netfilter: fix nf_conntrack_l4proto_register()

While doing __rcu annotations work on net/netfilter I found following bug. On some arches, it is possible we publish a table while its content is not yet committed to memory, and lockless reader can dereference wild pointer. Signed-off-by: N Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: N Patrick McHardy <kaber@trash.net>

netfilter: fix nf_conntrack_l4proto_register()
While doing __rcu annotations work on net/netfilter I found following bug. On some arches, it is possible we publish a table while its content is not yet committed to memory, and lockless reader can dereference wild pointer. Signed-off-by: N Eric Dumazet <eric.dumazet@gmail.com> Signed-off-by: N Patrick McHardy <kaber@trash.net>
d817d29d · Eric Dumazet · Patrick McHardy · 64e46749 · d817d29d
隐藏空白更改
内联并排

Showing with 6 addition and 0 deletion

net/netfilter/nf_conntrack_proto.c net/netfilter/nf_conntrack_proto.c +6 -0

未找到文件。
--- a/net/netfilter/nf_conntrack_proto.c
+++ b/net/netfilter/nf_conntrack_proto.c
@@ -292,6 +292,12 @@ int nf_conntrack_l4proto_register(struct nf_conntrack_l4proto *l4proto)
 		for (i = 0; i < MAX_NF_CT_PROTO; i++)
 			proto_array[i] = &nf_conntrack_l4proto_generic;
+		/* Before making proto_array visible to lockless readers,
+		 * we must make sure its content is committed to memory.
+		 */
+		smp_wmb();
 		nf_ct_protos[l4proto->l3proto] = proto_array;
 	} else if (nf_ct_protos[l4proto->l3proto][l4proto->l4proto] !=
 					&nf_conntrack_l4proto_generic) {