13 12:33:06 +02:00
nf_nat_redirect.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_queue.h netfilter: nf_queue: place bridge physports into queue_entry struct 2020-03-29 16:28:29 +02:00
nf_reject.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
nf_socket.h netfilter: Decrease code duplication regarding transparent socket option 2018-06-03 00:02:01 +02:00
nf_synproxy.h netfilter: remove CONFIG_NETFILTER checks from headers. 2019-09-13 12:47:36 +02:00
nf_tables.h netfilter: nf_tables: fix table flag updates 2021-05-24 17:49:57 +02:00
nf_tables_core.h netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nf_tables_ipv4.h netfilter: nf_tables: add inet ingress support 2020-10-12 01:57:34 +02:00
nf_tables_ipv6.h netfilter: nf_tables: add inet ingress support 2020-10-12 01:57:34 +02:00
nf_tables_offload.h netfilter: nftables: counter hardware offload support 2021-04-18 22:04:49 +02:00
nf_tproxy.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2018-07-20 22:28:28 -07:00
nft_fib.h netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_meta.h netfilter: nftables: add nft_parse_register_store() and use it 2021-01-27 23:16:02 +01:00
nft_reject.h netfilter: add missing includes to a number of header-files. 2019-08-13 12:14:39 +02:00
xt_rateest.h netfilter: make xt_rateest hash table per net 2018-03-05 23:15:44 +01:00