From ec68e97dedacc1c7fb20a4b23b7fa76bee56b5ff Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Sun, 4 Mar 2007 15:57:01 -0800
Subject: [NETFILTER]: conntrack: fix {nf,ip}_ct_iterate_cleanup endless loops

Fix {nf,ip}_ct_iterate_cleanup unconfirmed list handling:
- unconfirmed entries can not be killed manually, they are removed on confirmation or final destruction of the conntrack entry, which means we might iterate forever without making forward progress. This can happen in combination with the conntrack event cache, which holds a reference to the conntrack entry, which is only released when the packet makes it all the way through the stack or a different packet is handled.
- taking references to an unconfirmed entry and using it outside the locked section doesn't work, the list entries are not refcounted and another CPU might already be waiting to destroy the entry
What the code really wants to do is make sure the references of the hash table to the selected conntrack entries are released, so they will be destroyed once all references from skbs and the event cache are dropped. Since unconfirmed entries haven't even entered the hash yet, simply mark them as dying and skip confirmation based on that.
Reported and tested by Chuck Ebbert
Signed-off-by: Patrick McHardy
Signed-off-by: David S. Miller
---
 include/linux/netfilter_ipv4/ip_conntrack_core.h | 2 +-
 include/net/netfilter/nf_conntrack_core.h | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
(limited to 'include')
diff --git a/include/linux/netfilter_ipv4/ip_conntrack_core.h b/include/linux/netfilter_ipv4/ip_conntrack_core.h
index 907d4f5ca5dc..e3a6df07aa4b 100644
--- a/include/linux/netfilter_ipv4/ip_conntrack_core.h
+++ b/include/linux/netfilter_ipv4/ip_conntrack_core.h
@@ -45,7 +45,7 @@ static inline int ip_conntrack_confirm(struct sk_buff **pskb)
 int ret = NF_ACCEPT;
 if (ct) {
- if (!is_confirmed(ct))
+ if (!is_confirmed(ct) && !is_dying(ct))
 ret = __ip_conntrack_confirm(pskb);
 ip_ct_deliver_cached_events(ct);
 }
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index 7fdc72c01356..85634e1865c3 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -64,7 +64,7 @@ static inline int nf_conntrack_confirm(struct sk_buff **pskb)
 int ret = NF_ACCEPT;
 if (ct) {
- if (!nf_ct_is_confirmed(ct))
+ if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
 ret = __nf_conntrack_confirm(pskb);
 nf_ct_deliver_cached_events(ct);
 }
-- 
cgit v1.2.3

From 6f30e1867cb73602c6ed7f97e15a48e0a0c96cde Mon Sep 17 00:00:00 2001
From: Florian Zumbiehl
Date: Sun, 4 Mar 2007 16:03:22 -0800
Subject: [PPPOE]: Use ifindex instead of device pointer in key lookups.

Otherwise we can potentially try to dereference a NULL device pointer in some cases.
Signed-off-by: David S. Miller
---
 drivers/net/pppoe.c | 11 ++++++-----
 include/linux/if_pppox.h | 2 ++
 2 files changed, 8 insertions(+), 5 deletions(-)
(limited to 'include')
diff --git a/drivers/net/pppoe.c b/drivers/net/pppoe.c
index 86e56f1f2f0b..ebfa2967cd68 100644
--- a/drivers/net/pppoe.c
+++ b/drivers/net/pppoe.c
@@ -140,7 +140,7 @@ static struct pppox_sock *__get_item(unsigned long sid, unsigned char *addr, int
 ret = item_hash_table[hash];
- while (ret && !(cmp_addr(&ret->pppoe_pa, sid, addr) && ret->pppoe_dev->ifindex == ifindex))
+ while (ret && !(cmp_addr(&ret->pppoe_pa, sid, addr) && ret->pppoe_ifindex == ifindex))
 ret = ret->next;
 return ret;
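Review bot: The new `!is_dying(ct)` test runs in the inline wrapper with no locking visible in the hunk, so a cleanup that marks the entry dying between this test and the hash insertion inside `__ip_conntrack_confirm()` could still put the entry into the hash — the very reference the commit message says it wants released — unless `__ip_conntrack_confirm()` re-checks the flag under the conntrack lock, which cannot be seen from here and is worth confirming. Either way the condition deserves a one-line comment, because a reader of this header cannot tell why an unconfirmed entry would ever be dying: `/* entries marked dying by ip_ct_iterate_cleanup() must never enter the hash */`. The same applies to the `nf_ct_is_dying()` hunk in nf_conntrack_core.h below; the enclosing inline functions start and end outside both hunks.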
@@ -153,7 +153,7 @@ static int __set_item(struct pppox_sock *po)
 ret = item_hash_table[hash];
 while (ret) {
- if (cmp_2_addr(&ret->pppoe_pa, &po->pppoe_pa) && ret->pppoe_dev->ifindex == po->pppoe_dev->ifindex)
+ if (cmp_2_addr(&ret->pppoe_pa, &po->pppoe_pa) && ret->pppoe_ifindex == po->pppoe_ifindex)
 return -EALREADY;
 ret = ret->next;
@@ -174,7 +174,7 @@ static struct pppox_sock *__delete_item(unsigned long sid, char *addr, int ifind
 src = &item_hash_table[hash];
 while (ret) {
- if (cmp_addr(&ret->pppoe_pa, sid, addr) && ret->pppoe_dev->ifindex == ifindex) {
+ if (cmp_addr(&ret->pppoe_pa, sid, addr) && ret->pppoe_ifindex == ifindex) {
 *src = ret->next;
 break;
 }
@@ -529,7 +529,7 @@ static int pppoe_release(struct socket *sock)
 po = pppox_sk(sk);
 if (po->pppoe_pa.sid) {
- delete_item(po->pppoe_pa.sid, po->pppoe_pa.remote, po->pppoe_dev->ifindex);
+ delete_item(po->pppoe_pa.sid, po->pppoe_pa.remote, po->pppoe_ifindex);
 }
 if (po->pppoe_dev)
@@ -577,7 +577,7 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
 pppox_unbind_sock(sk);
 /* Delete the old binding */
- delete_item(po->pppoe_pa.sid,po->pppoe_pa.remote,po->pppoe_dev->ifindex);
+ delete_item(po->pppoe_pa.sid,po->pppoe_pa.remote,po->pppoe_ifindex);
 if(po->pppoe_dev)
 dev_put(po->pppoe_dev);
@@ -597,6 +597,7 @@ static int pppoe_connect(struct socket *sock, struct sockaddr *uservaddr,
 goto end;
 po->pppoe_dev = dev;
+ po->pppoe_ifindex = dev->ifindex;
 if (!(dev->flags & IFF_UP))
 goto err_put;
diff --git a/include/linux/if_pppox.h b/include/linux/if_pppox.h
index 4fab3d0a4bce..e33ee763c052 100644
--- a/include/linux/if_pppox.h
+++ b/include/linux/if_pppox.h
@@ -114,6 +114,7 @@ struct pppoe_hdr {
 #ifdef __KERNEL__
 struct pppoe_opt {
 struct net_device *dev; /* device associated with socket*/
+ int ifindex; /* ifindex of device associated with socket */
 struct pppoe_addr pa; /* what this socket is bound to*/
 struct sockaddr_pppox relay; /* what socket data will be relayed to (PPPoE relaying) */
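Review bot: The comment on the new `ifindex` field in the if_pppox.h hunk should say that it is a snapshot taken in pppoe_connect() (the `po->pppoe_ifindex = dev->ifindex;` hunk above) that stays valid after `dev` has been dropped, because that is the whole reason the lookups in pppoe.c now key on it instead of `pppoe_dev->ifindex`; as written the field looks redundant next to `dev` and invites a later "cleanup" back to the pointer dereference the commit is removing. Suggested: `int ifindex; /* dev->ifindex cached at connect time; valid even after dev is released */`. The code paths that clear `pppoe_dev` are outside these hunks, so whether `ifindex` should be reset alongside it cannot be judged from the diff; the hash lookup hunks (@@ -140, @@ -153, @@ -174) only ever compare it when `pppoe_pa` matches, so a stale value appears harmless as long as the pppoe_release hunk keeps guarding the delete on `pppoe_pa.sid`.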
@@ -132,6 +133,7 @@ struct pppox_sock {
 unsigned short num;
 };
 #define pppoe_dev proto.pppoe.dev
+#define pppoe_ifindex proto.pppoe.ifindex
 #define pppoe_pa proto.pppoe.pa
 #define pppoe_relay proto.pppoe.relay
-- 
cgit v1.2.3

From 187f5f84ef14a07dccf5f4503099708d60f6a724 Mon Sep 17 00:00:00 2001
From: Eric Dumazet
Date: Mon, 5 Mar 2007 13:32:48 -0800
Subject: [INET]: twcal_jiffie should be unsigned long, not int

Signed-off-by: Eric Dumazet
Signed-off-by: David S. Miller
---
 include/net/inet_timewait_sock.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
(limited to 'include')
diff --git a/include/net/inet_timewait_sock.h b/include/net/inet_timewait_sock.h
index f7be1ac73601..09a2532699b2 100644
--- a/include/net/inet_timewait_sock.h
+++ b/include/net/inet_timewait_sock.h
@@ -66,7 +66,7 @@ struct inet_hashinfo;
 struct inet_timewait_death_row {
 /* Short-time timewait calendar */
 int twcal_hand;
- int twcal_jiffie;
+ unsigned long twcal_jiffie;
 struct timer_list twcal_timer;
 struct hlist_head twcal_row[INET_TWDR_RECYCLE_SLOTS];
-- 
cgit v1.2.3

From 64a146513f8f12ba204b7bf5cb7e9505594ead42 Mon Sep 17 00:00:00 2001
From: "David S. Miller"
Date: Tue, 6 Mar 2007 11:21:05 -0800
Subject: [NET]: Revert incorrect accept queue backlog changes.

This reverts two changes:
8488df894d05d6fa41c2bd298c335f944bb0e401
248f06726e866942b3d8ca8f411f9067713b7ff8
A backlog value of N really does mean allow "N + 1" connections to queue to a listening socket. This allows one to specify "0" as the backlog and still get 1 connection.
Noticed by Gerrit Renker and Rick Jones.
Signed-off-by: David S. Miller
---
 include/net/sock.h | 2 +-
 net/unix/af_unix.c | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
(limited to 'include')
diff --git a/include/net/sock.h b/include/net/sock.h
index 849c7df23181..2c7d60ca3548 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
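Review bot: Widening `twcal_jiffie` from `int` to `unsigned long` in the inet_timewait_sock.h hunk changes the promotion rules at every comparison or subtraction that mixes it with an `int` operand (the signed side now converts to unsigned), and none of those users are in this hunk; they should be checked, ideally for use of the `time_after()`/`time_before()` helpers since the subject line and the name indicate a jiffies value. A short field comment would make the intended type clear: `unsigned long twcal_jiffie; /* jiffies; compare with time_after() */`. The struct continues outside the hunk.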
@@ -426,7 +426,7 @@ static inline void sk_acceptq_added(struct sock *sk)
 static inline int sk_acceptq_is_full(struct sock *sk)
 {
- return sk->sk_ack_backlog >= sk->sk_max_ack_backlog;
+ return sk->sk_ack_backlog > sk->sk_max_ack_backlog;
 }
 /*
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 51ca4383c388..606971645b33 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -934,7 +934,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)
 sched = !sock_flag(other, SOCK_DEAD) && !(other->sk_shutdown & RCV_SHUTDOWN) &&
- (skb_queue_len(&other->sk_receive_queue) >=
+ (skb_queue_len(&other->sk_receive_queue) >
 other->sk_max_ack_backlog);
 unix_state_runlock(other);
@@ -1008,7 +1008,7 @@ restart:
 if (other->sk_state != TCP_LISTEN)
 goto out_unlock;
- if (skb_queue_len(&other->sk_receive_queue) >=
+ if (skb_queue_len(&other->sk_receive_queue) >
 other->sk_max_ack_backlog) {
 err = -EAGAIN;
 if (!timeo)
@@ -1381,7 +1381,7 @@ restart:
 }
 if (unix_peer(other) != sk &&
- (skb_queue_len(&other->sk_receive_queue) >=
+ (skb_queue_len(&other->sk_receive_queue) >
 other->sk_max_ack_backlog)) {
 if (!timeo) {
 err = -EAGAIN;
-- 
cgit v1.2.3
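Review bot: `sk_acceptq_is_full()` now reads like a textbook off-by-one (`>` against a field named as a maximum), and the commit message says this exact "fix" was already applied once and is being reverted, so the return line needs a comment that stops the next reader from reapplying it: `/* Intentional: a backlog of N admits N + 1 queued connections, so backlog 0 still accepts one. */`. The three af_unix.c hunks below encode the same rule and would benefit from the same comment.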
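Review bot: The expression `skb_queue_len(&other->sk_receive_queue) > other->sk_max_ack_backlog` is now written out in three places in af_unix.c (unix_wait_for_peer and the two `restart:` hunks), which is exactly why the `>=`/`>` flip had to be made three times; a single static helper would keep the N + 1 rule in one spot, e.g. `static inline int unix_recvq_full(struct sock const *sk) { return skb_queue_len(&sk->sk_receive_queue) > sk->sk_max_ack_backlog; }` called as `unix_recvq_full(other)` at all three sites. The enclosing functions of the second and third hunks start outside the hunk; only the `restart:` label is visible.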