diff options
| author | Patrick McHarrdy | 2007-06-05 21:55:27 +0200 |
|---|---|---|
| committer | David S. Miller | 2007-06-07 22:40:26 +0200 |
| commit | 3c158f7f57601bc27eab82f0dc4fd3fad314d845 (patch) | |
| tree | 03c8f9d7fa1e51d852ff6b90c35030491613df03 /net/netfilter/nf_conntrack_netlink.c | |
| parent | [RTNETLINK]: ifindex 0 does not exist (diff) | |
| download | kernel-qcow2-linux-3c158f7f57601bc27eab82f0dc4fd3fad314d845.tar.gz kernel-qcow2-linux-3c158f7f57601bc27eab82f0dc4fd3fad314d845.tar.xz kernel-qcow2-linux-3c158f7f57601bc27eab82f0dc4fd3fad314d845.zip | |
[NETFILTER]: nf_conntrack: fix helper module unload races
When a helper module is unloaded all conntracks refering to it have their
helper pointer NULLed out, leading to lots of races. In most places this
can be fixed by proper use of RCU (they do already check for != NULL,
but in a racy way), additionally nf_conntrack_expect_related needs to
bail out when no helper is present.
Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy
and not worth fixing.
Signed-off-by: Patrick McHarrdy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter/nf_conntrack_netlink.c')
| -rw-r--r-- | net/netfilter/nf_conntrack_netlink.c | 34 |
1 files changed, 23 insertions, 11 deletions
diff --git a/net/netfilter/nf_conntrack_netlink.c b/net/netfilter/nf_conntrack_netlink.c index d6d39e241327..3f73327794ab 100644 --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -171,21 +171,29 @@ ctnetlink_dump_helpinfo(struct sk_buff *skb, const struct nf_conn *ct) { struct nfattr *nest_helper; const struct nf_conn_help *help = nfct_help(ct); + struct nf_conntrack_helper *helper; - if (!help || !help->helper) + if (!help) return 0; + rcu_read_lock(); + helper = rcu_dereference(help->helper); + if (!helper) + goto out; + nest_helper = NFA_NEST(skb, CTA_HELP); - NFA_PUT(skb, CTA_HELP_NAME, strlen(help->helper->name), help->helper->name); + NFA_PUT(skb, CTA_HELP_NAME, strlen(helper->name), helper->name); - if (help->helper->to_nfattr) - help->helper->to_nfattr(skb, ct); + if (helper->to_nfattr) + helper->to_nfattr(skb, ct); NFA_NEST_END(skb, nest_helper); - +out: + rcu_read_unlock(); return 0; nfattr_failure: + rcu_read_unlock(); return -1; } @@ -842,7 +850,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[]) if (help && help->helper) { /* we had a helper before ... */ nf_ct_remove_expectations(ct); - help->helper = NULL; + rcu_assign_pointer(help->helper, NULL); } return 0; @@ -866,7 +874,7 @@ ctnetlink_change_helper(struct nf_conn *ct, struct nfattr *cda[]) /* need to zero data of old helper */ memset(&help->help, 0, sizeof(help->help)); - help->helper = helper; + rcu_assign_pointer(help->helper, helper); return 0; } @@ -950,6 +958,7 @@ ctnetlink_create_conntrack(struct nfattr *cda[], struct nf_conn *ct; int err = -EINVAL; struct nf_conn_help *help; + struct nf_conntrack_helper *helper = NULL; ct = nf_conntrack_alloc(otuple, rtuple); if (ct == NULL || IS_ERR(ct)) @@ -980,14 +989,17 @@ ctnetlink_create_conntrack(struct nfattr *cda[], #endif help = nfct_help(ct); - if (help) - help->helper = nf_ct_helper_find_get(rtuple); + if (help) { + helper = nf_ct_helper_find_get(rtuple); + /* not in hash table yet so not strictly necessary */ + rcu_assign_pointer(help->helper, helper); + } add_timer(&ct->timeout); nf_conntrack_hash_insert(ct); - if (help && help->helper) - nf_ct_helper_put(help->helper); + if (helper) + nf_ct_helper_put(helper); return 0; |