diff options
author | Patrick McHardy <kaber@trash.net> | 2007-03-04 18:57:01 -0500 |
---|---|---|
committer | David S. Miller <davem@sunset.davemloft.net> | 2007-03-05 16:25:18 -0500 |
commit | ec68e97dedacc1c7fb20a4b23b7fa76bee56b5ff (patch) | |
tree | 767bc5044351af36ae97e3975a981ef03ff15382 | |
parent | c3442e296517aee733d62fc3fe03211598902c7d (diff) |
[NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops
Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
- unconfirmed entries can not be killed manually, they are removed on
confirmation or final destruction of the conntrack entry, which means
we might iterate forever without making forward progress.
This can happen in combination with the conntrack event cache, which
holds a reference to the conntrack entry, which is only released when
the packet makes it all the way through the stack or a different
packet is handled.
- taking references to an unconfirmed entry and using it outside the
locked section doesn't work, the list entries are not refcounted and
another CPU might already be waiting to destroy the entry
What the code really wants to do is make sure the references of the hash
table to the selected conntrack entries are released, so they will be
destroyed once all references from skbs and the event cache are dropped.
Since unconfirmed entries haven't even entered the hash yet, simply mark
them as dying and skip confirmation based on that.
Reported and tested by Chuck Ebbert <cebbert@redhat.com>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/linux/netfilter_ipv4/ip_conntrack_core.h | 2 | ||||
-rw-r--r-- | include/net/netfilter/nf_conntrack_core.h | 2 | ||||
-rw-r--r-- | net/ipv4/netfilter/ip_conntrack_core.c | 2 | ||||
-rw-r--r-- | net/netfilter/nf_conntrack_core.c | 2 |
4 files changed, 4 insertions, 4 deletions
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h index 907d4f5ca5dc..e3a6df07aa4b 100644 --- a/include/linux/netfilter_ipv4/ip_conntrack_core.h +++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h | |||
@@ -45,7 +45,7 @@ static inline int ip_conntrack_confirm(struct sk_buff **pskb) | |||
45 | int ret = NF_ACCEPT; | 45 | int ret = NF_ACCEPT; |
46 | 46 | ||
47 | if (ct) { | 47 | if (ct) { |
48 | if (!is_confirmed(ct)) | 48 | if (!is_confirmed(ct) && !is_dying(ct)) |
49 | ret = __ip_conntrack_confirm(pskb); | 49 | ret = __ip_conntrack_confirm(pskb); |
50 | ip_ct_deliver_cached_events(ct); | 50 | ip_ct_deliver_cached_events(ct); |
51 | } | 51 | } |
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h index 7fdc72c01356..85634e1865c3 100644 --- a/include/net/netfilter/nf_conntrack_core.h +++ b/include/net/netfilter/nf_conntrack_core.h | |||
@@ -64,7 +64,7 @@ static inline int nf_conntrack_confirm(struct sk_buff **pskb) | |||
64 | int ret = NF_ACCEPT; | 64 | int ret = NF_ACCEPT; |
65 | 65 | ||
66 | if (ct) { | 66 | if (ct) { |
67 | if (!nf_ct_is_confirmed(ct)) | 67 | if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct)) |
68 | ret = __nf_conntrack_confirm(pskb); | 68 | ret = __nf_conntrack_confirm(pskb); |
69 | nf_ct_deliver_cached_events(ct); | 69 | nf_ct_deliver_cached_events(ct); |
70 | } | 70 | } |
diff --git a/net/ipv4/netfilter/ip_conntrack_core.c b/net/ipv4/netfilter/ip_conntrack_core.c index 07ba1dd136b5..23b99ae2cc37 100644 --- a/net/ipv4/netfilter/ip_conntrack_core.c +++ b/net/ipv4/netfilter/ip_conntrack_core.c | |||
@@ -1254,7 +1254,7 @@ get_next_corpse(int (*iter)(struct ip_conntrack *i, void *data), | |||
1254 | list_for_each_entry(h, &unconfirmed, list) { | 1254 | list_for_each_entry(h, &unconfirmed, list) { |
1255 | ct = tuplehash_to_ctrack(h); | 1255 | ct = tuplehash_to_ctrack(h); |
1256 | if (iter(ct, data)) | 1256 | if (iter(ct, data)) |
1257 | goto found; | 1257 | set_bit(IPS_DYING_BIT, &ct->status); |
1258 | } | 1258 | } |
1259 | write_unlock_bh(&ip_conntrack_lock); | 1259 | write_unlock_bh(&ip_conntrack_lock); |
1260 | return NULL; | 1260 | return NULL; |
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 32891ebc9e68..4fdf4849baf8 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
@@ -1070,7 +1070,7 @@ get_next_corpse(int (*iter)(struct nf_conn *i, void *data), | |||
1070 | list_for_each_entry(h, &unconfirmed, list) { | 1070 | list_for_each_entry(h, &unconfirmed, list) { |
1071 | ct = nf_ct_tuplehash_to_ctrack(h); | 1071 | ct = nf_ct_tuplehash_to_ctrack(h); |
1072 | if (iter(ct, data)) | 1072 | if (iter(ct, data)) |
1073 | goto found; | 1073 | set_bit(IPS_DYING_BIT, &ct->status); |
1074 | } | 1074 | } |
1075 | write_unlock_bh(&nf_conntrack_lock); | 1075 | write_unlock_bh(&nf_conntrack_lock); |
1076 | return NULL; | 1076 | return NULL; |