netfilter: invoke synchronize_rcu after set the _hook_ to NULL

Liping Zhang · gregkh · commit f7f46b3ba20d · 2017-10-08T10:14:19.000+02:00
[ Upstream commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b ]

Otherwise, another CPU may access the invalid pointer. For example:
    CPU0                CPU1
     -              rcu_read_lock();
     -              pfunc = _hook_;
  _hook_ = NULL;          -
  mod unload              -
     -                 pfunc(); // invalid, panic
     -             rcu_read_unlock();

So we must call synchronize_rcu() to wait the rcu reader to finish.

Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.

Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.

Signed-off-by: Liping Zhang &lt;zlpnobody@gmail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init(void)
 static void __exit nf_nat_snmp_basic_fini(void)
 {
 	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
+	synchronize_rcu();
 	nf_conntrack_helper_unregister(&snmp_trap_helper);
 }
 
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
@@ -200,6 +200,7 @@ void nf_conntrack_unregister_notifier(struct net *net,
 	BUG_ON(notify != new);
 	RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);
 	mutex_unlock(&nf_ct_ecache_mutex);
+	/* synchronize_rcu() is called from ctnetlink_exit. */
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);
 
@@ -236,6 +237,7 @@ void nf_ct_expect_unregister_notifier(struct net *net,
 	BUG_ON(notify != new);
 	RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL);
 	mutex_unlock(&nf_ct_ecache_mutex);
+	/* synchronize_rcu() is called from ctnetlink_exit. */
 }
 EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier);
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
@@ -3415,6 +3415,7 @@ static void __exit ctnetlink_exit(void)
 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
 	RCU_INIT_POINTER(nfnl_ct_hook, NULL);
 #endif
+	synchronize_rcu();
 }
 
 module_init(ctnetlink_init);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
@@ -892,6 +892,8 @@ static void __exit nf_nat_cleanup(void)
 #ifdef CONFIG_XFRM
 	RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL);
 #endif
+	synchronize_rcu();
+
 	for (i = 0; i < NFPROTO_NUMPROTO; i++)
 		kfree(nf_nat_l4protos[i]);
 	synchronize_net();
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
@@ -611,8 +611,8 @@ static void __exit cttimeout_exit(void)
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 	RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);
 	RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);
+	synchronize_rcu();
 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
-	rcu_barrier();
 }
 
 module_init(cttimeout_init);

Original file line number	Diff line number	Diff line change
`@@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init(void)`
`1304`	`1304`	`static void __exit nf_nat_snmp_basic_fini(void)`
`1305`	`1305`	`{`
`1306`	`1306`	`RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);`
	`1307`	`+ synchronize_rcu();`
`1307`	`1308`	`nf_conntrack_helper_unregister(&snmp_trap_helper);`
`1308`	`1309`	`}`
`1309`	`1310`
Original file line number	Diff line number	Diff line change
`@@ -200,6 +200,7 @@ void nf_conntrack_unregister_notifier(struct net *net,`
`200`	`200`	`BUG_ON(notify != new);`
`201`	`201`	`RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);`
`202`	`202`	`mutex_unlock(&nf_ct_ecache_mutex);`
	`203`	`+ /* synchronize_rcu() is called from ctnetlink_exit. */`
`203`	`204`	`}`
`204`	`205`	`EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);`
`205`	`206`
`@@ -236,6 +237,7 @@ void nf_ct_expect_unregister_notifier(struct net *net,`
`236`	`237`	`BUG_ON(notify != new);`
`237`	`238`	`RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL);`
`238`	`239`	`mutex_unlock(&nf_ct_ecache_mutex);`
	`240`	`+ /* synchronize_rcu() is called from ctnetlink_exit. */`
`239`	`241`	`}`
`240`	`242`	`EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier);`
`241`	`243`
Original file line number	Diff line number	Diff line change
`@@ -3415,6 +3415,7 @@ static void __exit ctnetlink_exit(void)`
`3415`	`3415`	`#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT`
`3416`	`3416`	`RCU_INIT_POINTER(nfnl_ct_hook, NULL);`
`3417`	`3417`	`#endif`
	`3418`	`+ synchronize_rcu();`
`3418`	`3419`	`}`
`3419`	`3420`
`3420`	`3421`	`module_init(ctnetlink_init);`
Original file line number	Diff line number	Diff line change
`@@ -611,8 +611,8 @@ static void __exit cttimeout_exit(void)`
`611`	`611`	`#ifdef CONFIG_NF_CONNTRACK_TIMEOUT`
`612`	`612`	`RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);`
`613`	`613`	`RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);`
	`614`	`+ synchronize_rcu();`
`614`	`615`	`#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */`
`615`		`- rcu_barrier();`
`616`	`616`	`}`
`617`	`617`
`618`	`618`	`module_init(cttimeout_init);`