diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-10-29 13:59:40 -0400 |
|---|---|---|
| committer | Patrick McHardy <kaber@trash.net> | 2010-10-29 13:59:40 -0400 |
| commit | d817d29d0b37290d90b3a9e2a61162f1dbf2be4f (patch) | |
| tree | 7414a1334cdac82a61340623a23109c3222f4a48 /net | |
| parent | 64e46749224aa658d8fc0d37ea83ab20b1d7955d (diff) | |
netfilter: fix nf_conntrack_l4proto_register()
While doing __rcu annotations work on net/netfilter I found following
bug. On some arches, it is possible we publish a table while its content
is not yet committed to memory, and lockless reader can dereference wild
pointer.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/netfilter/nf_conntrack_proto.c | 6 |
1 files changed, 6 insertions, 0 deletions
diff --git a/net/netfilter/nf_conntrack_proto.c b/net/netfilter/nf_conntrack_proto.c index ed6d9295802..dc7bb74110d 100644 --- a/net/netfilter/nf_conntrack_proto.c +++ b/net/netfilter/nf_conntrack_proto.c | |||
| @@ -292,6 +292,12 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto) | |||
| 292 | 292 | ||
| 293 | for (i = 0; i < MAX_NF_CT_PROTO; i++) | 293 | for (i = 0; i < MAX_NF_CT_PROTO; i++) |
| 294 | proto_array[i] = &nf_conntrack_l4proto_generic; | 294 | proto_array[i] = &nf_conntrack_l4proto_generic; |
| 295 | |||
| 296 | /* Before making proto_array visible to lockless readers, | ||
| 297 | * we must make sure its content is committed to memory. | ||
| 298 | */ | ||
| 299 | smp_wmb(); | ||
| 300 | |||
| 295 | nf_ct_protos[l4proto->l3proto] = proto_array; | 301 | nf_ct_protos[l4proto->l3proto] = proto_array; |
| 296 | } else if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] != | 302 | } else if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] != |
| 297 | &nf_conntrack_l4proto_generic) { | 303 | &nf_conntrack_l4proto_generic) { |