| From ce00bf07cc95a57cd20b208e02b3c2604e532ae8 Mon Sep 17 00:00:00 2001 |
| From: Jann Horn <jannh@google.com> |
| Date: Mon, 25 Jun 2018 17:22:00 +0200 |
| Subject: netfilter: nf_log: don't hold nf_log_mutex during user access |
| |
| From: Jann Horn <jannh@google.com> |
| |
| commit ce00bf07cc95a57cd20b208e02b3c2604e532ae8 upstream. |
| |
| The old code would indefinitely block other users of nf_log_mutex if |
| a userspace access in proc_dostring() blocked e.g. due to a userfaultfd |
| region. Fix it by moving proc_dostring() out of the locked region. |
| |
| This is a followup to commit 266d07cb1c9a ("netfilter: nf_log: fix |
| sleeping function called from invalid context"), which changed this code |
| from using rcu_read_lock() to taking nf_log_mutex. |
| |
| Fixes: 266d07cb1c9a ("netfilter: nf_log: fix sleeping function calle[...]") |
| Signed-off-by: Jann Horn <jannh@google.com> |
| Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/netfilter/nf_log.c | 9 ++++++--- |
| 1 file changed, 6 insertions(+), 3 deletions(-) |
| |
| --- a/net/netfilter/nf_log.c |
| +++ b/net/netfilter/nf_log.c |
| @@ -422,14 +422,17 @@ static int nf_log_proc_dostring(struct c |
| rcu_assign_pointer(net->nf.nf_loggers[tindex], logger); |
| mutex_unlock(&nf_log_mutex); |
| } else { |
| + struct ctl_table tmp = *table; |
| + |
| + tmp.data = buf; |
| mutex_lock(&nf_log_mutex); |
| logger = nft_log_dereference(net->nf.nf_loggers[tindex]); |
| if (!logger) |
| - table->data = "NONE"; |
| + strlcpy(buf, "NONE", sizeof(buf)); |
| else |
| - table->data = logger->name; |
| - r = proc_dostring(table, write, buffer, lenp, ppos); |
| + strlcpy(buf, logger->name, sizeof(buf)); |
| mutex_unlock(&nf_log_mutex); |
| + r = proc_dostring(&tmp, write, buffer, lenp, ppos); |
| } |
| |
| return r; |