netfilter: nft_compat: don't use refcount_inc on newly allocated entry
author Florian Westphal <fw@strlen.de>
Tue, 5 Feb 2019 11:16:18 +0000 (12:16 +0100)
committer Pablo Neira Ayuso <pablo@netfilter.org>
Tue, 5 Feb 2019 13:10:33 +0000 (14:10 +0100)
commit 2ae1b36f3fdc4904f816f3daa688597d842d23f3
tree 1799df05816fbaa4691d52cb2ab34d9965f7d1a1
parent 689a610688fda7524fd3f6194a2e39b12d74e472

When I moved the refcount to refcount_t type I missed the fact that
refcount_inc() will result in use-after-free warning with
CONFIG_REFCOUNT_FULL=y builds.

The correct fix would be to init the reference count to 1 at allocation
time, but, unfortunately we cannot do this, as we can't undo that
in case something else fails later in the batch.

So the only solution I see is to special-case the 'new entry' condition
and replace refcount_inc() with a "delayed" refcount_set(1) in this case,
as done here.

The .activate callback can be removed to simplify things, we only
need to make sure that deactivate() decrements/unlinks the entry
from the list at end of transaction phase (commit or abort).

Fixes: 82a27bdf5209 ("netfilter: nft_compat: use refcnt_t type for nft_xt reference count")
Reported-by: Jordan Glover <Golden_Miller83@protonmail.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/netfilter/nft_compat.c
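
The failure mode and the special case described in the commit message, as an added user-space model (not code from the kernel or from this commit). `model_ref`, `entry`, the `in_use` flag and both `entry_get_*` helpers are hypothetical names; the model assumes a checked counter that refuses an increment from 0 and records a warning instead.

```c
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space model of a checked reference counter. */
struct model_ref { unsigned int count; unsigned int warnings; };

/* Checked increment: 0 means "already released", so refuse and warn. */
static bool model_ref_inc(struct model_ref *r)
{
    if (r->count == 0) {
        r->warnings++;   /* stands in for the kernel's warning splat */
        return false;
    }
    r->count++;
    return true;
}

/* Returns true when the last reference was dropped. */
static bool model_ref_dec_and_test(struct model_ref *r)
{
    if (r->count == 0) { r->warnings++; return false; }
    return --r->count == 0;
}

/* Constructed entry, allocated zeroed; in_use is an assumed flag. */
struct entry { struct model_ref ref; bool in_use; };

/* Before: every taker increments, even the first one on a new entry. */
static void entry_get_before(struct entry *e) { model_ref_inc(&e->ref); }

/* After: first taker does the delayed set to 1, later takers increment. */
static void entry_get_after(struct entry *e)
{
    if (!e->in_use) {
        e->ref.count = 1;
        e->in_use = true;
    } else {
        model_ref_inc(&e->ref);
    }
}

int main(void)
{
    struct entry a = {0}, b = {0};
    entry_get_before(&a);                      /* refused: count stays 0 */
    entry_get_after(&b); entry_get_after(&b);  /* count 1, then 2 */
    printf("before: count=%u warnings=%u\n", a.ref.count, a.ref.warnings);
    printf("after:  count=%u warnings=%u\n", b.ref.count, b.ref.warnings);
    return model_ref_dec_and_test(&b.ref);     /* 2 -> 1, not last: exit 0 */
}
```

In the "before" path the new entry ends up with a count of 0 even though it has a user, so the next decrement on it would be treated as an underflow.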