On Wed, Nov 23, 2016 at 01:11:03AM +0100, Florian Westphal wrote:
> Stas Nichiporovich reports oops in nf_nat_bysource_cmp(), trying to
> access nf_conn struct at address 0xffffffffffffff50.
>
> This is the result of fetching a null rhash list (struct embedded at
> offset 176; 0 - 176 gets us ...fff50).
>
> The problem is that conntrack entries are allocated from a
> SLAB_DESTROY_BY_RCU cache, i.e. entries can be free'd and reused
> on another cpu while nf nat bysource hash accesses the same conntrack entry.
>
> Freeing is fine (we hold rcu read lock); zeroing rhlist_head isn't.
>
> -> Move the rhlist struct outside of the memset()-inited area.

Also applied, thanks.
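The layout problem described in the quoted patch, as an added C illustration that is not part of this thread or of the kernel's conntrack code: a constructed, simplified entry whose hash-list node sits at offset 176, the allocation-time memset() as it behaved before and after the fix, and the container_of()-style arithmetic that yields the reported address. All struct, field and function names here are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed, simplified stand-in for a conntrack entry; field names are
 * not the kernel's struct nf_conn and the hash-list node is a plain link. */
struct list_node { struct list_node *next; };

struct entry {
    uint32_t refcnt;           /* kept across reuse, like a refcount */
    char pad[172];             /* constructed padding: node lands at offset 176 */
    struct list_node bysource; /* hash-list node at offset 176, as in the report */
    uint32_t status;           /* per-allocation state, wiped on every alloc */
    uint32_t timeout;
};

/* Allocation-time init: wipe everything from zero_from to the end, as the
 * allocator does from its init-offset marker. Pre-fix the marker sat before
 * the node (zero_from == offsetof bysource); the fix moved the node in front
 * of the marker (zero_from == offsetof status). */
static void recycle(struct entry *e, size_t zero_from)
{
    memset((char *)e + zero_from, 0, sizeof(*e) - zero_from);
}

/* Simulate an RCU reader that still holds the entry's link while the slab
 * object is reused on another cpu. Returns 1 if the link survived. */
static int link_survives(size_t zero_from)
{
    struct entry e, other;
    e.bysource.next = &other.bysource; /* linked into the hash before reuse */
    e.status = 0xdeadbeef;
    recycle(&e, zero_from);            /* reuse while the reader still walks */
    return e.bysource.next == &other.bysource && e.status == 0;
}

static int old_layout_keeps_link(void)
{
    return link_survives(offsetof(struct entry, bysource));
}
static int fixed_layout_keeps_link(void)
{
    return link_survives(offsetof(struct entry, status));
}

/* The reported oops address: container_of() on the wiped (NULL) link is
 * 0 - 176 = 0xffffffffffffff50. */
static uint64_t bogus_entry_address(void)
{
    return (uint64_t)0 - offsetof(struct entry, bysource);
}
```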