netfilter: call nf_hook_ingress with rcu_read_lock

This commit ensures that the rcu read-side lock is held while the ingress hook is called. This ensures that a call to nf_hook_slow (and ultimately nf_ingress) will be read protected. Signed-off-by: N Aaron Conole <aconole@bytheb.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>

netfilter: call nf_hook_ingress with rcu_read_lock
This commit ensures that the rcu read-side lock is held while the ingress hook is called. This ensures that a call to nf_hook_slow (and ultimately nf_ingress) will be read protected. Signed-off-by: N Aaron Conole <aconole@bytheb.org> Signed-off-by: N Pablo Neira Ayuso <pablo@netfilter.org>
2c1e2703 · Aaron Conole · Pablo Neira Ayuso · fe72926b · 2c1e2703
隐藏空白更改
内联并排

Showing with 6 addition and 1 deletion

net/core/dev.c net/core/dev.c +6 -1

未找到文件。
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -4040,12 +4040,17 @@ static inline int nf_ingress(struct sk_buff *skb, struct packet_type **pt_prev,
 {
 #ifdef CONFIG_NETFILTER_INGRESS
 	if (nf_hook_ingress_active(skb)) {
+		int ingress_retval;
 		if (*pt_prev) {
 			*ret = deliver_skb(skb, *pt_prev, orig_dev);
 			*pt_prev = NULL;
 		}
-		return nf_hook_ingress(skb);
+		rcu_read_lock();
+		ingress_retval = nf_hook_ingress(skb);
+		rcu_read_unlock();
+		return ingress_retval;
 	}
 #endif /* CONFIG_NETFILTER_INGRESS */
 	return 0;