diff options
| author | Pablo Neira <pablo@netfilter.org> | 2014-11-25 13:54:47 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-11-25 14:14:51 -0500 |
| commit | 43612d7c04f1a4f5e60104143918fcdf018b66ee (patch) | |
| tree | cde0881345eea4c43ad76670e001f85271806604 /net/netfilter | |
| parent | 814f7d115ec6348070b57e08851037fce486e16b (diff) | |
Revert "netfilter: conntrack: fix race in __nf_conntrack_confirm against get_next_corpse"
This reverts commit 5195c14c8b27cc0b18220ddbf0e5ad3328a04187.
If the conntrack clashes with an existing one, it is left out of
the unconfirmed list, thus, crashing when dropping the packet and
releasing the conntrack since golden rule is that conntracks are
always placed in any of the existing lists for traceability reasons.
Reported-by: Daniel Borkmann <dborkman@redhat.com>
Fixes: https://bugzilla.kernel.org/show_bug.cgi?id=88841
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/netfilter')
| -rw-r--r-- | net/netfilter/nf_conntrack_core.c | 14 |
1 files changed, 6 insertions, 8 deletions
diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 2c699757bccf..5016a6929085 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c | |||
| @@ -611,16 +611,12 @@ __nf_conntrack_confirm(struct sk_buff *skb) | |||
| 611 | */ | 611 | */ |
| 612 | NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); | 612 | NF_CT_ASSERT(!nf_ct_is_confirmed(ct)); |
| 613 | pr_debug("Confirming conntrack %p\n", ct); | 613 | pr_debug("Confirming conntrack %p\n", ct); |
| 614 | 614 | /* We have to check the DYING flag inside the lock to prevent | |
| 615 | /* We have to check the DYING flag after unlink to prevent | 615 | a race against nf_ct_get_next_corpse() possibly called from |
| 616 | * a race against nf_ct_get_next_corpse() possibly called from | 616 | user context, else we insert an already 'dead' hash, blocking |
| 617 | * user context, else we insert an already 'dead' hash, blocking | 617 | further use of that particular connection -JM */ |
| 618 | * further use of that particular connection -JM. | ||
| 619 | */ | ||
| 620 | nf_ct_del_from_dying_or_unconfirmed_list(ct); | ||
| 621 | 618 | ||
| 622 | if (unlikely(nf_ct_is_dying(ct))) { | 619 | if (unlikely(nf_ct_is_dying(ct))) { |
| 623 | nf_ct_add_to_dying_list(ct); | ||
| 624 | nf_conntrack_double_unlock(hash, reply_hash); | 620 | nf_conntrack_double_unlock(hash, reply_hash); |
| 625 | local_bh_enable(); | 621 | local_bh_enable(); |
| 626 | return NF_ACCEPT; | 622 | return NF_ACCEPT; |
| @@ -640,6 +636,8 @@ __nf_conntrack_confirm(struct sk_buff *skb) | |||
| 640 | zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h))) | 636 | zone == nf_ct_zone(nf_ct_tuplehash_to_ctrack(h))) |
| 641 | goto out; | 637 | goto out; |
| 642 | 638 | ||
| 639 | nf_ct_del_from_dying_or_unconfirmed_list(ct); | ||
| 640 | |||
| 643 | /* Timer relative to confirmation time, not original | 641 | /* Timer relative to confirmation time, not original |
| 644 | setting time, otherwise we'd get timer wrap in | 642 | setting time, otherwise we'd get timer wrap in |
| 645 | weird delay cases. */ | 643 | weird delay cases. */ |