netfilter: call nf_hook_ingress with rcu_read_lock

This commit ensures that the rcu read-side lock is held while the
ingress hook is called.  This ensures that a call to nf_hook_slow (and
ultimately nf_ingress) will be read protected.

Signed-off-by: Aaron Conole <aconole@bytheb.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/net/core/dev.c b/net/core/dev.c
index 34b5322bc081e4a4a27e859a7b07eae32ea084dc..064919425b7d621a73132d2bd983f3c52d0c1c51 100644 (file)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4040,12 +4040,17 @@ static inline int nf_ingress(struct sk_buff *skb, struct packet_type **pt_prev,
 {
 #ifdef CONFIG_NETFILTER_INGRESS
        if (nf_hook_ingress_active(skb)) {
+               int ingress_retval;
+
                if (*pt_prev) {
                        *ret = deliver_skb(skb, *pt_prev, orig_dev);
                        *pt_prev = NULL;
                }
 
-               return nf_hook_ingress(skb);
+               rcu_read_lock();
+               ingress_retval = nf_hook_ingress(skb);
+               rcu_read_unlock();
+               return ingress_retval;
        }
 #endif /* CONFIG_NETFILTER_INGRESS */
        return 0;