[NETFILTER]: nf_conntrack: fix helper module unload races

When a helper module is unloaded all conntracks refering to it have their
helper pointer NULLed out, leading to lots of races. In most places this
can be fixed by proper use of RCU (they do already check for != NULL,
but in a racy way), additionally nf_conntrack_expect_related needs to
bail out when no helper is present.

Also remove two paranoid BUG_ONs in nf_conntrack_proto_gre that are racy
and not worth fixing.

Signed-off-by: Patrick McHarrdy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 7 insertions, 2 deletions

diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
index dc442fb791b0..1b1797f1f33d 100644
--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c
@@ -160,6 +160,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
 {
         struct nf_conn *ct;
         struct nf_conn_help *help;
+        struct nf_conntrack_helper *helper;
         enum ip_conntrack_info ctinfo;
         unsigned int ret, protoff;
         unsigned int extoff = (u8 *)(ipv6_hdr(*pskb) + 1) - (*pskb)->data;
@@ -172,7 +173,11 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
                 goto out;
 
         help = nfct_help(ct);
-        if (!help || !help->helper)
+        if (!help)
+                goto out;
+        /* rcu_read_lock()ed by nf_hook_slow */
+        helper = rcu_dereference(help->helper);
+        if (!helper)
                 goto out;
 
         protoff = nf_ct_ipv6_skip_exthdr(*pskb, extoff, &pnum,
@@ -182,7 +187,7 @@ static unsigned int ipv6_confirm(unsigned int hooknum,
                 return NF_ACCEPT;
         }
 
-        ret = help->helper->help(pskb, protoff, ct, ctinfo);
+        ret = helper->help(pskb, protoff, ct, ctinfo);
         if (ret != NF_ACCEPT)
                 return ret;
 out: