netfilter: conntrack: death_by_timeout() fix

Submitter	Eric Dumazet
Date	June 18, 2009, 10:46 p.m.
Message ID	<4A3AC3B3.2030002@gmail.com>
Download	mbox \| patch
Permalink	/patch/28885/
State	Not Applicable
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> Message-ID: <4A3AC3B3.2030002@gmail.com> Date: Fri, 19 Jun 2009 00:46:11 +0200 From: Eric Dumazet <eric.dumazet@gmail.com> User-Agent: Thunderbird 2.0.0.21 (Windows/20090302) MIME-Version: 1.0 To: Patrick McHardy <kaber@trash.net> CC: Ingo Molnar <mingo@elte.hu>, David Miller <davem@davemloft.net>, Thomas Gleixner <tglx@linutronix.de>, torvalds@linux-foundation.org, akpm@linux-foundation.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org> Subject: [PATCH] netfilter: conntrack: death_by_timeout() fix References: <20090615.050449.144947903.davem@davemloft.net> <20090616091538.GA4184@elte.hu> <20090616.034752.226811527.davem@davemloft.net> <20090616105304.GA3579@elte.hu> <20090616122415.GA16630@elte.hu> <20090617092152.GA17449@elte.hu> <4A38C2F3.3000009@gmail.com> <20090617110803.GA10175@elte.hu> <20090618052356.GA18722@elte.hu> <4A39D778.9020607@cosmosbay.com> <4A3A0D45.8090806@trash.net> <4A3A5599.4080906@trash.net> <4A3A6143.3040607@gmail.com> <4A3A66CC.4090205@trash.net> In-Reply-To: <4A3A66CC.4090205@trash.net> Content-Type: text/plain; charset=ISO-8859-15 Content-Transfer-Encoding: 8bit Sender: netdev-owner@vger.kernel.org Precedence: bulk

Comments

Eric Dumazet - June 18, 2009, 10:46 p.m.

Patrick McHardy a écrit :
> Eric Dumazet wrote:
>> In my own analysis, I found death_by_timeout() might be problematic,
>> with RCU and lockless lookups.
>>
>> static void death_by_timeout(unsigned long ul_conntrack)
>> {
>>         struct nf_conn *ct = (void *)ul_conntrack;
>>
>>         if (!test_bit(IPS_DYING_BIT, &ct->status) &&
>>             unlikely(nf_conntrack_event(IPCT_DESTROY, ct) < 0)) {
>>                 /* destroy event was not delivered */
>>                 nf_ct_delete_from_lists(ct);
>> << HERE >>
>>
>>                 nf_ct_insert_dying_list(ct);
>>                 return;
>>         }
>>         set_bit(IPS_DYING_BIT, &ct->status);
>>         nf_ct_delete_from_lists(ct);
>>         nf_ct_put(ct);
>> }
>>
>>
>> We delete ct from a list and insert it in a new list.
>>
>> I believe a reader could "*catch*" ct while doing a lookup and miss
>> the end
>> of its chain. (nulls algo check the null value at the end of lookup
>> and can
>> decide to restart the lookup if the null value is not the expected one)
>>
>> We need to change nf_conntrack_init_net() and use a different "null"
>> value,
>> guaranteed not being used in regular lists
> 
> Good catch. This is a new bug, but it shouldn't matter in this case
> since nf_conntrack_event() can't fail unless you have a userspace
> listener that makes use of reliable delivery, which I think hasn't
> even been released yet.
> 
>> Patch follows :
> 
> Looks good. If you send me a Signed-off-by: I'll already apply it.

Sure, here it is.

Thank you

[PATCH] netfilter: conntrack: death_by_timeout() fix

death_by_timeout() might delete a conntrack from hash list
and insert it in dying list.

 nf_ct_delete_from_lists(ct);
 nf_ct_insert_dying_list(ct);

I believe a (lockless) reader could *catch* ct while doing a lookup 
and miss the end of its chain.
(nulls lookup algo must check the null value at the end of lookup and
should restart if the null value is not the expected one.
cf Documentation/RCU/rculist_nulls.txt for details)

We need to change nf_conntrack_init_net() and use a different "null" value,
guaranteed not being used in regular lists. Choose very large values, since
hash table uses [0..size-1] null values.

Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
Acked-by: Patrick McHardy <kaber@trash.net>
---


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patrick McHardy - June 19, 2009, 11:15 a.m.

Eric Dumazet wrote:
> [PATCH] netfilter: conntrack: death_by_timeout() fix
> 
> death_by_timeout() might delete a conntrack from hash list
> and insert it in dying list.
> 
>  nf_ct_delete_from_lists(ct);
>  nf_ct_insert_dying_list(ct);
> 
> I believe a (lockless) reader could *catch* ct while doing a lookup 
> and miss the end of its chain.
> (nulls lookup algo must check the null value at the end of lookup and
> should restart if the null value is not the expected one.
> cf Documentation/RCU/rculist_nulls.txt for details)
> 
> We need to change nf_conntrack_init_net() and use a different "null" value,
> guaranteed not being used in regular lists. Choose very large values, since
> hash table uses [0..size-1] null values.

Applied, thanks Eric.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 5f72b94..5276a2d 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -1267,13 +1267,19 @@  err_cache:
 	return ret;
 }
 
+/*
+ * We need to use special "null" values, not used in hash table
+ */
+#define UNCONFIRMED_NULLS_VAL	((1<<30)+0)
+#define DYING_NULLS_VAL		((1<<30)+1)
+
 static int nf_conntrack_init_net(struct net *net)
 {
 	int ret;
 
 	atomic_set(&net->ct.count, 0);
-	INIT_HLIST_NULLS_HEAD(&net->ct.unconfirmed, 0);
-	INIT_HLIST_NULLS_HEAD(&net->ct.dying, 0);
+	INIT_HLIST_NULLS_HEAD(&net->ct.unconfirmed, UNCONFIRMED_NULLS_VAL);
+	INIT_HLIST_NULLS_HEAD(&net->ct.dying, DYING_NULLS_VAL);
 	net->ct.stat = alloc_percpu(struct ip_conntrack_stat);
 	if (!net->ct.stat) {
 		ret = -ENOMEM;

Patchwork netfilter: conntrack: death_by_timeout() fix

Comments

Patch