diff mbox series

[nf-next,v3,01/16] netfilter: nf_tables: Keep deleted flowtable hooks until after RCU

Message ID 20240912122148.12159-2-phil@nwl.cc
State Accepted
Headers show
Series Dynamic hook interface binding | expand

Commit Message

Phil Sutter Sept. 12, 2024, 12:21 p.m. UTC 
Documentation of list_del_rcu() warns callers to not immediately free
the deleted list item. While it seems not necessary to use the
RCU-variant of list_del() here in the first place, doing so seems to
require calling kfree_rcu() on the deleted item as well.

Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
Signed-off-by: Phil Sutter <phil@nwl.cc>
---
 net/netfilter/nf_tables_api.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Florian Westphal Sept. 12, 2024, 1:32 p.m. UTC | #1 
Phil Sutter <phil@nwl.cc> wrote:
> Documentation of list_del_rcu() warns callers to not immediately free
> the deleted list item. While it seems not necessary to use the
> RCU-variant of list_del() here in the first place, doing so seems to
> require calling kfree_rcu() on the deleted item as well.
> 
> Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index b6547fe22bd8..2982f49b6d55 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -9180,7 +9180,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
>  		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
>  					    FLOW_BLOCK_UNBIND);
>  		list_del_rcu(&hook->list);
> -		kfree(hook);
> +		kfree_rcu(hook, rcu);
>  	}
>  	kfree(flowtable->name);
>  	module_put(flowtable->data.type->owner);

AFAICS its safe to use list_del() everywhere, I can't find a single
instance where the hooks are iterated without mutex serialization.

nf_tables_flowtable_destroy() is called after the hook has been
unregisted (detached from nf_hook list) and rcu grace period elapsed.
Phil Sutter Sept. 12, 2024, 1:48 p.m. UTC | #2 
On Thu, Sep 12, 2024 at 03:32:55PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Documentation of list_del_rcu() warns callers to not immediately free
> > the deleted list item. While it seems not necessary to use the
> > RCU-variant of list_del() here in the first place, doing so seems to
> > require calling kfree_rcu() on the deleted item as well.
> > 
> > Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> >  net/netfilter/nf_tables_api.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index b6547fe22bd8..2982f49b6d55 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> > @@ -9180,7 +9180,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
> >  		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
> >  					    FLOW_BLOCK_UNBIND);
> >  		list_del_rcu(&hook->list);
> > -		kfree(hook);
> > +		kfree_rcu(hook, rcu);
> >  	}
> >  	kfree(flowtable->name);
> >  	module_put(flowtable->data.type->owner);
> 
> AFAICS its safe to use list_del() everywhere, I can't find a single
> instance where the hooks are iterated without mutex serialization.
> 
> nf_tables_flowtable_destroy() is called after the hook has been
> unregisted (detached from nf_hook list) and rcu grace period elapsed.

Yes, I didn't find a caller which didn't synchronize_rcu() before
calling it. Same applies to chain hooks, right? I'd drop all the _rcu()
calls and give it a try, but the resulting race conditions may be hard
to trigger.

Cheers, Phil
Florian Westphal Sept. 12, 2024, 2:27 p.m. UTC | #3 
Phil Sutter <phil@nwl.cc> wrote:
> > nf_tables_flowtable_destroy() is called after the hook has been
> > unregisted (detached from nf_hook list) and rcu grace period elapsed.
> 
> Yes, I didn't find a caller which didn't synchronize_rcu() before
> calling it. Same applies to chain hooks, right?

Sigh, there is nft_flowtable_find_dev() which iterates the nft_hook
list from packet path.

So the syncrhonize_rcu is irrelevant as long as the entry
is linked up and this patch is correct as-is.

 list_del_rcu(&hook->list);
 kfree(hook);

is illegal, and I think this should add a helper that unlinks
and then frees the entry via kfree_rcu and converts all instances
of this pattern.
Pablo Neira Ayuso Sept. 16, 2024, midnight UTC | #4 
On Thu, Sep 12, 2024 at 03:32:55PM +0200, Florian Westphal wrote:
> Phil Sutter <phil@nwl.cc> wrote:
> > Documentation of list_del_rcu() warns callers to not immediately free
> > the deleted list item. While it seems not necessary to use the
> > RCU-variant of list_del() here in the first place, doing so seems to
> > require calling kfree_rcu() on the deleted item as well.
> > 
> > Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
> > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > ---
> >  net/netfilter/nf_tables_api.c | 2 +-
> >  1 file changed, 1 insertion(+), 1 deletion(-)
> > 
> > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > index b6547fe22bd8..2982f49b6d55 100644
> > --- a/net/netfilter/nf_tables_api.c
> > +++ b/net/netfilter/nf_tables_api.c
> > @@ -9180,7 +9180,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
> >  		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
> >  					    FLOW_BLOCK_UNBIND);
> >  		list_del_rcu(&hook->list);
> > -		kfree(hook);
> > +		kfree_rcu(hook, rcu);

This looks correct to me.

> >  	}
> >  	kfree(flowtable->name);
> >  	module_put(flowtable->data.type->owner);
> 
> AFAICS its safe to use list_del() everywhere, I can't find a single
> instance where the hooks are iterated without mutex serialization.

Netlink dump path is lockless.

nft_dump_basechain_hook() is missing list_for_each_entry_rcu() for
list iteration, that needs a fix.

nf_tables_fill_flowtable_info() does use list_for_each_entry_rcu().

> nf_tables_flowtable_destroy() is called after the hook has been
> unregisted (detached from nf_hook list) and rcu grace period elapsed.
Pablo Neira Ayuso Sept. 16, 2024, 9:42 p.m. UTC | #5 
On Mon, Sep 16, 2024 at 02:00:59AM +0200, Pablo Neira Ayuso wrote:
> On Thu, Sep 12, 2024 at 03:32:55PM +0200, Florian Westphal wrote:
> > Phil Sutter <phil@nwl.cc> wrote:
> > > Documentation of list_del_rcu() warns callers to not immediately free
> > > the deleted list item. While it seems not necessary to use the
> > > RCU-variant of list_del() here in the first place, doing so seems to
> > > require calling kfree_rcu() on the deleted item as well.
> > > 
> > > Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
> > > Signed-off-by: Phil Sutter <phil@nwl.cc>
> > > ---
> > >  net/netfilter/nf_tables_api.c | 2 +-
> > >  1 file changed, 1 insertion(+), 1 deletion(-)
> > > 
> > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> > > index b6547fe22bd8..2982f49b6d55 100644
> > > --- a/net/netfilter/nf_tables_api.c
> > > +++ b/net/netfilter/nf_tables_api.c
> > > @@ -9180,7 +9180,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
> > >  		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
> > >  					    FLOW_BLOCK_UNBIND);
> > >  		list_del_rcu(&hook->list);
> > > -		kfree(hook);
> > > +		kfree_rcu(hook, rcu);
> 
> This looks correct to me.
> 
> > >  	}
> > >  	kfree(flowtable->name);
> > >  	module_put(flowtable->data.type->owner);
> > 
> > AFAICS its safe to use list_del() everywhere, I can't find a single
> > instance where the hooks are iterated without mutex serialization.
> 
> Netlink dump path is lockless.
> 
> nft_dump_basechain_hook() is missing list_for_each_entry_rcu() for
> list iteration, that needs a fix.
> 
> nf_tables_fill_flowtable_info() does use list_for_each_entry_rcu().

I'd suggest to start by sending fixes for nf.git to address these two
issues.

> > nf_tables_flowtable_destroy() is called after the hook has been
> > unregisted (detached from nf_hook list) and rcu grace period elapsed.
Pablo Neira Ayuso Sept. 17, 2024, 9:14 p.m. UTC | #6 
On Thu, Sep 12, 2024 at 02:21:33PM +0200, Phil Sutter wrote:
> Documentation of list_del_rcu() warns callers to not immediately free
> the deleted list item. While it seems not necessary to use the
> RCU-variant of list_del() here in the first place, doing so seems to
> require calling kfree_rcu() on the deleted item as well.

LGTM, I plan to take this into nf.git

Thanks.

> Fixes: 3f0465a9ef02 ("netfilter: nf_tables: dynamically allocate hooks per net_device in flowtables")
> Signed-off-by: Phil Sutter <phil@nwl.cc>
> ---
>  net/netfilter/nf_tables_api.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
> index b6547fe22bd8..2982f49b6d55 100644
> --- a/net/netfilter/nf_tables_api.c
> +++ b/net/netfilter/nf_tables_api.c
> @@ -9180,7 +9180,7 @@ static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
>  		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
>  					    FLOW_BLOCK_UNBIND);
>  		list_del_rcu(&hook->list);
> -		kfree(hook);
> +		kfree_rcu(hook, rcu);
>  	}
>  	kfree(flowtable->name);
>  	module_put(flowtable->data.type->owner);
> -- 
> 2.43.0
>
diff mbox series

Patch

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index b6547fe22bd8..2982f49b6d55 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -9180,7 +9180,7 @@  static void nf_tables_flowtable_destroy(struct nft_flowtable *flowtable)
 		flowtable->data.type->setup(&flowtable->data, hook->ops.dev,
 					    FLOW_BLOCK_UNBIND);
 		list_del_rcu(&hook->list);
-		kfree(hook);
+		kfree_rcu(hook, rcu);
 	}
 	kfree(flowtable->name);
 	module_put(flowtable->data.type->owner);