| From stable-bounces@linux.kernel.org Wed Mar 7 13:37:47 2007 |
| From: Patrick McHardy <kaber@trash.net> |
| Date: Wed, 7 Mar 2007 22:34:33 +0100 (MET) |
| Subject: nfnetlink_log: fix use after free |
| To: stable@kernel.org |
| Cc: netfilter-devel@lists.netfilter.org, Patrick McHardy <kaber@trash.net>, <davem@davemloft.net> |
| Message-ID: <20070307213354.22306.58320.sendpatchset@localhost.localdomain> |
| |
| From: Patrick McHardy <kaber@trash.net> |
| |
| [NETFILTER]: nfnetlink_log: fix use after free |
| |
| Paranoia: instance_put() might have freed the inst pointer when we |
| spin_unlock_bh(). |
| |
| Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl> |
| Signed-off-by: Patrick McHardy <kaber@trash.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> |
| |
| --- |
| net/netfilter/nfnetlink_log.c | 2 +- |
| 1 file changed, 1 insertion(+), 1 deletion(-) |
| |
| --- a/net/netfilter/nfnetlink_log.c |
| +++ b/net/netfilter/nfnetlink_log.c |
| @@ -397,8 +397,8 @@ static void nfulnl_timer(unsigned long d |
| if (timer_pending(&inst->timer)) /* is it always true or false here? */ |
| del_timer(&inst->timer); |
| __nfulnl_send(inst); |
| - instance_put(inst); |
| spin_unlock_bh(&inst->lock); |
| + instance_put(inst); |
| } |
| |
| /* This is an inline function, we don't really care about a long |
