On Monday, February 4, 2019 4:27 PM, Florian Westphal <fw@xxxxxxxxx> wrote:

> Jordan Glover <Golden_Miller83@xxxxxxxxxxxxx> wrote:
> > Starting from Linux 5.0rc5, executing 'iptables-restore' command
> > causes 'refcount_t: increment on 0; use-after-free' warning.
> > Those didn't occur on Linux 5.0rc4 and earlier. Below are two examples:
> > Linux version 5.0.0-rc5 (builduser@chroot) (gcc version 8.2.1 20181127 (GCC)) #1 SMP PREEMPT
> > ...
> > ------------[ cut here ]------------
> > refcount_t: increment on 0; use-after-free.
>
> Bah. It's not UAF.
>
> No idea how to fix this.
>
> @@ -504,7 +507,11 @@ __nft_match_init(const struct nft_ctx *ctx, const struct nft_expr *expr, > return ret; > > nft_xt = container_of(expr->ops, struct nft_xt, ops); > > - refcount_inc(&nft_xt->refcnt); > > > > - if (refcount_read(&nft_xt->refcnt) == 0) > > > - refcount_set(&nft_xt->refcnt, 1); > > > - else > > > - refcount_inc(&nft_xt->refcnt); > > > - return 0;
>
> ... but that's just really ugly. Perhaps better to downgrade to atomic_t 8-/

The patch "[nft,2/2] netfilter: nft_compat: don't use refcount_inc on newly allocated entry" from https://patchwork.ozlabs.org/patch/1036102/ fixes this issue.

Thank you.

Jordan
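Review bot: the refcount_read()/refcount_set() pair in the quoted __nft_match_init() hunk is not atomic, and the branch silently accepts a zero count, which is exactly the condition the "increment on 0" warning exists to flag: a second user of the same nft_xt could take a reference between the read returning 0 and the set, and a genuinely freed entry would pass the check unnoticed. Initialising refcnt to 1 at the point where the entry is allocated and keeping refcount_inc() only for the already-present case, as the title of the referenced fix ("don't use refcount_inc on newly allocated entry") describes, removes the warning without weakening the refcount_t check; downgrading to atomic_t, as floated after the hunk, would drop that check entirely. As quoted, the hunk is also unreadable: the header announces four added lines, yet every body line carries "-".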