From patchwork Wed Sep 28 15:35:14 2016
X-Patchwork-Submitter: Aaron Conole
X-Patchwork-Id: 676289
X-Patchwork-Delegate: davem@davemloft.net
From: Aaron Conole
To: netfilter-devel@vger.kernel.org, netdev@vger.kernel.org
Cc: Florian Westphal, Pablo Neira Ayuso
Subject: [PATCH nf-next v4 1/2] netfilter: Fix potential null pointer dereference
Date: Wed, 28 Sep 2016 11:35:14 -0400
Message-Id: <1475076915-5920-2-git-send-email-aconole@bytheb.org>
In-Reply-To: <1475076915-5920-1-git-send-email-aconole@bytheb.org>
References: <1475076915-5920-1-git-send-email-aconole@bytheb.org>

It's possible for nf_hook_entry_head to return NULL. If two
nf_unregister_net_hook calls happen simultaneously with a single hook
entry in the list, both will enter the nf_hook_mutex critical section.
The first will successfully delete the head, but the second will see
this NULL pointer and attempt to dereference.

This fix ensures that no null pointer dereference could occur when such
a condition happens.

Fixes: e3b37f11e6e4 ("netfilter: replace list_head with single linked list")
Signed-off-by: Aaron Conole
---
 net/netfilter/core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/core.c b/net/netfilter/core.c index 360c63d..e58e420 100644 --- a/net/netfilter/core.c +++ b/net/netfilter/core.c @@ -160,7 +160,7 @@ void nf_unregister_net_hook(struct net *net, const struct nf_hook_ops *reg) mutex_lock(&nf_hook_mutex); hooks_entry = nf_hook_entry_head(net, reg); - if (hooks_entry->orig_ops == reg) { + if (hooks_entry && hooks_entry->orig_ops == reg) { nf_set_hooks_head(net, reg, nf_entry_dereference(hooks_entry->next)); goto unlock;
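Review bot: The added `hooks_entry &&` test only guards the head comparison in this `if`; when `nf_hook_entry_head()` returns NULL, control skips the block and continues into the rest of `nf_unregister_net_hook()`, which lies outside this hunk's context. Whatever follows `goto unlock;` must therefore tolerate a NULL `hooks_entry` as well, and that cannot be confirmed from the lines shown. An explicit early exit right after the `nf_hook_entry_head()` call, for example `if (!hooks_entry) goto unlock;`, would make the empty-list case obvious and keep the original `if (hooks_entry->orig_ops == reg)` unchanged. Since reaching this point with an empty list means the caller is unregistering a hook that is no longer registered, a warning on that path would also help surface the double unregister instead of silently ignoring it.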