Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 93b0806f authored by Patrick McHardy's avatar Patrick McHardy Committed by Pablo Neira Ayuso
Browse files

netfilter: nf_tables: replay request after dropping locks to load chain type 



To avoid races, we need to replay to request after dropping the nfnl_mutex
to auto-load the chain type module.

Signed-off-by: default avatarPatrick McHardy <kaber@trash.net>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
parent 88ce65a7

net/netfilter/nf_tables_api.c

+8 −4
Original line number Diff line number Diff line
@@ -147,16 +147,20 @@ nf_tables_chain_type_lookup(const struct nft_af_info *afi, 
	struct nf_chain_type *type;



	type = __nf_tables_chain_type_lookup(afi->family, nla);

	if (type != NULL)

		return type;

#ifdef CONFIG_MODULES

	if (type == NULL && autoload) {

	if (autoload) {

		nfnl_unlock(NFNL_SUBSYS_NFTABLES);

		request_module("nft-chain-%u-%*.s", afi->family,

			       nla_len(nla)-1, (const char *)nla_data(nla));

		nfnl_lock(NFNL_SUBSYS_NFTABLES);

		type = __nf_tables_chain_type_lookup(afi->family, nla);

		if (type != NULL)

			return ERR_PTR(-EAGAIN);

	}

#endif

	return type;

	return ERR_PTR(-ENOENT);

}



static const struct nla_policy nft_table_policy[NFTA_TABLE_MAX + 1] = {
@@ -906,8 +910,8 @@ static int nf_tables_newchain(struct sock *nlsk, struct sk_buff *skb, 
			type = nf_tables_chain_type_lookup(afi,

							   nla[NFTA_CHAIN_TYPE],

							   create);

			if (type == NULL)

				return -ENOENT;

			if (IS_ERR(type))

				return PTR_ERR(type);

		}



		err = nla_parse_nested(ha, NFTA_HOOK_MAX, nla[NFTA_CHAIN_HOOK],