diff options
author | Florian Westphal <fw@strlen.de> | 2019-02-05 12:16:18 +0100 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-03-13 14:04:17 -0700 |
commit | 9796ee19007046562337263590a17d8224dad135 (patch) | |
tree | 37dfe5e0eb44e27b31a99542ba046471d710e7ee /drivers/input | |
parent | 6f9518c5bc88e5206ed68df1f911e47095414476 (diff) |
netfilter: nft_compat: don't use refcount_inc on newly allocated entry
[ Upstream commit 947e492c0fc2132ae5fca081a9c2952ccaab0404 ]
When I moved the refcount to refcount_t type I missed the fact that
refcount_inc() will result in use-after-free warning with
CONFIG_REFCOUNT_FULL=y builds.
The correct fix would be to init the reference count to 1 at allocation
time, but, unfortunately we cannot do this, as we can't undo that
in case something else fails later in the batch.
So only solution I see is to special-case the 'new entry' condition
and replace refcount_inc() with a "delayed" refcount_set(1) in this case,
as done here.
The .activate callback can be removed to simplify things, we only
need to make sure that deactivate() decrements/unlinks the entry
from the list at end of transaction phase (commit or abort).
Fixes: 12c44aba6618 ("netfilter: nft_compat: use refcnt_t type for nft_xt reference count")
Reported-by: Jordan Glover <Golden_Miller83@protonmail.ch>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'drivers/input')
0 files changed, 0 insertions, 0 deletions