netfilter: nf_tables: unbind set in rule from commit path
[ backport for 4.14 of f6ac8585 ] Anonymous sets that are bound to rules from the same transaction trigger a kernel splat from the abort path due to double set list removal and double free. This patch updates the logic to search for the transaction that is responsible for creating the set and disable the set list removal and release, given the rule is now responsible for this. Lookup is reverse since the transaction that adds the set is likely to be at the tail of the list. Moreover, this patch adds the unbind step to deliver the event from the commit path. This should not be done from the worker thread, since we have no guarantees of in-order delivery to the listener. This patch removes the assumption that both activate and deactivate callbacks need to be provided. Fixes: cd5125d8 ("netfilter: nf_tables: split set destruction in deactivate and destroy phase") Reported-by:Mikhail Morfikov <mmorfikov@gmail.com> Signed-off-by:
Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by:
Sasha Levin <sashal@kernel.org>
Showing
- include/net/netfilter/nf_tables.h 13 additions, 4 deletionsinclude/net/netfilter/nf_tables.h
- net/netfilter/nf_tables_api.c 41 additions, 44 deletionsnet/netfilter/nf_tables_api.c
- net/netfilter/nft_dynset.c 7 additions, 11 deletionsnet/netfilter/nft_dynset.c
- net/netfilter/nft_immediate.c 5 additions, 1 deletionnet/netfilter/nft_immediate.c
- net/netfilter/nft_lookup.c 7 additions, 11 deletionsnet/netfilter/nft_lookup.c
- net/netfilter/nft_objref.c 7 additions, 11 deletionsnet/netfilter/nft_objref.c
Loading
Please register or sign in to comment