* netfilter -stable: nf_conntrack_tcp: fix endless loop
@ 2008-07-17 12:07 Patrick McHardy
2008-07-30 22:09 ` patch netfilter-stable-nf_conntrack_tcp-fix-endless-loop.patch added to 2.6.25-stable tree gregkh
0 siblings, 1 reply; 2+ messages in thread
From: Patrick McHardy @ 2008-07-17 12:07 UTC
To: stable; +Cc: David S. Miller, Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 141 bytes --]
This patch for 2.6.25.x fixes a race condition between TCP conntrack
and ctnetlink that can lead to an endless loop.
Please apply, thanks.
[-- Attachment #2: 01.diff --]
[-- Type: text/x-diff, Size: 1896 bytes --]
commit e85c8c076640e9cd42fb52f27fea16f74b236626
Author: Patrick McHardy <kaber@trash.net>
Date: Thu Jul 17 14:06:16 2008 +0200
netfilter: nf_conntrack_tcp: fix endless loop
Upstream commit 6b69fe0:
When a conntrack entry is destroyed in process context and destruction
is interrupted by packet processing and the packet is an attempt to
reopen a closed connection, TCP conntrack tries to kill the old entry
itself and returns NF_REPEAT to pass the packet through the hook
again. This may lead to an endless loop: TCP conntrack repeatedly
finds the old entry, but can not kill it itself since destruction
is already in progress, but destruction in process context can not
complete since TCP conntrack is keeping the CPU busy.
Drop the packet in TCP conntrack if we can't kill the connection
ourselves to avoid this.
Reported by: hemao77@gmail.com [ Kernel bugzilla #11058 ]
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
diff --git a/net/netfilter/nf_conntrack_proto_tcp.c b/net/netfilter/nf_conntrack_proto_tcp.c
index 6256795..73cef18 100644
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -844,9 +844,15 @@ static int tcp_packet(struct nf_conn *ct,
/* Attempt to reopen a closed/aborted connection.
* Delete this connection and look up again. */
write_unlock_bh(&tcp_lock);
- if (del_timer(&ct->timeout))
+ /* Only repeat if we can actually remove the timer.
+ * Destruction may already be in progress in process
+ * context and we must give it a chance to terminate.
+ */
+ if (del_timer(&ct->timeout)) {
ct->timeout.function((unsigned long)ct);
- return -NF_REPEAT;
+ return -NF_REPEAT;
+ }
+ return -NF_DROP;
}
/* Fall through */
case TCP_CONNTRACK_IGNORE:
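Review bot: the new `return -NF_DROP;` at the end of this branch discards the packet that is trying to reopen the connection, and the added comment does not say so: it explains when to repeat, not what happens otherwise. Recovery then depends on the sender retransmitting after destruction in process context has finished, so a short comment on that line (for example "destruction already in progress, drop and let the peer retry") would make the trade-off visible to the next reader.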
* patch netfilter-stable-nf_conntrack_tcp-fix-endless-loop.patch added to 2.6.25-stable tree
2008-07-17 12:07 netfilter -stable: nf_conntrack_tcp: fix endless loop Patrick McHardy
@ 2008-07-30 22:09 ` gregkh
0 siblings, 0 replies; 2+ messages in thread
From: gregkh @ 2008-07-30 22:09 UTC
To: kaber, davem, gregkh, netfilter-devel; +Cc: stable, stable-commits
This is a note to let you know that we have just queued up the patch titled
Subject: netfilter -stable: nf_conntrack_tcp: fix endless loop
to the 2.6.25-stable tree. Its filename is
netfilter-stable-nf_conntrack_tcp-fix-endless-loop.patch
A git repo of this tree can be found at
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
>From stable-bounces@linux.kernel.org Thu Jul 17 05:08:03 2008
From: Patrick McHardy <kaber@trash.net>
Date: Thu, 17 Jul 2008 14:07:47 +0200
Subject: netfilter -stable: nf_conntrack_tcp: fix endless loop
To: stable@kernel.org
Cc: Netfilter Development Mailinglist <netfilter-devel@vger.kernel.org>, "David S. Miller" <davem@davemloft.net>
Message-ID: <487F3613.6040708@trash.net>
From: Patrick McHardy <kaber@trash.net>
netfilter: nf_conntrack_tcp: fix endless loop
Upstream commit 6b69fe0:
When a conntrack entry is destroyed in process context and destruction
is interrupted by packet processing and the packet is an attempt to
reopen a closed connection, TCP conntrack tries to kill the old entry
itself and returns NF_REPEAT to pass the packet through the hook
again. This may lead to an endless loop: TCP conntrack repeatedly
finds the old entry, but can not kill it itself since destruction
is already in progress, but destruction in process context can not
complete since TCP conntrack is keeping the CPU busy.
Drop the packet in TCP conntrack if we can't kill the connection
ourselves to avoid this.
Reported by: hemao77@gmail.com [ Kernel bugzilla #11058 ]
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -845,9 +845,15 @@ static int tcp_packet(struct nf_conn *ct
/* Attempt to reopen a closed/aborted connection.
* Delete this connection and look up again. */
write_unlock_bh(&tcp_lock);
- if (del_timer(&ct->timeout))
+ /* Only repeat if we can actually remove the timer.
+ * Destruction may already be in progress in process
+ * context and we must give it a chance to terminate.
+ */
+ if (del_timer(&ct->timeout)) {
ct->timeout.function((unsigned long)ct);
- return -NF_REPEAT;
+ return -NF_REPEAT;
+ }
+ return -NF_DROP;
}
/* Fall through */
case TCP_CONNTRACK_IGNORE:
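Review bot: the comment above `if (del_timer(&ct->timeout)) {` names only destruction in process context, but the `return -NF_DROP;` path is taken whenever `del_timer()` returns 0, which also covers the timeout having already expired on its own. Wording the comment as "someone else already owns destruction of this entry" would match the condition the code actually tests.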
Patches currently in stable-queue which might be from kaber@trash.net are
queue-2.6.25/netfilter-stable-nf_conntrack_tcp-fix-endless-loop.patch