git.samba.org - sfrench/cifs-2.6.git/commit

author	Florian Westphal <fw@strlen.de>
	Mon, 14 Jan 2019 13:28:48 +0000 (14:28 +0100)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Fri, 18 Jan 2019 01:29:41 +0000 (02:29 +0100)
commit	12c44aba6618b7f6c437076e5722237190f6cd5f
tree	a23503ee9662241f43904219c08db82c09784c75	tree
parent	88a8121dc1d3d0dbddd411b79ed236b6b6ea415c	commit \| diff

netfilter: nft_compat: use refcnt_t type for nft_xt reference count

Using standard integer type was fine while all operations on it were
guarded by the nftnl subsys mutex.

This isn't true anymore:
1. transactions are guarded only by a pernet mutex, so concurrent
   rule manipulation in different netns is racy
2. the ->destroy hook runs from a work queue after the transaction
   mutex has been released already.

cpu0                           cpu1 (net 1)        cpu2 (net 2)
kworker
    nft_compat->destroy        nft_compat->init    nft_compat->init
      if (--nft_xt->ref == 0)   nft_xt->ref++        nft_xt->ref++

Switch to refcount_t.  Doing this however only fixes a minor aspect,
nft_compat also performs linked-list operations in an unsafe way.

This is addressed in the next two patches.

Fixes: f102d66b335a ("netfilter: nf_tables: use dedicated mutex to guard transactions")
Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release")
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>