Reported by Chuck Ebbert as:
https://bugzilla.redhat.com/show_bug.cgi?id=259501#c14
This routine is called each time hash should be replaced, nf_conn has
extension list which contains pointers to connection tracking users
(like nat, which is right now the only such user), so when replace takes
place it should copy own extensions. Loop above checks for own
extension, but tries to move higer-layer one, which can lead to above
oops.
Signed-off-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
rcu_read_lock();
t = rcu_dereference(nf_ct_ext_types[i]);
if (t && t->move)
- t->move(ct, ct->ext + ct->ext->offset[id]);
+ t->move(ct, ct->ext + ct->ext->offset[i]);
rcu_read_unlock();
}
kfree(ct->ext);