| author | Florian Westphal <fw@strlen.de> | 2026-04-07 17:00:01 +0200 |
|---|---|---|
| committer | Florian Westphal <fw@strlen.de> | 2026-04-08 13:34:51 +0200 |
| commit | 936206e3f6ff411581e615e930263d6f8b78df9d (patch) | |
| tree | 19ac9b93237d0326546edb6bcc4814670a6906ea /include | |
| parent | f8dca15a1b190787bbd03285304b569631160eda (diff) | |
netfilter: nfnetlink_queue: make hash table per queue

Sharing a global hash table among all queues is tempting, but
it can cause crash:

BUG: KASAN: slab-use-after-free in nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
[..]
nfqnl_recv_verdict+0x11ac/0x15e0 [nfnetlink_queue]
nfnetlink_rcv_msg+0x46a/0x930
kmem_cache_alloc_node_noprof+0x11e/0x450

struct nf_queue_entry is freed via kfree, but parallel cpu can still
encounter such an nf_queue_entry when walking the list.

Alternative fix is to free the nf_queue_entry via kfree_rcu() instead,
but as we have to alloc/free for each skb this will cause more mem
pressure.

Cc: Scott Mitchell <scott.k.mitch1@gmail.com>
Fixes: e19079adcd26 ("netfilter: nfnetlink_queue: optimize verdict lookup with hash table")
Signed-off-by: Florian Westphal <fw@strlen.de>
Diffstat (limited to 'include')
| -rw-r--r-- | include/net/netfilter/nf_queue.h | 1 |
1 files changed, 0 insertions, 1 deletions
diff --git a/include/net/netfilter/nf_queue.h b/include/net/netfilter/nf_queue.h index 45eb26b2e95b..d17035d14d96 100644 --- a/include/net/netfilter/nf_queue.h +++ b/include/net/netfilter/nf_queue.h @@ -23,7 +23,6 @@ struct nf_queue_entry { struct nf_hook_state state; bool nf_ct_is_unconfirmed; u16 size; /* sizeof(entry) + saved route keys */ - u16 queue_num; /* extra space to store route keys */ }; |
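Review bot: the commit message does not say what keeps a walker from reaching a freed entry once the table is per queue, and the only hunk in this include-limited view, the removal of `u16 queue_num` from struct nf_queue_entry, does not show it either. The message names the failure (an entry released with kfree while a parallel CPU still walks the list) and rejects kfree_rcu() on memory-pressure grounds, so a sentence stating which lock or lifetime rule now covers both the list walk and the free would let a reader confirm the use-after-free is closed rather than narrowed. Since the field is deleted outright, also confirm that every reader and writer of `queue_num` in the code touched by the Fixes: commit is removed in this same change, and that nothing still needs the queue number to tell entries from different queues apart during verdict lookup.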
