Re: data-race in nf_tables_newtable / nf_tables_newtable

From: Florian Westphal
Date: Fri Aug 19 2022 - 08:36:04 EST

Next message: Shreeya Patel: "[PATCH v2] spi: amd: Configure device speed"
Previous message: Vincent Guittot: "Re: [PATCH v2] sched/fair: Introduce priority load balance to reduce interference from IDLE tasks"
Next in thread: Gabriel Ryan: "Re: data-race in nf_tables_newtable / nf_tables_newtable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Abhishek Shah <abhishek.shah@xxxxxxxxxxxx> wrote:
> Hi all,
>
> We found a race involving the table->handle variable here
> <https://elixir.bootlin.com/linux/v5.18-rc5/source/net/netfilter/nf_tables_api.c#L1221>.
> This race advances the pointer, which can cause out-of-bounds memory
> accesses in the future. Please let us know what you think.
>
> Thanks!
>
>
> *---------------------Report-----------------*
> *read-write* to 0xffffffff883a01e8 of 8 bytes by task 6542 on cpu 0:
> nf_tables_newtable+0x6dc/0xc00 net/netfilter/nf_tables_api.c:1221
> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]

[..]

> *read-write* to 0xffffffff883a01e8 of 8 bytes by task 6541 on cpu 1:
> nf_tables_newtable+0x6dc/0xc00 net/netfilter/nf_tables_api.c:1221
> nfnetlink_rcv_batch net/netfilter/nfnetlink.c:513 [inline]

[..]

I don't understand. Like all batch operations, nf_tables_newtable is
supposed to run with the transaction mutex held, i.e. parallel execution
is not expected.

There is a lockdep assertion at start of nf_tables_newtable(); I
don't see how its possible that two threads can run this concurrently.

Next message: Shreeya Patel: "[PATCH v2] spi: amd: Configure device speed"
Previous message: Vincent Guittot: "Re: [PATCH v2] sched/fair: Introduce priority load balance to reduce interference from IDLE tasks"
Next in thread: Gabriel Ryan: "Re: data-race in nf_tables_newtable / nf_tables_newtable"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]