* BUG? a possible race between htable_find_get() and htable_put()
@ 2010-01-13  2:51 홍신 shin hong
  2010-01-13  6:39 ` Patrick McHardy
  0 siblings, 1 reply; 3+ messages in thread
From: 홍신 shin hong @ 2010-01-13  2:51 UTC (permalink / raw)
  To: netfilter-devel

Hi. I am reporting a suspected race between htable_find_get()
and htable_put() in net/netfilter/xt_hashlimit.c.

I found this issue while I read the code so that it might not realistic.
But, please examine the code to check possibility of race condition.

htable_put() first updates hinfo->use and then unlink the object from the list.
But, htable_find_get() first searches an object from the list,
and then updates hinfo->use.
Therefore, race would be possible for the following situation.

hinfo->use == 1.

htable_put()                          |  htable_find_get()
----------------------------------------------------------------------------
  atomic_dec_and_test(&hinfo->use) ;  |
                                      |  spin_lock_bh(&hashlimit_lock) ;
                                      |  hlist_for_each_entry(...) ;
                                      |  ...
                                      |  atomic_inc(&hinfo->use) ;
                                      |  spin_unlock_bh(&hashlimit_lock) ;
  spin_lock_bh(&hashlimit_lock) ;     |
  hlist_del(&hinfo->node) ;           |


* Re: BUG? a possible race between htable_find_get() and htable_put()
  2010-01-13  2:51 BUG? a possible race between htable_find_get() and htable_put() 홍신 shin hong
@ 2010-01-13  6:39 ` Patrick McHardy
  2010-01-13  6:41   ` Patrick McHardy
  0 siblings, 1 reply; 3+ messages in thread
From: Patrick McHardy @ 2010-01-13  6:39 UTC (permalink / raw)
  To: 홍신 shin hong; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 812 bytes --]

홍신 shin hong wrote:
> Hi. I am reporting a suspected race between htable_find_get()
> and htable_put() in net/netfilter/xt_hashlimit.c.
> 
> I found this issue while I read the code so that it might not realistic.
> But, please examine the code to check possibility of race condition.
> 
> htable_put() first updates hinfo->use and then unlink the object from the list.
> But, htable_find_get() first searches an object from the list,
> and then updates hinfo->use.

Nice catch, this does indeed look like a bug. The entire locking
concept seems a bit strange, we neither need an atomic_t for the
reference count nor two locks to protect the list. This patch
changes the code to use the hashlimit_mutex for list and reference
count protection.

I'll commit this later unless someone can spot further bugs :)

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 4751 bytes --]

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index dd16e40..02d95df 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -79,7 +79,7 @@ struct dsthash_ent {
 
 struct xt_hashlimit_htable {
 	struct hlist_node node;		/* global list of all htables */
-	atomic_t use;
+	int use;
 	u_int8_t family;
 
 	struct hashlimit_cfg1 cfg;	/* config */
@@ -97,8 +97,7 @@ struct xt_hashlimit_htable {
 	struct hlist_head hash[0];	/* hashtable itself */
 };
 
-static DEFINE_SPINLOCK(hashlimit_lock);	/* protects htables list */
-static DEFINE_MUTEX(hlimit_mutex);	/* additional checkentry protection */
+static DEFINE_MUTEX(hashlimit_mutex);	/* protects htables list */
 static HLIST_HEAD(hashlimit_htables);
 static struct kmem_cache *hashlimit_cachep __read_mostly;
 
@@ -232,7 +231,7 @@ static int htable_create_v0(struct xt_hashlimit_info *minfo, u_int8_t family)
 	for (i = 0; i < hinfo->cfg.size; i++)
 		INIT_HLIST_HEAD(&hinfo->hash[i]);
 
-	atomic_set(&hinfo->use, 1);
+	hinfo->use = 1;
 	hinfo->count = 0;
 	hinfo->family = family;
 	hinfo->rnd_initialized = 0;
@@ -250,9 +249,9 @@ static int htable_create_v0(struct xt_hashlimit_info *minfo, u_int8_t family)
 	hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
 	add_timer(&hinfo->timer);
 
-	spin_lock_bh(&hashlimit_lock);
+	mutex_lock(&hashlimit_mutex);
 	hlist_add_head(&hinfo->node, &hashlimit_htables);
-	spin_unlock_bh(&hashlimit_lock);
+	mutex_unlock(&hashlimit_mutex);
 
 	return 0;
 }
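Review bot: The `mutex_lock(&hashlimit_mutex);` added here runs while the caller already holds that same mutex: hashlimit_mt_check_v0() takes hashlimit_mutex and then calls htable_create_v0() without releasing it (see that hunk further down), and Linux mutexes are not recursive, so the first htable creation self-deadlocks. The list insertion should instead rely on the caller's lock: drop the lock/unlock pair and keep `hlist_add_head(&hinfo->node, &hashlimit_htables);	/* caller holds hashlimit_mutex */`. The htable_create() hunk that follows has the identical problem for hashlimit_mt_check(). htable_create_v0() begins outside this hunk.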
@@ -293,7 +292,7 @@ static int htable_create(struct xt_hashlimit_mtinfo1 *minfo, u_int8_t family)
 	for (i = 0; i < hinfo->cfg.size; i++)
 		INIT_HLIST_HEAD(&hinfo->hash[i]);
 
-	atomic_set(&hinfo->use, 1);
+	hinfo->use = 1;
 	hinfo->count = 0;
 	hinfo->family = family;
 	hinfo->rnd_initialized = 0;
@@ -312,9 +311,9 @@ static int htable_create(struct xt_hashlimit_mtinfo1 *minfo, u_int8_t family)
 	hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
 	add_timer(&hinfo->timer);
 
-	spin_lock_bh(&hashlimit_lock);
+	mutex_lock(&hashlimit_mutex);
 	hlist_add_head(&hinfo->node, &hashlimit_htables);
-	spin_unlock_bh(&hashlimit_lock);
+	mutex_unlock(&hashlimit_mutex);
 
 	return 0;
 }
@@ -380,25 +379,20 @@ static struct xt_hashlimit_htable *htable_find_get(const char *name,
 	struct xt_hashlimit_htable *hinfo;
 	struct hlist_node *pos;
 
-	spin_lock_bh(&hashlimit_lock);
 	hlist_for_each_entry(hinfo, pos, &hashlimit_htables, node) {
 		if (!strcmp(name, hinfo->pde->name) &&
 		    hinfo->family == family) {
-			atomic_inc(&hinfo->use);
-			spin_unlock_bh(&hashlimit_lock);
+			hinfo->use++;
 			return hinfo;
 		}
 	}
-	spin_unlock_bh(&hashlimit_lock);
 	return NULL;
 }
 
 static void htable_put(struct xt_hashlimit_htable *hinfo)
 {
-	if (atomic_dec_and_test(&hinfo->use)) {
-		spin_lock_bh(&hashlimit_lock);
+	if (--hinfo->use == 0) {
 		hlist_del(&hinfo->node);
-		spin_unlock_bh(&hashlimit_lock);
 		htable_destroy(hinfo);
 	}
 }
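Review bot: htable_put() drops the spinlock but takes no lock in its place, so `--hinfo->use` and `hlist_del(&hinfo->node)` now run against htable_find_get()'s `hinfo->use++` with no serialization at all, which is the same window the report describes. Wrap the body: `mutex_lock(&hashlimit_mutex);` before the `if` and `mutex_unlock(&hashlimit_mutex);` after it, so the decrement, the unlink and htable_destroy() happen under the same mutex as the lookup. That assumes every htable_put() caller runs in a context that may sleep; the callers are outside the hunk. htable_find_get() itself no longer takes any lock, so it should carry `/* caller must hold hashlimit_mutex */` above its definition.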
@@ -687,19 +681,13 @@ static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
 	if (r->name[sizeof(r->name) - 1] != '\0')
 		return false;
 
-	/* This is the best we've got: We cannot release and re-grab lock,
-	 * since checkentry() is called before x_tables.c grabs xt_mutex.
-	 * We also cannot grab the hashtable spinlock, since htable_create will
-	 * call vmalloc, and that can sleep.  And we cannot just re-search
-	 * the list of htable's in htable_create(), since then we would
-	 * create duplicate proc files. -HW */
-	mutex_lock(&hlimit_mutex);
+	mutex_lock(&hashlimit_mutex);
 	r->hinfo = htable_find_get(r->name, par->match->family);
 	if (!r->hinfo && htable_create_v0(r, par->match->family) != 0) {
-		mutex_unlock(&hlimit_mutex);
+		mutex_unlock(&hashlimit_mutex);
 		return false;
 	}
-	mutex_unlock(&hlimit_mutex);
+	mutex_unlock(&hashlimit_mutex);
 
 	return true;
 }
@@ -728,19 +716,13 @@ static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
 			return false;
 	}
 
-	/* This is the best we've got: We cannot release and re-grab lock,
-	 * since checkentry() is called before x_tables.c grabs xt_mutex.
-	 * We also cannot grab the hashtable spinlock, since htable_create will
-	 * call vmalloc, and that can sleep.  And we cannot just re-search
-	 * the list of htable's in htable_create(), since then we would
-	 * create duplicate proc files. -HW */
-	mutex_lock(&hlimit_mutex);
+	mutex_lock(&hashlimit_mutex);
 	info->hinfo = htable_find_get(info->name, par->match->family);
 	if (!info->hinfo && htable_create(info, par->match->family) != 0) {
-		mutex_unlock(&hlimit_mutex);
+		mutex_unlock(&hashlimit_mutex);
 		return false;
 	}
-	mutex_unlock(&hlimit_mutex);
+	mutex_unlock(&hashlimit_mutex);
 	return true;
 }
 


* Re: BUG? a possible race between htable_find_get() and htable_put()
  2010-01-13  6:39 ` Patrick McHardy
@ 2010-01-13  6:41   ` Patrick McHardy
  0 siblings, 0 replies; 3+ messages in thread
From: Patrick McHardy @ 2010-01-13  6:41 UTC (permalink / raw)
  To: 홍신 shin hong; +Cc: netfilter-devel

[-- Attachment #1: Type: text/plain, Size: 966 bytes --]

Patrick McHardy wrote:
> 홍신 shin hong wrote:
>> Hi. I am reporting a suspected race between htable_find_get()
>> and htable_put() in net/netfilter/xt_hashlimit.c.
>>
>> I found this issue while I read the code so that it might not realistic.
>> But, please examine the code to check possibility of race condition.
>>
>> htable_put() first updates hinfo->use and then unlink the object from the list.
>> But, htable_find_get() first searches an object from the list,
>> and then updates hinfo->use.
> 
> Nice catch, this does indeed look like a bug. The entire locking
> concept seems a bit strange, we neither need an atomic_t for the
> reference count nor two locks to protect the list. This patch
> changes the code to use the hashlimit_mutex for list and reference
> count protection.
> 
> I'll commit this later unless someone can spot further bugs :)

Locking around list removal and destruction was missing from the
previous patch, fixed version attached.

[-- Attachment #2: x --]
[-- Type: text/plain, Size: 4882 bytes --]

diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index dd16e40..4a72044 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -79,7 +79,7 @@ struct dsthash_ent {
 
 struct xt_hashlimit_htable {
 	struct hlist_node node;		/* global list of all htables */
-	atomic_t use;
+	int use;
 	u_int8_t family;
 
 	struct hashlimit_cfg1 cfg;	/* config */
@@ -97,8 +97,7 @@ struct xt_hashlimit_htable {
 	struct hlist_head hash[0];	/* hashtable itself */
 };
 
-static DEFINE_SPINLOCK(hashlimit_lock);	/* protects htables list */
-static DEFINE_MUTEX(hlimit_mutex);	/* additional checkentry protection */
+static DEFINE_MUTEX(hashlimit_mutex);	/* protects htables list */
 static HLIST_HEAD(hashlimit_htables);
 static struct kmem_cache *hashlimit_cachep __read_mostly;
 
@@ -232,7 +231,7 @@ static int htable_create_v0(struct xt_hashlimit_info *minfo, u_int8_t family)
 	for (i = 0; i < hinfo->cfg.size; i++)
 		INIT_HLIST_HEAD(&hinfo->hash[i]);
 
-	atomic_set(&hinfo->use, 1);
+	hinfo->use = 1;
 	hinfo->count = 0;
 	hinfo->family = family;
 	hinfo->rnd_initialized = 0;
@@ -250,9 +249,9 @@ static int htable_create_v0(struct xt_hashlimit_info *minfo, u_int8_t family)
 	hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
 	add_timer(&hinfo->timer);
 
-	spin_lock_bh(&hashlimit_lock);
+	mutex_lock(&hashlimit_mutex);
 	hlist_add_head(&hinfo->node, &hashlimit_htables);
-	spin_unlock_bh(&hashlimit_lock);
+	mutex_unlock(&hashlimit_mutex);
 
 	return 0;
 }
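Review bot: This hunk still takes hashlimit_mutex inside htable_create_v0() although hashlimit_mt_check_v0() already holds it when it calls htable_create_v0() (visible in the later hunk, where the unlock comes only after the create); a non-recursive mutex taken twice by the same task deadlocks, so every first-time htable creation would hang. Remove the lock/unlock pair here and keep `hlist_add_head(&hinfo->node, &hashlimit_htables);	/* caller holds hashlimit_mutex */`. The htable_create() hunk below has the same problem with hashlimit_mt_check(). htable_create_v0() begins outside this hunk.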
@@ -293,7 +292,7 @@ static int htable_create(struct xt_hashlimit_mtinfo1 *minfo, u_int8_t family)
 	for (i = 0; i < hinfo->cfg.size; i++)
 		INIT_HLIST_HEAD(&hinfo->hash[i]);
 
-	atomic_set(&hinfo->use, 1);
+	hinfo->use = 1;
 	hinfo->count = 0;
 	hinfo->family = family;
 	hinfo->rnd_initialized = 0;
@@ -312,9 +311,9 @@ static int htable_create(struct xt_hashlimit_mtinfo1 *minfo, u_int8_t family)
 	hinfo->timer.expires = jiffies + msecs_to_jiffies(hinfo->cfg.gc_interval);
 	add_timer(&hinfo->timer);
 
-	spin_lock_bh(&hashlimit_lock);
+	mutex_lock(&hashlimit_mutex);
 	hlist_add_head(&hinfo->node, &hashlimit_htables);
-	spin_unlock_bh(&hashlimit_lock);
+	mutex_unlock(&hashlimit_mutex);
 
 	return 0;
 }
@@ -380,27 +379,24 @@ static struct xt_hashlimit_htable *htable_find_get(const char *name,
 	struct xt_hashlimit_htable *hinfo;
 	struct hlist_node *pos;
 
-	spin_lock_bh(&hashlimit_lock);
 	hlist_for_each_entry(hinfo, pos, &hashlimit_htables, node) {
 		if (!strcmp(name, hinfo->pde->name) &&
 		    hinfo->family == family) {
-			atomic_inc(&hinfo->use);
-			spin_unlock_bh(&hashlimit_lock);
+			hinfo->use++;
 			return hinfo;
 		}
 	}
-	spin_unlock_bh(&hashlimit_lock);
 	return NULL;
 }
 
 static void htable_put(struct xt_hashlimit_htable *hinfo)
 {
-	if (atomic_dec_and_test(&hinfo->use)) {
-		spin_lock_bh(&hashlimit_lock);
+	mutex_lock(&hashlimit_mutex);
+	if (--hinfo->use == 0) {
 		hlist_del(&hinfo->node);
-		spin_unlock_bh(&hashlimit_lock);
 		htable_destroy(hinfo);
 	}
+	mutex_unlock(&hashlimit_mutex);
 }
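Review bot: htable_find_get() now walks the global list and does `hinfo->use++` without any lock of its own, but nothing tells a reader that the caller must hold hashlimit_mutex. Add `/* caller must hold hashlimit_mutex */` above its definition, and in the struct xt_hashlimit_htable hunk document the field that replaced the atomic_t as `int use;	/* protected by hashlimit_mutex */`, since a plain int is only safe under that mutex. htable_put() now blocks in mutex_lock(), so it may only be called from a context that can sleep; its callers are outside the hunk, so that should be confirmed.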
 
 /* The algorithm used is the Simple Token Bucket Filter (TBF)
@@ -687,19 +683,13 @@ static bool hashlimit_mt_check_v0(const struct xt_mtchk_param *par)
 	if (r->name[sizeof(r->name) - 1] != '\0')
 		return false;
 
-	/* This is the best we've got: We cannot release and re-grab lock,
-	 * since checkentry() is called before x_tables.c grabs xt_mutex.
-	 * We also cannot grab the hashtable spinlock, since htable_create will
-	 * call vmalloc, and that can sleep.  And we cannot just re-search
-	 * the list of htable's in htable_create(), since then we would
-	 * create duplicate proc files. -HW */
-	mutex_lock(&hlimit_mutex);
+	mutex_lock(&hashlimit_mutex);
 	r->hinfo = htable_find_get(r->name, par->match->family);
 	if (!r->hinfo && htable_create_v0(r, par->match->family) != 0) {
-		mutex_unlock(&hlimit_mutex);
+		mutex_unlock(&hashlimit_mutex);
 		return false;
 	}
-	mutex_unlock(&hlimit_mutex);
+	mutex_unlock(&hashlimit_mutex);
 
 	return true;
 }
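Review bot: The removed -HW comment was the only explanation of why hashlimit_mt_check_v0() keeps a mutex held across both the lookup and htable_create_v0(): releasing it in between would let two concurrent checkentry calls create duplicate htables and proc files. The new code still depends on that, so a one-line note above `mutex_lock(&hashlimit_mutex);` should survive, e.g. `/* hold the mutex across lookup and create so concurrent checkentry calls cannot create duplicate htables */`. The same applies to the hashlimit_mt_check() hunk that follows. The functions' earlier argument checks are outside the hunk.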
@@ -728,19 +718,13 @@ static bool hashlimit_mt_check(const struct xt_mtchk_param *par)
 			return false;
 	}
 
-	/* This is the best we've got: We cannot release and re-grab lock,
-	 * since checkentry() is called before x_tables.c grabs xt_mutex.
-	 * We also cannot grab the hashtable spinlock, since htable_create will
-	 * call vmalloc, and that can sleep.  And we cannot just re-search
-	 * the list of htable's in htable_create(), since then we would
-	 * create duplicate proc files. -HW */
-	mutex_lock(&hlimit_mutex);
+	mutex_lock(&hashlimit_mutex);
 	info->hinfo = htable_find_get(info->name, par->match->family);
 	if (!info->hinfo && htable_create(info, par->match->family) != 0) {
-		mutex_unlock(&hlimit_mutex);
+		mutex_unlock(&hashlimit_mutex);
 		return false;
 	}
-	mutex_unlock(&hlimit_mutex);
+	mutex_unlock(&hashlimit_mutex);
 	return true;
 }
 

