path: root/net/netfilter/xt_ipcomp.c
author: Florian Westphal <fw@strlen.de> 2019-02-05 12:16:18 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-02-05 14:10:33 +0100
commit: 947e492c0fc2132ae5fca081a9c2952ccaab0404
tree: 1799df05816fbaa4691d52cb2ab34d9965f7d1a1 /net/netfilter/xt_ipcomp.c
parent: netfilter: ipv6: Don't preserve original oif for loopback address
netfilter: nft_compat: don't use refcount_inc on newly allocated entry

When I moved the refcount to refcount_t type I missed the fact that refcount_inc() will result in use-after-free warning with CONFIG_REFCOUNT_FULL=y builds.

The correct fix would be to init the reference count to 1 at allocation time, but, unfortunately we cannot do this, as we can't undo that in case something else fails later in the batch.

So only solution I see is to special-case the 'new entry' condition and replace refcount_inc() with a "delayed" refcount_set(1) in this case, as done here.

The .activate callback can be removed to simplify things, we only need to make sure that deactivate() decrements/unlinks the entry from the list at end of transaction phase (commit or abort).

Fixes: 12c44aba6618 ("netfilter: nft_compat: use refcnt_t type for nft_xt reference count")
Reported-by: Jordan Glover <Golden_Miller83@protonmail.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
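
The pattern the commit message describes, as an added userspace model (not code from this commit or from the kernel): a checked increment treats a count of 0 as an already-released object and warns, so the first user of a fresh entry sets the count to 1 instead. All `model_*` and `get_*` names are hypothetical, and the model assumes a new entry starts with a count of 0 and that a refused increment leaves the count unchanged.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: these names are hypothetical, not kernel APIs. */
struct model_ref { unsigned int refs, warnings; };

/* Checked increment: a counter at 0 is treated as already released. */
static bool model_inc(struct model_ref *r)
{
	if (r->refs == 0) {
		r->warnings++;	/* stands in for the use-after-free warning */
		return false;
	}
	r->refs++;
	return true;
}

struct model_entry { struct model_ref ref; bool is_new; };

/* Fresh entry as the message describes it: count not yet initialised to 1. */
static struct model_entry model_alloc(void)
{
	struct model_entry e = { .ref = { 0, 0 }, .is_new = true };
	return e;
}

/* "Before": every user, including the first, takes its reference with inc. */
static void get_naive(struct model_entry *e) { model_inc(&e->ref); }

/* "After": the first user does the delayed set(1), later users increment. */
static void get_fixed(struct model_entry *e)
{
	if (e->is_new) {
		e->ref.refs = 1;
		e->is_new = false;
	} else {
		model_inc(&e->ref);
	}
}

int main(void)
{
	struct model_entry a = model_alloc(), b = model_alloc();

	for (int i = 0; i < 3; i++) { get_naive(&a); get_fixed(&b); }
	printf("naive: refs=%u warnings=%u\n", a.ref.refs, a.ref.warnings);
	printf("fixed: refs=%u warnings=%u\n", b.ref.refs, b.ref.warnings);
	return 0;
}
```

In this model the naive path never leaves 0 and warns on every call, while the special-cased path ends with one reference per user and no warnings.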
Diffstat (limited to 'net/netfilter/xt_ipcomp.c')
0 files changed, 0 insertions, 0 deletions