aboutsummaryrefslogtreecommitdiff
path: root/net
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2007-03-07 22:34:33 +0100
committerGreg Kroah-Hartman <gregkh@suse.de>2007-03-13 11:26:45 -0700
commit08bfad45bd7e07dad209f593499fea2d05c1f75c (patch)
treee42387d1c170ad0219e7b14f9f57f083e5f07bb5 /net
parent752d2d17421b051448d7e3765a80040af11cc02b (diff)
nfnetlink_log: fix use after free
[NETFILTER]: nfnetlink_log: fix use after free Paranoia: instance_put() might have freed the inst pointer when we spin_unlock_bh(). Signed-off-by: Michal Miroslaw <mirq-linux@rere.qmqm.pl> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
Diffstat (limited to 'net')
-rw-r--r--net/netfilter/nfnetlink_log.c2
1 files changed, 1 insertions, 1 deletions
diff --git a/net/netfilter/nfnetlink_log.c b/net/netfilter/nfnetlink_log.c
index 4249515d1ae5..a21bfc4c0570 100644
--- a/net/netfilter/nfnetlink_log.c
+++ b/net/netfilter/nfnetlink_log.c
@@ -397,8 +397,8 @@ static void nfulnl_timer(unsigned long data)
if (timer_pending(&inst->timer)) /* is it always true or false here? */
del_timer(&inst->timer);
__nfulnl_send(inst);
- instance_put(inst);
spin_unlock_bh(&inst->lock);
+ instance_put(inst);
}
/* This is an inline function, we don't really care about a long