netfilter: nft_synproxy: avoid possible data-race on update operation

During nft_synproxy eval we are reading nf_synproxy_info struct which
can be modified on update operation concurrently. As nf_synproxy_info
struct fits in 32 bits, use READ_ONCE/WRITE_ONCE annotations.

Fixes: ee394f96ad75 ("netfilter: nft_synproxy: add synproxy stateful object support")
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/net/netfilter/nft_synproxy.c b/net/netfilter/nft_synproxy.c
index 5d3e51825985960fdf1a19c818f86c0027cdb010..4d3e5a31b4125d003b903acd05f8ba2e34eee2b5 100644 (file)
--- a/net/netfilter/nft_synproxy.c
+++ b/net/netfilter/nft_synproxy.c
@@ -48,7 +48,7 @@ static void nft_synproxy_eval_v4(const struct nft_synproxy *priv,
                                 struct tcphdr *_tcph,
                                 struct synproxy_options *opts)
 {
-       struct nf_synproxy_info info = priv->info;
+       struct nf_synproxy_info info = READ_ONCE(priv->info);
        struct net *net = nft_net(pkt);
        struct synproxy_net *snet = synproxy_pernet(net);
        struct sk_buff *skb = pkt->skb;
@@ -79,7 +79,7 @@ static void nft_synproxy_eval_v6(const struct nft_synproxy *priv,
                                 struct tcphdr *_tcph,
                                 struct synproxy_options *opts)
 {
-       struct nf_synproxy_info info = priv->info;
+       struct nf_synproxy_info info = READ_ONCE(priv->info);
        struct net *net = nft_net(pkt);
        struct synproxy_net *snet = synproxy_pernet(net);
        struct sk_buff *skb = pkt->skb;
@@ -340,7 +340,7 @@ static void nft_synproxy_obj_update(struct nft_object *obj,
        struct nft_synproxy *newpriv = nft_obj_data(newobj);
        struct nft_synproxy *priv = nft_obj_data(obj);
 
-       priv->info = newpriv->info;
+       WRITE_ONCE(priv->info, newpriv->info);
 }
 
 static struct nft_object_type nft_synproxy_obj_type;