Commit ec0e3f01114a ("netfilter: nf_ct_expect: Add
nf_ct_remove_expect()") introduced a helper nf_ct_remove_expect. It was
used over the code, but one location used a wrong variable and it
resulted in a crash in this call stack:
-> nf_ct_expect_related_report
-> nf_ct_remove_expect
-> del_timer
-> detach_if_pending
Switch to the proper variable.
Fixes: ec0e3f01114a
Signed-off-by: Jiri Slaby <jslaby@xxxxxxx>
Cc: Gao Feng <fgao@xxxxxxxxxx>
Cc: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Cc: Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>
Cc: Florian Westphal <fw@xxxxxxxxx>
Cc: <netfilter-devel@xxxxxxxxxxxxxxx>
Cc: <coreteam@xxxxxxxxxxxxx>
---
net/netfilter/nf_conntrack_expect.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_conntrack_expect.c b/net/netfilter/nf_conntrack_expect.c
index e03d16ed550d..899c2c36da13 100644
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -422,7 +422,7 @@ static inline int __nf_ct_expect_check(struct nf_conntrack_expect *expect)
h = nf_ct_expect_dst_hash(net, &expect->tuple);
hlist_for_each_entry_safe(i, next, &nf_ct_expect_hash[h], hnode) {
if (expect_matches(i, expect)) {
- if (nf_ct_remove_expect(expect))
+ if (nf_ct_remove_expect(i))
break;
} else if (expect_clash(i, expect)) {
ret = -EBUSY;
--
2.13.3
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
