Thread: 182 messages, 27 authors, 2008-08-01

Re: [regression] nf_iterate(), BUG: unable to handle kernel NULL pointer dereference

From: Andrew Morton <akpm@linux-foundation.org>
Date: 2008-07-24 18:54:19
Also in: lkml

On Thu, 24 Jul 2008 16:34:36 +0300 Pekka Enberg [off-list ref] wrote:
> > > > Your patch introduced a use-after-free and double-free.
> > > > krealloc() frees the old pointer, but it is still used
> > > > for the ->move operations, then freed again.
> > > >
> > > > To fix this I think we need a __krealloc() that doesn't
> > > > free the old memory, especially since it must not be
> > > > freed immediately because it may still be used in a RCU
> > > > read side (see the last part in the patch attached to
> > > > this mail (based on a kernel without your patch)).
> > >
> > > Agreed. Something like this, perhaps?
> > >
> > > [PATCH] netfilter: fix double-free and use-after-free
> > >
> > > As suggested by Patrick McHardy, introduce a __krealloc() that doesn't
> > > free the original buffer to fix a double-free and use-after-free bug
> > > introduced by me in netfilter that uses RCU.
> > >
> > > Reported-by: Patrick McHardy <redacted>
> > > Signed-off-by: Pekka Enberg <redacted>
> >
> > Looks good to me, thanks.
>
> Ingo, can you please test this? Andrew, I'm at OLS so can you pick up
> the patch in your tree?
Sure.  Or Patrick can do so and it can be merged via the net tree.

Ingo, did this patch actually fix something over there?
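As an added illustration (not code from this thread or from the kernel), a userspace model of the pattern Patrick suggests: a __krealloc()-style helper that copies without freeing, so the ->move operations can still read the old area and it is freed exactly once afterwards. The names model___krealloc, struct ext, ext_move, ext_grow and ext_grow_demo are constructed for this example.

```c
#include <stdlib.h>
#include <string.h>

/* Model of __krealloc(): copy into a new buffer but do NOT free the old one
 * (krealloc() frees it, which made the later ->move reads a use-after-free and
 * the later kfree() a double free); the caller frees it after an RCU grace period. */
static void *model___krealloc(const void *p, size_t old_size, size_t new_size)
{
	void *np = malloc(new_size);
	if (np && p)
		memcpy(np, p, old_size < new_size ? old_size : new_size);
	return np;
}

/* Constructed record; ext_move() stands in for the per-extension ->move
 * operations, which still read from the old area. */
struct ext { int val; int moved; };
static void ext_move(struct ext *dst, const struct ext *src)
{
	dst->val = src->val;
	dst->moved = src->moved + 1;
}

/* Grow the area from old_n to new_n records: run the moves while the old
 * area is still alive, publish the new one, then free the old one once. */
static struct ext *ext_grow(struct ext **area, size_t old_n, size_t new_n)
{
	struct ext *old = *area;
	struct ext *new = model___krealloc(old, old_n * sizeof(*old), new_n * sizeof(*new));
	if (!new)
		return NULL;
	for (size_t i = 0; i < old_n; i++)
		ext_move(&new[i], &old[i]);
	memset(&new[old_n], 0, (new_n - old_n) * sizeof(*new));
	*area = new;	/* kernel: rcu_assign_pointer(), then synchronize_rcu() */
	free(old);	/* the single kfree() of the old area */
	return new;
}

/* Grow a constructed two-record area to three; 1 if the records survived the move intact. */
static int ext_grow_demo(void)
{
	struct ext *area = calloc(2, sizeof(*area));
	int ok = 0;
	if (area) { area[0].val = 10; area[1].val = 20; }
	if (area && ext_grow(&area, 2, 3))
		ok = area[0].val == 10 && area[1].val == 20 && area[1].moved == 1 && area[2].moved == 0;
	free(area);
	return ok;
}
```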