Re: [PATCH nf] netfilter: nf_tables: use RCU-safe list primitives for basechain hook list
From: Pablo Neira Ayuso
Date: Wed Apr 15 2026 - 13:04:15 EST
On Fri, Apr 10, 2026 at 06:13:22PM +0800, Weiming Shi wrote:
> NFT_MSG_GETCHAIN runs as an NFNL_CB_RCU callback, so chain dumps
> traverse basechain->hook_list under rcu_read_lock() without holding
> commit_mutex. Meanwhile, nft_delchain_hook() mutates that same live
> hook_list with plain list_move() and list_splice(), and the commit/abort
> paths splice hooks back with plain list_splice(). None of these are
> RCU-safe list operations.
>
> A concurrent GETCHAIN dump can observe partially updated list pointers,
> follow them into stack-local or transaction-private list heads, and
> crash when container_of() produces a bogus struct nft_hook pointer.

For the record, v1 of the proposed series to fix this is here:
https://patchwork.ozlabs.org/project/netfilter-devel/list/?series=499757
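
The interleaving described in the quoted commit message, replayed deterministically in userspace as an added example (not code from the patch or from the kernel tree). `struct hook`, `private_head` and the function name are hypothetical stand-ins; the list helpers are simplified copies of the kernel's plain, non-RCU primitives.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Minimal userspace copy of the kernel's circular doubly linked list. */
struct list_head { struct list_head *next, *prev; };
struct hook { int id; struct list_head list; }; /* hypothetical stand-in for struct nft_hook */

static void list_init(struct list_head *h) { h->next = h->prev = h; }

static void list_add(struct list_head *n, struct list_head *h)
{
    n->next = h->next; n->prev = h;
    h->next->prev = n; h->next = n;
}

/* Plain list_move(): unlink, then relink on another head. Not RCU-safe,
 * because n->next is rewritten while a reader may still be standing on n. */
static void list_move(struct list_head *n, struct list_head *h)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    list_add(n, h);
}

/* Returns 1 if the reader's next step lands on the writer's private list
 * head, which is neither a hook nor the loop-terminating original head. */
int reader_escapes_to_private_head(void)
{
    struct list_head hook_list, private_head; /* private_head: stack-local */
    struct hook a = { .id = 1 }, b = { .id = 2 };

    list_init(&hook_list); list_init(&private_head);
    list_add(&b.list, &hook_list);
    list_add(&a.list, &hook_list);           /* hook_list -> a -> b */

    struct list_head *pos = hook_list.next->next; /* reader stands on b */
    list_move(&b.list, &private_head);       /* writer moves b off the live list */
    pos = pos->next;                         /* reader advances */

    /* pos != &hook_list, so the walk does not stop here; the container_of()
     * arithmetic on a bare list head yields an address that is no hook. */
    uintptr_t bogus = (uintptr_t)pos - offsetof(struct hook, list);
    return pos == &private_head && pos != &hook_list &&
           bogus != (uintptr_t)&a && bogus != (uintptr_t)&b;
}

int main(void)
{
    printf("reader escaped: %d\n", reader_escapes_to_private_head());
}
```

By contrast, the kernel's list_del_rcu() leaves the removed entry's next pointer intact, so a reader standing on it continues along the original list.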