netfilter: fix a race in nf_ct_ext_create()

As soon as rcu_read_unlock() is called, there is no guarantee current
thread can safely derefence t pointer, rcu protected.

Fix is to copy t->alloc_size in a temporary variable.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 3 insertions, 1 deletions

diff --git a/net/netfilter/nf_conntrack_extend.c b/net/netfilter/nf_conntrack_extend.c
index 7dcf7a404190..8d9e4c949b96 100644
--- a/net/netfilter/nf_conntrack_extend.c
+++ b/net/netfilter/nf_conntrack_extend.c
@@ -48,15 +48,17 @@ nf_ct_ext_create(struct nf_ct_ext **ext, enum nf_ct_ext_id id, gfp_t gfp)
 {
         unsigned int off, len;
         struct nf_ct_ext_type *t;
+        size_t alloc_size;
 
         rcu_read_lock();
         t = rcu_dereference(nf_ct_ext_types[id]);
         BUG_ON(t == NULL);
         off = ALIGN(sizeof(struct nf_ct_ext), t->align);
         len = off + t->len;
+        alloc_size = t->alloc_size;
         rcu_read_unlock();
 
-        *ext = kzalloc(t->alloc_size, gfp);
+        *ext = kzalloc(alloc_size, gfp);
         if (!*ext)
                 return NULL;