From: Patrick McHardy <kaber@trash.net>
Date: Wed, 7 Mar 2007 21:34:33 +0000 (+0100)
Subject: nfnetlink_log: fix use after free
X-Git-Tag: v2.6.20.3~15
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=08bfad45bd7e07dad209f593499fea2d05c1f75c;p=thirdparty%2Fkernel%2Fstable.git

nfnetlink_log: fix use after free

[NETFILTER]: nfnetlink_log: fix use after free

Paranoia: instance_put() might have freed the inst pointer when we
spin_unlock_bh().

Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---

diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 4249515d1ae57..a21bfc4c05704 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -397,8 +397,8 @@ static void nfulnl_timer(unsigned long data)
 	if (timer_pending(&inst->timer))	/* is it always true or false here? */
 		del_timer(&inst->timer);
 	__nfulnl_send(inst);
-	instance_put(inst);
 	spin_unlock_bh(&inst->lock);
+	instance_put(inst);
 }
 
 /* This is an inline function, we don't really care about a long