git.baikalelectronics.ru Git - kernel.git/commit
netfilter: conntrack: fix crash on timeout object removal
author Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 5 Oct 2015 14:51:01 +0000 (16:51 +0200)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Mon, 12 Oct 2015 15:04:34 +0000 (17:04 +0200)
commit 08d183a218e18c5406d681dcf238aa1e7da8b09d
tree 20ea2799e0bcc69377bd4eeee66f530cb0afae5e
parent 6ac1b098d6363f5dbd1f4080589a7322afbd4eed
netfilter: conntrack: fix crash on timeout object removal

The object and module refcounts are updated for each conntrack template,
however, if we delete the iptables rules and we flush the timeout
database, we may end up with invalid references to timeout objects that
are just gone.

Resolve this problem by setting the timeout reference to NULL when the
custom timeout entry is removed from our base. This patch requires some
RCU trickery to ensure safe pointer handling.

This handling is similar to what we already do with conntrack helpers,
the idea is to avoid bumping the timeout object reference counter from
the packet path to avoid the cost of atomic ops.

Reported-by: Stephen Hemminger <stephen@networkplumber.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
include/net/netfilter/nf_conntrack_timeout.h
net/netfilter/nf_conntrack_core.c
net/netfilter/nfnetlink_cttimeout.c
net/netfilter/xt_CT.c