diff mbox

[4/6] netfilter: fix a race in nf_ct_ext_create()

Message ID 1285139854-11827-5-git-send-email-kaber@trash.net
State Accepted, archived
Delegated to: David Miller
Headers show

Commit Message

Patrick McHardy Sept. 22, 2010, 7:17 a.m. UTC 
From: Eric Dumazet <Eric Dumazet>

As soon as rcu_read_unlock() is called, there is no guarantee current
thread can safely derefence t pointer, rcu protected.

Fix is to copy t->alloc_size in a temporary variable.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
---
 net/netfilter/nf_conntrack_extend.c |    4 +++-
 1 files changed, 3 insertions(+), 1 deletions(-)

Comments

Eric Dumazet Sept. 22, 2010, 7:23 a.m. UTC | #1 
Le mercredi 22 septembre 2010 à 09:17 +0200, kaber@trash.net a écrit :
> From: Eric Dumazet <Eric Dumazet>
> 

strange email address ;)

> As soon as rcu_read_unlock() is called, there is no guarantee current
> thread can safely derefence t pointer, rcu protected.
> 
> Fix is to copy t->alloc_size in a temporary variable.
> 
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
> Signed-off-by: Patrick McHardy <kaber@trash.net>
> ---
>  net/netfilter/nf_conntrack_extend.c |    4 +++-
>  1 files changed, 3 insertions(+), 1 deletions(-)
> 
> diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
> index 7dcf7a4..8d9e4c9 100644
> --- a/net/netfilter/nf_conntrack_extend.c
> +++ b/net/netfilter/nf_conntrack_extend.c
> @@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
>  {
>  	unsigned int off, len;
>  	struct nf_ct_ext_type *t;
> +	size_t alloc_size;
>  
>  	rcu_read_lock();
>  	t = rcu_dereference(nf_ct_ext_types[id]);
>  	BUG_ON(t == NULL);
>  	off = ALIGN(sizeof(struct nf_ct_ext), t->align);
>  	len = off + t->len;
> +	alloc_size = t->alloc_size;
>  	rcu_read_unlock();
>  
> -	*ext = kzalloc(t->alloc_size, gfp);
> +	*ext = kzalloc(alloc_size, gfp);
>  	if (!*ext)
>  		return NULL;
>  


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Patrick McHardy Sept. 22, 2010, 7:28 a.m. UTC | #2 
Am 22.09.2010 09:23, schrieb Eric Dumazet:
> Le mercredi 22 septembre 2010 à 09:17 +0200, kaber@trash.net a écrit :
>> From: Eric Dumazet <Eric Dumazet>
>>
> 
> strange email address ;)

Indeed, cut-and-paste error, sorry :)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 7dcf7a4..8d9e4c9 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -48,15 +48,17 @@  nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
 {
 	unsigned int off, len;
 	struct nf_ct_ext_type *t;
+	size_t alloc_size;
 
 	rcu_read_lock();
 	t = rcu_dereference(nf_ct_ext_types[id]);
 	BUG_ON(t == NULL);
 	off = ALIGN(sizeof(struct nf_ct_ext), t->align);
 	len = off + t->len;
+	alloc_size = t->alloc_size;
 	rcu_read_unlock();
 
-	*ext = kzalloc(t->alloc_size, gfp);
+	*ext = kzalloc(alloc_size, gfp);
 	if (!*ext)
 		return NULL;