netfilter: nf_tables: hold mutex on netns pre_exit path

ummakynes · gregkh · commit f2a489faa5c6 · 2022-06-06T08:47:51.000+02:00
commit 3923b1e upstream. clean_net() runs in workqueue while walking over the lists, grab mutex. Fixes: 767d121 ("netfilter: nftables: fix possible UAF over chains from packet path in netns") Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
@@ -9813,7 +9813,11 @@ static int __net_init nf_tables_init_net(struct net *net)
 
 static void __net_exit nf_tables_pre_exit_net(struct net *net)
 {
+	struct nftables_pernet *nft_net = nft_pernet(net);
+
+	mutex_lock(&nft_net->commit_mutex);
 	__nft_release_hooks(net);
+	mutex_unlock(&nft_net->commit_mutex);
 }
 
 static void __net_exit nf_tables_exit_net(struct net *net)

Original file line number	Diff line number	Diff line change
`@@ -9813,7 +9813,11 @@ static int __net_init nf_tables_init_net(struct net *net)`
`9813`	`9813`
`9814`	`9814`	`static void __net_exit nf_tables_pre_exit_net(struct net *net)`
`9815`	`9815`	`{`
	`9816`	`+ struct nftables_pernet *nft_net = nft_pernet(net);`
	`9817`	`+`
	`9818`	`+ mutex_lock(&nft_net->commit_mutex);`
`9816`	`9819`	`__nft_release_hooks(net);`
	`9820`	`+ mutex_unlock(&nft_net->commit_mutex);`
`9817`	`9821`	`}`
`9818`	`9822`
`9819`	`9823`	`static void __net_exit nf_tables_exit_net(struct net *net)`