* [Patch net v2] ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()
@ 2018-02-08 21:53 Cong Wang
2018-02-08 21:53 ` Florian Westphal
2018-02-14 19:50 ` Pablo Neira Ayuso
0 siblings, 2 replies; 3+ messages in thread
From: Cong Wang @ 2018-02-08 21:53 UTC (permalink / raw)
To: netdev
Cc: netfilter-devel, pabeni, Cong Wang, Eric Dumazet,
Pablo Neira Ayuso, Florian Westphal
In clusterip_config_find_get() we hold RCU read lock so it could
run concurrently with clusterip_config_entry_put(), as a result,
the refcnt could go back to 1 from 0, which leads to a double
list_del()... Just replace refcount_inc() with
refcount_inc_not_zero(), as for c->refcount.
Fixes: d73f33b16883 ("netfilter: CLUSTERIP: RCU conversion")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>
Cc: Florian Westphal <fw@strlen.de>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
net/ipv4/netfilter/ipt_CLUSTERIP.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 1ff72b87a066..4b02ab39ebc5 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -154,8 +154,12 @@ clusterip_config_find_get(struct net *net, __be32 clusterip, int entry)
#endif
if (unlikely(!refcount_inc_not_zero(&c->refcount)))
c = NULL;
- else if (entry)
- refcount_inc(&c->entries);
+ else if (entry) {
+ if (unlikely(!refcount_inc_not_zero(&c->entries))) {
+ clusterip_config_put(c);
+ c = NULL;
+ }
+ }
}
rcu_read_unlock_bh();
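Review bot: The new failure branch under `else if (entry) {` calls clusterip_config_put(c) and sets c = NULL with no comment saying why the c->refcount reference taken two lines earlier has to be undone. A one-line comment would help, stating that c->entries at zero means the config is already being unlinked, so the lookup must drop its reference and report a miss. The extra nesting can also be flattened to `else if (entry && unlikely(!refcount_inc_not_zero(&c->entries))) {`, which keeps both failure paths at the same indentation. Since the put now runs before rcu_read_unlock_bh(), it is worth confirming in the changelog that clusterip_config_put() is safe to call inside that read-side section; the hunk alone does not show it.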
--
2.13.0
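The interleaving described in the commit message, replayed single-threaded with userspace C11 atomics as an added example (not part of the patch or of the kernel source). `model_ref`, the `model_*` helpers and `unlinks_after_late_lookup()` are hypothetical names, and the unconditional increment is assumed to behave as a plain atomic add.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace stand-in for a kernel refcount (constructed for this example). */
typedef struct { atomic_uint refs; } model_ref;

/* Unconditional increment, modelled as a plain atomic add: works even at 0. */
static void model_inc(model_ref *r) { atomic_fetch_add(&r->refs, 1); }

/* Take a reference only while the count is non-zero. */
static bool model_inc_not_zero(model_ref *r)
{
    unsigned int old = atomic_load(&r->refs);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&r->refs, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; true means this caller hit 1 -> 0 and owns the unlink. */
static bool model_dec_and_test(model_ref *r) { return atomic_fetch_sub(&r->refs, 1) == 1; }

/* Replays: last put, late lookup, that lookup's put. Returns unlink count. */
int unlinks_after_late_lookup(bool use_inc_not_zero)
{
    model_ref entries;
    int unlinks = 0;
    bool got = true;
    atomic_init(&entries.refs, 1);
    if (model_dec_and_test(&entries))
        unlinks++;                              /* legitimate unlink */
    if (use_inc_not_zero)
        got = model_inc_not_zero(&entries);     /* refused: count is 0 */
    else
        model_inc(&entries);                    /* count revived 0 -> 1 */
    if (got && model_dec_and_test(&entries))
        unlinks++;                              /* second unlink of same entry */
    return unlinks;
}

int main(void)
{
    printf("inc: %d unlinks, inc_not_zero: %d unlinks\n", unlinks_after_late_lookup(false), unlinks_after_late_lookup(true));
    return 0;
}
```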
* Re: [Patch net v2] ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()
From: Florian Westphal @ 2018-02-08 21:53 UTC (permalink / raw)
To: Cong Wang
Cc: netdev, netfilter-devel, pabeni, Eric Dumazet, Pablo Neira Ayuso,
Florian Westphal
Cong Wang <xiyou.wangcong@gmail.com> wrote:
> In clusterip_config_find_get() we hold RCU read lock so it could
> run concurrently with clusterip_config_entry_put(), as a result,
> the refcnt could go back to 1 from 0, which leads to a double
> list_del()... Just replace refcount_inc() with
> refcount_inc_not_zero(), as for c->refcount.
Reviewed-by: Florian Westphal <fw@strlen.de>
* Re: [Patch net v2] ipt_CLUSTERIP: fix a refcount bug in clusterip_config_find_get()
From: Pablo Neira Ayuso @ 2018-02-14 19:50 UTC (permalink / raw)
To: Cong Wang; +Cc: netdev, netfilter-devel, pabeni, Eric Dumazet, Florian Westphal
On Thu, Feb 08, 2018 at 01:53:52PM -0800, Cong Wang wrote:
> In clusterip_config_find_get() we hold RCU read lock so it could
> run concurrently with clusterip_config_entry_put(), as a result,
> the refcnt could go back to 1 from 0, which leads to a double
> list_del()... Just replace refcount_inc() with
> refcount_inc_not_zero(), as for c->refcount.
Applied, thanks Cong.