[8/9] netfilter: xt_connmark: fix list corruption on rmmod

Message ID	20180613105700.12894-9-pablo@netfilter.org
State	Accepted
Delegated to:	Pablo Neira
Headers	show Return-Path: <netfilter-devel-owner@vger.kernel.org> sender: pneira@us.es) by entrada.int (Postfix) with ESMTPA id 9ADF9411A648; Wed, 13 Jun 2018 12:55:52 +0200 (CEST) From: Pablo Neira Ayuso <pablo@netfilter.org> To: netfilter-devel@vger.kernel.org Cc: davem@davemloft.net, netdev@vger.kernel.org Subject: [PATCH 8/9] netfilter: xt_connmark: fix list corruption on rmmod Date: Wed, 13 Jun 2018 12:56:59 +0200 Message-Id: <20180613105700.12894-9-pablo@netfilter.org> In-Reply-To: <20180613105700.12894-1-pablo@netfilter.org> References: <20180613105700.12894-1-pablo@netfilter.org> Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk
Series	[1/9] netfilter: fix null-ptr-deref in nf_nat_decode_session \| expand [1/9] netfilter: fix null-ptr-deref in nf_nat_decode_session [2/9] netfilter: nft_socket: fix module autoload [3/9] netfilter: nft_dynset: do not reject set updates with NFT_SET_EVAL [4/9] netfilter: nf_tables: fix module unload race [5/9] netfilter: nf_tables: close race between netns exit and rmmod [6/9] netfilter: nf_tables: use WARN_ON_ONCE instead of BUG_ON in nft_do_chain() [7/9] netfilter: ctnetlink: avoid null pointer dereference [8/9] netfilter: xt_connmark: fix list corruption on rmmod [9/9] netfilter: nf_conncount: Fix garbage collection with zones

Message ID

20180613105700.12894-9-pablo@netfilter.org

State

Accepted

Delegated to:

Pablo Neira

Headers

From: Pablo Neira Ayuso <pablo@netfilter.org>
To: netfilter-devel@vger.kernel.org
Cc: davem@davemloft.net, netdev@vger.kernel.org
Subject: [PATCH 8/9] netfilter: xt_connmark: fix list corruption on rmmod
Date: Wed, 13 Jun 2018 12:56:59 +0200
Message-Id: <20180613105700.12894-9-pablo@netfilter.org>
In-Reply-To: <20180613105700.12894-1-pablo@netfilter.org>
References: <20180613105700.12894-1-pablo@netfilter.org>
Sender: netfilter-devel-owner@vger.kernel.org
Precedence: bulk

Series

[1/9] netfilter: fix null-ptr-deref in nf_nat_decode_session | expand

Commit Message

Pablo Neira Ayuso June 13, 2018, 10:56 a.m. UTC

From: Florian Westphal <fw@strlen.de>

This needs to use xt_unregister_targets, else new revision is left
on the list which then causes list to point to a target struct that has been free'd.

Fixes: 472a73e00757 ("netfilter: xt_conntrack: Support bit-shifting for CONNMARK & MARK targets.")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
---
 net/netfilter/xt_connmark.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_connmark.c b/net/netfilter/xt_connmark.c
index 94df000abb92..29c38aa7f726 100644
--- a/net/netfilter/xt_connmark.c
+++ b/net/netfilter/xt_connmark.c
@@ -211,7 +211,7 @@  static int __init connmark_mt_init(void)
 static void __exit connmark_mt_exit(void)
 {
 	xt_unregister_match(&connmark_mt_reg);
-	xt_unregister_target(connmark_tg_reg);
+	xt_unregister_targets(connmark_tg_reg, ARRAY_SIZE(connmark_tg_reg));
 }
 
 module_init(connmark_mt_init);

[8/9] netfilter: xt_connmark: fix list corruption on rmmod

Commit Message

Patch