On Tue, 2014-08-05 at 17:30 +0200, Pablo Neira Ayuso wrote:
> Fix possible replacement of the per-cpu chain counters by null
> pointer when updating an existing chain in the commit path.
>
> Reported-by: Matteo Croce <technoboy85@xxxxxxxxx>
> Signed-off-by: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
> ---
> net/netfilter/nf_tables_api.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c > index f95dc95..f7dce2b 100644 > --- a/net/netfilter/nf_tables_api.c > +++ b/net/netfilter/nf_tables_api.c > @@ -899,6 +899,9 @@ static struct nft_stats __percpu *nft_stats_alloc(const struct nlattr *attr) > static void nft_chain_stats_replace(struct nft_base_chain *chain, > struct nft_stats __percpu *newstats) > { > + if (newstats == NULL) > + return; > + > if (chain->stats) { > struct nft_stats __percpu *oldstats = > nft_dereference(chain->stats);

This looks strange.

Real bug is that nft_dump_stats() should not try to fold percpu stats and output something if 'stats' is NULL?

Otherwise, why nft_chain_stats_replace() checks if previous pointer is NULL?

diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c index 93692d692ebc..9fbbb42dcffa 100644 --- a/net/netfilter/nf_tables_api.c +++ b/net/netfilter/nf_tables_api.c @@ -648,6 +648,9 @@ static int nft_dump_stats(struct sk_buff *skb, struct nft_stats __percpu *stats) u64 pkts, bytes; int cpu; + if (!stats) + return 0; + memset(&total, 0, sizeof(total)); for_each_possible_cpu(cpu) { cpu_stats = per_cpu_ptr(stats, cpu);
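Review bot: In the quoted hunk for nft_chain_stats_replace(), the added `if (newstats == NULL) return;` turns a NULL argument into a silent no-op, and neither the code nor the changelog says which caller in the commit path passes NULL. Either test for NULL at that call site before calling, or add a one-line comment above the guard stating that NULL means "keep the existing counters", so the contract is visible to future callers. The unchanged `if (chain->stats)` branch right below implies chain->stats can itself be NULL, so this guard does not cover code that reads the pointer later.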
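Review bot: In the nft_dump_stats() hunk, the added `if (!stats) return 0;` reports success to the caller while writing nothing to skb, and nothing in the hunk documents that omitting the counters is intended for a chain without stats. A short comment above the check would make that explicit. As posted inline in the reply, this patch also has no changelog and no Signed-off-by line, both of which it needs before it can be applied.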