From: Vishwanath Pai <vpai@akamai.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Patrick McHardy <kaber@trash.net>,
netfilter-devel@vger.kernel.org, coreteam@netfilter.org,
johunt@akamai.com, netdev@vger.kernel.org
Subject: Re: [PATCH] netfilter: fix race condition in ipset save and delete
Date: Sun, 13 Mar 2016 12:25:36 -0400 [thread overview]
Message-ID: <56E59480.1060304@akamai.com> (raw)
In-Reply-To: <alpine.DEB.2.10.1603131254230.18557@blackhole.kfki.hu>
Hi Jozsef,
On 03/13/2016 08:07 AM, Jozsef Kadlecsik wrote:
> Hi,
>
> On Sat, 12 Mar 2016, Vishwanath Pai wrote:
>
>> netfilter: fix race condition in ipset save and delete
>>
>> This fix adds a new reference counter (ref_kernel) for the struct ip_set.
>> The other reference counter (ref) is used to track references from the
>> userspace and we need a separate counter to keep track of in-kernel
>> references. Using the same ref counter for both userspace and kernel
>> references causes a race condition which can be demonstrated by the
>> following script:
>>
>> #!/bin/sh
>> ipset create hash_ip1 hash:ip family inet hashsize 1024 maxelem 500000 \
>> counters
>> ipset create hash_ip2 hash:ip family inet hashsize 300000 maxelem 500000 \
>> counters
>> ipset create hash_ip3 hash:ip family inet hashsize 1024 maxelem 500000 \
>> counters
>>
>> ipset save &
>>
>> ipset swap hash_ip3 hash_ip2
>> ipset destroy hash_ip3 /* will crash the machine */
>>
>> Swap will exchange the values of ref so destroy will see ref = 0 instead of
>> ref = 1. With this fix in place swap will not suceed because ipset save
>> still has ref_kernel on the set (ip_set_swap doesn't swap ref_kernel).
>>
>> Both delete and swap will error out if ref_kernel != 0 on the set.
>>
>> Note: The changes to *_head functions is because previously we would
>> increment ref whenever we called these functions, we don't do that
>> anymore.
>
> Overall, I agree with your patch, however I disagree with the description
> and some details.
>
> It's a race between dump & swap and then destroy - dump and destroy are
> safe. The "ref" reference counter *is* kernel related: it keeps track of
> references from other kernel subsystems (netfilter matches/targets) and
> from ipset itself when a set is a member of another set. It would be
> misleading to call "ref" as userspace reference counter.
>
> The reference counter you introduce is for netlink events (technically
> just for dump), so it would better be named "ref_netlink" instead of
> "ref_kernel" (similarly, ip_set_get|put_ref_netlink).
>
> Please update the patch, the description and resubmit. Thanks!
>
> Best regards,
> Jozsef
>
Thanks for reviewing, I will update the patch and send it again.
Thanks,
Vishwanath
prev parent reply other threads:[~2016-03-13 16:25 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-03-13 2:33 [PATCH] netfilter: fix race condition in ipset save and delete Vishwanath Pai
2016-03-13 12:07 ` Jozsef Kadlecsik
2016-03-13 16:25 ` Vishwanath Pai [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=56E59480.1060304@akamai.com \
--to=vpai@akamai.com \
--cc=coreteam@netfilter.org \
--cc=johunt@akamai.com \
--cc=kaber@trash.net \
--cc=kadlec@blackhole.kfki.hu \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).