Thread: 182 messages, 27 authors, 2008-08-01

Re: [regression] nf_iterate(), BUG: unable to handle kernel NULL pointer dereference

From: Dieter Ries <hidden>
Date: 2008-07-25 08:02:29
Also in: lkml

Pekka Enberg wrote:
On Thu, 2008-07-24 at 11:51 -0700, Andrew Morton wrote:
quoted
On Thu, 24 Jul 2008 16:34:36 +0300 Pekka Enberg [off-list ref] wrote:
quoted
quoted
quoted
quoted
Your patch introduced a use-after-free and double-free.
krealloc() frees the old pointer, but it is still used
for the ->move operations, then freed again.

To fix this I think we need a __krealloc() that doesn't
free the old memory, especially since it must not be
freed immediately because it may still be used in a RCU
read side (see the last part in the patch attached to
this mail (based on a kernel without your patch)).
Agreed. Something like this, perhaps?

[PATCH] netfilter: fix double-free and use-after-free

As suggested by Patrick McHardy, introduce a __krealloc() that doesn't
free the original buffer to fix a double-free and use-after-free bug
introduced by me in netfilter that uses RCU.

Reported-by: Patrick McHardy <redacted>
Signed-off-by: Pekka Enberg <redacted>
Looks good to me, thanks.
Ingo, can you please test this? Andrew, I'm at OLS so can you pick up
the patch in your tree?
Sure.  Or Patrick can do so and it can be merged via the net tree.

Ingo, did this patch actually fix something over there?
Apparently it didn't but it did fix Dieter's problem:

http://lkml.org/lkml/2008/7/24/337

Dieter, can we add a Tested-by tag from you to this patch?
Yes, it definitely fixed my issue and I have not encountered further problems with the patch. The machine is running fine with it.

Do I have to explicitly add my
Tested-by: Dieter Ries <redacted>
tag somewhere (if yes, where?) or is this enough for you?


cu
Dieter