git.baikalelectronics.ru Git - kernel.git/commit

author	Liping Zhang <zlpnobody@gmail.com>
	Sat, 25 Mar 2017 00:53:12 +0000 (08:53 +0800)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 27 Mar 2017 11:47:28 +0000 (13:47 +0200)
commit	d5364b193e06fea5d0ef9e3d99ac45988d2e76f2
tree	7fdc91ed3c571753fbaffaef9e520882925e1703	tree \| snapshot
parent	9ff8e3efd8a74cc89a43d758c6bce55d60ba6dd5	commit \| diff

netfilter: invoke synchronize_rcu after set the _hook_ to NULL

Otherwise, another CPU may access the invalid pointer. For example:
    CPU0                CPU1
     -              rcu_read_lock();
     -              pfunc = _hook_;
  _hook_ = NULL;          -
  mod unload              -
     -                 pfunc(); // invalid, panic
     -             rcu_read_unlock();

So we must call synchronize_rcu() to wait the rcu reader to finish.

Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.

Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

net/ipv4/netfilter/nf_nat_snmp_basic.c		diff \| blob \| history
net/netfilter/nf_conntrack_ecache.c		diff \| blob \| history
net/netfilter/nf_conntrack_netlink.c		diff \| blob \| history
net/netfilter/nf_nat_core.c		diff \| blob \| history
net/netfilter/nfnetlink_cttimeout.c		diff \| blob \| history