From patchwork Fri Oct 29 17:57:02 2010 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Eric Dumazet X-Patchwork-Id: 69616 X-Patchwork-Delegate: davem@davemloft.net Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id EE23EB70D4 for ; Sat, 30 Oct 2010 04:57:17 +1100 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934275Ab0J2R5J (ORCPT ); Fri, 29 Oct 2010 13:57:09 -0400 Received: from mail-wy0-f174.google.com ([74.125.82.174]:52099 "EHLO mail-wy0-f174.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934254Ab0J2R5I (ORCPT ); Fri, 29 Oct 2010 13:57:08 -0400 Received: by wyf28 with SMTP id 28so3389784wyf.19 for ; Fri, 29 Oct 2010 10:57:06 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:subject:from:to:cc :content-type:date:message-id:mime-version:x-mailer :content-transfer-encoding; bh=rApTtEHRUSR52eGZyYICe/7to7dtb+Te7CRdZffdt5E=; b=RPqX0qbDMo1Ln5wv/gLD/aknClNkidW5M3f8e1Ku1MlWdhnziroiqmUsx5OLqf94ra VXDfibvEzB+j6Pdx3+V3HDP29LoiknxLksiylfStg8ENgRR9NRyZoUatfIN5qWaH1BBX S/0IYq1PyaKbIErhJyn/HOhIvu5+GrxxDGmX0= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=subject:from:to:cc:content-type:date:message-id:mime-version :x-mailer:content-transfer-encoding; b=ECNDEEVhd9sku6TLhg6MXpszuv06q2NsH3OyU37VlmRJmqwq+ZF77zE5YNKWlM+1kt UhGZ3diiFmgy6k7Hd7nCGdZ6mgc4z2swGm74DS0/M2EcgKtaAAcymsoYrFtI2KpmW6UF qQVI7g1SD5RbEOE2tnyfkgKSFWX+1CxSmaeqE= Received: by 10.227.127.142 with SMTP id g14mr12442362wbs.200.1288375026203; Fri, 29 Oct 2010 10:57:06 -0700 (PDT) Received: from [10.150.51.216] (gw0.net.jmsp.net [212.23.165.14]) by mx.google.com with ESMTPS id i19sm2291511wbe.11.2010.10.29.10.57.04 (version=SSLv3 cipher=RC4-MD5); Fri, 29 Oct 2010 10:57:05 -0700 (PDT) Subject: [PATCH] netfilter: fix nf_conntrack_l4proto_register() From: Eric Dumazet To: Patrick McHardy Cc: David Miller , netdev , Netfilter Development Mailinglist Date: Fri, 29 Oct 2010 19:57:02 +0200 Message-ID: <1288375022.2560.306.camel@edumazet-laptop> Mime-Version: 1.0 X-Mailer: Evolution 2.30.3 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org While doing __rcu annotations work on net/netfilter I found following bug. On some arches, it is possible we publish a table while its content is not yet committed to memory, and lockless reader can dereference wild pointer. Signed-off-by: Eric Dumazet --- net/netfilter/nf_conntrack_proto.c | 6 ++++++ 1 files changed, 6 insertions(+) -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index ed6d929..dc7bb74 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c @@ -292,6 +292,12 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto) for (i = 0; i < MAX_NF_CT_PROTO; i++) proto_array[i] = &nf_conntrack_l4proto_generic; + + /* Before making proto_array visible to lockless readers, + * we must make sure its content is committed to memory. + */ + smp_wmb(); + nf_ct_protos[l4proto->l3proto] = proto_array; } else if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] != &nf_conntrack_l4proto_generic) {