aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorPatrick McHardy <kaber@trash.net>2008-07-09 18:06:12 -0400
committerDavid S. Miller <davem@davemloft.net>2008-07-09 18:06:12 -0400
commit6b69fe0c73c0f5a8dacf8f889db3cc9adee53649 (patch)
tree94334a28c9db60981a72478b18d54fccd353f7ff
parent32e8d4948bb0b5f3f0ac5cdb71d0ac8e305b29a5 (diff)
netfilter: nf_conntrack_tcp: fix endless loop
When a conntrack entry is destroyed in process context and destruction is interrupted by packet processing and the packet is an attempt to reopen a closed connection, TCP conntrack tries to kill the old entry itself and returns NF_REPEAT to pass the packet through the hook again. This may lead to an endless loop: TCP conntrack repeatedly finds the old entry, but can not kill it itself since destruction is already in progress, but destruction in process context can not complete since TCP conntrack is keeping the CPU busy. Drop the packet in TCP conntrack if we can't kill the connection ourselves to avoid this. Reported by: hemao77@gmail.com [ Kernel bugzilla #11058 ] Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--net/netfilter/nf_conntrack_proto_tcp.c10
1 files changed, 8 insertions, 2 deletions
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 271cd01d57ae..dd28fb239a60 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -844,9 +844,15 @@ static int tcp_packet(struct nf_conn *ct,
844 /* Attempt to reopen a closed/aborted connection. 844 /* Attempt to reopen a closed/aborted connection.
845 * Delete this connection and look up again. */ 845 * Delete this connection and look up again. */
846 write_unlock_bh(&tcp_lock); 846 write_unlock_bh(&tcp_lock);
847 if (del_timer(&ct->timeout)) 847 /* Only repeat if we can actually remove the timer.
848 * Destruction may already be in progress in process
849 * context and we must give it a chance to terminate.
850 */
851 if (del_timer(&ct->timeout)) {
848 ct->timeout.function((unsigned long)ct); 852 ct->timeout.function((unsigned long)ct);
849 return -NF_REPEAT; 853 return -NF_REPEAT;
854 }
855 return -NF_DROP;
850 } 856 }
851 /* Fall through */ 857 /* Fall through */
852 case TCP_CONNTRACK_IGNORE: 858 case TCP_CONNTRACK_IGNORE: