| Message ID | 20260516115627.967773-2-pablo@netfilter.org |
|---|---|
| State | Accepted, archived |
| Headers | show |
| Series | [net,01/12] netfilter: nf_conntrack_helper: fix possible null deref during error log | expand |
Hello: This series was applied to netdev/net.git (main) by Pablo Neira Ayuso <pablo@netfilter.org>: On Sat, 16 May 2026 13:56:16 +0200 you wrote: > From: Florian Westphal <fw@strlen.de> > > Reported by sashiko: there is a small race window. > > If a helper module is unloaded or a userspace-defined helper is > removed, nf_conntrack_helper_unregister() sets ->helper to NULL. > > [...] Here is the summary with links: - [net,01/12] netfilter: nf_conntrack_helper: fix possible null deref during error log https://git.kernel.org/netdev/net/c/1afc25ae7528 - [net,02/12] ipvs: avoid possible loop in ip_vs_dst_event on resizing https://git.kernel.org/netdev/net/c/5522d65d81a7 - [net,03/12] netfilter: ipset: fix a potential dump-destroy race https://git.kernel.org/netdev/net/c/53d7fd878c28 - [net,04/12] netfilter: nft_inner: Fix IPv6 inner_thoff desync https://git.kernel.org/netdev/net/c/b6a91f68ebfe - [net,05/12] netfilter: ipset: stop hash:* range iteration at end https://git.kernel.org/netdev/net/c/0d3a282ab5f1 - [net,06/12] netfilter: nft_inner: release local_lock before re-enabling softirqs https://git.kernel.org/netdev/net/c/a6cb3ff97985 - [net,07/12] netfilter: ip6t_hbh: reject oversized option lists https://git.kernel.org/netdev/net/c/4322dcde6b41 - [net,08/12] netfilter: ipset: Fix data race between add and list header in all hash types https://git.kernel.org/netdev/net/c/c0c42a0fb271 - [net,09/12] netfilter: ipset: Fix data race between add and dump in all hash types https://git.kernel.org/netdev/net/c/2358f7427ccd - [net,10/12] netfilter: ipset: annotate "pos" for concurrent readers/writers https://git.kernel.org/netdev/net/c/7f7445840b77 - [net,11/12] netfilter: br_netfilter: Reallocate headroom if necessary in neigh_hh_bridge() https://git.kernel.org/netdev/net/c/b2870fc21601 - [net,12/12] netfilter: nf_queue: hold bridge skb->dev while queued https://git.kernel.org/netdev/net/c/e196115ec330 You are awesome, thank you!
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index b594cd244fe1..17e971bd4c74 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -321,8 +321,8 @@ __printf(3, 4) void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct, const char *fmt, ...) { + const char *helper_name = "(null)"; const struct nf_conn_help *help; - const struct nf_conntrack_helper *helper; struct va_format vaf; va_list args; @@ -331,14 +331,17 @@ void nf_ct_helper_log(struct sk_buff *skb, const struct nf_conn *ct, vaf.fmt = fmt; vaf.va = &args; - /* Called from the helper function, this call never fails */ help = nfct_help(ct); + if (help) { + const struct nf_conntrack_helper *helper; - /* rcu_read_lock()ed by nf_hook_thresh */ - helper = rcu_dereference(help->helper); + helper = rcu_dereference(help->helper); + if (helper) + helper_name = helper->name; + } nf_log_packet(nf_ct_net(ct), nf_ct_l3num(ct), 0, skb, NULL, NULL, NULL, - "nf_ct_%s: dropping packet: %pV ", helper->name, &vaf); + "helper %s dropping packet: %pV ", helper_name, &vaf); va_end(args); }