android_kernel_xiaomi_sm8350/net
Patrick McHardy ceeff7541e netfilter: nf_conntrack: fix ctnetlink related crash in nf_nat_setup_info()
When creation of a new conntrack entry in ctnetlink fails after having
set up the NAT mappings, the conntrack has an extension area allocated
that is not getting properly destroyed when freeing the conntrack again.
This means the NAT extension is still in the bysource hash, causing a
crash when walking over the hash chain the next time:

BUG: unable to handle kernel paging request at 00120fbd
IP: [<c03d394b>] nf_nat_setup_info+0x221/0x58a
*pde = 00000000
Oops: 0000 [#1] PREEMPT SMP

Pid: 2795, comm: conntrackd Not tainted (2.6.26-rc5 #1)
EIP: 0060:[<c03d394b>] EFLAGS: 00010206 CPU: 1
EIP is at nf_nat_setup_info+0x221/0x58a
EAX: 00120fbd EBX: 00120fbd ECX: 00000001 EDX: 00000000
ESI: 0000019e EDI: e853bbb4 EBP: e853bbc8 ESP: e853bb78
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process conntrackd (pid: 2795, ti=e853a000 task=f7de10f0 task.ti=e853a000)
Stack: 00000000 e853bc2c e85672ec 00000008 c0561084 63c1db4a 00000000 00000000
       00000000 0002e109 61d2b1c3 00000000 00000000 00000000 01114e22 61d2b1c3
       00000000 00000000 f7444674 e853bc04 00000008 c038e728 0000000a f7444674
Call Trace:
 [<c038e728>] nla_parse+0x5c/0xb0
 [<c0397c1b>] ctnetlink_change_status+0x190/0x1c6
 [<c0397eec>] ctnetlink_new_conntrack+0x189/0x61f
 [<c0119aee>] update_curr+0x3d/0x52
 [<c03902d1>] nfnetlink_rcv_msg+0xc1/0xd8
 [<c0390228>] nfnetlink_rcv_msg+0x18/0xd8
 [<c0390210>] nfnetlink_rcv_msg+0x0/0xd8
 [<c038d2ce>] netlink_rcv_skb+0x2d/0x71
 [<c0390205>] nfnetlink_rcv+0x19/0x24
 [<c038d0f5>] netlink_unicast+0x1b3/0x216
 ...

Move invocation of the extension destructors to nf_conntrack_free()
to fix this problem.

Fixes http://bugzilla.kernel.org/show_bug.cgi?id=10875

Reported-and-Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
2008-06-11 17:51:10 -07:00
..
9p 9p: fix error path during early mount 2008-05-14 19:23:27 -05:00
802
8021q vlan: Use bitmask of feature flags instead of seperate feature bits 2008-05-23 00:27:50 -07:00
appletalk
atm Revert "atm: Do not free already unregistered net device." 2008-05-06 00:00:16 -07:00
ax25 ax25: Fix NULL pointer dereference and lockup. 2008-06-03 14:53:46 -07:00
bluetooth bluetooth: rfcomm_dev_state_change deadlock fix 2008-06-03 14:27:17 -07:00
bridge bridge: Consolidate error paths in br_add_bridge(). 2008-05-04 17:58:07 -07:00
can Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-05-08 19:03:26 -07:00
core tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits. 2008-06-04 15:45:58 -07:00
dccp inet{6}_request_sock: Init ->opt and ->pktopts in the constructor 2008-06-10 12:39:35 -07:00
decnet ip: Use inline function dst_metric() instead of direct access to dst->metric[] 2008-05-04 22:14:42 -07:00
econet net: Allow netdevices to specify needed head/tailroom 2008-05-12 20:48:31 -07:00
ethernet [NET]: Return more appropriate error from eth_validate_addr(). 2008-04-13 22:45:40 -07:00
ieee80211 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-14 02:30:23 -07:00
ipv4 net: Fix routing tables with id > 255 for legacy software 2008-06-10 15:44:49 -07:00
ipv6 inet{6}_request_sock: Init ->opt and ->pktopts in the constructor 2008-06-10 12:39:35 -07:00
ipx
irda irda: Sock leak on error path in irda_create. 2008-06-03 15:18:36 -07:00
iucv iucv: Delay bus registration until core is ready. 2008-04-10 02:12:45 -07:00
key ipsec: pfkey should ignore events when no listeners 2008-06-10 14:25:34 -07:00
lapb
llc llc: Fix double accounting of received packets 2008-05-30 02:57:29 -07:00
mac80211 mac80211: Checking IBSS support while changing channel in ad-hoc mode 2008-06-09 15:53:37 -04:00
netfilter netfilter: nf_conntrack: fix ctnetlink related crash in nf_nat_setup_info() 2008-06-11 17:51:10 -07:00
netlabel Audit: collect sessionid in netlink messages 2008-04-28 06:18:03 -04:00
netlink netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
netrom
packet net: Allow netdevices to specify needed head/tailroom 2008-05-12 20:48:31 -07:00
rfkill rfkill: Fix device type check when toggling states 2008-04-15 15:04:35 -04:00
rose rose: Wrong list_lock argument in rose_node seqops 2008-05-02 17:03:22 -07:00
rxrpc net: Add missing braces to multi-statement if()s 2008-05-02 16:20:10 -07:00
sched netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
sctp sctp: Fix ECN markings for IPv6 2008-06-04 12:40:15 -07:00
sunrpc Merge branch 'for-2.6.26' of git://linux-nfs.org/~bfields/linux 2008-05-20 19:30:54 -07:00
tipc tipc: Increase buffer header to support worst-case device 2008-05-08 21:38:24 -07:00
unix Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-2.6 2008-04-24 08:40:34 -07:00
wanrouter
wireless netlink: Improve returned error codes 2008-06-03 16:36:54 -07:00
x25
xfrm xfrm: xfrm_algo: correct usage of RIPEMD-160 2008-06-04 12:04:55 -07:00
compat.c net: Add compat support for getsockopt (MCAST_MSFILTER) 2008-04-29 03:23:22 -07:00
Kconfig
Makefile
nonet.c
socket.c net: Unexport move_addr_to_{kernel,user} 2008-04-23 03:37:49 -07:00
sysctl_net.c net: fix returning void-valued expression warnings 2008-05-01 02:47:38 -07:00
TUNABLE