netfilter: nfnetlink: fix potential dead lock in nfnetlink_rcv_msg()

Ziyang Xuan · gregkh · commit e62cb1c093d6 · 2022-11-16T09:58:20.000+01:00
[ Upstream commit 03832a3 ] When type is NFNL_CB_MUTEX and -EAGAIN error occur in nfnetlink_rcv_msg(), it does not execute nfnl_unlock(). That would trigger potential dead lock. Fixes: 50f2db9 ("netfilter: nfnetlink: consolidate callback types") Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com> Signed-off-by: Florian Westphal <fw@strlen.de> Signed-off-by: Sasha Levin <sashal@kernel.org>
diff --git a/net/netfilter/nfnetlink.c b/net/netfilter/nfnetlink.c
@@ -290,6 +290,7 @@ static int nfnetlink_rcv_msg(struct sk_buff *skb, struct nlmsghdr *nlh,
 			nfnl_lock(subsys_id);
 			if (nfnl_dereference_protected(subsys_id) != ss ||
 			    nfnetlink_find_client(type, ss) != nc) {
+				nfnl_unlock(subsys_id);
 				err = -EAGAIN;
 				break;
 			}

Original file line number	Diff line number	Diff line change
`@@ -290,6 +290,7 @@ static int nfnetlink_rcv_msg(struct sk_buff skb, struct nlmsghdr nlh,`
`290`	`290`	`nfnl_lock(subsys_id);`
`291`	`291`	`if (nfnl_dereference_protected(subsys_id) != ss \|\|`
`292`	`292`	`nfnetlink_find_client(type, ss) != nc) {`
	`293`	`+ nfnl_unlock(subsys_id);`
`293`	`294`	`err = -EAGAIN;`
`294`	`295`	`break;`
`295`	`296`	`}`