summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorFlorian Westphal <fw@strlen.de>2018-06-20 23:32:26 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2018-06-26 18:28:57 +0200
commitb36e4523d4d56e2595e28f16f6ccf1cd6a9fc452 (patch)
tree7673a5cc313690b886a770dc165ebf78c12b85a8 /security
parentnetfilter: nf_log: don't hold nf_log_mutex during user access (diff)
downloadlinux-b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452.tar.xz
linux-b36e4523d4d56e2595e28f16f6ccf1cd6a9fc452.zip
netfilter: nf_conncount: fix garbage collection confirm race
Yi-Hung Wei and Justin Pettit found a race in the garbage collection scheme used by nf_conncount. When doing list walk, we lookup the tuple in the conntrack table. If the lookup fails we remove this tuple from our list because the conntrack entry is gone. This is the common cause, but turns out its not the only one. The list entry could have been created just before by another cpu, i.e. the conntrack entry might not yet have been inserted into the global hash. The avoid this, we introduce a timestamp and the owning cpu. If the entry appears to be stale, evict only if: 1. The current cpu is the one that added the entry, or, 2. The timestamp is older than two jiffies The second constraint allows GC to be taken over by other cpu too (e.g. because a cpu was offlined or napi got moved to another cpu). We can't pretend the 'doubtful' entry wasn't in our list. Instead, when we don't find an entry indicate via IS_ERR that entry was removed ('did not exist' or withheld ('might-be-unconfirmed'). This most likely also fixes a xt_connlimit imbalance earlier reported by Dmitry Andrianov. Cc: Dmitry Andrianov <dmitry.andrianov@alertme.com> Reported-by: Justin Pettit <jpettit@vmware.com> Reported-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Florian Westphal <fw@strlen.de> Acked-by: Yi-Hung Wei <yihung.wei@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions