From patchwork Mon Jun 25 15:22:00 2018
X-Patchwork-Submitter: Jann Horn
X-Patchwork-Id: 934401
X-Patchwork-Delegate: davem@davemloft.net
Date: Mon, 25 Jun 2018 17:22:00 +0200
Message-Id: <20180625152200.200145-1-jannh@google.com>
X-Mailer: git-send-email 2.18.0.rc2.346.g013aa6912e-goog
Subject: [PATCH net] netfilter: nf_log: don't hold nf_log_mutex during user access
From: Jann Horn
To: Pablo Neira Ayuso, Jozsef Kadlecsik, Florian Westphal, "David S. Miller", netfilter-devel@vger.kernel.org, coreteam@netfilter.org, jannh@google.com
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org, security@kernel.org
X-Mailing-List: netdev@vger.kernel.org

The old code would indefinitely block other users of nf_log_mutex if
a userspace access in proc_dostring() blocked e.g. due to a userfaultfd
region. Fix it by moving proc_dostring() out of the locked region.

This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix
sleeping function called from invalid context"), which changed this code
from using rcu_read_lock() to taking nf_log_mutex.

Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]")
Signed-off-by: Jann Horn --- net/netfilter/nf_log.c | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c index 426457047578..95b92954b896 100644 --- a/net/netfilter/nf_log.c +++ b/net/netfilter/nf_log.c @@ -442,14 +442,17 @@ static int nf_log_proc_dostring(struct ctl_table *table, int write, rcu_assign_pointer(net->nf.nf_loggers[tindex], logger); mutex_unlock(&nf_log_mutex); } else { + struct ctl_table tmp = *table; + + tmp.data = buf; mutex_lock(&nf_log_mutex); logger = nft_log_dereference(net->nf.nf_loggers[tindex]); if (!logger) - table->data = "NONE"; + strlcpy(buf, "NONE", sizeof(buf)); else - table->data = logger->name; - r = proc_dostring(table, write, buffer, lenp, ppos); + strlcpy(buf, logger->name, sizeof(buf)); mutex_unlock(&nf_log_mutex); + r = proc_dostring(&tmp, write, buffer, lenp, ppos); } return r;
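Review bot: In the read branch, `tmp` inherits `maxlen` from `*table` while `tmp.data` now points at `buf`, and the copies into `buf` are bounded by `sizeof(buf)`; nothing in this hunk shows that the two sizes agree, or that `buf` is an array rather than a pointer, since its declaration lies outside the hunk. Consider setting `tmp.maxlen = sizeof(buf);` next to `tmp.data = buf;` so the bound proc_dostring() uses is tied to the buffer it actually reads. A one-line comment at the moved `r = proc_dostring(&tmp, write, buffer, lenp, ppos);` saying that it touches userspace and must stay outside nf_log_mutex would also keep a later cleanup from moving it back under the lock.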