Commit 1689f259 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso

netfilter: nf_tables: report use refcount overflow

Overflow use refcount checks are not complete.

Add helper function to deal with object reference counter tracking.
Report -EMFILE in case UINT_MAX is reached.

nft_use_dec() splats in case that reference counter underflows,
which should not ever happen.

Add nft_use_inc_restore() and nft_use_dec_restore() which are used
to restore reference counter from error and abort paths.

Use u32 in nft_flowtable and nft_object since helper functions cannot
work on bitfields.

Remove the few early incomplete checks now that the helper functions
are in place and used to check for refcount overflow.

Fixes: 96518518 ("netfilter: add nftables")
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent c451410c
...@@ -1211,6 +1211,29 @@ int __nft_release_basechain(struct nft_ctx *ctx); ...@@ -1211,6 +1211,29 @@ int __nft_release_basechain(struct nft_ctx *ctx);
unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv); unsigned int nft_do_chain(struct nft_pktinfo *pkt, void *priv);
static inline bool nft_use_inc(u32 *use)
{
if (*use == UINT_MAX)
return false;
(*use)++;
return true;
}
static inline void nft_use_dec(u32 *use)
{
WARN_ON_ONCE((*use)-- == 0);
}
/* For error and abort path: restore use counter to previous state. */
static inline void nft_use_inc_restore(u32 *use)
{
WARN_ON_ONCE(!nft_use_inc(use));
}
#define nft_use_dec_restore nft_use_dec
/** /**
* struct nft_table - nf_tables table * struct nft_table - nf_tables table
* *
...@@ -1296,8 +1319,8 @@ struct nft_object { ...@@ -1296,8 +1319,8 @@ struct nft_object {
struct list_head list; struct list_head list;
struct rhlist_head rhlhead; struct rhlist_head rhlhead;
struct nft_object_hash_key key; struct nft_object_hash_key key;
u32 genmask:2, u32 genmask:2;
use:30; u32 use;
u64 handle; u64 handle;
u16 udlen; u16 udlen;
u8 *udata; u8 *udata;
...@@ -1399,8 +1422,8 @@ struct nft_flowtable { ...@@ -1399,8 +1422,8 @@ struct nft_flowtable {
char *name; char *name;
int hooknum; int hooknum;
int ops_len; int ops_len;
u32 genmask:2, u32 genmask:2;
use:30; u32 use;
u64 handle; u64 handle;
/* runtime data below here */ /* runtime data below here */
struct list_head hook_list ____cacheline_aligned; struct list_head hook_list ____cacheline_aligned;
......
This diff is collapsed.
...@@ -408,8 +408,10 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx, ...@@ -408,8 +408,10 @@ static int nft_flow_offload_init(const struct nft_ctx *ctx,
if (IS_ERR(flowtable)) if (IS_ERR(flowtable))
return PTR_ERR(flowtable); return PTR_ERR(flowtable);
if (!nft_use_inc(&flowtable->use))
return -EMFILE;
priv->flowtable = flowtable; priv->flowtable = flowtable;
flowtable->use++;
return nf_ct_netns_get(ctx->net, ctx->family); return nf_ct_netns_get(ctx->net, ctx->family);
} }
...@@ -428,7 +430,7 @@ static void nft_flow_offload_activate(const struct nft_ctx *ctx, ...@@ -428,7 +430,7 @@ static void nft_flow_offload_activate(const struct nft_ctx *ctx,
{ {
struct nft_flow_offload *priv = nft_expr_priv(expr); struct nft_flow_offload *priv = nft_expr_priv(expr);
priv->flowtable->use++; nft_use_inc_restore(&priv->flowtable->use);
} }
static void nft_flow_offload_destroy(const struct nft_ctx *ctx, static void nft_flow_offload_destroy(const struct nft_ctx *ctx,
......
...@@ -159,7 +159,7 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx, ...@@ -159,7 +159,7 @@ static void nft_immediate_deactivate(const struct nft_ctx *ctx,
default: default:
nft_chain_del(chain); nft_chain_del(chain);
chain->bound = false; chain->bound = false;
chain->table->use--; nft_use_dec(&chain->table->use);
break; break;
} }
break; break;
...@@ -198,7 +198,7 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx, ...@@ -198,7 +198,7 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
* let the transaction records release this chain and its rules. * let the transaction records release this chain and its rules.
*/ */
if (chain->bound) { if (chain->bound) {
chain->use--; nft_use_dec(&chain->use);
break; break;
} }
...@@ -206,9 +206,9 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx, ...@@ -206,9 +206,9 @@ static void nft_immediate_destroy(const struct nft_ctx *ctx,
chain_ctx = *ctx; chain_ctx = *ctx;
chain_ctx.chain = chain; chain_ctx.chain = chain;
chain->use--; nft_use_dec(&chain->use);
list_for_each_entry_safe(rule, n, &chain->rules, list) { list_for_each_entry_safe(rule, n, &chain->rules, list) {
chain->use--; nft_use_dec(&chain->use);
list_del(&rule->list); list_del(&rule->list);
nf_tables_rule_destroy(&chain_ctx, rule); nf_tables_rule_destroy(&chain_ctx, rule);
} }
......
...@@ -41,8 +41,10 @@ static int nft_objref_init(const struct nft_ctx *ctx, ...@@ -41,8 +41,10 @@ static int nft_objref_init(const struct nft_ctx *ctx,
if (IS_ERR(obj)) if (IS_ERR(obj))
return -ENOENT; return -ENOENT;
if (!nft_use_inc(&obj->use))
return -EMFILE;
nft_objref_priv(expr) = obj; nft_objref_priv(expr) = obj;
obj->use++;
return 0; return 0;
} }
...@@ -72,7 +74,7 @@ static void nft_objref_deactivate(const struct nft_ctx *ctx, ...@@ -72,7 +74,7 @@ static void nft_objref_deactivate(const struct nft_ctx *ctx,
if (phase == NFT_TRANS_COMMIT) if (phase == NFT_TRANS_COMMIT)
return; return;
obj->use--; nft_use_dec(&obj->use);
} }
static void nft_objref_activate(const struct nft_ctx *ctx, static void nft_objref_activate(const struct nft_ctx *ctx,
...@@ -80,7 +82,7 @@ static void nft_objref_activate(const struct nft_ctx *ctx, ...@@ -80,7 +82,7 @@ static void nft_objref_activate(const struct nft_ctx *ctx,
{ {
struct nft_object *obj = nft_objref_priv(expr); struct nft_object *obj = nft_objref_priv(expr);
obj->use++; nft_use_inc_restore(&obj->use);
} }
static const struct nft_expr_ops nft_objref_ops = { static const struct nft_expr_ops nft_objref_ops = {
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment