From patchwork Wed Jun 13 04:26:13 2018
X-Patchwork-Submitter: Gao Feng
X-Patchwork-Id: 928657
X-Patchwork-Delegate: pablo@netfilter.org
From: gfree.wind@vip.163.com
To: pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, netfilter-devel@vger.kernel.org
Cc: Gao Feng
Subject: [PATCH nf] netfilter: helper: Fix possible panic after nf_conntrack_helper_unregister
Date: Wed, 13 Jun 2018 12:26:13 +0800
Message-Id: <1528863973-99514-1-git-send-email-gfree.wind@vip.163.com>

From: Gao Feng

The helper module would be unloaded after nf_conntrack_helper_unregister,
so it may cause a possible panic caused by a race.

nf_ct_iterate_destroy(unhelp, me) resets the helper of conntrack to NULL,
but maybe someone has gotten the helper pointer during this period. Then
it would panic when it accesses the helper and the module was unloaded.

Take the following example:

CPU0                                        CPU1
ctnetlink_dump_helpinfo
helper = rcu_dereference(help->helper);
                                            unhelp
                                            set helper as NULL
                                            unload helper module
helper->to_nlattr(skb, ct);

As above, cpu0 tries to access the helper and its module is unloaded,
then the panic happens.

Signed-off-by: Gao Feng
---
 net/netfilter/nf_conntrack_helper.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 551a1ed..b5b655d 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c
@@ -465,6 +465,11 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me) nf_ct_expect_iterate_destroy(expect_iter_me, NULL); nf_ct_iterate_destroy(unhelp, me); + + /* Maybe someone has gotten the helper already when unhelp above. + * So need to wait it. + */ + synchronize_rcu(); } EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister);
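
Review bot: The comment added above synchronize_rcu() at the end of nf_conntrack_helper_unregister() does not say who is being waited for or what goes wrong without the wait. Please name the reader and the hazard, for example "Wait for RCU readers (e.g. ctnetlink_dump_helpinfo) that fetched help->helper before unhelp cleared it; the helper module may be unloaded once we return." The grace period only covers users that dereference the helper inside an RCU read-side critical section, as in the rcu_dereference(help->helper) path from the commit message, so it is worth confirming that no path keeps the pointer past that section. synchronize_rcu() also blocks, so callers of this function must be in process context.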