[SRU,C,D/Unstable,1/1] netfilter: nf_conncount: don't skip eviction when age is negative

Message ID 20190110034539.32046-2-mfo@canonical.com
State New
Series
  • netfilter: nf_conncount: fix for LP#1811094

Commit Message

Mauricio Faria de Oliveira Jan. 10, 2019, 3:45 a.m.
From: Florian Westphal <fw@strlen.de>

BugLink: https://bugs.launchpad.net/bugs/1811094

age is a signed integer, so the result can be negative when the timestamps
have a large delta.  In this case we want to discard the entry.

Instead of using age >= 2 || age < 0, just make it unsigned.

Fixes: b36e4523d4d56 ("netfilter: nf_conncount: fix garbage collection confirm race")
Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 4cd273bb91b3001f623f516ec726c49754571b1a)
Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
---
 net/netfilter/nf_conncount.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
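The signed-versus-unsigned age problem the commit message describes, as an added example that is not part of the patch or of the netfilter code: it models the `age >= 2` eviction test with the pre-fix `__s32` age, the rejected `age >= 2 || age < 0` form, and the fixed `u32` age, using stdint types in place of the kernel's and constructed jiffies snapshots.

```c
/* Added example (not kernel code): models the "older than two jiffies"
 * test in find_or_evict() with both the pre-fix signed age and the
 * post-fix unsigned age.  stdint types stand in for the kernel's __s32
 * and u32; the jiffies values in main() are constructed for the demo. */
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

#define EVICT_AGE 2u   /* threshold named in the commit message: age >= 2 */

/* Pre-fix: age is __s32.  A delta of 2^31 or more wraps negative and the
 * check fails, so a stale entry is kept instead of evicted. */
static bool stale_signed(uint32_t now, uint32_t entry_jiffies32)
{
	int32_t age = (int32_t)(now - entry_jiffies32);
	return age >= (int32_t)EVICT_AGE;
}

/* The alternative the commit message rejects: keep age signed but add an
 * explicit negative check.  Behaviourally equivalent to the unsigned form. */
static bool stale_signed_with_neg_check(uint32_t now, uint32_t entry_jiffies32)
{
	int32_t age = (int32_t)(now - entry_jiffies32);
	return age >= (int32_t)EVICT_AGE || age < 0;
}

/* Post-fix: age is u32, so every delta of two or more jiffies, however
 * large, counts as old and the entry is evicted. */
static bool stale_unsigned(uint32_t now, uint32_t entry_jiffies32)
{
	uint32_t age = now - entry_jiffies32;
	return age >= EVICT_AGE;
}

int main(void)
{
	/* Constructed jiffies snapshots: fresh, boundary, large delta, wrap. */
	const uint32_t now = 5;
	const uint32_t samples[] = { 4, 3, 0x80000005u, 0xFFFFFFFFu };
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		uint32_t e = samples[i];
		printf("entry=0x%08x signed=%d signed+neg=%d unsigned=%d\n", e,
		       stale_signed(now, e), stale_signed_with_neg_check(now, e),
		       stale_unsigned(now, e));
	}
	return 0;
}
```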

Comments

Stefan Bader Jan. 10, 2019, 8:55 a.m. | #1
On 10.01.19 04:45, Mauricio Faria de Oliveira wrote:
> From: Florian Westphal <fw@strlen.de>
> 
> BugLink: https://bugs.launchpad.net/bugs/1811094
> 
> age is a signed integer, so the result can be negative when the timestamps
> have a large delta.  In this case we want to discard the entry.
> 
> Instead of using age >= 2 || age < 0, just make it unsigned.
> 
> Fixes: b36e4523d4d56 ("netfilter: nf_conncount: fix garbage collection confirm race")
> Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 4cd273bb91b3001f623f516ec726c49754571b1a)
> Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
> ---
>  net/netfilter/nf_conncount.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
> index 510039862aa9..79d1e17a39d8 100644
> --- a/net/netfilter/nf_conncount.c
> +++ b/net/netfilter/nf_conncount.c
> @@ -106,7 +106,7 @@ find_or_evict(struct net *net, struct nf_conncount_tuple *conn)
>  	const struct nf_conntrack_tuple_hash *found;
>  	unsigned long a, b;
>  	int cpu = raw_smp_processor_id();
> -	__s32 age;
> +	u32 age;
>  
>  	found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
>  	if (found)
>
Kleber Souza Jan. 10, 2019, 3:35 p.m. | #2
On 1/10/19 4:45 AM, Mauricio Faria de Oliveira wrote:
> From: Florian Westphal <fw@strlen.de>
>
> BugLink: https://bugs.launchpad.net/bugs/1811094
>
> age is a signed integer, so the result can be negative when the timestamps
> have a large delta.  In this case we want to discard the entry.
>
> Instead of using age >= 2 || age < 0, just make it unsigned.
>
> Fixes: b36e4523d4d56 ("netfilter: nf_conncount: fix garbage collection confirm race")
> Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
> Signed-off-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
> (cherry picked from commit 4cd273bb91b3001f623f516ec726c49754571b1a)
> Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>

Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>


> ---
>  net/netfilter/nf_conncount.c | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
> index 510039862aa9..79d1e17a39d8 100644
> --- a/net/netfilter/nf_conncount.c
> +++ b/net/netfilter/nf_conncount.c
> @@ -106,7 +106,7 @@ find_or_evict(struct net *net, struct nf_conncount_tuple *conn)
>  	const struct nf_conntrack_tuple_hash *found;
>  	unsigned long a, b;
>  	int cpu = raw_smp_processor_id();
> -	__s32 age;
> +	u32 age;
>  
>  	found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
>  	if (found)

Patch

diff --git a/net/netfilter/nf_conncount.c b/net/netfilter/nf_conncount.c
index 510039862aa9..79d1e17a39d8 100644
--- a/net/netfilter/nf_conncount.c
+++ b/net/netfilter/nf_conncount.c
@@ -106,7 +106,7 @@  find_or_evict(struct net *net, struct nf_conncount_tuple *conn)
 	const struct nf_conntrack_tuple_hash *found;
 	unsigned long a, b;
 	int cpu = raw_smp_processor_id();
-	__s32 age;
+	u32 age;
 
 	found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
 	if (found)
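Review bot: confirm in the full function that the computation of `age` and the `age >= 2` comparison the commit message cites, both of which fall outside the seven lines of context shown here, have no remaining dependence on `age` being signed. `a` and `b` are declared `unsigned long` two lines above the changed declaration, so the narrowing into the new `u32 age` is the point where a wrapped jiffies delta becomes a large positive value and is treated as expired; a one-line comment at that assignment saying the type deliberately relies on unsigned wraparound would stop the next reader from switching it back to `__s32`.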