netfilter: flowtable: prefer refcount_inc

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

With refcount_inc_not_zero, we'd also need a smp_rmb or similar,
followed by a test of the CONFIRMED bit.

However, the ct pointer is taken from skb->_nfct, its refcount must
not be 0 (else, we'd already have a use-after-free bug).

Use refcount_inc() instead to clarify the ct refcount is expected to
be at least 1.

Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

authored by

Florian Westphal and committed by

Pablo Neira Ayuso 3 years ago f02e7dc4 5787db7c

+3 -8

1 changed file

expand all

net

netfilter

nf_flow_table_core.c

+3 -8

net/netfilter/nf_flow_table_core.c

··· 53 53 { 54 54 struct flow_offload *flow; 55 55 56 - if (unlikely(nf_ct_is_dying(ct) || 57 - !refcount_inc_not_zero(&ct->ct_general.use))) 56 + if (unlikely(nf_ct_is_dying(ct))) 58 57 return NULL; 59 58 60 59 flow = kzalloc(sizeof(*flow), GFP_ATOMIC); 61 60 if (!flow) 62 - goto err_ct_refcnt; 61 + return NULL; 63 62 63 + refcount_inc(&ct->ct_general.use); 64 64 flow->ct = ct; 65 65 66 66 flow_offload_fill_dir(flow, FLOW_OFFLOAD_DIR_ORIGINAL); ··· 72 72 __set_bit(NF_FLOW_DNAT, &flow->flags); 73 73 74 74 return flow; 75 - 76 - err_ct_refcnt: 77 - nf_ct_put(ct); 78 - 79 - return NULL; 80 75 } 81 76 EXPORT_SYMBOL_GPL(flow_offload_alloc); 82 77