From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yi-Hung Wei, Pablo Neira Ayuso, Mauricio Faria de Oliveira, Sasha Levin
Subject: [PATCH 4.14 082/101] netfilter: nf_conncount: Fix garbage collection with zones
Date: Mon, 7 Jan 2019 13:33:10 +0100
Message-Id: <20190107105337.426859757@linuxfoundation.org>
X-Mailer: git-send-email 2.20.1
In-Reply-To: <20190107105330.372621917@linuxfoundation.org>
References: <20190107105330.372621917@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
X-Patchwork-Hint: ignore
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

commit 21ba8847f857028dc83a0f341e16ecc616e34740 upstream.

Currently, we use check_hlist() for garbage collection. However, we use
the 'zone' from the counted entry to query the existence of existing
entries in the hlist. This could be wrong when they are in different
zones, and this patch fixes this issue.

Fixes: e59ea3df3fc2 ("netfilter: xt_connlimit: honor conntrack zone if available")
Signed-off-by: Yi-Hung Wei
Signed-off-by: Pablo Neira Ayuso
[mfo: backport: refresh context lines and use older symbol/file names, note hunk 5:
 - nf_conncount.c -> xt_connlimit.c
 - nf_conncount_rb -> xt_connlimit_rb
 - nf_conncount_tuple -> xt_connlimit_conn
 - hunk 5: remove check for non-NULL 'tuple', that isn't required as it's
   introduced by upstream commit 35d8deb80 ("netfilter: conncount: Support
   count only use case") which addresses nf_conncount_count() that does not
   exist yet -- it's introduced by upstream commit 625c556118f3 ("netfilter:
   connlimit: split xt_connlimit into front and backend"), a refactor change.
 - nft_connlimit.c -> removed, not used/doesn't exist yet.]
Signed-off-by: Mauricio Faria de Oliveira
Signed-off-by: Sasha Levin --- include/net/netfilter/nf_conntrack_count.h | 3 ++- net/netfilter/xt_connlimit.c | 13 +++++++++---- 2 files changed, 11 insertions(+), 5 deletions(-) diff --git a/include/net/netfilter/nf_conntrack_count.h b/include/net/netfilter/nf_conntrack_count.h index 54e43b8a8da1..4b71a2f4c351 100644 --- a/include/net/netfilter/nf_conntrack_count.h +++ b/include/net/netfilter/nf_conntrack_count.h @@ -7,7 +7,8 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, bool *addit); bool nf_conncount_add(struct hlist_head *head, - const struct nf_conntrack_tuple *tuple); + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone); void nf_conncount_cache_free(struct hlist_head *hhead); diff --git a/net/netfilter/xt_connlimit.c b/net/netfilter/xt_connlimit.c index 7af58750ab49..ab1f849464fa 100644 --- a/net/netfilter/xt_connlimit.c +++ b/net/netfilter/xt_connlimit.c @@ -46,6 +46,7 @@ struct xt_connlimit_conn { struct hlist_node node; struct nf_conntrack_tuple tuple; + struct nf_conntrack_zone zone; }; struct xt_connlimit_rb { @@ -115,7 +116,8 @@ same_source_net(const union nf_inet_addr *addr, } bool nf_conncount_add(struct hlist_head *head, - const struct nf_conntrack_tuple *tuple) + const struct nf_conntrack_tuple *tuple, + const struct nf_conntrack_zone *zone) { struct xt_connlimit_conn *conn; @@ -123,6 +125,7 @@ bool nf_conncount_add(struct hlist_head *head, if (conn == NULL) return false; conn->tuple = *tuple; + conn->zone = *zone; hlist_add_head(&conn->node, head); return true; } @@ -143,7 +146,7 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, /* check the saved connections */ hlist_for_each_entry_safe(conn, n, head, node) { - found = nf_conntrack_find_get(net, zone, &conn->tuple); + found = nf_conntrack_find_get(net, &conn->zone, &conn->tuple); if (found == NULL) { hlist_del(&conn->node); kmem_cache_free(connlimit_conn_cachep, conn); 
@@ -152,7 +155,8 @@ unsigned int nf_conncount_lookup(struct net *net, struct hlist_head *head, found_ct = nf_ct_tuplehash_to_ctrack(found); - if (nf_ct_tuple_equal(&conn->tuple, tuple)) { + if (nf_ct_tuple_equal(&conn->tuple, tuple) && + nf_ct_zone_equal(found_ct, zone, zone->dir)) { /* * Just to be sure we have it only once in the list. * We should not see tuples twice unless someone hooks @@ -231,7 +235,7 @@ count_tree(struct net *net, struct rb_root *root, if (!addit) return count; - if (!nf_conncount_add(&rbconn->hhead, tuple)) + if (!nf_conncount_add(&rbconn->hhead, tuple, zone)) return 0; /* hotdrop */ return count + 1; @@ -270,6 +274,7 @@ count_tree(struct net *net, struct rb_root *root, } conn->tuple = *tuple; + conn->zone = *zone; rbconn->addr = *addr; INIT_HLIST_HEAD(&rbconn->hhead); -- 2.19.1
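Review bot: `conn->zone = *zone;` in nf_conncount_add (hunk at @@ -123,6 +125,7 @@) dereferences `zone` unconditionally, so every caller must pass a non-NULL zone. The backport note explains that the upstream non-NULL check was dropped because nf_conncount_count() does not exist in 4.14, and the only caller in this patch (count_tree, hunk at @@ -231,7 +235,7 @@) forwards the zone it was given, so this holds today; a one-line comment on the prototype in nf_conntrack_count.h stating that `zone` must not be NULL would keep a later backport from reintroducing a NULL deref here.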
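Review bot: the switch to `nf_conntrack_find_get(net, &conn->zone, &conn->tuple)` in nf_conncount_lookup (hunk at @@ -143,7 +146,7 @@) is the actual garbage-collection fix and the one with a security consequence that the commit message only hints at with "could be wrong": with the caller's `zone` used for the lookup, a saved entry that belongs to a different zone is never found, is treated as a dead connection, and is unlinked and freed by the `if (found == NULL)` branch shown in the context lines, so the count that connlimit compares against its limit can fall below the number of live connections. It would help reviewers of the stable series to say explicitly that the effect of the bug is a too-low connection count under zones, since that is what justifies taking this into 4.14.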
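Review bot: the widened condition `nf_ct_tuple_equal(&conn->tuple, tuple) && nf_ct_zone_equal(found_ct, zone, zone->dir)` (hunk at @@ -152,7 +155,8 @@) correctly makes the "already in the list" check zone-aware, so the same tuple seen in two zones is no longer collapsed into a single entry; note that `found_ct` was obtained with `&conn->zone` in the previous hunk, so what this compares is the stored entry's zone against the caller's zone in the caller's direction. A short comment above the condition saying why `found_ct` rather than `conn->zone` is compared would save the next reader from re-deriving that.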
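Review bot: `conn->zone = *zone;` in count_tree's new-node path (hunk at @@ -270,6 +274,7 @@) duplicates the assignment added to nf_conncount_add, alongside the already duplicated `conn->tuple = *tuple;` line. Routing both initialisations through nf_conncount_add or a small helper would avoid a future field being set on one path and missed on the other; style only, the backport is correct as is.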