projects / GitHub / moto-9609 / android_kernel_motorola_exynos9610.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 69c4719) | patch
netfilter: nf_ct_helper: Fix possible panic after nf_conntrack_helper_unregister
authorGao Feng <gfree.wind@vip.163.com>
Wed, 13 Jun 2018 04:26:13 +0000 (12:26 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Fri, 24 Aug 2018 11:08:57 +0000 (13:08 +0200)
commit175b38277b6d9215ef9c854d666b6223873445e1
tree525f1f4c3422e5be2eecf99d4000ea000fd1218btree | snapshot (tar.gz zip)
parent69c471908ddd7b9927aa0735766d486cbf094cabcommit | diff
netfilter: nf_ct_helper: Fix possible panic after nf_conntrack_helper_unregister

[ Upstream commit ad9852af97587b8abe8102f9ddcb05c9769656f6 ]

The helper module would be unloaded after nf_conntrack_helper_unregister,
so it may cause a possible panic caused by race.

nf_ct_iterate_destroy(unhelp, me) reset the helper of conntrack as NULL,
but maybe someone has gotten the helper pointer during this period. Then
it would panic, when it accesses the helper and the module was unloaded.

Take an example as following:
CPU0                                                   CPU1
ctnetlink_dump_helpinfo
helper = rcu_dereference(help->helper);
                                                       unhelp
                                                       set helper as NULL
                                                       unload helper module
helper->to_nlattr(skb, ct);

As above, the cpu0 tries to access the helper and its module is unloaded,
then the panic happens.

Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/netfilter/nf_conntrack_helper.c diff | blob | blame | history