From patchwork Fri Jan 31 20:52:14 2020
X-Patchwork-Submitter: Cong Wang
X-Patchwork-Id: 1232110
X-Patchwork-Delegate: davem@davemloft.net
From: Cong Wang To: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org, Cong Wang , syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com, Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal Subject: [Patch nf 1/3] xt_hashlimit: avoid OOM for user-controlled vmalloc Date: Fri, 31 Jan 2020 12:52:14 -0800 Message-Id: <20200131205216.22213-2-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200131205216.22213-1-xiyou.wangcong@gmail.com> References: <20200131205216.22213-1-xiyou.wangcong@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The hashtable size could be controlled by user, so use flags GFP_USER | __GFP_NOWARN to avoid OOM warning triggered by user-space. Also add __GFP_NORETRY to avoid retrying, as this is just a best effort and the failure is already handled gracefully. Reported-and-tested-by: syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com Cc: Pablo Neira Ayuso Cc: Jozsef Kadlecsik Cc: Florian Westphal Signed-off-by: Cong Wang --- net/netfilter/xt_hashlimit.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index bccd47cd7190..885a266d8e57 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c 
@@ -293,8 +293,9 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, if (size < 16) size = 16; } - /* FIXME: don't use vmalloc() here or anywhere else -HW */ - hinfo = vmalloc(struct_size(hinfo, hash, size)); + /* FIXME: don't use __vmalloc() here or anywhere else -HW */ + hinfo = __vmalloc(struct_size(hinfo, hash, size), + GFP_USER | __GFP_NOWARN | __GFP_NORETRY, PAGE_KERNEL); if (hinfo == NULL) return -ENOMEM; *out_hinfo = hinfo;
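Review bot: the rewritten FIXME in htable_create() now reads "don't use __vmalloc() here or anywhere else -HW", which attributes a remark about __vmalloc() to the author of the old comment and still does not say why these GFP flags were chosen. Suggest leaving the old FIXME wording alone (or dropping it) and adding a short comment above the call stating that the size comes from user space, so the allocation is GFP_USER, must not warn (__GFP_NOWARN), and does not retry (__GFP_NORETRY) because the "if (hinfo == NULL) return -ENOMEM;" path right below already handles failure. Also note that size has no upper bound in this hunk, so the flags only quiet the failure path and do not limit what user space can ask for.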
From: Cong Wang To: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org, Cong Wang , syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com, Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal Subject: [Patch nf 2/3] xt_hashlimit: reduce hashlimit_mutex scope for htable_put() Date: Fri, 31 Jan 2020 12:52:15 -0800 Message-Id: <20200131205216.22213-3-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200131205216.22213-1-xiyou.wangcong@gmail.com> References: <20200131205216.22213-1-xiyou.wangcong@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org It is unnecessary to hold hashlimit_mutex for htable_destroy() as it is already removed from the global hashtable and its refcount is already zero. Also, switch hinfo->use to refcount_t so that we don't have to hold the mutex until it reaches zero in htable_put(). Reported-and-tested-by: syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com Cc: Pablo Neira Ayuso Cc: Jozsef Kadlecsik Cc: Florian Westphal Signed-off-by: Cong Wang Acked-by: Florian Westphal --- net/netfilter/xt_hashlimit.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 885a266d8e57..57a2639bcc22 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -36,6 +36,7 @@ #include #include #include +#include #include #define XT_HASHLIMIT_ALL (XT_HASHLIMIT_HASH_DIP | XT_HASHLIMIT_HASH_DPT | \ @@ -114,7 +115,7 @@ struct dsthash_ent { struct xt_hashlimit_htable { struct hlist_node node; /* global list of all htables */ - int use; + refcount_t use; u_int8_t family; bool rnd_initialized; 
@@ -316,7 +317,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, for (i = 0; i < hinfo->cfg.size; i++) INIT_HLIST_HEAD(&hinfo->hash[i]); - hinfo->use = 1; + refcount_set(&hinfo->use, 1); hinfo->count = 0; hinfo->family = family; hinfo->rnd_initialized = false; @@ -421,7 +422,7 @@ static struct xt_hashlimit_htable *htable_find_get(struct net *net, hlist_for_each_entry(hinfo, &hashlimit_net->htables, node) { if (!strcmp(name, hinfo->name) && hinfo->family == family) { - hinfo->use++; + refcount_inc(&hinfo->use); return hinfo; } } 
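Review bot: refcount_inc(&hinfo->use) inside the hlist_for_each_entry() walk in htable_find_get() is only safe if the caller holds hashlimit_mutex for the whole lookup, and nothing in this hunk states or enforces that. With references now being dropped outside the mutex, an entry found on the list has a non-zero count only because the final decrement and hlist_del() both happen under that same mutex. Suggest adding lockdep_assert_held(&hashlimit_mutex) at the top of htable_find_get(), or at least a comment, so a future lockless caller does not turn this into an increment on a dying object.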
@@ -430,12 +431,11 @@ static struct xt_hashlimit_htable *htable_find_get(struct net *net, static void htable_put(struct xt_hashlimit_htable *hinfo) { - mutex_lock(&hashlimit_mutex); - if (--hinfo->use == 0) { + if (refcount_dec_and_mutex_lock(&hinfo->use, &hashlimit_mutex)) { hlist_del(&hinfo->node); + mutex_unlock(&hashlimit_mutex); htable_destroy(hinfo); } - mutex_unlock(&hashlimit_mutex); }  /* The algorithm used is the Simple Token Bucket Filter (TBF)
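Review bot: in htable_put(), htable_destroy(hinfo) now runs after mutex_unlock(&hashlimit_mutex), so any teardown it performs is no longer serialized against a concurrent htable_create() of a table with the same name and family. The commit message argues this is safe because the entry is off the global list and its refcount is zero, but that only covers the hinfo object itself. htable_destroy() is not shown in this diff; if it releases anything looked up by name rather than by pointer, a new table registered in the window after the unlock could collide with the old one's teardown. Please confirm that in the commit message, or move the name-keyed part of the teardown before the unlock. A one-line comment saying the destroy is deliberately outside the lock would also help.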
From: Cong Wang To: netdev@vger.kernel.org Cc: netfilter-devel@vger.kernel.org, Cong Wang , syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com, Pablo Neira Ayuso , Jozsef Kadlecsik , Florian Westphal Subject: [Patch nf 3/3] xt_hashlimit: limit the max size of hashtable Date: Fri, 31 Jan 2020 12:52:16 -0800 Message-Id: <20200131205216.22213-4-xiyou.wangcong@gmail.com> X-Mailer: git-send-email 2.21.1 In-Reply-To: <20200131205216.22213-1-xiyou.wangcong@gmail.com> References: <20200131205216.22213-1-xiyou.wangcong@gmail.com> MIME-Version: 1.0 Sender: netdev-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: netdev@vger.kernel.org The user-specified hashtable size is unbound, this could easily lead to an OOM or a hung task as we hold the global mutex while allocating and initializing the new hashtable. The max value is derived from the max value when chosen by the kernel. Reported-and-tested-by: syzbot+adf6c6c2be1c3a718121@syzkaller.appspotmail.com Cc: Pablo Neira Ayuso Cc: Jozsef Kadlecsik Cc: Florian Westphal Signed-off-by: Cong Wang --- net/netfilter/xt_hashlimit.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c index 57a2639bcc22..6327134c5886 100644 --- a/net/netfilter/xt_hashlimit.c +++ b/net/netfilter/xt_hashlimit.c @@ -272,6 +272,8 @@ dsthash_free(struct xt_hashlimit_htable *ht, struct dsthash_ent *ent) } static void htable_gc(struct work_struct *work); +#define HASHLIMIT_MAX_SIZE 8192 + static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, const char *name, u_int8_t family, struct xt_hashlimit_htable **out_hinfo, @@ -290,7 +292,7 @@ static int htable_create(struct net *net, struct hashlimit_cfg3 *cfg, size = (nr_pages << PAGE_SHIFT) / 16384 / sizeof(struct hlist_head); if (nr_pages > 1024 * 1024 * 1024 / PAGE_SIZE) - size = 8192; + size = HASHLIMIT_MAX_SIZE; if (size < 16) size = 16; } 
@@ -848,6 +850,8 @@ static int hashlimit_mt_check_common(const struct xt_mtchk_param *par, if (cfg->gc_interval == 0 || cfg->expire == 0) return -EINVAL; + if (cfg->size > HASHLIMIT_MAX_SIZE) + return -ENOMEM; if (par->family == NFPROTO_IPV4) { if (cfg->srcmask > 32 || cfg->dstmask > 32) return -EINVAL;
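Review bot: the new check in hashlimit_mt_check_common() returns -ENOMEM for "cfg->size > HASHLIMIT_MAX_SIZE", while the parameter checks directly above and below it (gc_interval, expire, srcmask, dstmask) return -EINVAL. No allocation has been attempted at this point, so -ENOMEM tells user space the system is out of memory when the rule is simply out of range; suggest -EINVAL unless -ENOMEM is kept on purpose to match the previous failure mode, in which case say so in a comment. This also makes 8192 a user-visible limit: a rule with a larger size that loaded before will now be rejected, which the commit message should state. A comment at the #define noting that the value is a bucket count and where it comes from would help as well.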