Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp715510imm; Thu, 13 Sep 2018 06:44:11 -0700 (PDT) X-Google-Smtp-Source: ANB0VdZQBiI8KwJ22tu/nrYxeFRQ1V5SRF8UMfMc3NoJqpq0uuc19sYQV0YTkyjcT9v1NbZzyeuS X-Received: by 2002:a17:902:a613:: with SMTP id u19-v6mr7482040plq.234.1536846251809; Thu, 13 Sep 2018 06:44:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1536846251; cv=none; d=google.com; s=arc-20160816; b=AvVVT2k3+BDcmVN4J9MDPHwrIqFuaxx4/rFZcvODr1bQsu8q9KRh/r3PnhloAwRJFZ w09IL4WVP33/tRUEpIuB2Ip3BrpchYBZKqwPigxdmzMqKtdeXgWK1xBvNBbD8Ozs400Y 8zAhYH1D4HbKqUovgLr3ty/W0I6wRW57JbisvMhWRTeO3D9dIIaVTtnGjsf6A4Z6IsGz V/xE7hsdVmv/jX0yfXkc1iYQ915CbHBCPGzLJwFIR/eWHQUdYOV8oBWr67w9cjR0/GpI JfXx6fYS0FU/kt3afLVZJKRJBz20yXD+RYJHhWlNdSTlYL1RmPSt8kmHyJ5Ax+4GMTiW VRwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from; bh=J8wRIPNSPaqSt8OeJRXgtM/y09J+6sp2Un0WdkYXUdE=; b=G3ExTvahZFtGc10/Iy5A05CipDA1mU8tNgTs3aX0xYLnydVShKX7TF3vJ+PYMDwO2+ zEugGNzLi+nPmgEhNgQk/AhHOTjGJac/Qr2+Gk/4DL4/NEeIQFdBVxW2ClELf/9A5r4/ kzSRja9oki9EqkGhD9UpZdRbtdtuXhcjA8irc+pymMD0ZHurxGF6t6oz9htuta5m1t3C ErdwJYlfCa3VV3/ciYNRsHT4oqBEqg2p8sgIiWsE6iMG9qSRkq0R9KnEnVoESJhsAKxI H+ZwyVjnSAr+36ZtOcP3zs2St5IySIu5Rl6a+mmEV49ADBnAKm/EO5ZTo8GRNnjlDszt ErXg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a5-v6si3916431plh.312.2018.09.13.06.43.56; Thu, 13 Sep 2018 06:44:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729914AbeIMSxW (ORCPT + 99 others); Thu, 13 Sep 2018 14:53:22 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:60412 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728932AbeIMSxV (ORCPT ); Thu, 13 Sep 2018 14:53:21 -0400 Received: from localhost (ip-213-127-77-73.ip.prioritytelecom.net [213.127.77.73]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 79819D19; Thu, 13 Sep 2018 13:43:48 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tan Hu , Jiang Biao , Julian Anastasov , Simon Horman , Pablo Neira Ayuso , Sasha Levin Subject: [PATCH 4.14 040/115] ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() Date: Thu, 13 Sep 2018 15:31:00 +0200 Message-Id: <20180913131826.177203063@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20180913131823.327472833@linuxfoundation.org> References: <20180913131823.327472833@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Tan Hu [ Upstream commit a53b42c11815d2357e31a9403ae3950517525894 ] We came across infinite loop in ipvs when using ipvs in docker env. When ipvs receives new packets and cannot find an ipvs connection, it will create a new connection, then if the dest is unavailable (i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently. But if the dropped packet is the first packet of this connection, the connection control timer never has a chance to start and the ipvs connection cannot be released. This will lead to memory leak, or infinite loop in cleanup_net() when net namespace is released like this: ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs] __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs] ops_exit_list at ffffffff81567a49 cleanup_net at ffffffff81568b40 process_one_work at ffffffff810a851b worker_thread at ffffffff810a9356 kthread at ffffffff810b0b6f ret_from_fork at ffffffff81697a18 race condition: CPU1 CPU2 ip_vs_in() ip_vs_conn_new() ip_vs_del_dest() __ip_vs_unlink_dest() ~IP_VS_DEST_F_AVAILABLE cp->dest && !IP_VS_DEST_F_AVAILABLE __ip_vs_conn_put ... cleanup_net ---> infinite looping Fix this by checking whether the timer already started. Signed-off-by: Tan Hu Reviewed-by: Jiang Biao Acked-by: Julian Anastasov Acked-by: Simon Horman Signed-off-by: Pablo Neira Ayuso Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/netfilter/ipvs/ip_vs_core.c | 15 +++++++++++---- 1 file changed, 11 insertions(+), 4 deletions(-) --- a/net/netfilter/ipvs/ip_vs_core.c +++ b/net/netfilter/ipvs/ip_vs_core.c @@ -1960,13 +1960,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsign if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) { /* the destination server is not available */ - if (sysctl_expire_nodest_conn(ipvs)) { + __u32 flags = cp->flags; + + /* when timer already started, silently drop the packet.*/ + if (timer_pending(&cp->timer)) + __ip_vs_conn_put(cp); + else + ip_vs_conn_put(cp); + + if (sysctl_expire_nodest_conn(ipvs) && + !(flags & IP_VS_CONN_F_ONE_PACKET)) { /* try to expire the connection immediately */ ip_vs_conn_expire_now(cp); } - /* don't restart its timer, and silently - drop the packet. */ - __ip_vs_conn_put(cp); + return NF_DROP; }