summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <eric.dumazet@gmail.com>2010-10-29 19:59:40 +0200
committerPatrick McHardy <kaber@trash.net>2010-10-29 19:59:40 +0200
commitd817d29d0b37290d90b3a9e2a61162f1dbf2be4f (patch)
tree7414a1334cdac82a61340623a23109c3222f4a48
parent64e46749224aa658d8fc0d37ea83ab20b1d7955d (diff)
downloadop-kernel-dev-d817d29d0b37290d90b3a9e2a61162f1dbf2be4f.zip
op-kernel-dev-d817d29d0b37290d90b3a9e2a61162f1dbf2be4f.tar.gz
netfilter: fix nf_conntrack_l4proto_register()
While doing __rcu annotations work on net/netfilter I found following bug. On some arches, it is possible we publish a table while its content is not yet committed to memory, and lockless reader can dereference wild pointer. Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
-rw-r--r--net/netfilter/nf_conntrack_proto.c6
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c
index ed6d929..dc7bb74 100644
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -292,6 +292,12 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
for (i = 0; i < MAX_NF_CT_PROTO; i++)
proto_array[i] = &nf_conntrack_l4proto_generic;
+
+ /* Before making proto_array visible to lockless readers,
+ * we must make sure its content is committed to memory.
+ */
+ smp_wmb();
+
nf_ct_protos[l4proto->l3proto] = proto_array;
} else if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] !=
&nf_conntrack_l4proto_generic) {
OpenPOWER on IntegriCloud