author: Florian Westphal <fw@strlen.de> 2019-01-14 14:28:48 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2019-01-18 02:29:41 +0100
commit: 12c44aba6618b7f6c437076e5722237190f6cd5f
tree: a23503ee9662241f43904219c08db82c09784c75 /mm/usercopy.c
parent: 88a8121dc1d3d0dbddd411b79ed236b6b6ea415c
netfilter: nft_compat: use refcnt_t type for nft_xt reference count
Using standard integer type was fine while all operations on it were
guarded by the nftnl subsys mutex.

This isn't true anymore:
1. transactions are guarded only by a pernet mutex, so concurrent
   rule manipulation in different netns is racy
2. the ->destroy hook runs from a work queue after the transaction
   mutex has been released already.

    cpu0                          cpu1 (net 1)        cpu2 (net 2)
     kworker
       nft_compat->destroy        nft_compat->init    nft_compat->init
         if (--nft_xt->ref == 0)    nft_xt->ref++       nft_xt->ref++

Switch to refcount_t. Doing this however only fixes a minor aspect,
nft_compat also performs linked-list operations in an unsafe way.

This is addressed in the next two patches.

Fixes: f102d66b335a ("netfilter: nf_tables: use dedicated mutex to guard transactions")
Fixes: 0935d5588400 ("netfilter: nf_tables: asynchronous release")
Reported-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'mm/usercopy.c')
0 files changed, 0 insertions, 0 deletions
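The race in the commit message, as an added user-space example (not code from this commit or from the kernel): a deterministic, single-threaded replay of the interleaving in which two ->init calls both read the plain int counter before either writes it back. The struct and function names are hypothetical, and C11 atomics stand in for the kernel's refcount_t.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical user-space model of the nft_xt reference count. */
struct xt_plain  { int ref; bool freed; };
struct xt_atomic { atomic_int ref; bool freed; };

/* Plain int: "ref++" is load, add, store. Replay the schedule where
 * cpu1 (net 1) and cpu2 (net 2) both load before either stores. */
static void plain_two_inits_race(struct xt_plain *x)
{
    int cpu1 = x->ref;   /* cpu1: load */
    int cpu2 = x->ref;   /* cpu2: load, sees the same value */
    x->ref = cpu1 + 1;   /* cpu1: store */
    x->ref = cpu2 + 1;   /* cpu2: store, cpu1's increment is lost */
}

static void plain_destroy(struct xt_plain *x)
{
    if (--x->ref == 0)
        x->freed = true;
}

/* Atomic read-modify-write: no other CPU can slip in between the load
 * and the store, so the schedule above cannot occur. */
static void atomic_get(struct xt_atomic *x) { atomic_fetch_add(&x->ref, 1); }
static void atomic_put(struct xt_atomic *x)
{
    if (atomic_fetch_sub(&x->ref, 1) == 1)   /* previous value was 1 */
        x->freed = true;
}

/* Both functions return how many users still hold the object at free time. */
int users_alive_at_free_plain(void)
{
    struct xt_plain x = { .ref = 1, .freed = false };  /* one existing user */
    int users = 1;
    plain_two_inits_race(&x); users += 2;    /* 3 users, but ref == 2 */
    while (!x.freed) { plain_destroy(&x); users--; }
    return users;
}

int users_alive_at_free_atomic(void)
{
    struct xt_atomic x = { .freed = false };
    int users = 1;
    atomic_init(&x.ref, 1);
    atomic_get(&x); atomic_get(&x); users += 2;
    while (!x.freed) { atomic_put(&x); users--; }
    return users;
}

int main(void)
{
    printf("plain: %d user(s) alive at free\n", users_alive_at_free_plain());
    printf("atomic: %d user(s) alive at free\n", users_alive_at_free_atomic());
    return 0;
}
```

A nonzero result for the plain counter means the object was released while a rule still referenced it, which is the use-after-free condition the switch to refcount_t closes for the counter itself.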