From: Ben Hutchings <ben@decadent.org.uk>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: akpm@linux-foundation.org, "Liping Zhang" <zlpnobody@gmail.com>,
"Pablo Neira Ayuso" <pablo@netfilter.org>
Subject: [PATCH 3.2 39/59] netfilter: ctnetlink: make it safer when updating ct->status
Date: Fri, 18 Aug 2017 14:13:13 +0100 [thread overview]
Message-ID: <lsq.1503061993.484220627@decadent.org.uk> (raw)
In-Reply-To: <lsq.1503061990.137512306@decadent.org.uk>
3.2.92-rc1 review patch. If anyone has any objections, please let me know.
------------------
From: Liping Zhang <zlpnobody@gmail.com>
commit 53b56da83d7899de375a9de153fd7f5397de85e6 upstream.
After converting to use rcu for conntrack hash, one CPU may update
the ct->status via ctnetlink, while another CPU may process the
packets and update the ct->status.
So the non-atomic operation "ct->status |= status;" via ctnetlink
becomes unsafe, and this may clear the IPS_DYING_BIT bit set by
another CPU unexpectedly. For example:
CPU0 CPU1
ctnetlink_change_status __nf_conntrack_find_get
old = ct->status nf_ct_gc_expired
- nf_ct_kill
- test_and_set_bit(IPS_DYING_BIT
new = old | status; -
ct->status = new; <-- oops, _DYING_ is cleared!
Now using a series of atomic bit operation to solve the above issue.
Also note, user shouldn't set IPS_TEMPLATE, IPS_SEQ_ADJUST directly,
so make these two bits be unchangable too.
If we set the IPS_TEMPLATE_BIT, ct will be freed by nf_ct_tmpl_free,
but actually it is alloced by nf_conntrack_alloc.
If we set the IPS_SEQ_ADJUST_BIT, this may cause the NULL pointer
deference, as the nfct_seqadj(ct) maybe NULL.
Last, add some comments to describe the logic change due to the
commit a963d710f367 ("netfilter: ctnetlink: Fix regression in CTA_STATUS
processing"), which makes me feel a little confusing.
Fixes: 76507f69c44e ("[NETFILTER]: nf_conntrack: use RCU for conntrack hash")
Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
[bwh: Backported to 3.2:
- IPS_UNCHANGEABLE_MASK was not previously defined and ctnetlink_update_status()
is not needed
- enum ip_conntrack_status only assigns 13 bits
- Adjust filename]
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
---
--- a/include/linux/netfilter/nf_conntrack_common.h
+++ b/include/linux/netfilter/nf_conntrack_common.h
@@ -83,6 +83,15 @@ enum ip_conntrack_status {
/* Conntrack is a fake untracked entry */
IPS_UNTRACKED_BIT = 12,
IPS_UNTRACKED = (1 << IPS_UNTRACKED_BIT),
+
+ /* Be careful here, modifying these bits can make things messy,
+ * so don't let users modify them directly.
+ */
+ IPS_UNCHANGEABLE_MASK = (IPS_NAT_DONE_MASK | IPS_NAT_MASK |
+ IPS_EXPECTED | IPS_CONFIRMED | IPS_DYING |
+ IPS_SEQ_ADJUST | IPS_TEMPLATE),
+
+ __IPS_MAX_BIT = 13,
};
/* Connection tracking event types */
--- a/net/netfilter/nf_conntrack_netlink.c
+++ b/net/netfilter/nf_conntrack_netlink.c
@@ -1053,6 +1053,24 @@ ctnetlink_parse_nat_setup(struct nf_conn
}
#endif
+static void
+__ctnetlink_change_status(struct nf_conn *ct, unsigned long on,
+ unsigned long off)
+{
+ unsigned int bit;
+
+ /* Ignore these unchangable bits */
+ on &= ~IPS_UNCHANGEABLE_MASK;
+ off &= ~IPS_UNCHANGEABLE_MASK;
+
+ for (bit = 0; bit < __IPS_MAX_BIT; bit++) {
+ if (on & (1 << bit))
+ set_bit(bit, &ct->status);
+ else if (off & (1 << bit))
+ clear_bit(bit, &ct->status);
+ }
+}
+
static int
ctnetlink_change_status(struct nf_conn *ct, const struct nlattr * const cda[])
{
@@ -1072,10 +1090,7 @@ ctnetlink_change_status(struct nf_conn *
/* ASSURED bit can only be set */
return -EBUSY;
- /* Be careful here, modifying NAT bits can screw up things,
- * so don't let users modify them directly if they don't pass
- * nf_nat_range. */
- ct->status |= status & ~(IPS_NAT_DONE_MASK | IPS_NAT_MASK);
+ __ctnetlink_change_status(ct, status, 0);
return 0;
}
@@ -1258,7 +1273,7 @@ ctnetlink_change_nat_seq_adj(struct nf_c
if (ret < 0)
return ret;
- ct->status |= IPS_SEQ_ADJUST;
+ set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
}
if (cda[CTA_NAT_SEQ_ADJ_REPLY]) {
@@ -1267,7 +1282,7 @@ ctnetlink_change_nat_seq_adj(struct nf_c
if (ret < 0)
return ret;
- ct->status |= IPS_SEQ_ADJUST;
+ set_bit(IPS_SEQ_ADJUST_BIT, &ct->status);
}
return 0;
next prev parent reply other threads:[~2017-08-18 13:13 UTC|newest]
Thread overview: 61+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-08-18 13:13 [PATCH 3.2 00/59] 3.2.92-rc1 review Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 53/59] um: Fix PTRACE_POKEUSER on x86_64 Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 49/59] ipv6: Need to export ipv6_push_frag_opts for tunneling now Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 32/59] [media] ttusb2: limit messages to buffer size Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 28/59] PCI: Fix another sanity check bug in /proc/pci mmap Ben Hutchings
2017-08-18 13:13 ` Ben Hutchings [this message]
2017-08-18 13:13 ` [PATCH 3.2 27/59] PCI: Ignore write combining when mapping I/O port space Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 19/59] [media] cx231xx: fix double free and leaks on failure path in cx231xx_usb_probe() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 33/59] [media] dw2102: Don't use dynamic static allocation Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 31/59] [media] ttusb2: Don't use stack variables for DMA Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 30/59] PCI: Freeze PME scan before suspending devices Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 55/59] x86/mm/32: Set the '__vmalloc_start_set' flag in initmem_init() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 18/59] [media] usbvision: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 02/59] [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 17/59] [media] gspca: konica: add missing endpoint sanity check Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 41/59] usb: Make sure usb/phy/of gets built-in Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 22/59] [media] cx231xx-audio: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 29/59] PCI: Only allow WC mmap on prefetchable resources Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 51/59] cifs: small underflow in cnvrtDosUnixTm() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 44/59] libata: reject passthrough WRITE SAME requests Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 56/59] ipv6: avoid overflow of offset in ip6_find_1stfragopt Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 13/59] [media] mceusb: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 08/59] ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 09/59] serial: sh-sci: Fix panic when serial console and DMA are enabled Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 45/59] net: ethernet: ucc_geth: fix MEM_PART_MURAM mode Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 23/59] padata: free correct variable Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 04/59] ath9k_htc: Add PID/VID for a Ubiquiti WiFiStation Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 11/59] usb: hub: Fix error loop seen after hub communication errors Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 43/59] IB/core: For multicast functions, verify that LIDs are multicast LIDs Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 05/59] ath9k_htc: Add device ID for Buffalo WLI-UV-AG300P Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 15/59] cdc-acm: fix possible invalid access when processing notification Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 42/59] IB/core: If the MGID/MLID pair is not on the list return an error Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 21/59] [media] cx231xx-audio: fix init error path Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 10/59] zd1211rw: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 37/59] usb: host: xhci: print correct command ring address Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 07/59] ath9k_htc: add device ID for Toshiba WLM-20U2/GN-1080 Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 46/59] Bluetooth: Fix user channel for 32bit userspace on 64bit kernel Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 35/59] [media] dw2102: limit messages to buffer size Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 25/59] [media] digitv: " Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 38/59] x86/boot: Fix BSS corruption/overwrite bug in early x86 kernel startup Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 40/59] PCI: Disable boot interrupt quirk for ASUS M2N-LR Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 58/59] mqueue: fix a use-after-free in sys_mq_notify() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 36/59] [media] ov2640: fix vflip control Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 06/59] ath9k_htc: Add new USB ID Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 16/59] ath9k_htc: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 52/59] Set unicode flag on cifs echo request to avoid Mac error Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 47/59] power: supply: pda_power: move from timer to delayed_work Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 20/59] [media] cx231xx-cards: fix NULL-deref at probe Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 57/59] timerfd: Protect the might cancel mechanism proper Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 50/59] tcp: fix wraparound issue in tcp_lp Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 03/59] ath9k_htc: Add Panasonic N5HBZ0000055 device id Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 24/59] PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 12/59] usb: hub: Do not attempt to autosuspend disconnected devices Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 01/59] drm/i915: fix use-after-free in page_flip_completed() Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 54/59] fbdev: sti: don't select CONFIG_VT Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 34/59] [media] dw2102: some missing unlocks on error Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 59/59] packet: fix tp_reserve race in packet_set_ring Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 48/59] ip6_tunnel: Fix missing tunnel encapsulation limit option Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 14/59] USB: Proper handling of Race Condition when two USB class drivers try to call init_usb_class simultaneously Ben Hutchings
2017-08-18 13:13 ` [PATCH 3.2 26/59] [media] zr364xx: enforce minimum size when reading header Ben Hutchings
2017-08-18 14:54 ` [PATCH 3.2 00/59] 3.2.92-rc1 review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=lsq.1503061993.484220627@decadent.org.uk \
--to=ben@decadent.org.uk \
--cc=akpm@linux-foundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=stable@vger.kernel.org \
--cc=zlpnobody@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox