diff options
| author |   Florian Westphal <fw@strlen.de> | 2019-01-14 14:28:50 +0100 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2019-01-18 02:29:42 +0100 |
| commit | b2e3d68d1251a051a620f9086e18f7ffa6833b5b (patch) | |
| tree | 760de639d95d4ecfe13a661b50598dcb670b7a23 /net/netrom | |
| parent | netfilter: nft_compat: make lists per netns (diff) | |
| download | linux-dev-b2e3d68d1251a051a620f9086e18f7ffa6833b5b.tar.xz linux-dev-b2e3d68d1251a051a620f9086e18f7ffa6833b5b.zip | |
netfilter: nft_compat: destroy function must not have side effects
The nft_compat destroy function deletes the nft_xt object from a list.
This isn't allowed anymore. Destroy functions are called asynchronously,
i.e. next batch can find the object that has a pending ->destroy()
invocation:
cpu0 cpu1
worker
->destroy for_each_entry()
if (x == ...
return x->ops;
list_del(x)
kfree_rcu(x)
expr->ops->... // ops was free'd
To resolve this, the list_del needs to occur before the transaction
mutex gets released. nf_tables has a 'deactivate' hook for this
purpose, so use that to unlink the object from the list.
Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release")
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/netrom')
0 files changed, 0 insertions, 0 deletions