From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Liping Zhang, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 3.18 041/121] netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize
Date: Wed, 11 Apr 2018 20:35:44 +0200
Message-Id: <20180411183458.939977653@linuxfoundation.org>
In-Reply-To: <20180411183456.195010921@linuxfoundation.org>
References: <20180411183456.195010921@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Liping Zhang

[ Upstream commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 ]

If nf_conntrack_htable_size was adjusted by the user during the ct
dump operation, we may invoke nf_ct_put twice for the same ct, i.e.
the "last" ct. This will cause the ct to be freed but still linked in
hash buckets.

It's very easy to reproduce the problem by the following commands:
  # while : ; do
    echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets
    done
  # while : ; do
    conntrack -L
    done
  # iperf -s 127.0.0.1 &
  # iperf -c 127.0.0.1 -P 60 -t 36000

After a while, the system will hang like this:
  NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184]
  NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382]
  ...

So at last if we find cb->args[1] is equal to "last", this means hash
resize happened, then we can set cb->args[1] to 0 to fix the above
issue.

Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
Signed-off-by: Liping Zhang
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
Signed-off-by: Greg Kroah-Hartman
--- net/netfilter/nf_conntrack_netlink.c | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) --- a/net/netfilter/nf_conntrack_netlink.c +++ b/net/netfilter/nf_conntrack_netlink.c @@ -828,8 +828,13 @@ restart: } out: local_bh_enable(); - if (last) + if (last) { + /* nf ct hash resize happened, now clear the leftover. */ + if ((struct nf_conn *)cb->args[1] == last) + cb->args[1] = 0; + nf_ct_put(last); + } return skb->len; }
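
Review bot: The comment added inside the new if (last) block at the out: label says only that a hash resize happened and the leftover is cleared; it does not say what the leftover is or why it is dangerous. A reader of the code alone cannot tell that cb->args[1] still being equal to last is the signal for the resize, nor that the stale pointer left there is what leads to nf_ct_put being invoked twice for the same ct, as the commit message explains. Suggest expanding the comment to state both, so the reason for zeroing cb->args[1] before nf_ct_put(last) is recorded next to the check. As a smaller style point, the comparison casts cb->args[1] to struct nf_conn * at the point of use; a short local variable for the saved ct would make the check and the reset easier to read.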