www.infradead.org Git - users/dwmw2/linux.git/commit

author	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 30 May 2022 16:24:06 +0000 (18:24 +0200)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Mon, 6 Jun 2022 06:48:54 +0000 (08:48 +0200)
commit	86c0154f4c3a56c5db8b9dd09e3ce885382c2c19
tree	0c7b8982807fb6da1d1e87071c89744d0559ecc3	tree
parent	cc7c6e0a8e1d45955b976943dbd4ba98448ceb46	commit \| diff

netfilter: nf_tables: double hook unregistration in netns path

commit f9a43007d3f7ba76d5e7f9421094f00f2ef202f8 upstream.

__nft_release_hooks() is called from pre_netns exit path which
unregisters the hooks, then the NETDEV_UNREGISTER event is triggered
which unregisters the hooks again.

[  565.221461] WARNING: CPU: 18 PID: 193 at net/netfilter/core.c:495 __nf_unregister_net_hook+0x247/0x270
[...]
[  565.246890] CPU: 18 PID: 193 Comm: kworker/u64:1 Tainted: G            E     5.18.0-rc7+ #27
[  565.253682] Workqueue: netns cleanup_net
[  565.257059] RIP: 0010:__nf_unregister_net_hook+0x247/0x270
[...]
[  565.297120] Call Trace:
[  565.300900]  <TASK>
[  565.304683]  nf_tables_flowtable_event+0x16a/0x220 [nf_tables]
[  565.308518]  raw_notifier_call_chain+0x63/0x80
[  565.312386]  unregister_netdevice_many+0x54f/0xb50

Unregister and destroy netdev hook from netns pre_exit via kfree_rcu
so the NETDEV_UNREGISTER path see unregistered hooks.

Fixes: 767d1216bff8 ("netfilter: nftables: fix possible UAF over chains from packet path in netns")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>