Home Explore Help
Sign In
GfA
/
linux_kernel
5
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest()

We came across infinite loop in ipvs when using ipvs in docker
env.

When ipvs receives new packets and cannot find an ipvs connection,
it will create a new connection, then if the dest is unavailable
(i.e. IP_VS_DEST_F_AVAILABLE), the packet will be dropped sliently.

But if the dropped packet is the first packet of this connection,
the connection control timer never has a chance to start and the
ipvs connection cannot be released. This will lead to memory leak, or
infinite loop in cleanup_net() when net namespace is released like
this:

    ip_vs_conn_net_cleanup at ffffffffa0a9f31a [ip_vs]
    __ip_vs_cleanup at ffffffffa0a9f60a [ip_vs]
    ops_exit_list at ffffffff81567a49
    cleanup_net at ffffffff81568b40
    process_one_work at ffffffff810a851b
    worker_thread at ffffffff810a9356
    kthread at ffffffff810b0b6f
    ret_from_fork at ffffffff81697a18

race condition:
    CPU1                           CPU2
    ip_vs_in()
      ip_vs_conn_new()
                                   ip_vs_del_dest()
                                     __ip_vs_unlink_dest()
                                       ~IP_VS_DEST_F_AVAILABLE
      cp->dest && !IP_VS_DEST_F_AVAILABLE
      __ip_vs_conn_put
    ...
    cleanup_net  ---> infinite looping

Fix this by checking whether the timer already started.

Signed-off-by: Tan Hu <tan.hu@zte.com.cn>
Reviewed-by: Jiang Biao <jiang.biao2@zte.com.cn>
Acked-by: Julian Anastasov <ja@ssi.bg>
Acked-by: Simon Horman <horms@verge.net.au>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Tan Hu 7 years ago
parent
9a76aba02a
commit
a53b42c118
1 changed files with 11 additions and 4 deletions
Unified View Show Diff Stats
  1. 11 4
      net/netfilter/ipvs/ip_vs_core.c

+ 11 - 4
net/netfilter/ipvs/ip_vs_core.c
View File 

@@ -1972,13 +1972,20 @@ ip_vs_in(struct netns_ipvs *ipvs, unsigned int hooknum, struct sk_buff *skb, int
 
 	if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
 
 	if (cp->dest && !(cp->dest->flags & IP_VS_DEST_F_AVAILABLE)) {
 
 		/* the destination server is not available */
 
 		/* the destination server is not available */
 
 
 
-		if (sysctl_expire_nodest_conn(ipvs)) {
 
+		__u32 flags = cp->flags;
 
+
 
+		/* when timer already started, silently drop the packet.*/
 
+		if (timer_pending(&cp->timer))
 
+			__ip_vs_conn_put(cp);
 
+		else
 
+			ip_vs_conn_put(cp);
 
+
 
+		if (sysctl_expire_nodest_conn(ipvs) &&
 
+		    !(flags & IP_VS_CONN_F_ONE_PACKET)) {
 
 			/* try to expire the connection immediately */
 
 			/* try to expire the connection immediately */
 
 			ip_vs_conn_expire_now(cp);
 
 			ip_vs_conn_expire_now(cp);
 
 		}
 
 		}
 
-		/* don't restart its timer, and silently
 
-		   drop the packet. */
 
-		__ip_vs_conn_put(cp);
 
+
 
 		return NF_DROP;
 
 		return NF_DROP;
 
 	}
 
 	}