From patchwork Wed Jan  2 20:42:04 2019
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Mauricio Faria de Oliveira <mfo@canonical.com>
X-Patchwork-Id: 1020071
X-Patchwork-Delegate: davem@davemloft.net
Return-Path: <netdev-owner@vger.kernel.org>
X-Original-To: patchwork-incoming-netdev@ozlabs.org
Delivered-To: patchwork-incoming-netdev@ozlabs.org
Authentication-Results: ozlabs.org;
	spf=none (mailfrom) smtp.mailfrom=vger.kernel.org
	(client-ip=209.132.180.67; helo=vger.kernel.org;
	envelope-from=netdev-owner@vger.kernel.org;
	receiver=<UNKNOWN>)
Authentication-Results: ozlabs.org; dmarc=fail (p=none dis=none)
	header.from=canonical.com
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by ozlabs.org (Postfix) with ESMTP id 43VNKp5RV2z9s7h
	for <patchwork-incoming-netdev@ozlabs.org>;
	Thu,  3 Jan 2019 07:43:10 +1100 (AEDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1727860AbfABUnJ (ORCPT
	<rfc822;patchwork-incoming-netdev@ozlabs.org>);
	Wed, 2 Jan 2019 15:43:09 -0500
Received: from youngberry.canonical.com ([91.189.89.112]:43844 "EHLO
	youngberry.canonical.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1727193AbfABUnI (ORCPT
	<rfc822;netdev@vger.kernel.org>); Wed, 2 Jan 2019 15:43:08 -0500
Received: from mail-qt1-f199.google.com ([209.85.160.199])
	by youngberry.canonical.com with esmtps
	(TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76)
	(envelope-from <mfo@canonical.com>) id 1genM2-0002dy-NM
	for netdev@vger.kernel.org; Wed, 02 Jan 2019 20:43:06 +0000
Received: by mail-qt1-f199.google.com with SMTP id q3so40301888qtq.15
	for <netdev@vger.kernel.org>; Wed, 02 Jan 2019 12:43:06 -0800 (PST)
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
	d=1e100.net; s=20161025;
	h=x-gm-message-state:from:to:cc:subject:date:message-id:in-reply-to
	:references;
	bh=HEubLEt2IjRABaSPr7Ib16wjjFBZlNNp3QPirrJHQmA=;
	b=RrAgnmv2RA4EoYrE/ZY4BLSVsn9bOHugvkF76pZY+Jb6G1aEJU/scA9FxW0c9z57RY
	v09tnwkgN5N7NdQzoOqT3uGPggLnKn1Df1AsD5Cdr2yYp64PH4MxCTbgiFzP2dFrF6Sd
	9RFlNkKxCOhugeklCRiM296E7mHci25VGjpylqFdEvKX0HCWhUeuZqkQv2I9v06G0p+r
	scMTPr5LkvLNpHVMX1Pse+o4sLB9iQBUlQUqDvx4VRVKYzXyx3teUN1IMo7eEkcyoPcD
	+aq6ChvV55k8yHyUrrRSoG126isEiTqVEDD022UAF/PVCieHpFRn6GvqnpYYcU92KPB5
	aK4g==
X-Gm-Message-State: AJcUukf97fZ2EYIGFjnm0zSWxeLQrWQPF1K4ISekLNUZOPxulZZcchWJ
	kJIgkm0V3UiX34U1CKmepYue6/y6kr0b4SWif7kTDw4eUPeb5BmhRMv7oec1e6hVtQSVYaa0lwN
	AyvVym+r4ZjLepSr89wEBR8FRswUOJinVSg==
X-Received: by 2002:a0c:a326:: with SMTP id
	u35mr44666953qvu.190.1546461785855;
	Wed, 02 Jan 2019 12:43:05 -0800 (PST)
X-Google-Smtp-Source: 
 ALg8bN5VH4IZbTQcTWiZZYaRP0CTJsrSkEkR79axHOonRjOvGERyfcbqwimMnBH8V71lonZV8NHmeA==
X-Received: by 2002:a0c:a326:: with SMTP id
	u35mr44666941qvu.190.1546461785737;
	Wed, 02 Jan 2019 12:43:05 -0800 (PST)
Received: from localhost.localdomain ([179.159.56.118])
	by smtp.gmail.com with ESMTPSA id
	e17sm26679381qte.12.2019.01.02.12.43.02
	(version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
	Wed, 02 Jan 2019 12:43:05 -0800 (PST)
From: Mauricio Faria de Oliveira <mfo@canonical.com>
To: stable@vger.kernel.org, netdev@vger.kernel.org,
	Florian Westphal <fw@strlen.de>
Cc: Alakesh Haloi <alakeshh@amazon.com>, nivedita.singhvi@canonical.com,
	Pablo Neira Ayuso <pablo@netfilter.org>,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	"David S. Miller" <davem@davemloft.net>,
	Yi-Hung Wei <yihung.wei@gmail.com>
Subject: [PATCH v2 4.14 5/5] netfilter: nf_conncount: don't skip eviction
	when age is negative
Date: Wed,  2 Jan 2019 18:42:04 -0200
Message-Id: <20190102204204.12389-6-mfo@canonical.com>
X-Mailer: git-send-email 2.17.1
In-Reply-To: <20190102204204.12389-1-mfo@canonical.com>
References: <20190102204204.12389-1-mfo@canonical.com>
Sender: netdev-owner@vger.kernel.org
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

From: Florian Westphal <fw@strlen.de>

commit 4cd273bb91b3001f623f516ec726c49754571b1a upstream.

(not in Linus's tree now, but in nf.git + linux-next.git already.)

age is signed integer, so result can be negative when the timestamps
have a large delta.  In this case we want to discard the entry.

Instead of using age >= 2 || age < 0, just make it unsigned.

Fixes: b36e4523d4d56 ("netfilter: nf_conncount: fix garbage collection confirm race")
Reviewed-by: Shawn Bohrer <sbohrer@cloudflare.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

[mfo: backport: use older file name, nf_conncount.c -> xt_connlimit.c]
Signed-off-by: Mauricio Faria de Oliveira <mfo@canonical.com>
---
 net/netfilter/xt_connlimit.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c
index 913b86ef..b1646c2 100644
--- a/net/netfilter/xt_connlimit.c
+++ b/net/netfilter/xt_connlimit.c
@@ -141,7 +141,7 @@ find_or_evict(struct net *net, struct xt_connlimit_conn *conn)
 	const struct nf_conntrack_tuple_hash *found;
 	unsigned long a, b;
 	int cpu = raw_smp_processor_id();
-	__s32 age;
+	u32 age;
 
 	found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple);
 	if (found)