Original commit:
  Subject: [PATCH 09837/10555] [net] netfilter: nf_conntrack: don't resize NULL
   or freed hashtable
  Message-id: 
<b7df5ca78f8c8002d0ef509ec862c926426a18e1.1533642760.git.dcara...@redhat.com>
  Patchwork-id: 226249
  O-Subject: [RHEL7.6 net] netfilter: nf_conntrack: don't resize NULL or freed 
hashtable
  Bugzilla: 1601662
  RH-Acked-by: Marcelo Leitner <mleit...@redhat.com>
  RH-Acked-by: Xin Long <l...@redhat.com>
  RH-Acked-by: Stefano Brivio <sbri...@redhat.com>
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1601662
  Upstream Status: RHEL-only, but it's functionally equivalent to net.git 
2045cdfa1b40
  Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=17639414
  Tested: as reported in the bugzilla reproducer, with the following command:
   # while true; do
   > modprobe -r iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_conntrack
   > modprobe nf_conntrack hashsize=16384 hashsize=16384
   > done
  the reported problem was fixed upstream with commit 2045cdfa1b40 ("netfilter:
  nf_conntrack: Fix possible possible crash on module loading."). The backport
  is not trivial, because each namespace has its own conntrack hash table, as
  RHEL does not have upstream commit 56d52d4892d0 ("netfilter: conntrack: use
  a single hashtable for all namespaces"). Use a static copy of init_net.ct.hash
  to discriminate whether the kernel is allowed to resize the hash table, or
  simply store the future hashtable size.
  Signed-off-by: Davide Caratti <dcara...@redhat.com>
  Signed-off-by: Timothy Redaelli <tredae...@redhat.com>
  Signed-off-by: Bruno E. O. Meneguele <bme...@redhat.com>

We revert this patch because we are going to backport upstream ("ms") commit
56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all
namespaces").

After the backport we'll fix this issue with ms commit
2045cdfa1b40 ("netfilter: nf_conntrack: Fix possible possible crash on module
loading.")

https://jira.sw.ru/browse/PSBM-103515

Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>
---
 net/netfilter/nf_conntrack_core.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)

diff --git a/net/netfilter/nf_conntrack_core.c 
b/net/netfilter/nf_conntrack_core.c
index 86f6227369170..b69f673cdb6c5 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -75,9 +75,6 @@ EXPORT_SYMBOL_GPL(nf_conntrack_locks);
 __cacheline_aligned_in_smp DEFINE_SPINLOCK(nf_conntrack_expect_lock);
 EXPORT_SYMBOL_GPL(nf_conntrack_expect_lock);
 
-/* RHEL: local copy of init_net.ct.hash */
-static struct hlist_nulls_head *nf_conntrack_hash;
-
 static __read_mostly seqcount_t nf_conntrack_generation;
 
 static void nf_conntrack_double_unlock(unsigned int h1, unsigned int h2)
@@ -1594,10 +1591,6 @@ static int kill_all(struct nf_conn *i, void *data)
 
 void nf_ct_free_hashtable(void *hash, unsigned int size)
 {
-       /* RHEL: disallow resizing */
-       if (hash == nf_conntrack_hash)
-               nf_conntrack_hash = NULL;
-
        if (is_vmalloc_addr(hash))
                vfree(hash);
        else
@@ -1742,7 +1735,7 @@ int nf_conntrack_set_hashsize(const char *val, struct 
kernel_param *kp)
                return -EOPNOTSUPP;
 
        /* On boot, we can set this without any fancy locking. */
-       if (!nf_conntrack_hash)
+       if (!nf_conntrack_htable_size)
                return param_set_uint(val, kp);
 
        rc = kstrtouint(val, 0, &hashsize);
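Review bot: Restoring `if (!nf_conntrack_htable_size)` as the boot-time guard reopens the crash this RHEL-only change was added for: a second `hashsize=` on the modprobe line, or any set before module init, finds nf_conntrack_htable_size already non-zero and falls through to the resize path while no hash table has been allocated yet, which is the reproducer quoted in the commit message. The description says this is only acceptable because 56d52d4892d0 and 2045cdfa1b40 follow, so the tree is broken for that reproducer at this commit; the three patches should land as one series with no shippable build between them, or the revert should be squashed into the follow-up. If an interim guard is wanted, `if (!nf_conntrack_htable_size || !init_net.ct.hash)` would keep the early return on the parameter-before-init path, assuming init_net.ct.hash is still NULL before nf_conntrack_init_net runs (the later hunk suggests that is where the per-namespace table comes from, but its allocation and the unload path are not visible here). nf_conntrack_set_hashsize starts before this hunk and continues past it.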
@@ -1788,8 +1781,6 @@ int nf_conntrack_set_hashsize(const char *val, struct 
kernel_param *kp)
 
        synchronize_net();
        nf_ct_free_hashtable(old_hash, old_size);
-       /* RHEL: re-allow resizing */
-       nf_conntrack_hash = hash;
        return 0;
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
@@ -1979,9 +1970,6 @@ int nf_conntrack_init_net(struct net *net)
        ret = nf_conntrack_proto_pernet_init(net);
        if (ret < 0)
                goto err_proto;
-       /* RHEL: allow resizing */
-       if (net == &init_net)
-               nf_conntrack_hash = net->ct.hash;
        return 0;
 
 err_proto:
-- 
2.15.1
