Re: [PATCH] netfilter: xt_connlimit: fix race in connection counting

public inbox for stable@vger.kernel.org
 help / color / mirror / Atom feed

From: Greg KH <gregkh@linuxfoundation.org>
To: Alakesh Haloi <alakeshh@amazon.com>
Cc: stable@vger.kernel.org, Pablo Neira Ayuso <pablo@netfilter.org>,
	Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
	Florian Westphal <fw@strlen.de>,
	"David S. Miller" <davem@davemloft.net>
Subject: Re: [PATCH] netfilter: xt_connlimit: fix race in connection counting
Date: Tue, 20 Nov 2018 08:48:39 +0100	[thread overview]
Message-ID: <20181120074839.GC15276@kroah.com> (raw)
In-Reply-To: <20181119221732.GA82454@dev-dsk-alakeshh-2c-f8a3e6e0.us-west-2.amazon.com>

On Mon, Nov 19, 2018 at 10:17:38PM +0000, Alakesh Haloi wrote:
> An iptable rule like the following on a multicore systems will result in
> accepting more connections than set in the rule.
> 
> iptables  -A INPUT -p tcp -m tcp --syn --dport 7777 -m connlimit \
>       --connlimit-above 2000 --connlimit-mask 0 -j DROP
> 
> In check_hlist function, connections that are found in saved connections
> but not in netfilter conntrack are deleted, assuming that those
> connections do not exist anymore. But for multi core systems, there exists
> a small time window, when a connection has been added to the xt_connlimit
> maintained rb-tree but has not yet made to netfilter conntrack table. This
> causes concurrent connections to return incorrect counts and go over limit
> set in iptable rule.
> 
> Connection 1 on  Core 1                Connection 2 on Core 2
> 
> list_length = N
> conntrack_table_len = N
> spin_lock_bh()
> In check_hlist() function
> a. loop over saved connections
>   1.  call nf_conntrack_find_get()
>   2.  If not found in 1,
>     i.  call hlist_del()
> b. return total count to caller
> c. connection gets added to list
>    of  saved connections.
> spin_unlock_bh()
> 				      list_length = N + 1
>                                       spin_lock_bh()   on core 2
> 				      In check_hlist() function
>                                       a. loop over saved connection.
>                                         1. call nf_conntrack_find_get()
>                                         2. If not found in  1.
>                                           i.   call hlist_del()
> 					     [Connection 1 was in the
>                                               but not in nf_conntrack yet]
> 					  ii. connection 1 gets deleted
> 
> 				      list_length = N
> 				      conntrack_table_len = N
> 				      b. return total count to caller
> 				      c. connection 2 gets added to list
> 				      of saved connections
> 				      spin_unlock_bh()
> 
> d. connection 1 gets added to
>    nf_conntrack
> list_length = N + 1
> conntrack_table_len = N + 1
> 				      e. connection 2 gets added to
> 					 nf_conntrack
> 				      list_length = N + 1
> 				      conntrack_table_len = N + 2
> 
> So we end up with N + 1 connections in the list but N + 2 in nf_conntrack,
> allowing more number of connections eventually than set in the rule.
> 
> This fix adds an additional field to track such pending connections
> and prevent them from being deleted by another execution thread on
> a different core and returns correct count.
> 
> Signed-off-by: Alakesh Haloi <alakeshh@amazon.com>
> Cc: Pablo Neira Ayuso <pablo@netfilter.org>
> Cc: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
> Cc: Florian Westphal <fw@strlen.de>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: stable@vger.kernel.org # v4.15 and before
> ---
>  net/netfilter/xt_connlimit.c | 24 +++++++++++++++++++++---
>  1 file changed, 21 insertions(+), 3 deletions(-)

What is the git commit id of this patch in Linus's tree?

thanks,

greg k-h

next prev parent reply	other threads:[~2018-11-20 18:16 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-11-19 22:17 [PATCH] netfilter: xt_connlimit: fix race in connection counting Alakesh Haloi
2018-11-20  7:48 ` Greg KH [this message]
2018-11-20  9:44   ` Pablo Neira Ayuso
2018-11-21  0:21     ` Alakesh Haloi
2018-11-21  0:51       ` Florian Westphal
2018-11-27 22:22         ` Alakesh Haloi
2018-11-27 22:38           ` Florian Westphal
2018-11-28 23:33             ` Alakesh Haloi
2018-11-29  0:28               ` Florian Westphal
2018-12-07  0:49                 ` Alakesh Haloi
2019-01-03  0:01                 ` Alakesh Haloi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20181120074839.GC15276@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=alakeshh@amazon.com \
    --cc=davem@davemloft.net \
    --cc=fw@strlen.de \
    --cc=kadlec@blackhole.kfki.hu \
    --cc=pablo@netfilter.org \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox