git.baikalelectronics.ru Git - kernel.git/commit

author	Gao Feng <gfree.wind@vip.163.com>
	Wed, 13 Jun 2018 04:26:13 +0000 (12:26 +0800)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 18 Jun 2018 12:15:12 +0000 (14:15 +0200)
commit	ee55659ed3deb31b5322dd441331da1f18e23b42
tree	4097fad5a1833ef468785c30f9a7de65005f6513	tree \| snapshot
parent	a6f75c8596acbc3c04dd74bc9f177fca6479aecb	commit \| diff

netfilter: nf_ct_helper: Fix possible panic after nf_conntrack_helper_unregister

The helper module would be unloaded after nf_conntrack_helper_unregister,
so it may cause a possible panic caused by race.

nf_ct_iterate_destroy(unhelp, me) reset the helper of conntrack as NULL,
but maybe someone has gotten the helper pointer during this period. Then
it would panic, when it accesses the helper and the module was unloaded.

Take an example as following:
CPU0                                                   CPU1
ctnetlink_dump_helpinfo
helper = rcu_dereference(help->helper);
                                                       unhelp
                                                       set helper as NULL
                                                       unload helper module
helper->to_nlattr(skb, ct);

As above, the cpu0 tries to access the helper and its module is unloaded,
then the panic happens.

Signed-off-by: Gao Feng <gfree.wind@vip.163.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>