From patchwork Wed Sep 11 08:17:27 2013
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Michal Kubecek
X-Patchwork-Id: 274202
Return-Path:
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 03E952C01F0 for ; Wed, 11 Sep 2013 19:09:05 +1000 (EST)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1753125Ab3IKJJC (ORCPT ); Wed, 11 Sep 2013 05:09:02 -0400
Received: from cantor2.suse.de ([195.135.220.15]:54922 "EHLO mx2.suse.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753119Ab3IKJJB (ORCPT ); Wed, 11 Sep 2013 05:09:01 -0400
Received: from relay1.suse.de (unknown [195.135.220.254]) by mx2.suse.de (Postfix) with ESMTP id 48E65A51CB; Wed, 11 Sep 2013 11:09:00 +0200 (CEST)
Received: by unicorn.suse.cz (Postfix, from userid 1000) id 0129AE8AFF; Wed, 11 Sep 2013 11:08:59 +0200 (CEST)
From: Michal Kubecek
Date: Wed, 11 Sep 2013 10:17:27 +0200
Subject: [PATCH nf] netfilter: use RCU safe kfree for conntrack extensions
To: netfilter-devel@vger.kernel.org
Cc: netdev@vger.kernel.org, Pablo Neira Ayuso , Patrick McHardy , Jozsef Kadlecsik , coreteam@netfilter.org
Message-Id: <20130911090900.0129AE8AFF@unicorn.suse.cz>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: netfilter-devel@vger.kernel.org

Commit 68b80f11 (netfilter: nf_nat: fix RCU races) introduced RCU
protection for freeing extension data when reallocation moves them
to a new location. We need the same protection when freeing them
in nf_ct_ext_free() in order to prevent a use-after-free by other
threads referencing a NAT extension data via bysource list.

Signed-off-by: Michal Kubecek
---
 include/net/netfilter/nf_conntrack_extend.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h index 977bc8a..3313108 100644 --- a/include/net/netfilter/nf_conntrack_extend.h +++ b/include/net/netfilter/nf_conntrack_extend.h @@ -80,7 +80,7 @@ static inline void nf_ct_ext_destroy(struct nf_conn *ct) static inline void nf_ct_ext_free(struct nf_conn *ct) { if (ct->ext) - kfree(ct->ext); + kfree_rcu(ct->ext, rcu); } /* Add this type, returns pointer to data or NULL. */
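
Review bot: the `if (ct->ext)` check in nf_ct_ext_free() stops being optional with this change and nothing in the function says so. kfree() accepts NULL, but kfree_rcu(ct->ext, rcu) takes the address of the `rcu` member inside the object, so the guard must stay. I would add a short comment above the call stating that, and that the free is deferred because RCU readers can still reach the extension through the NAT bysource list, so a later cleanup does not drop the check as redundant. The call also relies on a member named `rcu` in the extension structure, which this hunk does not show; since the patch is aimed at nf, please confirm that the member (presumably from 68b80f11, per the commit message) is present in every tree this is expected to be applied to.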