Hi Pablo,

2016-08-18 6:37 GMT+08:00 Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>:
>
> Wait. I noticed we have the same problem in cttimeout, so it would be
> good to fix this in the same logical change.
>
> I'm attaching your original patch that I have mangled here, including
> the cttimeout chunk.
>
> Let me know if you have any concern, otherwise I'll apply this new
> version, thanks!

Not exactly right. Currently ctnl_timeout_try_del will not cause a race with
ctnl_timeout_put. In ctnl_timeout_put, it only decreases the timeout object's
refcnt, but will not try to free it. This is different from nfnetlink_acct.

But when we do "ip netns del xxx", this will cause a use-after-free error.
In general, when we delete a netns, cttimeout_net_exit will be called before
ipt_unregister_table, i.e. before ctnl_timeout_put. So after calling kfree_rcu
in cttimeout_net_exit, we will still decrease the timeout object's refcnt in
ctnl_timeout_put. The kernel will complain about this:

=======================================================================
BUG kmalloc-96 (Tainted: G B E ): Poison overwritten
-----------------------------------------------------------------------
INFO: 0xffff88002b5161e8-0xffff88002b5161e8. First byte 0x6a instead of 0x6b
INFO: Allocated in cttimeout_new_timeout+0xd4/0x240 [nfnetlink_cttimeout] age=104 cpu=0 pid=3330
 ___slab_alloc+0x4da/0x540
 __slab_alloc+0x20/0x40
 __kmalloc+0x1c8/0x240
 cttimeout_new_timeout+0xd4/0x240 [nfnetlink_cttimeout]
 nfnetlink_rcv_msg+0x21a/0x230 [nfnetlink]

So I think it seems better that we take another patch to fix the problem in
cttimeout. The attachment is my patch.
Attachment:
0001-netfilter-cttimeout-fix-use-after-free-error-when-de.patch
Description: Binary data
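The ordering problem described in the mail (cttimeout_net_exit freeing an object that a later ctnl_timeout_put still decrements) can be reproduced in a small user-space model. The following is an added illustration, not code from this thread, from the attached patch, or from the kernel: objects live in a fixed table with an explicit state so that a put on an already-freed slot is counted instead of corrupting memory, and the "fixed" variants (last reference frees; net_exit drops only the list's own reference) are an assumed remedy for the model, not a description of what the attached patch does.

```c
/* Added user-space model of the refcount ordering described in the mail.
 * Not kernel code and not the patch from this thread; the table/state
 * bookkeeping is an assumption so a use-after-free can be counted. */
#include <stdio.h>
#include <string.h>

enum slot_state { SLOT_FREE = 0, SLOT_LIVE = 1, SLOT_FREED = 2 };

struct timeout_obj {
    enum slot_state state;
    int refcnt;              /* models the timeout object's refcnt */
};

#define NOBJ 4
static struct timeout_obj table[NOBJ];   /* models the per-netns timeout list */
static int uaf_count;                    /* touches of an already-freed slot */

static void reset_model(void)
{
    memset(table, 0, sizeof(table));
    uaf_count = 0;
}

/* Like cttimeout_new_timeout: the list holds the initial reference. */
static int new_timeout(void)
{
    for (int i = 0; i < NOBJ; i++) {
        if (table[i].state == SLOT_FREE) {
            table[i].state = SLOT_LIVE;
            table[i].refcnt = 1;
            return i;
        }
    }
    return -1;
}

/* Stands in for kfree_rcu: the slot is poisoned, not reused. */
static void obj_free(struct timeout_obj *t) { t->state = SLOT_FREED; }

/* A user (a rule referencing the timeout policy) takes a reference. */
static int timeout_get(int i)
{
    if (table[i].state != SLOT_LIVE) { uaf_count++; return -1; }
    table[i].refcnt++;
    return 0;
}

/* Buggy put, as the mail describes it: only decrements, never frees. */
static int put_buggy(int i)
{
    if (table[i].state != SLOT_LIVE) { uaf_count++; return -1; }
    table[i].refcnt--;
    return 0;
}

/* Buggy net_exit: frees every entry regardless of outstanding references. */
static void net_exit_buggy(void)
{
    for (int i = 0; i < NOBJ; i++)
        if (table[i].state == SLOT_LIVE) obj_free(&table[i]);
}

/* Assumed fix for the model: the last reference frees. */
static int put_fixed(int i)
{
    if (table[i].state != SLOT_LIVE) { uaf_count++; return -1; }
    if (--table[i].refcnt == 0) obj_free(&table[i]);
    return 0;
}

/* Assumed fix for the model: net_exit drops only the list's own reference. */
static void net_exit_fixed(void)
{
    for (int i = 0; i < NOBJ; i++)
        if (table[i].state == SLOT_LIVE && --table[i].refcnt == 0)
            obj_free(&table[i]);
}

/* The sequence from the mail: net_exit runs before the rule's put.
 * Returns how many freed slots were touched (0 means no use-after-free). */
static int run_scenario(int fixed)
{
    reset_model();
    int id = new_timeout();
    timeout_get(id);
    if (fixed) net_exit_fixed(); else net_exit_buggy();
    if (fixed) put_fixed(id); else put_buggy(id);
    return uaf_count;
}

/* True when no live object remains after the scenario (no leak). */
static int all_freed(void)
{
    for (int i = 0; i < NOBJ; i++)
        if (table[i].state == SLOT_LIVE) return 0;
    return 1;
}

int main(void)
{
    printf("buggy order: %d use-after-free event(s)\n", run_scenario(0));
    printf("fixed order: %d use-after-free event(s), all freed: %d\n",
           run_scenario(1), all_freed());
    return 0;
}
```

In the buggy ordering the model counts one touch of a freed slot, which is the situation the slab poison check above reports; with the reference-counted teardown the object is freed exactly once, by whichever side drops the last reference, and nothing is leaked.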