Message ID | 1471874298-20503-3-git-send-email-zlpnobody@163.com
---|---
State | Accepted
Delegated to | Pablo Neira
On Mon, Aug 22, 2016 at 09:58:18PM +0800, Liping Zhang wrote:
> From: Liping Zhang <liping.zhang@spreadtrum.com>
>
> KASAN reported this bug:
> BUG: KASAN: use-after-free in icmp_packet+0x25/0x50 [nf_conntrack_ipv4] at
> addr ffff880002db08c8
> Read of size 4 by task lt-nf-queue/19041
> Call Trace:
> <IRQ> [<ffffffff815eeebb>] dump_stack+0x63/0x88
> [<ffffffff813386f8>] kasan_report_error+0x528/0x560
> [<ffffffff81338cc8>] kasan_report+0x58/0x60
> [<ffffffffa07393f5>] ? icmp_packet+0x25/0x50 [nf_conntrack_ipv4]
> [<ffffffff81337551>] __asan_load4+0x61/0x80
> [<ffffffffa07393f5>] icmp_packet+0x25/0x50 [nf_conntrack_ipv4]
> [<ffffffffa06ecaa0>] nf_conntrack_in+0x550/0x980 [nf_conntrack]
> [<ffffffffa06ec550>] ? __nf_conntrack_confirm+0xb10/0xb10 [nf_conntrack]
> [ ... ]
>
> The main reason is that we missed unlinking the timeout objects in the
> unconfirmed ct lists, so we will access the timeout objects that have
> already been freed.

Applied, thanks.
diff --git a/net/netfilter/nfnetlink_cttimeout.c b/net/netfilter/nfnetlink_cttimeout.c index 6844c7a..139e086 100644 --- a/net/netfilter/nfnetlink_cttimeout.c +++ b/net/netfilter/nfnetlink_cttimeout.c @@ -302,7 +302,16 @@ static void ctnl_untimeout(struct net *net, struct ctnl_timeout *timeout) const struct hlist_nulls_node *nn; unsigned int last_hsize; spinlock_t *lock; - int i; + int i, cpu; + + for_each_possible_cpu(cpu) { + struct ct_pcpu *pcpu = per_cpu_ptr(net->ct.pcpu_lists, cpu); + + spin_lock_bh(&pcpu->lock); + hlist_nulls_for_each_entry(h, nn, &pcpu->unconfirmed, hnnode) + untimeout(h, timeout); + spin_unlock_bh(&pcpu->lock); + } local_bh_disable(); restart:
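Review bot: the new for_each_possible_cpu() block in ctnl_untimeout() carries no comment saying why the per-cpu unconfirmed lists need their own pass, so a reader of the function cannot tell from the code that unconfirmed conntracks are not yet in the hash table and are therefore never reached by the existing walk that starts after local_bh_disable(); suggest a one-line comment above `for_each_possible_cpu(cpu) {` recording that reason, which is the use-after-free described in the commit message. Two smaller points: `h`, which the new hlist_nulls_for_each_entry() walk assigns, is declared outside the visible context, so it is worth confirming it is the `struct nf_conntrack_tuple_hash *` the existing hash walk already uses rather than a new local; and placing the loop before `local_bh_disable()` is correct only because spin_lock_bh(&pcpu->lock) disables bottom halves itself, which the comment could also note so nobody later "tidies" the ordering.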