tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

netfilter: nf_tables: merge nft_rules_old structure and end of ruleblob marker

In order to free the rules in a chain via call_rcu, the rule array used
to stash a rcu_head and space for a pointer at the end of the rule array.

When the current nft_rule_dp blob format got added in
2c865a8a28a1 ("netfilter: nf_tables: add rule blob layout"), this results
in a double-trailer:

size (unsigned long)
struct nft_rule_dp
struct nft_expr
...
struct nft_rule_dp
struct nft_expr
...
struct nft_rule_dp (is_last=1) // Trailer

The trailer, struct nft_rule_dp (is_last=1), is not accounted for in size,
so it can be located via start_addr + size.

Because the rcu_head is stored after 'start+size' as well this means the
is_last trailer is *aliased* to the rcu_head (struct nft_rules_old).

This is harmless, because at this time the nft_do_chain function never
evaluates/accesses the trailer, it only checks the address boundary:

for (; rule < last_rule; rule = nft_rule_next(rule)) {
...

But this way the last_rule address has to be stashed in the jump
structure to restore it after returning from a chain.

nft_do_chain stack usage has become way too big, so put it on a diet.

Without this patch is impossible to use
for (; !rule->is_last; rule = nft_rule_next(rule)) {

... because on free, the needed update of the rcu_head will clobber the
nft_rule_dp is_last bit.

Furthermore, also stash the chain pointer in the trailer, this allows
to recover the original chain structure from nf_tables_trace infra
without a need to place them in the jump struct.

After this patch it is trivial to diet the jump stack structure,
done in the next two patches.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by
Pablo Neira Ayuso e38fbfa9 ca288965

+27 -28
+27 -28
net/netfilter/nf_tables_api.c
··· 2110 2110 module_put(hook->type->owner); 2111 2111 } 2112 2112 2113 - struct nft_rules_old { 2113 + struct nft_rule_dp_last { 2114 + struct nft_rule_dp end; /* end of nft_rule_blob marker */ 2114 2115 struct rcu_head h; 2115 2116 struct nft_rule_blob *blob; 2117 + const struct nft_chain *chain; /* for tracing */ 2116 2118 }; 2117 2119 2118 - static void nft_last_rule(struct nft_rule_blob *blob, const void *ptr) 2120 + static void nft_last_rule(const struct nft_chain *chain, const void *ptr) 2119 2121 { 2120 - struct nft_rule_dp *prule; 2122 + struct nft_rule_dp_last *lrule; 2121 2123 2122 - prule = (struct nft_rule_dp *)ptr; 2123 - prule->is_last = 1; 2124 + BUILD_BUG_ON(offsetof(struct nft_rule_dp_last, end) != 0); 2125 + 2126 + lrule = (struct nft_rule_dp_last *)ptr; 2127 + lrule->end.is_last = 1; 2128 + lrule->chain = chain; 2124 2129 /* blob size does not include the trailer rule */ 2125 2130 } 2126 2131 2127 - static struct nft_rule_blob *nf_tables_chain_alloc_rules(unsigned int size) 2132 + static struct nft_rule_blob *nf_tables_chain_alloc_rules(const struct nft_chain *chain, 2133 + unsigned int size) 2128 2134 { 2129 2135 struct nft_rule_blob *blob; 2130 2136 2131 - /* size must include room for the last rule */ 2132 - if (size < offsetof(struct nft_rule_dp, data)) 2133 - return NULL; 2134 - 2135 - size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rules_old); 2136 2137 if (size > INT_MAX) 2137 2138 return NULL; 2139 + 2140 + size += sizeof(struct nft_rule_blob) + sizeof(struct nft_rule_dp_last); 2138 2141 2139 2142 blob = kvmalloc(size, GFP_KERNEL_ACCOUNT); 2140 2143 if (!blob) 2141 2144 return NULL; 2142 2145 2143 2146 blob->size = 0; 2144 - nft_last_rule(blob, blob->data); 2147 + nft_last_rule(chain, blob->data); 2145 2148 2146 2149 return blob; 2147 2150 } ··· 2223 2220 struct nft_rule_blob *blob; 2224 2221 struct nft_trans *trans; 2225 2222 struct nft_chain *chain; 2226 - unsigned int data_size; 2227 2223 int err; 2228 2224 2229 2225 if (table->use == UINT_MAX) ··· 2310 2308 chain->udlen = nla_len(nla[NFTA_CHAIN_USERDATA]); 2311 2309 } 2312 2310 2313 - data_size = offsetof(struct nft_rule_dp, data); /* last rule */ 2314 - blob = nf_tables_chain_alloc_rules(data_size); 2311 + blob = nf_tables_chain_alloc_rules(chain, 0); 2315 2312 if (!blob) { 2316 2313 err = -ENOMEM; 2317 2314 goto err_destroy_chain; ··· 8818 8817 return -ENOMEM; 8819 8818 } 8820 8819 } 8821 - data_size += offsetof(struct nft_rule_dp, data); /* last rule */ 8822 8820 8823 - chain->blob_next = nf_tables_chain_alloc_rules(data_size); 8821 + chain->blob_next = nf_tables_chain_alloc_rules(chain, data_size); 8824 8822 if (!chain->blob_next) 8825 8823 return -ENOMEM; 8826 8824 ··· 8864 8864 chain->blob_next->size += (unsigned long)(data - (void *)prule); 8865 8865 } 8866 8866 8867 - prule = (struct nft_rule_dp *)data; 8868 - data += offsetof(struct nft_rule_dp, data); 8869 8867 if (WARN_ON_ONCE(data > data_boundary)) 8870 8868 return -ENOMEM; 8871 8869 8872 - nft_last_rule(chain->blob_next, prule); 8870 + prule = (struct nft_rule_dp *)data; 8871 + nft_last_rule(chain, prule); 8873 8872 8874 8873 return 0; 8875 8874 } ··· 8889 8890 } 8890 8891 } 8891 8892 8892 - static void __nf_tables_commit_chain_free_rules_old(struct rcu_head *h) 8893 + static void __nf_tables_commit_chain_free_rules(struct rcu_head *h) 8893 8894 { 8894 - struct nft_rules_old *o = container_of(h, struct nft_rules_old, h); 8895 + struct nft_rule_dp_last *l = container_of(h, struct nft_rule_dp_last, h); 8895 8896 8896 - kvfree(o->blob); 8897 + kvfree(l->blob); 8897 8898 } 8898 8899 8899 8900 static void nf_tables_commit_chain_free_rules_old(struct nft_rule_blob *blob) 8900 8901 { 8901 - struct nft_rules_old *old; 8902 + struct nft_rule_dp_last *last; 8902 8903 8903 - /* rcu_head is after end marker */ 8904 - old = (void *)blob + sizeof(*blob) + blob->size; 8905 - old->blob = blob; 8904 + /* last rule trailer is after end marker */ 8905 + last = (void *)blob + sizeof(*blob) + blob->size; 8906 + last->blob = blob; 8906 8907 8907 - call_rcu(&old->h, __nf_tables_commit_chain_free_rules_old); 8908 + call_rcu(&last->h, __nf_tables_commit_chain_free_rules); 8908 8909 } 8909 8910 8910 8911 static void nf_tables_commit_chain(struct net *net, struct nft_chain *chain)