diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-09-21 21:17:32 +0000 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-09-22 13:13:33 -0700 |
commit | 15cdeadaa5d76009e20c7792aed69f5a73808f97 (patch) | |
tree | 11eb05f550c046b3099d52df146948dce0c12635 | |
parent | b46ffb854554ff939701bdd492b81558da5706fc (diff) | |
download | op-kernel-dev-15cdeadaa5d76009e20c7792aed69f5a73808f97.zip op-kernel-dev-15cdeadaa5d76009e20c7792aed69f5a73808f97.tar.gz |
netfilter: fix a race in nf_ct_ext_create()
As soon as rcu_read_unlock() is called, there is no guarantee current
thread can safely derefence t pointer, rcu protected.
Fix is to copy t->alloc_size in a temporary variable.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/netfilter/nf_conntrack_extend.c | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c index 7dcf7a4..8d9e4c94 100644 --- a/net/netfilter/nf_conntrack_extend.c +++ b/net/netfilter/nf_conntrack_extend.c @@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp) { unsigned int off, len; struct nf_ct_ext_type *t; + size_t alloc_size; rcu_read_lock(); t = rcu_dereference(nf_ct_ext_types[id]); BUG_ON(t == NULL); off = ALIGN(sizeof(struct nf_ct_ext), t->align); len = off + t->len; + alloc_size = t->alloc_size; rcu_read_unlock(); - *ext = kzalloc(t->alloc_size, gfp); + *ext = kzalloc(alloc_size, gfp); if (!*ext) return NULL; |