[Devel] [PATCH RH7] netfilter: drop/reaquire nfnl_lock on request_module() in nft_log module

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jul 16 15:37:31 MSK 2020


There could be a deadlock:

1. "nft" process calls request_module() with
nfnl_lock(NFNL_SUBSYS_NFTABLES) taken and waits for its completion:

[UN]  PID: 7391   TASK: ffff939e154bc000  COMMAND: "nft"
wait_for_completion_killable
 __call_usermodehelper_exec
  __request_module
   nf_logger_find_get
    nft_log_init		// ops->init()
     nf_tables_newexpr
      nf_tables_newrule		// called with nfnl_lock taken
       nfnetlink_rcv_batch	// takes nfnl_lock
        nfnetlink_rcv
         netlink_unicast
          netlink_sendmsg

2. request_module() tries to load the module, but waits on "net_mutex":

[UN]  PID: 8913   TASK: ffff939e140ec000  COMMAND: "modprobe"
__mutex_lock_slowpath
 mutex_lock			// mutex_lock(&net_mutex);
 (owner = 0xffff939e315f2000 == PID: 158  COMMAND: "kworker/u64:1")
   register_pernet_subsys
    init_module
     do_one_initcall
      load_module
       sys_init_module

3. "kworker" holds net_mutex, but itself waits for nfnl_lock:

[UN]  PID: 158    TASK: ffff939e315f2000  COMMAND: "kworker/u64:1"
__mutex_lock_slowpath
 mutex_lock			// nfnl_lock(NFNL_SUBSYS_NFTABLES)
 (owner = 0xffff939e154bc000  PID: 7391  COMMAND: "nft")
  nfnl_lock
   nft_unregister_afinfo
    nf_tables_inet_exit_net
     ops_exit_list
      cleanup_net
       process_one_work

Reproducer:
===========
[console 1]: export i=0; while true; do
	nft add table filter; \
	nft add chain filter input; \
	nft add rule filter input tcp dport 23 ct state new \
		log prefix \"Connection to port 23:\" accept; \
	nft flush ruleset; \
	rmmod nft_log; rmmod nf_log_ipv4; rmmod nf_log_common; \
	i=$(($i+1)); echo $i; \
done

[console 2]: modprobe nf_tables; \
	export j=0; while true; do \
		ip net add n1; \
		ip net del n1; \
		j=$(($j + 1)); echo $j; \
	done

In mainstream this sutiation is impossible, it's fixed as a side effect
by: f102d66b335a4 ("netfilter: nf_tables: use dedicated mutex to guard
transactions"), but backporting it is quite heavy,

so let's just drop/reacquire nfnl lock around request_module() like it's
done in similar places.

https://jira.sw.ru/browse/PSBM-105534

Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 include/net/netfilter/nf_log.h |  2 +-
 net/netfilter/nf_log.c         |  8 ++++---
 net/netfilter/nft_log.c        | 49 +++++++++++++++++++++++++++++++++++++++---
 net/netfilter/xt_LOG.c         |  2 +-
 net/netfilter/xt_TRACE.c       |  2 +-
 5 files changed, 54 insertions(+), 9 deletions(-)

diff --git a/include/net/netfilter/nf_log.h b/include/net/netfilter/nf_log.h
index 4b1b4c44e537b..2686caac8080e 100644
--- a/include/net/netfilter/nf_log.h
+++ b/include/net/netfilter/nf_log.h
@@ -64,7 +64,7 @@ int nf_log_bind_pf(struct net *net, u_int8_t pf,
 		   const struct nf_logger *logger);
 void nf_log_unbind_pf(struct net *net, u_int8_t pf);
 
-int nf_logger_find_get(int pf, enum nf_log_type type);
+int nf_logger_find_get_nolock(int pf, enum nf_log_type type);
 void nf_logger_put(int pf, enum nf_log_type type);
 void nf_logger_request_module(int pf, enum nf_log_type type);
 
diff --git a/net/netfilter/nf_log.c b/net/netfilter/nf_log.c
index ff07ee54bbdd3..dd34fd081a89d 100644
--- a/net/netfilter/nf_log.c
+++ b/net/netfilter/nf_log.c
@@ -19,7 +19,9 @@
 int sysctl_nf_log_all_netns __read_mostly;
 EXPORT_SYMBOL(sysctl_nf_log_all_netns);
 
-static struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly;
+struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly;
+EXPORT_SYMBOL(loggers);
+
 static DEFINE_MUTEX(nf_log_mutex);
 
 #define nft_log_dereference(logger) \
@@ -164,7 +166,7 @@ void nf_logger_request_module(int pf, enum nf_log_type type)
 }
 EXPORT_SYMBOL_GPL(nf_logger_request_module);
 
-int nf_logger_find_get(int pf, enum nf_log_type type)
+int nf_logger_find_get_nolock(int pf, enum nf_log_type type)
 {
 	struct nf_logger *logger;
 	int ret = -ENOENT;
@@ -184,7 +186,7 @@ int nf_logger_find_get(int pf, enum nf_log_type type)
 	rcu_read_unlock();
 	return ret;
 }
-EXPORT_SYMBOL_GPL(nf_logger_find_get);
+EXPORT_SYMBOL_GPL(nf_logger_find_get_nolock);
 
 void nf_logger_put(int pf, enum nf_log_type type)
 {
diff --git a/net/netfilter/nft_log.c b/net/netfilter/nft_log.c
index d21fe91d50fc0..71e35feb1fe27 100644
--- a/net/netfilter/nft_log.c
+++ b/net/netfilter/nft_log.c
@@ -15,6 +15,7 @@
 #include <linux/netlink.h>
 #include <linux/netfilter.h>
 #include <linux/netfilter/nf_tables.h>
+#include <linux/netfilter/nfnetlink.h>
 #include <net/netfilter/nf_tables.h>
 #include <net/netfilter/nf_log.h>
 #include <linux/netdevice.h>
@@ -46,6 +47,48 @@ static const struct nla_policy nft_log_policy[NFTA_LOG_MAX + 1] = {
 	[NFTA_LOG_FLAGS]	= { .type = NLA_U32 },
 };
 
+extern struct nf_logger __rcu *loggers[NFPROTO_NUMPROTO][NF_LOG_TYPE_MAX] __read_mostly;
+
+/*
+ * In "nft_log" module we need to drop nfnl lock while performing
+ * request_module(), calls to nf_logger_find_get() in other
+ * modules are done without nfnl_lock taken.
+ *
+ * nf_logger_find_get
+ *  nft_log_init
+ *   nf_tables_newexpr
+ *    nf_tables_newrule		// nc->call_batch
+ *				// called with nfnl_lock taken
+ *
+ *     nfnetlink_rcv_batch	// takes nfnl_lock(NFNL_SUBSYS_NFTABLES)
+ *      nfnetlink_rcv
+ *       netlink_unicast
+ *        netlink_sendmsg
+ */
+static int nf_logger_find_get_lock(int pf, enum nf_log_type type)
+{
+	struct nf_logger *logger;
+	int ret = 0;
+
+	logger = loggers[pf][type];
+	if (logger == NULL) {
+		nfnl_unlock(NFNL_SUBSYS_NFTABLES);
+		request_module("nf-logger-%u-%u", pf, type);
+		nfnl_lock(NFNL_SUBSYS_NFTABLES);
+		ret = -EAGAIN;
+	}
+
+	rcu_read_lock();
+	logger = rcu_dereference(loggers[pf][type]);
+
+	if ((logger == NULL) ||
+	    ((ret == 0) && !try_module_get(logger->me))) {
+		ret = -ENOENT;
+	}
+	rcu_read_unlock();
+	return ret;
+}
+
 static int nft_log_init(const struct nft_ctx *ctx,
 			const struct nft_expr *expr,
 			const struct nlattr * const tb[])
@@ -99,11 +142,11 @@ static int nft_log_init(const struct nft_ctx *ctx,
 	}
 
 	if (ctx->afi->family == NFPROTO_INET) {
-		ret = nf_logger_find_get(NFPROTO_IPV4, li->type);
+		ret = nf_logger_find_get_lock(NFPROTO_IPV4, li->type);
 		if (ret < 0)
 			return ret;
 
-		ret = nf_logger_find_get(NFPROTO_IPV6, li->type);
+		ret = nf_logger_find_get_lock(NFPROTO_IPV6, li->type);
 		if (ret < 0) {
 			nf_logger_put(NFPROTO_IPV4, li->type);
 			return ret;
@@ -111,7 +154,7 @@ static int nft_log_init(const struct nft_ctx *ctx,
 		return 0;
 	}
 
-	return nf_logger_find_get(ctx->afi->family, li->type);
+	return nf_logger_find_get_lock(ctx->afi->family, li->type);
 }
 
 static void nft_log_destroy(const struct nft_ctx *ctx,
diff --git a/net/netfilter/xt_LOG.c b/net/netfilter/xt_LOG.c
index eb31d73e31ebf..89059468e0f80 100644
--- a/net/netfilter/xt_LOG.c
+++ b/net/netfilter/xt_LOG.c
@@ -61,7 +61,7 @@ static int log_tg_check(const struct xt_tgchk_param *par)
 		return -EINVAL;
 	}
 
-	return nf_logger_find_get(par->family, NF_LOG_TYPE_LOG);
+	return nf_logger_find_get_nolock(par->family, NF_LOG_TYPE_LOG);
 }
 
 static void log_tg_destroy(const struct xt_tgdtor_param *par)
diff --git a/net/netfilter/xt_TRACE.c b/net/netfilter/xt_TRACE.c
index 858d189a13031..d0e77eea6b829 100644
--- a/net/netfilter/xt_TRACE.c
+++ b/net/netfilter/xt_TRACE.c
@@ -13,7 +13,7 @@ MODULE_ALIAS("ip6t_TRACE");
 
 static int trace_tg_check(const struct xt_tgchk_param *par)
 {
-	return nf_logger_find_get(par->family, NF_LOG_TYPE_LOG);
+	return nf_logger_find_get_nolock(par->family, NF_LOG_TYPE_LOG);
 }
 
 static void trace_tg_destroy(const struct xt_tgdtor_param *par)
-- 
2.15.1



More information about the Devel mailing list