* FIX: connlimit NULL pointer kernel panic (was: connlimit patch crashes 2.6.11 kernel)
@ 2005-05-18 21:15 Damon Gray
2005-05-19 3:10 ` Pablo Neira
0 siblings, 1 reply; 4+ messages in thread
From: Damon Gray @ 2005-05-18 21:15 UTC (permalink / raw)
To: netfilter-devel; +Cc: mateusz, kaber
I have already submitted this to "the powers that be" but haven't heard
back yet. Here is how to fix it yourself.
The problem is in ipt_connlimit.c(line 67):
found = ip_conntrack_find_get(&conn->tuple,ct);
if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
/* Just to be sure we have it only once in the list.
We should'nt see tuples twice unless someone hooks this
into a table without "-p tcp --syn" */
addit = 0;
}
The problem is that it is the usual case that "found" will not equal NULL,
but the memcmp will also not equal 0. This makes it so
tuplehash_to_ctrack(found) is never run so "found_ct" is always NULL.
Later in the function "found_ct" is dereferenced when it is NULL, which
causes the kernel panic. These operations need to be reordered so it is
guarantee that if "found" != NULL then tuplehash_to_ctrack will always be
run.
Basically it needs to be changed to:
if (found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
Change the file to the above and recompile the kernel. I've tested on
2.6.11.7.
-Damon-
+-------------------------------------------------------+
| Damon Gray | Core Network Development |
| (404)302-9756 | Internap Network Services |
| dgray@internap.com | www.internap.com |
+-------------------------------------------------------+
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: FIX: connlimit NULL pointer kernel panic (was: connlimit patch crashes 2.6.11 kernel)
2005-05-18 21:15 FIX: connlimit NULL pointer kernel panic (was: connlimit patch crashes 2.6.11 kernel) Damon Gray
@ 2005-05-19 3:10 ` Pablo Neira
2005-05-19 7:58 ` Forte Systems - Iosif Peterfi
0 siblings, 1 reply; 4+ messages in thread
From: Pablo Neira @ 2005-05-19 3:10 UTC (permalink / raw)
To: Damon Gray; +Cc: mateusz, netfilter-devel, kaber
Damon Gray wrote:
> The problem is that it is the usual case that "found" will not equal
> NULL, but the memcmp will also not equal 0. This makes it so
> tuplehash_to_ctrack(found) is never run so "found_ct" is always NULL.
> Later in the function "found_ct" is dereferenced when it is NULL, which
> causes the kernel panic. These operations need to be reordered so it is
> guarantee that if "found" != NULL then tuplehash_to_ctrack will always
> be run.
>
> Basically it needs to be changed to:
>
> if (found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
> 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
> found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
nice, could you post a patch against SVN? so it can be applied easily.
While you are at it, could you sed 's/spin_lock/spin_lock_bh/g' as well?
a quick look tells me that current locking is wrong.
For the record, this patch should be re-made to work on top of the
conntrack-event-api, that way it will support more protocols than just
tcp. Actually, someone already did this thing some time ago [1].
[1]
https://lists.netfilter.org/pipermail/netfilter-devel/2004-November/017314.html
--
Pablo
^ permalink raw reply [flat|nested] 4+ messages in thread
* RE: FIX: connlimit NULL pointer kernel panic (was: connlimit patch crashes 2.6.11 kernel)
2005-05-19 3:10 ` Pablo Neira
@ 2005-05-19 7:58 ` Forte Systems - Iosif Peterfi
0 siblings, 0 replies; 4+ messages in thread
From: Forte Systems - Iosif Peterfi @ 2005-05-19 7:58 UTC (permalink / raw)
To: 'Pablo Neira'; +Cc: mateusz, netfilter-devel, kaber
[-- Attachment #1: Type: text/plain, Size: 1881 bytes --]
Here is a diff -urN patch for what has been discussed except the conntrack
event-api. Works fine on 2.6.1-gentoo-r8, patch-o-matic-ng-20050516.
Thanks a lot.
-----Original Message-----
From: netfilter-devel-bounces@lists.netfilter.org
[mailto:netfilter-devel-bounces@lists.netfilter.org] On Behalf Of Pablo
Neira
Sent: Thursday, May 19, 2005 6:11 AM
To: Damon Gray
Cc: mateusz@republika.pl; netfilter-devel@lists.netfilter.org;
kaber@trash.net
Subject: Re: FIX: connlimit NULL pointer kernel panic (was: connlimit patch
crashes 2.6.11 kernel)
Damon Gray wrote:
> The problem is that it is the usual case that "found" will not equal
> NULL, but the memcmp will also not equal 0. This makes it so
> tuplehash_to_ctrack(found) is never run so "found_ct" is always NULL.
> Later in the function "found_ct" is dereferenced when it is NULL, which
> causes the kernel panic. These operations need to be reordered so it is
> guarantee that if "found" != NULL then tuplehash_to_ctrack will always
> be run.
>
> Basically it needs to be changed to:
>
> if (found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
> 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
> found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
nice, could you post a patch against SVN? so it can be applied easily.
While you are at it, could you sed 's/spin_lock/spin_lock_bh/g' as well?
a quick look tells me that current locking is wrong.
For the record, this patch should be re-made to work on top of the
conntrack-event-api, that way it will support more protocols than just
tcp. Actually, someone already did this thing some time ago [1].
[1]
https://lists.netfilter.org/pipermail/netfilter-devel/2004-November/017314.h
tml
--
Pablo
--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/
[-- Attachment #2: ipt_connlimit.c.patch --]
[-- Type: application/octet-stream, Size: 1165 bytes --]
--- ipt_connlimit.c.orig 2005-05-19 10:15:30.000000000 +0300
+++ ipt_connlimit.c 2005-05-19 10:27:31.000000000 +0300
@@ -55,7 +55,7 @@
struct ipt_connlimit_conn *conn;
struct list_head *hash,*lh;
- spin_lock(&data->lock);
+ spin_lock_bh(&data->lock);
tuple = ct->tuplehash[0].tuple;
hash = &data->iphash[ipt_iphash(addr & mask)];
@@ -64,8 +64,8 @@
struct ip_conntrack *found_ct = NULL;
conn = list_entry(lh,struct ipt_connlimit_conn,list);
found = ip_conntrack_find_get(&conn->tuple,ct);
- if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
- found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
+ if (found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
+ 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
/* Just to be sure we have it only once in the list.
We should'nt see tuples twice unless someone hooks this
[-- Attachment #3: BitDefender.txt --]
[-- Type: text/plain, Size: 131 bytes --]
--
This message was scanned for spam and viruses by BitDefender.
For more information please visit http://linux.bitdefender.com/
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: FIX: connlimit NULL pointer kernel panic (was: connlimit patch crashes 2.6.11 kernel)
[not found] <20050519075405.7DF8640023@socios.momona.org>
@ 2005-05-19 11:30 ` Pablo Neira
0 siblings, 0 replies; 4+ messages in thread
From: Pablo Neira @ 2005-05-19 11:30 UTC (permalink / raw)
To: Forte Systems - Iosif Peterfi; +Cc: mateusz, netfilter-devel, kaber
[-- Attachment #1: Type: text/plain, Size: 364 bytes --]
Forte Systems - Iosif Peterfi wrote:
> Here is a diff -urN patch for what has been discussed except the conntrack
> event-api. Works fine on 2.6.1-gentoo-r8, patch-o-matic-ng-20050516.
Hm, didn't I also tell you that you have to sed
's/spin_unlock/spin_unlock_bh'?
well, it doesn't matter, attached the correct patch that applies cleanly
to pom-ng.
--
Pablo
[-- Attachment #2: x --]
[-- Type: text/plain, Size: 1583 bytes --]
Index: linux-2.6.11/net/ipv4/netfilter/ipt_connlimit.c
===================================================================
--- linux-2.6.11/net/ipv4/netfilter/ipt_connlimit.c (revision 3922)
+++ linux-2.6.11/net/ipv4/netfilter/ipt_connlimit.c (working copy)
@@ -55,7 +55,7 @@
struct ipt_connlimit_conn *conn;
struct list_head *hash,*lh;
- spin_lock(&data->lock);
+ spin_lock_bh(&data->lock);
tuple = ct->tuplehash[0].tuple;
hash = &data->iphash[ipt_iphash(addr & mask)];
@@ -64,9 +64,10 @@
struct ip_conntrack *found_ct = NULL;
conn = list_entry(lh,struct ipt_connlimit_conn,list);
found = ip_conntrack_find_get(&conn->tuple,ct);
- if (0 == memcmp(&conn->tuple,&tuple,sizeof(tuple)) &&
- found != NULL && (found_ct = tuplehash_to_ctrack(found)) != NULL &&
- found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
+ if (found != NULL
+ && (found_ct = tuplehash_to_ctrack(found)) != NULL
+ && 0 == memcmp(&conn->tuple,&tuple,sizeof(tuple))
+ && found_ct->proto.tcp.state != TCP_CONNTRACK_TIME_WAIT) {
/* Just to be sure we have it only once in the list.
We should'nt see tuples twice unless someone hooks this
into a table without "-p tcp --syn" */
@@ -111,7 +112,7 @@
#endif
conn = kmalloc(sizeof(*conn),GFP_ATOMIC);
if (NULL == conn) {
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
return -1;
}
memset(conn,0,sizeof(*conn));
@@ -120,7 +121,7 @@
list_add(&conn->list,hash);
matches++;
}
- spin_unlock(&data->lock);
+ spin_unlock_bh(&data->lock);
return matches;
}
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2005-05-19 11:30 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2005-05-18 21:15 FIX: connlimit NULL pointer kernel panic (was: connlimit patch crashes 2.6.11 kernel) Damon Gray
2005-05-19 3:10 ` Pablo Neira
2005-05-19 7:58 ` Forte Systems - Iosif Peterfi
[not found] <20050519075405.7DF8640023@socios.momona.org>
2005-05-19 11:30 ` Pablo Neira
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.