linux/net/netfilter
Jozsef Kadlecsik 4e7aaa6b82 netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type
Lion Ackermann reported that there is a race condition between namespace cleanup
in ipset and the garbage collection of the list:set type. The namespace
cleanup can destroy the list:set type of sets while the gc of the set type is
waiting to run in rcu cleanup. The latter uses data from the destroyed set which
thus leads to a use after free. The patch contains the following parts:

- When destroying all sets, first remove the garbage collectors, then wait
  if needed and then destroy the sets.
- Fix the badly ordered "wait then remove gc" for the destroy-a-single-set
  case.
- Fix the missing rcu locking in the list:set type in the userspace test
  case.
- Use proper RCU list handlings in the list:set type.

The patch depends on c1193d9bbb (netfilter: ipset: Add list flush to cancel_gc).

Fixes: 97f7cf1cd8 (netfilter: ipset: fix performance regression in swap operation)
Reported-by: Lion Ackermann <nnamrec@gmail.com>
Tested-by: Lion Ackermann <nnamrec@gmail.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2024-06-11 18:46:04 +02:00
ipset netfilter: ipset: Fix race between namespace cleanup and gc in the list:set type 2024-06-11 18:46:04 +02:00
ipvs ipvs: allow some sysctls in non-init user namespaces 2024-05-08 12:22:18 +01:00
core.c netfilter: make nftables drops visible in net dropmonitor 2023-10-18 10:26:43 +02:00
Kconfig netfilter: xtables: allow xtables-nft only builds 2024-01-29 15:43:21 +01:00
Makefile x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE 2024-01-10 10:52:28 +01:00
nf_bpf_link.c bpf: Take into account BPF token when fetching helper protos 2024-01-24 16:21:01 -08:00
nf_conncount.c netfilter: nf_conncount: Use KMEM_CACHE instead of kmem_cache_create() 2024-01-29 15:43:20 +01:00
nf_conntrack_acct.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_conntrack_amanda.c
nf_conntrack_bpf.c bpf: treewide: Annotate BPF kfuncs in BTF 2024-01-31 20:40:56 -08:00
nf_conntrack_broadcast.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nf_conntrack_core.c netfilter: conntrack: remove flowtable early-drop test 2024-05-06 16:29:21 +02:00
nf_conntrack_ecache.c netfilter: ctnetlink: make event listener tracking global 2023-02-22 00:28:47 +01:00
nf_conntrack_expect.c netfilter: expect: Simplify the allocation of slab caches in nf_conntrack_expect_init 2024-02-21 11:57:11 +01:00
nf_conntrack_extend.c netfilter: conntrack: fix extension size table 2023-09-13 21:57:50 +02:00
nf_conntrack_ftp.c netfilter: nf_ct_ftp: fix deadlock when nat rewrite is needed 2022-09-20 23:50:03 +02:00
nf_conntrack_h323_asn1.c netfilter: nf_conntrack_h323: Add protection for bmp length out of range 2024-03-07 03:10:35 +01:00
nf_conntrack_h323_main.c netfilter: nf_ct_h323: cap packet size at 64k 2022-08-11 16:50:49 +02:00
nf_conntrack_h323_types.c
nf_conntrack_helper.c netfilter: conntrack: simplify nf_conntrack_alter_reply 2023-10-10 16:34:28 +02:00
nf_conntrack_irc.c netfilter: nf_conntrack_irc: Tighten matching on DCC message 2022-09-07 15:55:23 +02:00
nf_conntrack_labels.c netfilter: conntrack: switch connlabels to atomic_t 2023-10-24 13:16:30 +02:00
nf_conntrack_netbios_ns.c netfilter: nf_conntrack_netbios_ns: fix helper module alias 2022-01-11 10:41:44 +01:00
nf_conntrack_netlink.c netfilter: ctnetlink: fix filtering for zone 0 2024-02-08 12:10:18 +01:00
nf_conntrack_ovs.c netfilter: use nf_ip6_check_hbh_len in nf_ct_skb_network_trim 2023-03-08 14:25:41 +01:00
nf_conntrack_pptp.c netfilter: nf_conntrack: add missing __rcu annotations 2022-07-11 16:25:15 +02:00
nf_conntrack_proto_dccp.c netfilter: conntrack: dccp: try not to drop skb in conntrack 2024-05-06 11:13:56 +02:00
nf_conntrack_proto_generic.c
nf_conntrack_proto_gre.c netfilter: conntrack: gre: don't set assured flag for clash entries 2023-07-05 14:42:15 +02:00
nf_conntrack_proto_icmp.c netfilter: conntrack: pass hook state to log functions 2021-06-18 14:47:43 +02:00
nf_conntrack_proto_icmpv6.c netfilter: conntrack: fix ct-state for ICMPv6 Multicast Router Discovery 2024-05-06 11:13:56 +02:00
nf_conntrack_proto_sctp.c netfilter: conntrack: check SCTP_CID_SHUTDOWN_ACK for vtag setting in sctp_new 2024-01-31 23:13:57 +01:00
nf_conntrack_proto_tcp.c netfilter: conntrack: correct window scaling with retransmitted SYN 2024-01-31 23:07:04 +01:00
nf_conntrack_proto_udp.c netfilter: conntrack: udp: fix seen-reply test 2023-02-01 12:18:51 +01:00
nf_conntrack_proto.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nf_conntrack_sane.c netfilter: nf_ct_sane: remove pseudo skb linearization 2022-08-11 16:50:25 +02:00
nf_conntrack_seqadj.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_conntrack_sip.c netfilter: nf_conntrack_sip: fix the ct_sip_parse_numerical_param() return value. 2023-06-26 17:18:48 +02:00
nf_conntrack_snmp.c
nf_conntrack_standalone.c netfilter: Remove the now superfluous sentinel elements from ctl_table array 2024-05-03 13:29:42 +01:00
nf_conntrack_tftp.c
nf_conntrack_timeout.c netfilter: nf_conntrack: use rcu accessors where needed 2022-07-11 16:25:15 +02:00
nf_conntrack_timestamp.c netfilter: conntrack: remove extension register api 2022-02-04 06:30:28 +01:00
nf_dup_netdev.c netfilter: nf_dup_netdev: add and use recursion counter 2022-06-21 10:50:41 +02:00
nf_flow_table_core.c ipv6: introduce dst_rt6_info() helper 2024-04-29 13:32:01 +01:00
nf_flow_table_inet.c netfilter: flowtable: validate pppoe header 2024-04-11 12:13:11 +02:00
nf_flow_table_ip.c inet: introduce dst_rtable() helper 2024-04-30 18:32:38 -07:00
nf_flow_table_offload.c net: flow_dissector: Use 64bits for used_keys 2023-07-31 09:11:24 +01:00
nf_flow_table_procfs.c netfilter: nf_flow_table: count pending offload workqueue tasks 2022-07-11 16:25:14 +02:00
nf_hooks_lwtunnel.c netfilter: add netfilter hooks to SRv6 data plane 2021-08-30 01:51:36 +02:00
nf_internals.h
nf_log_syslog.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-17 12:02:48 +01:00
nf_log.c netfilter: Remove the now superfluous sentinel elements from ctl_table array 2024-05-03 13:29:42 +01:00
nf_nat_amanda.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_bpf.c bpf: treewide: Annotate BPF kfuncs in BTF 2024-01-31 20:40:56 -08:00
nf_nat_core.c netfilter: nat: restore default DNAT behavior 2024-02-15 00:20:00 +01:00
nf_nat_ftp.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_helper.c treewide: use get_random_u32_below() instead of deprecated function 2022-11-18 02:15:15 +01:00
nf_nat_irc.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_masquerade.c netfilter: conntrack: add nf_ct_iter_data object for nf_ct_iterate_cleanup*() 2022-05-13 18:56:27 +02:00
nf_nat_ovs.c netfilter: nf_nat: fix action not being set for all ct states 2024-01-03 11:17:17 +01:00
nf_nat_proto.c ipsec-next-2023-10-28 2023-10-30 14:36:57 -07:00
nf_nat_redirect.c netfilter: nat: fix ipv6 nat redirect with mapped and scoped addresses 2023-11-08 16:40:30 +01:00
nf_nat_sip.c netfilter: nat: move repetitive nat port reserve loop to a helper 2022-09-07 16:46:04 +02:00
nf_nat_tftp.c
nf_queue.c netfilter: move nf_reinject into nfnetlink_queue modules 2024-02-21 12:03:22 +01:00
nf_sockopt.c
nf_synproxy_core.c ipv6: annotate data-races around cnf.hop_limit 2024-03-01 08:42:31 +00:00
nf_tables_api.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nf_tables_core.c x86/bugs: Rename CONFIG_RETPOLINE => CONFIG_MITIGATION_RETPOLINE 2024-01-10 10:52:28 +01:00
nf_tables_offload.c net: flow_dissector: Use 64bits for used_keys 2023-07-31 09:11:24 +01:00
nf_tables_trace.c netfilter: nf_tables: mask out non-verdict bits when checking return value 2023-10-18 10:26:43 +02:00
nfnetlink_acct.c netfilter: use nfnetlink_unicast() 2021-05-29 01:04:53 +02:00
nfnetlink_cthelper.c netfilter: nf_conntrack: use rcu accessors where needed 2022-07-11 16:25:15 +02:00
nfnetlink_cttimeout.c netfilter: cttimeout: fix slab-out-of-bounds read typo in cttimeout_net_exit 2022-06-17 23:31:20 +02:00
nfnetlink_hook.c netfilter: nfnetlink hook: dump bpf prog id 2023-04-21 11:34:14 -07:00
nfnetlink_log.c netfilter: nfnetlink_log: use proper helper for fetching physinif 2024-01-17 12:02:47 +01:00
nfnetlink_osf.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nfnetlink_queue.c netfilter: nfnetlink_queue: acquire rcu_read_lock() in instance_destroy_rcu() 2024-05-20 11:38:42 +02:00
nfnetlink.c netfilter: nfnetlink: Handle ACK flags for batch messages 2024-04-22 17:20:42 -07:00
nft_bitwise.c netfilter pull request 23-06-26 2023-06-26 12:59:18 -07:00
nft_byteorder.c netfilter: nf_tables: fix pointer math issue in nft_byteorder_eval() 2023-11-14 16:16:21 +01:00
nft_chain_filter.c netfilter: nf_tables: remove NETDEV_CHANGENAME from netdev chain event handler 2024-05-06 11:13:55 +02:00
nft_chain_nat.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nft_chain_route.c netfilter: nf_tables: remove unused arg in nft_set_pktinfo_unspec() 2021-05-29 01:04:54 +02:00
nft_cmp.c net: flow_dissector: Use 64bits for used_keys 2023-07-31 09:11:24 +01:00
nft_compat.c netfilter: nf_tables: allow NFPROTO_INET in nft_(match/target)_validate() 2024-02-28 23:52:55 +01:00
nft_connlimit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_counter.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_ct_fast.c netfilter: nf_tables: fix ct untracked match breakage 2023-05-03 13:49:08 +02:00
nft_ct.c Core x86 changes for v6.9: 2024-03-11 19:53:15 -07:00
nft_dup_netdev.c netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters 2022-11-15 10:46:34 +01:00
nft_dynset.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_exthdr.c netfilter: nf_tables: fix 'exist' matching on bigendian arches 2023-12-06 17:15:42 +01:00
nft_fib_inet.c netfilter: nft_fib: add reduce support 2022-03-20 00:29:47 +01:00
nft_fib_netdev.c netfilter: nft_fib: add reduce support 2022-03-20 00:29:47 +01:00
nft_fib.c netfilter: nft_fib: allow from forward/input without iif selector 2024-05-29 00:37:51 +02:00
nft_flow_offload.c netfilter: nf_tables: fix bidirectional offload regression 2024-02-15 00:20:00 +01:00
nft_fwd_netdev.c netfilter: add missing module descriptions 2023-11-08 13:52:32 +01:00
nft_hash.c netfilter: nf_tables: limit allowed range via nla_policy 2023-06-26 08:05:57 +02:00
nft_immediate.c netfilter: nft_immediate: drop chain reference counter on error 2024-01-03 11:17:17 +01:00
nft_inner.c nf_tables: fix NULL pointer dereference in nft_inner_init() 2023-10-12 10:28:45 +02:00
nft_last.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_limit.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_log.c netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters 2022-11-15 10:46:34 +01:00
nft_lookup.c netfilter: nf_tables: missing iterator type in lookup walk 2024-04-17 17:43:01 +02:00
nft_masq.c netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options 2023-07-27 13:45:51 +02:00
nft_meta.c netfilter: nft_inner: validate mandatory meta and payload 2024-06-11 18:46:04 +02:00
nft_nat.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-24 20:02:40 +01:00
nft_numgen.c netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters 2022-11-15 10:46:34 +01:00
nft_objref.c netfilter: nf_tables: report use refcount overflow 2023-07-05 14:42:15 +02:00
nft_osf.c netfilter: nft_osf: simplify init path 2024-02-21 11:57:11 +01:00
nft_payload.c netfilter: nft_inner: validate mandatory meta and payload 2024-06-11 18:46:04 +02:00
nft_queue.c netfilter: nf_tables: Extend nft_expr_ops::dump callback parameters 2022-11-15 10:46:34 +01:00
nft_quota.c netfilter: nf_tables: allow clone callbacks to sleep 2024-05-10 11:13:45 +02:00
nft_range.c netfilter: nf_tables: limit allowed range via nla_policy 2023-06-26 08:05:57 +02:00
nft_redir.c netfilter: nf_tables: use NLA_POLICY_MASK to test for valid flag options 2023-07-27 13:45:51 +02:00
nft_reject_inet.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_reject_netdev.c netfilter: nf_tables: do not reduce read-only expressions 2022-03-20 00:29:46 +01:00
nft_reject.c netfilter: nf_tables: limit allowed range via nla_policy 2023-06-26 08:05:57 +02:00
nft_rt.c inet: introduce dst_rtable() helper 2024-04-30 18:32:38 -07:00
nft_set_bitmap.c netfilter: nf_tables: restore set elements when delete set fails 2024-04-17 17:43:11 +02:00
nft_set_hash.c netfilter: nf_tables: restore set elements when delete set fails 2024-04-17 17:43:11 +02:00
nft_set_pipapo_avx2.c netfilter: nft_set_pipapo: constify lookup fn args where possible 2024-02-21 11:57:11 +01:00
nft_set_pipapo_avx2.h netfilter: nf_tables: prefer direct calls for set lookups 2021-05-29 01:04:27 +02:00
nft_set_pipapo.c netfilter: nft_set_pipapo: remove dirty flag 2024-05-10 11:13:45 +02:00
nft_set_pipapo.h netfilter: nft_set_pipapo: remove dirty flag 2024-05-10 11:13:45 +02:00
nft_set_rbtree.c netfilter: nf_tables: restore set elements when delete set fails 2024-04-17 17:43:11 +02:00
nft_socket.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-24 20:02:40 +01:00
nft_synproxy.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-24 20:02:40 +01:00
nft_tproxy.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-24 20:02:40 +01:00
nft_tunnel.c ip_tunnel: convert __be16 tunnel flags to bitmaps 2024-04-01 10:49:28 +01:00
nft_xfrm.c netfilter: nf_tables: validate NFPROTO_* family 2024-01-24 20:02:40 +01:00
utils.c netfilter: move nf_reinject into nfnetlink_queue modules 2024-02-21 12:03:22 +01:00
x_tables.c netfilter: x_tables: Use unsafe_memcpy() for 0-sized destination 2024-02-21 12:03:22 +01:00
xt_addrtype.c
xt_AUDIT.c netfilter: fix clang-12 fmt string warnings 2021-06-01 23:53:51 +02:00
xt_bpf.c bpf: Refactor BPF_PROG_RUN into a function 2021-08-17 00:45:07 +02:00
xt_cgroup.c
xt_CHECKSUM.c
xt_CLASSIFY.c
xt_cluster.c
xt_comment.c
xt_connbytes.c
xt_connlabel.c
xt_connlimit.c netfilter: x_tables: use correct integer types 2022-07-11 16:40:45 +02:00
xt_connmark.c netfilter: conntrack: Fix data-races around ct mark 2022-11-18 15:21:00 +01:00
xt_CONNSECMARK.c
xt_conntrack.c
xt_cpu.c
xt_CT.c netfilter: nf_conntrack: use rcu accessors where needed 2022-07-11 16:25:15 +02:00
xt_dccp.c
xt_devgroup.c
xt_dscp.c
xt_DSCP.c netfilter: x_tables: use correct integer types 2022-07-11 16:40:45 +02:00
xt_ecn.c
xt_esp.c
xt_hashlimit.c proc: remove PDE_DATA() completely 2022-01-22 08:33:37 +02:00
xt_helper.c
xt_hl.c
xt_HL.c
xt_HMARK.c
xt_IDLETIMER.c driver core: class: remove module * from class_create() 2023-03-17 15:16:33 +01:00
xt_ipcomp.c
xt_iprange.c
xt_ipvs.c
xt_l2tp.c
xt_LED.c leds: Change led_trigger_blink[_oneshot]() delay parameters to pass-by-value 2023-05-25 12:16:27 +01:00
xt_length.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf 2023-02-22 21:25:23 -08:00
xt_limit.c netfilter: x_tables: improve limit_mt scalability 2021-05-29 01:04:52 +02:00
xt_LOG.c netfilter: log: work around missing softdep backend module 2021-09-21 03:46:56 +02:00
xt_mac.c
xt_mark.c
xt_MASQUERADE.c
xt_multiport.c
xt_nat.c
xt_NETMAP.c
xt_nfacct.c
xt_NFLOG.c netfilter: log: work around missing softdep backend module 2021-09-21 03:46:56 +02:00
xt_NFQUEUE.c
xt_osf.c netfilter: nfnetlink_osf: fix module autoload 2023-06-20 22:43:42 +02:00
xt_owner.c netfilter: xt_owner: Fix for unsafe access of sk->sk_socket 2023-12-06 17:52:15 +01:00
xt_physdev.c netfilter: propagate net to nf_bridge_get_physindev 2024-01-17 12:02:48 +01:00
xt_pkttype.c
xt_policy.c
xt_quota.c
xt_rateest.c
xt_RATEEST.c netfilter: move from strlcpy with unused retval to strscpy 2022-09-07 16:46:03 +02:00
xt_realm.c
xt_recent.c netfilter: xt_recent: fix (increase) ipv6 literal buffer length 2023-11-08 13:53:36 +01:00
xt_REDIRECT.c netfilter: nft_redir: use struct nf_nat_range2 throughout and deduplicate eval call-backs 2023-03-22 21:48:59 +01:00
xt_repldata.h netfilter: xtables: refactor deprecated strncpy 2023-08-22 15:13:21 +02:00
xt_sctp.c netfilter: xt_sctp: validate the flag_info count 2023-08-30 17:34:01 +02:00
xt_SECMARK.c netfilter: xt_SECMARK: add new revision to fix structure layout 2021-05-03 23:02:44 +02:00
xt_set.c
xt_socket.c net: annotate data-races around sk->sk_mark 2023-07-29 18:13:41 +01:00
xt_state.c
xt_statistic.c treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
xt_string.c
xt_tcpmss.c
xt_TCPMSS.c netfilter: x_tables: use correct integer types 2022-07-11 16:40:45 +02:00
xt_TCPOPTSTRIP.c
xt_tcpudp.c xtables: move icmp/icmpv6 logic to xt_tcpudp 2023-03-22 21:48:59 +01:00
xt_TEE.c
xt_time.c
xt_TPROXY.c netfilter: xt_TPROXY: remove pr_debug invocations 2022-07-21 00:56:00 +02:00
xt_TRACE.c netfilter: nf_log: add module softdeps 2021-03-31 22:34:10 +02:00
xt_u32.c netfilter: xt_u32: validate user space input 2023-08-30 17:34:01 +02:00