From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Netfilter Development Mailinglist
<netfilter-devel@vger.kernel.org>,
"David S. Miller" <davem@davemloft.net>,
Patrick McHardy <kaber@trash.net>
Subject: [patch 28/29] netfilter -stable: nf_conntrack_tcp: fix endless loop
Date: Wed, 30 Jul 2008 16:27:45 -0700
Message-ID: <20080730232745.GC30670@suse.de>
In-Reply-To: <20080730232451.GA30670@suse.de>
[-- Attachment #1: netfilter-stable-nf_conntrack_tcp-fix-endless-loop.patch --]
[-- Type: text/plain, Size: 1876 bytes --]
2.6.25-stable review patch. If anyone has any objections, please let us
know.
------------------
From: Patrick McHardy <kaber@trash.net>
netfilter: nf_conntrack_tcp: fix endless loop
Upstream commit 6b69fe0:
When a conntrack entry is destroyed in process context and destruction
is interrupted by packet processing and the packet is an attempt to
reopen a closed connection, TCP conntrack tries to kill the old entry
itself and returns NF_REPEAT to pass the packet through the hook
again. This may lead to an endless loop: TCP conntrack repeatedly
finds the old entry, but can not kill it itself since destruction
is already in progress, but destruction in process context can not
complete since TCP conntrack is keeping the CPU busy.
Drop the packet in TCP conntrack if we can't kill the connection
ourselves to avoid this.
Reported by: hemao77@gmail.com [ Kernel bugzilla #11058 ]
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/netfilter/nf_conntrack_proto_tcp.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_conntrack_proto_tcp.c
+++ b/net/netfilter/nf_conntrack_proto_tcp.c
@@ -845,9 +845,15 @@ static int tcp_packet(struct nf_conn *ct
/* Attempt to reopen a closed/aborted connection.
* Delete this connection and look up again. */
write_unlock_bh(&tcp_lock);
- if (del_timer(&ct->timeout))
+ /* Only repeat if we can actually remove the timer.
+ * Destruction may already be in progress in process
+ * context and we must give it a chance to terminate.
+ */
+ if (del_timer(&ct->timeout)) {
ct->timeout.function((unsigned long)ct);
- return -NF_REPEAT;
+ return -NF_REPEAT;
+ }
+ return -NF_DROP;
}
/* Fall through */
case TCP_CONNTRACK_IGNORE:
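Review bot: the new "return -NF_DROP;" at the end of the reopen branch negates the verdict the same way "return -NF_REPEAT;" does, but NF_DROP is defined as 0 in linux/netfilter.h, so the value actually returned is plain 0 and carries no sign. Please confirm that the caller of tcp_packet() treats a 0 return as a drop; if it only acts on negative return values, the packet would continue through the hook instead of being dropped. The new comment could also say why dropping is acceptable at this point (presumably the sender retransmits and the reopen succeeds once destruction has finished), since "Only repeat if we can actually remove the timer" explains the NF_REPEAT path but not the drop.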
--