diff options
| author |   Gao Feng <gfree.wind@vip.163.com> | 2018-06-13 12:26:13 +0800 |
|---|---|---|
| committer |   Pablo Neira Ayuso <pablo@netfilter.org> | 2018-06-18 14:15:12 +0200 |
| commit | ad9852af97587b8abe8102f9ddcb05c9769656f6 (patch) | |
| tree | 4097fad5a1833ef468785c30f9a7de65005f6513 /net | |
| parent | netfilter: ipv6: nf_defrag: reduce struct net memory waste (diff) | |
| download | linux-dev-ad9852af97587b8abe8102f9ddcb05c9769656f6.tar.xz linux-dev-ad9852af97587b8abe8102f9ddcb05c9769656f6.zip | |
netfilter: nf_ct_helper: Fix possible panic after nf_conntrack_helper_unregister
The helper module would be unloaded after nf_conntrack_helper_unregister,
so it may cause a possible panic caused by race.
nf_ct_iterate_destroy(unhelp, me) reset the helper of conntrack as NULL,
but maybe someone has gotten the helper pointer during this period. Then
it would panic, when it accesses the helper and the module was unloaded.
Take an example as following:
CPU0 CPU1
ctnetlink_dump_helpinfo
helper = rcu_dereference(help->helper);
unhelp
set helper as NULL
unload helper module
helper->to_nlattr(skb, ct);
As above, the cpu0 tries to access the helper and its module is unloaded,
then the panic happens.
Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_conntrack_helper.c | 5 |
1 files changed, 5 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_helper.c b/net/netfilter/nf_conntrack_helper.c index 551a1eddf0fa..a75b11c39312 100644 --- a/net/netfilter/nf_conntrack_helper.c +++ b/net/netfilter/nf_conntrack_helper.c @@ -465,6 +465,11 @@ void nf_conntrack_helper_unregister(struct nf_conntrack_helper *me) nf_ct_expect_iterate_destroy(expect_iter_me, NULL); nf_ct_iterate_destroy(unhelp, me); + + /* Maybe someone has gotten the helper already when unhelp above. + * So need to wait it. + */ + synchronize_rcu(); } EXPORT_SYMBOL_GPL(nf_conntrack_helper_unregister); |