Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp5413497imm; Tue, 31 Jul 2018 10:28:23 -0700 (PDT) X-Google-Smtp-Source: AAOMgpdW47VaP3GzS9yiP12CXP7+Z3EpOj53o+1dP0kP5GomYZhKvzKZh1k5+B5wwQ/VcEleMdMp X-Received: by 2002:a17:902:4d46:: with SMTP id o6-v6mr13423006plh.59.1533058103639; Tue, 31 Jul 2018 10:28:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1533058103; cv=none; d=google.com; s=arc-20160816; b=ILxNLgxvfLBsrU01ldPS9mxT35oM6GGTGNy98MLepyqbl4z/l5yx7czazMXUMxHz8W ansnMFJUIdVuCycrInUlM8hFZ8M/aKFldElRhkOGoye3TMy/Sb0uB7tpTvMVhET5qEDP /y8UiHQMQ13YyslHHd2jdi/o+508cprKdjBHzmcrhQgnf7PX6Ue6ymbQCY1FOEN1ovqK TFxCyw3W8rtyh/P7HrIMurC76GSWYgMMkUMhTgeArALS/aFBhNKWjwOPBcKtiPdXA24M 9sKJJ+6peiicbuzYA2+DHRQ17gugwy5Xb2n2aevaDoP4MCUjFZkkRpMdMiuvv8GYCeYd Fg/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:organisation:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=9R3mN0rPOtG7pXQ7ikyEFigaSt3ewRirjD+MJx9c85M=; b=e1KKZHpjA7WOi3GbIAZzggR+yB3JTbGbF//Shw/vnBlfYdBFLTPcvg3BW6SksHz6aN reXUTt4UAv03mTfCYuAYN7Zb0v1Cl0gOmQ+TFKuiwr1eomQumoDvTb9A+L15vrUQg9ZM 8gAj89Jio5jGtSlM59Mf4eGGI0KGPRaRlIornbCteHS7GdIgkQG6XwOX7Gj/vmIgte+8 jlTb0Q0T+91hfjIN4V75waVQ15qict/WS2soS/ohV7BHgqC1AJ9miFcG/1LO4M8t727L oBlxIPuamREp/LQ3M+8cM6sXzGOfwmZ1bWvozxYtoHuM+l7sQJRF5fI9cl3kn1Ect2JK 0I2w== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@verge.net.au header.s=mail header.b=DfBpkHMq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 72-v6si2769681pfv.131.2018.07.31.10.28.08; Tue, 31 Jul 2018 10:28:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@verge.net.au header.s=mail header.b=DfBpkHMq; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732032AbeGaSfh (ORCPT + 99 others); Tue, 31 Jul 2018 14:35:37 -0400 Received: from kirsty.vergenet.net ([202.4.237.240]:38512 "EHLO kirsty.vergenet.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727471AbeGaSfg (ORCPT ); Tue, 31 Jul 2018 14:35:36 -0400 Received: from reginn.horms.nl (watermunt.horms.nl [80.127.179.77]) by kirsty.vergenet.net (Postfix) with ESMTPA id D7B1D25AD5C; Wed, 1 Aug 2018 02:54:23 +1000 (AEST) DKIM-Signature: v=1; a=rsa-sha256; c=simple/simple; d=verge.net.au; s=mail; t=1533056064; bh=XNXJS4tHsNmYTDWeXNHXQGpmX1RfWhVl449EjLmdtt4=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=DfBpkHMqe0W4sXmzLqxqh8iAnt5lfEwpr2TmpKluP9f651CknPZjsZGm2c59AJrJ/ uAcMSOvwydvQjVkse4hysKJzNaEOy+RflmVt7unxveWPUhva/Ub1c8ftzYFokZNZeh AUuVwX4I1ydRZ+IaUdwE9+LgPcAMV19sSnb9hcEk= Received: by reginn.horms.nl (Postfix, from userid 7100) id BC7CA940355; Tue, 31 Jul 2018 18:54:21 +0200 (CEST) Date: Tue, 31 Jul 2018 18:54:21 +0200 From: Simon Horman To: Julian Anastasov , Pablo Neira Ayuso Cc: Tan Hu , wensong@linux-vs.org, pablo@netfilter.org, kadlec@blackhole.kfki.hu, fw@strlen.de, davem@davemloft.net, netdev@vger.kernel.org, lvs-devel@vger.kernel.org, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, linux-kernel@vger.kernel.org, zhong.weidong@zte.com.cn, jiang.biao2@zte.com.cn Subject: Re: [PATCH v3] ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() Message-ID: <20180731165421.ee265xghmbqcy54g@verge.net.au> References: <1532503387-3800-1-git-send-email-tan.hu@zte.com.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: Organisation: Horms Solutions BV User-Agent: NeoMutt/20170113 (1.7.2) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 25, 2018 at 10:12:48PM +0300, Julian Anastasov wrote: > > Hello, > > On Wed, 25 Jul 2018, Tan Hu wrote: > > > We came across infinite loop in ipvs when using ipvs in docker > > env. > > > > When ipvs receives new packets and cannot find an ipvs connection, > > it will create a new connection, then if the dest is unavailable > > (i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently. > > > > But if the dropped packet is the first packet of this connection, > > the connection control timer never has a chance to start and the > > ipvs connection cannot be released. This will lead to memory leak, or > > infinite loop in cleanup_net() when net namespace is released like > > this: > > > > ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs] > > __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs] > > ops_exit_list at ffffffff81567a49 > > cleanup_net at ffffffff81568b40 > > process_one_work at ffffffff810a851b > > worker_thread at ffffffff810a9356 > > kthread at ffffffff810b0b6f > > ret_from_fork at ffffffff81697a18 > > > > race condition: > > CPU1 CPU2 > > ip_vs_in() > > ip_vs_conn_new() > > ip_vs_del_dest() > > __ip_vs_unlink_dest() > > ~IP_VS_DEST_F_AVAILABLE > > cp->dest && !IP_VS_DEST_F_AVAILABLE > > __ip_vs_conn_put > > ... > > cleanup_net ---> infinite looping > > > > Fix this by checking whether the timer already started. > > > > Signed-off-by: Tan Hu > > Reviewed-by: Jiang Biao > > v3 looks good to me, > > Acked-by: Julian Anastasov > > Simon and Pablo, this can be applied to ipvs/nf tree... Acked-by: Simon Horman Pablo, please consider this for the nf tree. > > > --- > > v2: fix use-after-free in CONN_ONE_PACKET case suggested by Julian Anastasov > > v3: remove trailing whitespace for patch checking > > > > net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++---- > > 1 file changed, 11 insertions(+), 4 deletions(-) > > > > diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c > > index 0679dd1..a17104f 100644 > > --- a/net/netfilter/ipvs/ip_vs_core.c > > +++ b/net/netfilter/ipvs/ip_vs_core.c > > @@ -1972,13 +1972,20 @@ static int ip_vs_in_icmp_v6(struct netns_ipvs *ipvs, struct sk_buff *skb, > > if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) { > > /* the destination server is not available */ > > > > - if (sysctl_expire_nodest_conn(ipvs)) { > > + __u32 flags = cp->flags; > > + > > + /* when timer already started, silently drop the packet.*/ > > + if (timer_pending(&cp->timer)) > > + __ip_vs_conn_put(cp); > > + else > > + ip_vs_conn_put(cp); > > + > > + if (sysctl_expire_nodest_conn(ipvs) && > > + !(flags & IP_VS_CONN_F_ONE_PACKET)) { > > /* try to expire the connection immediately */ > > ip_vs_conn_expire_now(cp); > > } > > - /* don't restart its timer, and silently > > - drop the packet. */ > > - __ip_vs_conn_put(cp); > > + > > return NF_DROP; > > } > > > > -- > > 1.8.3.1 > > Regards > > -- > Julian Anastasov >