Message ID | 1285139854-11827-5-git-send-email-kaber@trash.net |
---|---|
State | Accepted, archived |
Delegated to: | David Miller |
On Wednesday 22 September 2010 at 09:17 +0200, kaber@trash.net wrote:
> From: Eric Dumazet <Eric Dumazet>
>

strange email address ;)

> As soon as rcu_read_unlock() is called, there is no guarantee current
> thread can safely dereference t pointer, rcu protected.
>
> Fix is to copy t->alloc_size in a temporary variable.
>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
> --- > net/netfilter/nf_conntrack_extend.c | 4 +++- > 1 files changed, 3 insertions(+), 1 deletions(-) > > diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c > index 7dcf7a4..8d9e4c9 100644 > --- a/net/netfilter/nf_conntrack_extend.c > +++ b/net/netfilter/nf_conntrack_extend.c > @@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp) > { > unsigned int off, len; > struct nf_ct_ext_type *t; > + size_t alloc_size; > > rcu_read_lock(); > t = rcu_dereference(nf_ct_ext_types[id]); > BUG_ON(t == NULL); > off = ALIGN(sizeof(struct nf_ct_ext), t->align); > len = off + t->len; > + alloc_size = t->alloc_size; > rcu_read_unlock(); > > - *ext = kzalloc(t->alloc_size, gfp); > + *ext = kzalloc(alloc_size, gfp); > if (!*ext) > return NULL; >
On 22.09.2010 09:23, Eric Dumazet wrote:
> On Wednesday 22 September 2010 at 09:17 +0200, kaber@trash.net wrote:
>> From: Eric Dumazet <Eric Dumazet>
>>
>
> strange email address ;)

Indeed, cut-and-paste error, sorry :)
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c index 7dcf7a4..8d9e4c9 100644 --- a/net/netfilter/nf_conntrack_extend.c +++ b/net/netfilter/nf_conntrack_extend.c @@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp) { unsigned int off, len; struct nf_ct_ext_type *t; + size_t alloc_size; rcu_read_lock(); t = rcu_dereference(nf_ct_ext_types[id]); BUG_ON(t == NULL); off = ALIGN(sizeof(struct nf_ct_ext), t->align); len = off + t->len; + alloc_size = t->alloc_size; rcu_read_unlock(); - *ext = kzalloc(t->alloc_size, gfp); + *ext = kzalloc(alloc_size, gfp); if (!*ext) return NULL;
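Review bot: the hunk stops at `return NULL;`, so whether nf_ct_ext_create() touches `t` again further down, after the `rcu_read_unlock()` line, cannot be checked from this context; please confirm the remainder of the function uses only the locals `off`, `len` and `alloc_size` that were copied inside the read-side section. A one-line comment above `alloc_size = t->alloc_size;` saying the value is snapshotted because `t` is only valid until rcu_read_unlock() would also help, since without it a later cleanup could fold the temporary back into `kzalloc(t->alloc_size, gfp)` and reintroduce the post-unlock dereference this patch removes.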