From patchwork Thu Feb 8 21:53:52 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Cong Wang X-Patchwork-Id: 871148 X-Patchwork-Delegate: pablo@netfilter.org Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Authentication-Results: ozlabs.org; spf=none (mailfrom) smtp.mailfrom=vger.kernel.org (client-ip=209.132.180.67; helo=vger.kernel.org; envelope-from=netfilter-devel-owner@vger.kernel.org; receiver=) Authentication-Results: ozlabs.org; dkim=fail reason="signature verification failed" (2048-bit key; unprotected) header.d=gmail.com header.i=@gmail.com header.b="KFbeo5le"; dkim-atps=neutral Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 3zcsR63gDcz9s7v for ; Fri, 9 Feb 2018 08:54:10 +1100 (AEDT) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752203AbeBHVyE (ORCPT ); Thu, 8 Feb 2018 16:54:04 -0500 Received: from mail-pl0-f68.google.com ([209.85.160.68]:45370 "EHLO mail-pl0-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751756AbeBHVyD (ORCPT ); Thu, 8 Feb 2018 16:54:03 -0500 Received: by mail-pl0-f68.google.com with SMTP id p5so510092plo.12; Thu, 08 Feb 2018 13:54:03 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=5hZDCPxY+myKMy8GMveFJeF3Ug59IlXT4JDkcaSws/U=; b=KFbeo5lewUqRbXsRvlT0Yo9OdQs72tEcCz4CTJk24fNEozxNQqmPpb0o4uk351E/++ TwN/GP29B25OJW6uekibP5gnINnPGIcDQZ7FxUyD/M7ek860XjaXbcCFDvlsma30XH0e 0EtlO5rgsGiBeynAdXVme8wRYIfF5jp/c0XpDfq5p0Y+p1KrBCKG+2L/nKk0elwsQ6Xe U/V/VYImdA/orY4VbVBePmlUFsX6ot+VuonAaYV4+0hlhR3jTFtPciZ6yRUMCfS80GxR 3juvsgYzCzNYU9KObHQypA22Po/lNlpK6fWYFj12UuwAKtOHuxjb1l47SIRXSq4JcZ3C TzSw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=5hZDCPxY+myKMy8GMveFJeF3Ug59IlXT4JDkcaSws/U=; b=advjEscoD0Y/E/CA+PEy+fFkTnjBYZcn/u54NpN1Y6OcLySlW4E4qbHxlyPqatW/sI Mo0uOpVH+LQS6W4VNZJqTXkLMtnW4ehqHmlBNePhx00YRCsnjsciXHzReNJ5e/5/fBuI Jv6mJpUMEx9MdZug+kGDkZB33kR+NP8V1XrXZAYbZ2ij9ZIC6h/b0hj6Ha8kSynrIiIv GKsiymIj42dSX+036ETuuTda48EA2e9lGcSVJdT6iV/ZeUiK5OjtIcAwCJ3YtFy0OQ+m N52yMj8QIGoPR/L0Y8TQ3gvVtUf0SdrB36zO6v02u+7gfYi3gZjRIfN2bMRepUtDT6av zLkQ== X-Gm-Message-State: APf1xPD5snfeBeUUySM5w54VyaxSoBBxubm/R+tpfxwcG1ERHktoZNWr aBleseAmf0DgGvh5ygDnnWiUtvP/ X-Google-Smtp-Source: AH8x225/2muyRVpaAxCmg06x9mDTRKbbvTe4ghiAVAPzyL+3EZosUOpxYN+jUZBUg32EkSkYLcXlww== X-Received: by 2002:a17:902:396a:: with SMTP id e39-v6mr414103plg.324.1518126843043; Thu, 08 Feb 2018 13:54:03 -0800 (PST) Received: from tw-172-25-30-113.office.twttr.net ([8.25.197.25]) by smtp.gmail.com with ESMTPSA id d74sm3231120pfb.54.2018.02.08.13.54.01 (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256); Thu, 08 Feb 2018 13:54:01 -0800 (PST) From: Cong Wang To: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org, pabeni@redhat.com, Cong Wang , Eric Dumazet , Pablo Neira Ayuso , Florian Westphal Subject: [Patch net v2] ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get() Date: Thu, 8 Feb 2018 13:53:52 -0800 Message-Id: <20180208215352.8294-1-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.9.4 Sender: netfilter-devel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netfilter-devel@vger.kernel.org In clusterip_config_find_get() we hold RCU read lock so it could run concurrently with clusterip_config_entry_put(), as a result, the refcnt could go back to 1 from 0, which leads to a double list_del()... Just replace refcount_inc() with refcount_inc_not_zero(), as for c->refcount. Fixes: d73f33b16883 ("netfilter: CLUSTERIP: RCU conversion") Cc: Eric Dumazet Cc: Pablo Neira Ayuso Cc: Florian Westphal Signed-off-by: Cong Wang Reviewed-by: Florian Westphal --- net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 1ff72b87a066..4b02ab39ebc5 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -154,8 +154,12 @@ clusterip_config_find_get(struct net *net, __be32 clusterip, int entry) #endif if (unlikely(!refcount_inc_not_zero(&c->refcount))) c = NULL; - else if (entry) - refcount_inc(&c->entries); + else if (entry) { + if (unlikely(!refcount_inc_not_zero(&c->entries))) { + clusterip_config_put(c); + c = NULL; + } + } } rcu_read_unlock_bh();