[PATCH] netfilter: fix a race in nf_ct_ext_create()

[PATCH] netfilter: fix a race in nf_ct_ext_create()

[Eric Dumazet]

As soon as rcu_read_unlock() is called, there is no guarantee current
thread can safely derefence t pointer, rcu protected.

Fix is to copy t->alloc_size in a temporary variable.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 net/netfilter/nf_conntrack_extend.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 7dcf7a4..8d9e4c9 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
 {
 	unsigned int off, len;
 	struct nf_ct_ext_type *t;
+	size_t alloc_size;
 
 	rcu_read_lock();
 	t = rcu_dereference(nf_ct_ext_types[id]);
 	BUG_ON(t == NULL);
 	off = ALIGN(sizeof(struct nf_ct_ext), t->align);
 	len = off + t->len;
+	alloc_size = t->alloc_size;
 	rcu_read_unlock();
 
-	*ext = kzalloc(t->alloc_size, gfp);
+	*ext = kzalloc(alloc_size, gfp);
 	if (!*ext)
 		return NULL;
 

Re: [PATCH] netfilter: fix a race in nf_ct_ext_create()

[Paul E. McKenney]

On Tue, Aug 31, 2010 at 05:48:02PM +0200, Eric Dumazet wrote:
> As soon as rcu_read_unlock() is called, there is no guarantee current
> thread can safely derefence t pointer, rcu protected.
> 
> Fix is to copy t->alloc_size in a temporary variable.

Yow!!!  Good catch!!!

Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>

> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> ---
>  net/netfilter/nf_conntrack_extend.c |    4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
> index 7dcf7a4..8d9e4c9 100644
> --- a/net/netfilter/nf_conntrack_extend.c
> +++ b/net/netfilter/nf_conntrack_extend.c
> @@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
>  {
>  	unsigned int off, len;
>  	struct nf_ct_ext_type *t;
> +	size_t alloc_size;
> 
>  	rcu_read_lock();
>  	t = rcu_dereference(nf_ct_ext_types[id]);
>  	BUG_ON(t == NULL);
>  	off = ALIGN(sizeof(struct nf_ct_ext), t->align);
>  	len = off + t->len;
> +	alloc_size = t->alloc_size;
>  	rcu_read_unlock();
> 
> -	*ext = kzalloc(t->alloc_size, gfp);
> +	*ext = kzalloc(alloc_size, gfp);
>  	if (!*ext)
>  		return NULL;
> 
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Re: [PATCH] netfilter: fix a race in nf_ct_ext_create()

[Patrick McHardy]

On 31.08.2010 17:51, Paul E. McKenney wrote:
> On Tue, Aug 31, 2010 at 05:48:02PM +0200, Eric Dumazet wrote:
>> > As soon as rcu_read_unlock() is called, there is no guarantee current
>> > thread can safely derefence t pointer, rcu protected.
>> > 
>> > Fix is to copy t->alloc_size in a temporary variable.
> Yow!!!  Good catch!!!
> 
> Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
> 
>> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Applied, thanks.