• Pablo Neira Ayuso's avatar
    netfilter: nf_tables: autoload modules from the abort path · eb014de4
    Pablo Neira Ayuso authored
    This patch introduces a list of pending module requests. This new module
    list is composed of nft_module_request objects that contain the module
    name and one status field that tells if the module has been already
    loaded (the 'done' field).
    
    In the first pass, from the preparation phase, the netlink command finds
    that a module is missing on this list. Then, a module request is
    allocated and added to this list and nft_request_module() returns
    -EAGAIN. This triggers the abort path with the autoload parameter set on
    from nfnetlink, request_module() is called and the module request enters
    the 'done' state. Since the mutex is released when loading modules from
    the abort phase, the module list is zapped so this is iteration occurs
    over a local list. Therefore, the request_module() calls happen when
    object lists are in consistent state (after fulling aborting the
    transaction) and the commit list is empty.
    
    On the second pass, the netlink command will find that it already tried
    to load the module, so it does not request it again and
    nft_request_module() returns 0. Then, there is a look up to find the
    object that the command was missing. If the module was successfully
    loaded, the command proceeds normally since it finds the missing object
    in place, otherwise -ENOENT is reported to userspace.
    
    This patch also updates nfnetlink to include the reason to enter the
    abort phase, which is required for this new autoload module rationale.
    
    Fixes: ec7470b8 ("netfilter: nf_tables: store transaction list locally while requesting module")
    Reported-by: syzbot+29125d208b3dae9a7019@syzkaller.appspotmail.com
    Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
    eb014de4
nfnetlink.c 15.3 KB