diff mbox

[nf] netfilter: nat: use atomic bit op to clear the _SRC_NAT_DONE_BIT

Message ID 1495377491-46768-1-git-send-email-zlpnobody@163.com
State Accepted
Delegated to: Pablo Neira
Headers show

Commit Message

Liping Zhang May 21, 2017, 2:38 p.m. UTC 
From: Liping Zhang <zlpnobody@gmail.com>

We need to clear the IPS_SRC_NAT_DONE_BIT to indicate that the ct has
been removed from nat_bysource table. But unfortunately, we use the
non-atomic bit operation: "ct->status &= ~IPS_NAT_DONE_MASK". So
there's a race condition that we may clear the _DYING_BIT set by
another CPU unexpectedly.

Since we don't care about the IPS_DST_NAT_DONE_BIT, so just using
clear_bit to clear the IPS_SRC_NAT_DONE_BIT is enough.

Also note, this is the last user which use the non-atomic bit operation
to update the confirmed ct->status.

Reported-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
---
 net/netfilter/nf_nat_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Florian Westphal May 21, 2017, 3:45 p.m. UTC | #1 
Liping Zhang <zlpnobody@163.com> wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
> 
> We need to clear the IPS_SRC_NAT_DONE_BIT to indicate that the ct has
> been removed from nat_bysource table. But unfortunately, we use the
> non-atomic bit operation: "ct->status &= ~IPS_NAT_DONE_MASK". So
> there's a race condition that we may clear the _DYING_BIT set by
> another CPU unexpectedly.
> 
> Since we don't care about the IPS_DST_NAT_DONE_BIT, so just using
> clear_bit to clear the IPS_SRC_NAT_DONE_BIT is enough.
> 
> Also note, this is the last user which use the non-atomic bit operation
> to update the confirmed ct->status.

Looks good, thanks Liping.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Pablo Neira Ayuso May 23, 2017, 9:28 p.m. UTC | #2 
On Sun, May 21, 2017 at 10:38:11PM +0800, Liping Zhang wrote:
> From: Liping Zhang <zlpnobody@gmail.com>
> 
> We need to clear the IPS_SRC_NAT_DONE_BIT to indicate that the ct has
> been removed from nat_bysource table. But unfortunately, we use the
> non-atomic bit operation: "ct->status &= ~IPS_NAT_DONE_MASK". So
> there's a race condition that we may clear the _DYING_BIT set by
> another CPU unexpectedly.
> 
> Since we don't care about the IPS_DST_NAT_DONE_BIT, so just using
> clear_bit to clear the IPS_SRC_NAT_DONE_BIT is enough.
> 
> Also note, this is the last user which use the non-atomic bit operation
> to update the confirmed ct->status.

Applied to nf, thanks.

Does your patchset for nf-next depend on this in any way? If so, you
will have to wait until this propagates to nf-next.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/netfilter/nf_nat_core.c b/net/netfilter/nf_nat_core.c
index ef0be32..6c72922 100644
--- a/net/netfilter/nf_nat_core.c
+++ b/net/netfilter/nf_nat_core.c
@@ -566,7 +566,7 @@  static int nf_nat_proto_clean(struct nf_conn *ct, void *data)
 	 * Else, when the conntrack is destoyed, nf_nat_cleanup_conntrack()
 	 * will delete entry from already-freed table.
 	 */
-	ct->status &= ~IPS_NAT_DONE_MASK;
+	clear_bit(IPS_SRC_NAT_DONE_BIT, &ct->status);
 	rhltable_remove(&nf_nat_bysource_table, &ct->nat_bysource,
 			nf_nat_bysource_params);