netfilter: invoke synchronize_rcu after set the _hook_ to NULL

Liping Zhang · ummakynes · commit 3b7dabf02947 · 2017-03-27T13:47:28.000+02:00
Otherwise, another CPU may access the invalid pointer. For example:
    CPU0                CPU1
     -              rcu_read_lock();
     -              pfunc = _hook_;
  _hook_ = NULL;          -
  mod unload              -
     -                 pfunc(); // invalid, panic
     -             rcu_read_unlock();

So we must call synchronize_rcu() to wait the rcu reader to finish.

Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.

Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.

Signed-off-by: Liping Zhang &lt;zlpnobody@gmail.com&gt;
Signed-off-by: Pablo Neira Ayuso &lt;pablo@netfilter.org&gt;
diff --git a/net/ipv4/netfilter/nf_nat_snmp_basic.c b/net/ipv4/netfilter/nf_nat_snmp_basic.c
@@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init(void)
 static void __exit nf_nat_snmp_basic_fini(void)
 {
 	RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);
+	synchronize_rcu();
 	nf_conntrack_helper_unregister(&snmp_trap_helper);
 }
 
diff --git a/net/netfilter/nf_conntrack_ecache.c b/net/netfilter/nf_conntrack_ecache.c
@@ -290,6 +290,7 @@ void nf_conntrack_unregister_notifier(struct net *net,
 	BUG_ON(notify != new);
 	RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);
 	mutex_unlock(&nf_ct_ecache_mutex);
+	/* synchronize_rcu() is called from ctnetlink_exit. */
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);
 
@@ -326,6 +327,7 @@ void nf_ct_expect_unregister_notifier(struct net *net,
 	BUG_ON(notify != new);
 	RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL);
 	mutex_unlock(&nf_ct_ecache_mutex);
+	/* synchronize_rcu() is called from ctnetlink_exit. */
 }
 EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier);
 
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c
@@ -3442,6 +3442,7 @@ static void __exit ctnetlink_exit(void)
 #ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT
 	RCU_INIT_POINTER(nfnl_ct_hook, NULL);
 #endif
+	synchronize_rcu();
 }
 
 module_init(ctnetlink_init);
diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
@@ -903,6 +903,8 @@ static void __exit nf_nat_cleanup(void)
 #ifdef CONFIG_XFRM
 	RCU_INIT_POINTER(nf_nat_decode_session_hook, NULL);
 #endif
+	synchronize_rcu();
+
 	for (i = 0; i < NFPROTO_NUMPROTO; i++)
 		kfree(nf_nat_l4protos[i]);
 
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c
@@ -646,8 +646,8 @@ static void __exit cttimeout_exit(void)
 #ifdef CONFIG_NF_CONNTRACK_TIMEOUT
 	RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);
 	RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);
+	synchronize_rcu();
 #endif /* CONFIG_NF_CONNTRACK_TIMEOUT */
-	rcu_barrier();
 }
 
 module_init(cttimeout_init);

Original file line number	Diff line number	Diff line change
`@@ -1304,6 +1304,7 @@ static int __init nf_nat_snmp_basic_init(void)`
`1304`	`1304`	`static void __exit nf_nat_snmp_basic_fini(void)`
`1305`	`1305`	`{`
`1306`	`1306`	`RCU_INIT_POINTER(nf_nat_snmp_hook, NULL);`
	`1307`	`+ synchronize_rcu();`
`1307`	`1308`	`nf_conntrack_helper_unregister(&snmp_trap_helper);`
`1308`	`1309`	`}`
`1309`	`1310`
Original file line number	Diff line number	Diff line change
`@@ -290,6 +290,7 @@ void nf_conntrack_unregister_notifier(struct net *net,`
`290`	`290`	`BUG_ON(notify != new);`
`291`	`291`	`RCU_INIT_POINTER(net->ct.nf_conntrack_event_cb, NULL);`
`292`	`292`	`mutex_unlock(&nf_ct_ecache_mutex);`
	`293`	`+ /* synchronize_rcu() is called from ctnetlink_exit. */`
`293`	`294`	`}`
`294`	`295`	`EXPORT_SYMBOL_GPL(nf_conntrack_unregister_notifier);`
`295`	`296`
`@@ -326,6 +327,7 @@ void nf_ct_expect_unregister_notifier(struct net *net,`
`326`	`327`	`BUG_ON(notify != new);`
`327`	`328`	`RCU_INIT_POINTER(net->ct.nf_expect_event_cb, NULL);`
`328`	`329`	`mutex_unlock(&nf_ct_ecache_mutex);`
	`330`	`+ /* synchronize_rcu() is called from ctnetlink_exit. */`
`329`	`331`	`}`
`330`	`332`	`EXPORT_SYMBOL_GPL(nf_ct_expect_unregister_notifier);`
`331`	`333`
Original file line number	Diff line number	Diff line change
`@@ -3442,6 +3442,7 @@ static void __exit ctnetlink_exit(void)`
`3442`	`3442`	`#ifdef CONFIG_NETFILTER_NETLINK_GLUE_CT`
`3443`	`3443`	`RCU_INIT_POINTER(nfnl_ct_hook, NULL);`
`3444`	`3444`	`#endif`
	`3445`	`+ synchronize_rcu();`
`3445`	`3446`	`}`
`3446`	`3447`
`3447`	`3448`	`module_init(ctnetlink_init);`
Original file line number	Diff line number	Diff line change
`@@ -646,8 +646,8 @@ static void __exit cttimeout_exit(void)`
`646`	`646`	`#ifdef CONFIG_NF_CONNTRACK_TIMEOUT`
`647`	`647`	`RCU_INIT_POINTER(nf_ct_timeout_find_get_hook, NULL);`
`648`	`648`	`RCU_INIT_POINTER(nf_ct_timeout_put_hook, NULL);`
	`649`	`+ synchronize_rcu();`
`649`	`650`	`#endif /* CONFIG_NF_CONNTRACK_TIMEOUT */`
`650`		`- rcu_barrier();`
`651`	`651`	`}`
`652`	`652`
`653`	`653`	`module_init(cttimeout_init);`