Original commit:
Subject: [PATCH 09837/10555] [net] netfilter: nf_conntrack: don't resize NULL or freed hashtable
Message-id: <b7df5ca78f8c8002d0ef509ec862c926426a18e1.1533642760.git.dcara...@redhat.com>
Patchwork-id: 226249
O-Subject: [RHEL7.6 net] netfilter: nf_conntrack: don't resize NULL or freed hashtable
Bugzilla: 1601662
RH-Acked-by: Marcelo Leitner <mleit...@redhat.com>
RH-Acked-by: Xin Long <l...@redhat.com>
RH-Acked-by: Stefano Brivio <sbri...@redhat.com>

Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1601662
Upstream Status: RHEL-only, but it's functionally equivalent to net.git 2045cdfa1b40
Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=17639414
Tested: as reported in the bugzilla reproducer, with the following command:

 # while true; do
 > modprobe -r iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_conntrack
 > modprobe nf_conntrack hashsize=16384 hashsize=16384
 > done

the reported problem was fixed upstream with commit 2045cdfa1b40 ("netfilter: nf_conntrack: Fix possible possible crash on module loading."). The backport is not trivial, because each namespace has its own conntrack hash table, as RHEL does not have upstream commit 56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all namespaces"). Use a static copy of init_net.ct.hash to discriminate whether the kernel is allowed to resize the hash table, or simply store the future hashtable size.

Signed-off-by: Davide Caratti <dcara...@redhat.com>
Signed-off-by: Timothy Redaelli <tredae...@redhat.com>
Signed-off-by: Bruno E. O. Meneguele <bme...@redhat.com>
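The mechanism the original commit describes (the hashsize= setter running twice before the module's init has allocated the table, and the RHEL-only pointer guard versus the size check), as an added userspace model that is neither the kernel's code nor part of either commit; `init_ct_hash`, `module_init_model` and `modprobe_twice` are stand-ins constructed for this example.

```c
/* Constructed userspace model of the two boot-time guards (not kernel code;
 * names are stand-ins). Module parameters are parsed before module init, so
 * "hashsize=16384 hashsize=16384" calls the setter twice on a NULL table. */
#include <stdlib.h>
static void **init_ct_hash;                       /* stands in for init_net.ct.hash */
static unsigned int nf_conntrack_htable_size;     /* parameter backing store */
static void **nf_conntrack_hash;                  /* RHEL-only copy of the table */

/* Returns 0 on success, -1 where the kernel would oops walking a NULL table. */
static int resize_table(unsigned int new_size)
{
    if (!init_ct_hash) return -1;
    free(init_ct_hash);
    init_ct_hash = calloc(new_size, sizeof(void *));
    nf_conntrack_htable_size = new_size;
    nf_conntrack_hash = init_ct_hash;             /* RHEL: re-allow resizing */
    return 0;
}
/* Guard restored by the revert: "is a size already recorded?" */
int set_hashsize_by_size(unsigned int val)
{
    if (nf_conntrack_htable_size)                 /* 2nd call: table still NULL */
        return resize_table(val);
    nf_conntrack_htable_size = val;               /* 1st call: just record it */
    return 0;
}
/* Guard from the reverted RHEL patch: "does a table exist yet?" */
int set_hashsize_by_ptr(unsigned int val)
{
    if (nf_conntrack_hash)
        return resize_table(val);
    nf_conntrack_htable_size = val;
    return 0;
}
/* Module init model: allocate with the recorded size, then allow resizing. */
void module_init_model(void)
{
    init_ct_hash = calloc(nf_conntrack_htable_size, sizeof(void *));
    nf_conntrack_hash = init_ct_hash;
}
/* Fresh "modprobe" with the parameter repeated; returns the 2nd setter result. */
int modprobe_twice(int (*setter)(unsigned int), unsigned int n)
{
    free(init_ct_hash);
    init_ct_hash = nf_conntrack_hash = NULL;
    nf_conntrack_htable_size = 0;
    setter(n);
    return setter(n);
}
```

With the size-based guard the second setter call takes the resize path on a NULL table (the model returns -1 where the kernel oopses); with the pointer-based guard both calls just record the size, and resizing works once init has run.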
We roll the patch back because we are going to backport ms commit 56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all namespaces") After the backport we'll fix this issue with ms commit 2045cdfa1b40 ("netfilter: nf_conntrack: Fix possible possible crash on module loading.") https://jira.sw.ru/browse/PSBM-103515 Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com> --- net/netfilter/nf_conntrack_core.c | 14 +------------- 1 file changed, 1 insertion(+), 13 deletions(-) diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c index 86f6227369170..b69f673cdb6c5 100644 --- a/net/netfilter/nf_conntrack_core.c +++ b/net/netfilter/nf_conntrack_core.c @@ -75,9 +75,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_locks); __cacheline_aligned_in_smp DEFINE_SPINLOCK(nf_conntrack_expect_lock); EXPORT_SYMBOL_GPL(nf_conntrack_expect_lock); -/* RHEL: local copy of init_net.ct.hash */ -static struct hlist_nulls_head *nf_conntrack_hash; - static __read_mostly seqcount_t nf_conntrack_generation; static void nf_conntrack_double_unlock(unsigned int h1, unsigned int h2) @@ -1594,10 +1591,6 @@ static int kill_all(struct nf_conn *i, void *data) void nf_ct_free_hashtable(void *hash, unsigned int size) { - /* RHEL: disallow resizing */ - if (hash == nf_conntrack_hash) - nf_conntrack_hash = NULL; - if (is_vmalloc_addr(hash)) vfree(hash); else @@ -1742,7 +1735,7 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp) return -EOPNOTSUPP; /* On boot, we can set this without any fancy locking. */ - if (!nf_conntrack_hash) + if (!nf_conntrack_htable_size) return param_set_uint(val, kp); rc = kstrtouint(val, 0, &hashsize); @@ -1788,8 +1781,6 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp) synchronize_net(); nf_ct_free_hashtable(old_hash, old_size); - /* RHEL: re-allow resizing */ - nf_conntrack_hash = hash; return 0; } EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize); 
@@ -1979,9 +1970,6 @@ int nf_conntrack_init_net(struct net *net) ret = nf_conntrack_proto_pernet_init(net); if (ret < 0) goto err_proto; - /* RHEL: allow resizing */ - if (net == &init_net) - nf_conntrack_hash = net->ct.hash; return 0; err_proto: -- 2.15.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
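Review bot: the commit message should state that the @@ -75,9 hunk, which drops the `static struct hlist_nulls_head *nf_conntrack_hash;` declaration, is part of a complete revert of the RHEL-only change: every remaining user is removed by the other hunks (the NULL-ing in nf_ct_free_hashtable(), the guard and the re-assignment in nf_conntrack_set_hashsize(), the init_net assignment in nf_conntrack_init_net()), and the diffstat of 1 insertion and 13 deletions matches those hunks, so no dangling reference is left to break the build.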
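Review bot: with `if (hash == nf_conntrack_hash) nf_conntrack_hash = NULL;` gone from nf_ct_free_hashtable() in the @@ -1594,10 hunk, nothing records that a table has been freed, which is the "freed hashtable" half of the original subject ("don't resize NULL or freed hashtable"); the commit message only names 2045cdfa1b40 ("crash on module loading"), so it should also say that the freed-table case is knowingly accepted until 56d52d4892d0 lands, or confirm the follow-up covers it.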
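Review bot: restoring `if (!nf_conntrack_htable_size)` as the boot-time guard in the @@ -1742,7 hunk reintroduces the failure the quoted message reproduces with `modprobe nf_conntrack hashsize=16384 hashsize=16384`: the first hashsize= goes through param_set_uint() and leaves nf_conntrack_htable_size non-zero, so the second takes the kstrtouint()/resize path while the table has not been allocated yet. Between this commit and the backport of 2045cdfa1b40 the tree therefore carries a known crash; keep the two adjacent in the series (or squash the revert into that backport) so a bisect cannot land on a crashing kernel.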
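Review bot: no unwinding is needed on the err_proto: path for the lines removed in the @@ -1979,9 hunk, since `nf_conntrack_hash = net->ct.hash;` only ran after nf_conntrack_proto_pernet_init(net) succeeded, so the error path is unaffected; for the same reason the revert leaves no init-time "resizing allowed" marker at all, and its correctness now rests entirely on the later backports of 56d52d4892d0 and 2045cdfa1b40, which the PSBM-103515 reference should link explicitly.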