git.osdn.net Git - sagit-ice-cold/kernel_xiaomi

author	Liping Zhang <zlpnobody@gmail.com>
	Sat, 25 Mar 2017 00:53:12 +0000 (08:53 +0800)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Sun, 8 Oct 2017 08:14:19 +0000 (10:14 +0200)
commit	f7f46b3ba20def4321bfbe3a88cd1ae23eb40b07
tree	cdd3d9e3f4d5e6120d1a3ed128ba3ef0e1cd4c45	tree \| snapshot
parent	e29066778bc28eff5f63616800c6b60f12c87267	commit \| diff

netfilter: invoke synchronize_rcu after set the _hook_ to NULL

[ Upstream commit 3b7dabf029478bb80507a6c4500ca94132a2bc0b ]

Otherwise, another CPU may access the invalid pointer. For example:
    CPU0                CPU1
     -              rcu_read_lock();
     -              pfunc = _hook_;
  _hook_ = NULL;          -
  mod unload              -
     -                 pfunc(); // invalid, panic
     -             rcu_read_unlock();

So we must call synchronize_rcu() to wait the rcu reader to finish.

Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.

Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

net/ipv4/netfilter/nf_nat_snmp_basic.c		diff \| blob \| history
net/netfilter/nf_conntrack_ecache.c		diff \| blob \| history
net/netfilter/nf_conntrack_netlink.c		diff \| blob \| history
net/netfilter/nf_nat_core.c		diff \| blob \| history
net/netfilter/nfnetlink_cttimeout.c		diff \| blob \| history