Re: [PATCH nf] netfilter: nf_tables: use RCU-safe list primitives for basechain hook list
From: Xiang Mei
Date: Thu Apr 16 2026 - 00:32:13 EST
On Wed, Apr 15, 2026 at 9:55 AM Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx> wrote:
>
> On Fri, Apr 10, 2026 at 06:13:22PM +0800, Weiming Shi wrote:
> > NFT_MSG_GETCHAIN runs as an NFNL_CB_RCU callback, so chain dumps
> > traverse basechain->hook_list under rcu_read_lock() without holding
> > commit_mutex. Meanwhile, nft_delchain_hook() mutates that same live
> > hook_list with plain list_move() and list_splice(), and the commit/abort
> > paths splice hooks back with plain list_splice(). None of these are
> > RCU-safe list operations.
> >
> > A concurrent GETCHAIN dump can observe partially updated list pointers,
> > follow them into stack-local or transaction-private list heads, and
> > crash when container_of() produces a bogus struct nft_hook pointer.
>
> For the record, v1 of proposed series to fix this is here:
>
> https://patchwork.ozlabs.org/project/netfilter-devel/list/?series=499757

Hi Pablo,

Thanks for working on this.

If this addresses the issue I originally reported, could you please
consider adding:

Reported-by: Xiang Mei <xmei5@xxxxxxx>

Thanks,
Xiang
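
An added illustration, not part of this thread or of any posted patch: single-threaded userspace C that replays one interleaving from the quoted commit message, with a reader parked on a hook while the writer either does a plain list_move() onto a stack-local head or unlinks the entry the way list_del_rcu() does (leaving its next pointer intact). struct demo_hook, reader_resumes_after() and the helper names are hypothetical stand-ins, not kernel code.

```c
#include <stddef.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };
#define container_of(p, type, member) ((type *)((char *)(p) - offsetof(type, member)))
struct demo_hook { int id; struct list_head list; };  /* stand-in for struct nft_hook */

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void unlink_entry(struct list_head *e) { e->prev->next = e->next; e->next->prev = e->prev; }

/* Plain list_move(): unlink, then overwrite the entry's own next/prev. */
static void plain_list_move(struct list_head *e, struct list_head *h)
{ unlink_entry(e); e->next = h->next; e->prev = h; h->next->prev = e; h->next = e; }

/* Pointer effect of list_del_rcu(): unlink, keep e->next (kernel poisons prev). */
static void rcu_style_del(struct list_head *e) { unlink_entry(e); e->prev = NULL; }

/* The reader is parked on the 2nd of 3 hooks when the writer runs. Returns the
 * number of real hooks visited afterwards, or -1 if it walked onto a foreign head. */
int reader_resumes_after(int rcu_safe)
{
    struct list_head hook_list, local, *pos;  /* local: stack-local head */
    struct demo_hook h[3];
    int i, seen = 0;

    list_init(&hook_list); list_init(&local);
    for (i = 0; i < 3; i++) { h[i].id = i; list_add_tail(&h[i].list, &hook_list); }

    pos = &h[1].list;                         /* reader paused here */
    if (rcu_safe) rcu_style_del(pos); else plain_list_move(pos, &local);

    for (pos = pos->next; pos != &hook_list; pos = pos->next) {
        if (pos == &local) return -1;         /* container_of() here would be bogus */
        struct demo_hook *hk = container_of(pos, struct demo_hook, list);
        seen += (hk->id >= 0 && hk->id < 3);
    }
    return seen;
}

int main(void)
{
    printf("plain list_move: %d\n", reader_resumes_after(0));
    printf("rcu-style del:   %d\n", reader_resumes_after(1));
    return 0;
}
```

Without the explicit `pos == &local` guard, the plain-move case never reaches `&hook_list` again: the walk cycles between the moved entry and the local head, which is not embedded in any hook structure.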