+ nf_conntrack-fix-use-after-free-in-helper-destroy-callback.patch added to -mm tree


The patch titled
     nf_conntrack: fix use-after-free in helper destroy callback
has been added to the -mm tree.  Its filename is
     nf_conntrack-fix-use-after-free-in-helper-destroy-callback.patch

*** Remember to use Documentation/SubmitChecklist when testing your code ***

See http://www.zip.com.au/~akpm/linux/patches/stuff/added-to-mm.txt to find
out what to do about this

------------------------------------------------------
Subject: nf_conntrack: fix use-after-free in helper destroy callback
From: Patrick McHardy <kaber@xxxxxxxxx>

When the helper module is removed for a master connection that has a
fulfilled expectation, but has already timed out and got removed from the
hash tables, nf_conntrack_helper_unregister can't find the master
connection to unset the helper, causing a use-after-free when the expected
connection is destroyed and releases the last reference to the master.

The helper destroy callback was introduced for the PPTP helper to clean up
expectations and expected connections when the master connection times out,
but doing this from the destroy_conntrack only works for unfulfilled
expectations since expected connections hold a reference to the master and
it is not destroyed.  Move the destroy callback to the timeout function,
which fixes both problems.

Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
Cc: Gabor Burjan <buga@xxxxxxxxxxxxx>
Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
---

 net/netfilter/nf_conntrack_core.c |    8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff -puN net/netfilter/nf_conntrack_core.c~nf_conntrack-fix-use-after-free-in-helper-destroy-callback net/netfilter/nf_conntrack_core.c
--- a/net/netfilter/nf_conntrack_core.c~nf_conntrack-fix-use-after-free-in-helper-destroy-callback
+++ a/net/netfilter/nf_conntrack_core.c
@@ -298,7 +298,6 @@ static void
 destroy_conntrack(struct nf_conntrack *nfct)
 {
 	struct nf_conn *ct = (struct nf_conn *)nfct;
-	struct nf_conn_help *help = nfct_help(ct);
 	struct nf_conntrack_l4proto *l4proto;
 	typeof(nf_conntrack_destroyed) destroyed;
 
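Review bot: Removing the `help` local at the top of destroy_conntrack() only builds if the next hunk's deletion of its sole use goes in with it, so these two hunks must land as one change; please also confirm that no other use of `help` remains in the part of destroy_conntrack() outside the shown context, since nothing in this patch reintroduces an nfct_help(ct) lookup there.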
@@ -309,9 +308,6 @@ destroy_conntrack(struct nf_conntrack *n
 	nf_conntrack_event(IPCT_DESTROY, ct);
 	set_bit(IPS_DYING_BIT, &ct->status);
 
-	if (help && help->helper && help->helper->destroy)
-		help->helper->destroy(ct);
-
 	/* To make sure we don't get any weird locking issues here:
 	 * destroy_conntrack() MUST NOT be called with a write lock
 	 * to nf_conntrack_lock!!! -HW */
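Review bot: Dropping the `help->helper->destroy(ct)` call from destroy_conntrack() means the helper callback no longer runs for an entry that reaches its last nf_ct_put() without having gone through death_by_timeout(); an entry removed by something other than its timer will therefore skip the helper's cleanup of its expectations. The commit message argues only the timeout case, so either confirm that every deletion path ends in death_by_timeout() or state in the message (and in a comment at the new call site) that the callback is deliberately timeout-only.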
@@ -353,6 +349,10 @@ destroy_conntrack(struct nf_conntrack *n
 static void death_by_timeout(unsigned long ul_conntrack)
 {
 	struct nf_conn *ct = (void *)ul_conntrack;
+	struct nf_conn_help *help = nfct_help(ct);
+
+	if (help && help->helper && help->helper->destroy)
+		help->helper->destroy(ct);
 
 	write_lock_bh(&nf_conntrack_lock);
 	/* Inside lock so preempt is disabled on module removal path.
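Review bot: The new `help->helper->destroy(ct)` call sits before write_lock_bh(&nf_conntrack_lock), so `help->helper` is read unlocked on an entry that is still in the hash tables and that nf_conntrack_helper_unregister can find and clear concurrently, which is exactly the window the commit message is fixing; either take the same lock helper_unregister uses when clearing the pointer around this read, or explain in a comment why the timer context makes the unlocked read safe. A one-line comment should also say that the call must stay outside nf_conntrack_lock because the callback may destroy expected connections, the same reason destroy_conntrack() warns above that it must not be entered with the write lock held.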
_
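The reference-counting sequence described in the commit message (master times out but stays allocated because a fulfilled expectation pins it, the helper module is then unregistered and cannot find the unhashed master, and the last reference is finally dropped through the expected connection) is easier to see when replayed in isolation. The following C model is an added example written for this page, not code from the patch or from the kernel; `struct conn`, `struct helper`, `ct_put`, `run_helper_destroy`, `helper_unregister` and `replay_scenario` are hypothetical stand-ins for `struct nf_conn`, `struct nf_conntrack_helper`, `nf_ct_put`, the helper-destroy check, `nf_conntrack_helper_unregister` and the scenario itself. Instead of dereferencing unloaded module text it counts how often the callback is reached after unload, once with the callback in the destroy path (before the patch) and once in the timeout path (after the patch).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

/* Added illustration, not kernel code: a minimal model of conntrack
 * lifetimes with a helper module. All names here are hypothetical
 * stand-ins for the nf_conntrack objects they mimic. */

struct conn;

struct helper {
    bool loaded;                       /* false once the module is unloaded */
    void (*destroy)(struct conn *ct);  /* helper's destroy callback */
};

struct conn {
    int refcnt;             /* hash table plus each expected conn hold one */
    bool hashed;            /* still findable in the conntrack hash tables */
    struct helper *helper;  /* help->helper in the kernel; may dangle */
    struct conn *master;    /* set on an expected conn, NULL on a master */
};

static int unloaded_callback_hits;  /* ->destroy reached after unload: the UAF */
static int destroy_cb_runs;         /* ->destroy reached while still loaded */

static void pptp_like_destroy(struct conn *ct)
{
    (void)ct;
    destroy_cb_runs++;  /* a real helper would tear down its expectations */
}

/* Equivalent of: if (help && help->helper && help->helper->destroy) ... */
static void run_helper_destroy(struct conn *ct)
{
    struct helper *h = ct->helper;
    if (!h || !h->destroy)
        return;
    if (!h->loaded) {          /* pointer into unloaded module text */
        unloaded_callback_hits++;
        return;
    }
    h->destroy(ct);
}

/* helper_unregister: can only fix up entries it finds in the hash */
static void helper_unregister(struct helper *h, struct conn **hash, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (hash[i]->hashed && hash[i]->helper == h)
            hash[i]->helper = NULL;
    h->loaded = false;  /* module text is gone from here on */
}

/* Last reference dropped: the destroy_conntrack() path */
static void ct_put(struct conn *ct, bool fixed)
{
    if (--ct->refcnt > 0)
        return;
    if (!fixed)
        run_helper_destroy(ct);     /* before the patch: callback on destroy */
    if (ct->master)
        ct_put(ct->master, fixed);  /* expected conn releases its master */
    free(ct);
}

/* Timer expiry: the death_by_timeout() path */
static void death_by_timeout(struct conn *ct, bool fixed)
{
    if (fixed)
        run_helper_destroy(ct);  /* after the patch: callback while loaded */
    ct->hashed = false;          /* unhashed: unregister can no longer see it */
    ct_put(ct, fixed);           /* drop the hash table's reference */
}

int helper_destroy_runs(void) { return destroy_cb_runs; }

/* Replays the commit message scenario. Returns how many times the helper
 * callback was reached after the module was unloaded (0 means safe). */
int replay_scenario(bool fixed)
{
    unloaded_callback_hits = 0;
    destroy_cb_runs = 0;
    struct helper pptp = { .loaded = true, .destroy = pptp_like_destroy };

    struct conn *master = calloc(1, sizeof *master);
    struct conn *expected = calloc(1, sizeof *expected);
    if (!master || !expected)
        abort();
    master->refcnt = 1;   master->hashed = true;   master->helper = &pptp;
    expected->refcnt = 1; expected->hashed = true; expected->master = master;
    master->refcnt++;  /* the fulfilled expectation pins the master */
    struct conn *hash[] = { master, expected };

    death_by_timeout(master, fixed);    /* 1. master times out, stays allocated */
    helper_unregister(&pptp, hash, 2);  /* 2. rmmod: master not in the hash */
    death_by_timeout(expected, fixed);  /* 3. last reference on master dropped */
    return unloaded_callback_hits;
}

int main(void)
{
    printf("before fix: callback after unload reached %d time(s)\n", replay_scenario(false));
    printf("after fix:  callback after unload reached %d time(s)\n", replay_scenario(true));
    return 0;
}
```

With the callback in the destroy path the master's final free happens in step 3, after the module is gone, so the dangling `helper` pointer is followed exactly once; with the callback moved to the timeout path it runs in step 1 while the module is still loaded, and the final free in step 3 calls nothing.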

Patches currently in -mm which might be from kaber@xxxxxxxxx are

networking-fix-sending-netlink-message-when-replace-route.patch
nf_conntrack-fix-use-after-free-in-helper-destroy-callback.patch

-
To unsubscribe from this list: send the line "unsubscribe mm-commits" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
