netfilter: invoke synchronize_rcu after set the _hook_ to NULL
authorLiping Zhang <zlpnobody@gmail.com>
Sat, 25 Mar 2017 00:53:12 +0000 (08:53 +0800)
committerPablo Neira Ayuso <pablo@netfilter.org>
Mon, 27 Mar 2017 11:47:28 +0000 (13:47 +0200)
commit3b7dabf029478bb80507a6c4500ca94132a2bc0b
tree7fdc91ed3c571753fbaffaef9e520882925e1703
parentf83bf8da1135ca635aac8f062cad3f001fcf3a26
netfilter: invoke synchronize_rcu after set the _hook_ to NULL

Otherwise, another CPU may access the invalid pointer. For example:
    CPU0                CPU1
     -              rcu_read_lock();
     -              pfunc = _hook_;
  _hook_ = NULL;          -
  mod unload              -
     -                 pfunc(); // invalid, panic
     -             rcu_read_unlock();

So we must call synchronize_rcu() to wait the rcu reader to finish.

Also note, in nf_nat_snmp_basic_fini, synchronize_rcu() will be invoked
by later nf_conntrack_helper_unregister, but I'm inclined to add a
explicit synchronize_rcu after set the nf_nat_snmp_hook to NULL. Depend
on such obscure assumptions is not a good idea.

Last, in nfnetlink_cttimeout, we use kfree_rcu to free the time object,
so in cttimeout_exit, invoking rcu_barrier() is not necessary at all,
remove it too.

Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
net/ipv4/netfilter/nf_nat_snmp_basic.c
net/netfilter/nf_conntrack_ecache.c
net/netfilter/nf_conntrack_netlink.c
net/netfilter/nf_nat_core.c
net/netfilter/nfnetlink_cttimeout.c