netfilter: nf_tables: use rcu chain hook list iterator from netlink dump path

Lockless iteration over hook list is possible from netlink dump path, use rcu variant to iterate over the hook list as is done with flowtable hooks. Fixes: b9703ed4 ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: nf_tables: use rcu chain hook list iterator from netlink dump path
Lockless iteration over hook list is possible from netlink dump path, use rcu variant to iterate over the hook list as is done with flowtable hooks. Fixes: b9703ed4 ("netfilter: nf_tables: support for adding new devices to an existing netdev chain") Reported-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
4ffcf5ca · Pablo Neira Ayuso · e1f1ee0e · 4ffcf5ca
Commit 4ffcf5ca authored Sep 17, 2024 by Pablo Neira Ayuso
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 1 deletion

net/netfilter/nf_tables_api.c net/netfilter/nf_tables_api.c +1 -1

No files found.
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -1849,7 +1849,7 @@ static int nft_dump_basechain_hook(struct sk_buff *skb, int family,
 		if (!hook_list)
 			hook_list = &basechain->hook_list;

-		list_for_each_entry(hook, hook_list, list) {
+		list_for_each_entry_rcu(hook, hook_list, list) {
 			if (!first)
 				first = hook;