Tree - rpms/kernel - CentOS Git server

rpms / kernel

Files

Commit: a95145a328fcb1853e400e89b26d22d23f3f3117

Blob Blame History Raw

 Jon Masters correctly points out that conntrack hash sizes
(nf_conntrack_htable_size) are global (not per-netns) and
modifiable at runtime via /sys/module/nf_conntrack/hashsize .
 
Steps to reproduce:
	clone(CLONE_NEWNET)
	[grow /sys/module/nf_conntrack/hashsize]
	exit()
 
At netns exit we are going to scan random memory for conntracks to be killed.
 
Apparently there is a code which deals with hashtable resize for
init_net (and it was there befode netns conntrack code), so prohibit
hashsize modification if there is more than one netns exists.
 
To change hashtable sizes, you need to reload module.
 
Expectation hashtable size was simply glued to a variable with no code
to rehash expectations, so it was a bug to allow writing to it.
Make "expect_hashsize" readonly.
 
This is temporarily until we figure out what to do.
 
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Cc: stable@kernel.org
---
 
 net/netfilter/nf_conntrack_core.c   |   15 +++++++++++++++
 net/netfilter/nf_conntrack_expect.c |    2 +-
 2 files changed, 16 insertions(+), 1 deletion(-)
 
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -21,6 +21,7 @@
 #include <linux/stddef.h>
 #include <linux/slab.h>
 #include <linux/random.h>
+#include <linux/rtnetlink.h>
 #include <linux/jhash.h>
 #include <linux/err.h>
 #include <linux/percpu.h>
@@ -1198,6 +1199,20 @@ int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
 	if (!nf_conntrack_htable_size)
 		return param_set_uint(val, kp);
 
+	{
+		struct net *net;
+		unsigned int nr;
+
+		nr = 0;
+		rtnl_lock();
+		for_each_net(net)
+			nr++;
+		rtnl_unlock();
+		/* init_net always exists */
+		if (nr != 1)
+			return -EINVAL;
+	}
+
 	hashsize = simple_strtoul(val, NULL, 0);
 	if (!hashsize)
 		return -EINVAL;
--- a/net/netfilter/nf_conntrack_expect.c
+++ b/net/netfilter/nf_conntrack_expect.c
@@ -569,7 +569,7 @@ static void exp_proc_remove(struct net *net)
 #endif /* CONFIG_PROC_FS */
 }
 
-module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);
+module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);
 
 int nf_conntrack_expect_init(struct net *net)
 {

	Jon Masters correctly points out that conntrack hash sizes
	(nf_conntrack_htable_size) are global (not per-netns) and
	modifiable at runtime via /sys/module/nf_conntrack/hashsize .

	Steps to reproduce:
	clone(CLONE_NEWNET)
	[grow /sys/module/nf_conntrack/hashsize]
	exit()

	At netns exit we are going to scan random memory for conntracks to be killed.

	Apparently there is a code which deals with hashtable resize for
	init_net (and it was there befode netns conntrack code), so prohibit
	hashsize modification if there is more than one netns exists.

	To change hashtable sizes, you need to reload module.

	Expectation hashtable size was simply glued to a variable with no code
	to rehash expectations, so it was a bug to allow writing to it.
	Make "expect_hashsize" readonly.

	This is temporarily until we figure out what to do.

	Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
	Cc: stable@kernel.org
	---

	net/netfilter/nf_conntrack_core.c \| 15 +++++++++++++++
	net/netfilter/nf_conntrack_expect.c \| 2 +-
	2 files changed, 16 insertions(+), 1 deletion(-)

	--- a/net/netfilter/nf_conntrack_core.c
	+++ b/net/netfilter/nf_conntrack_core.c
	@@ -21,6 +21,7 @@
	#include <linux/stddef.h>
	#include <linux/slab.h>
	#include <linux/random.h>
	+#include <linux/rtnetlink.h>
	#include <linux/jhash.h>
	#include <linux/err.h>
	#include <linux/percpu.h>
	@@ -1198,6 +1199,20 @@ int nf_conntrack_set_hashsize(const char val, struct kernel_param kp)
	if (!nf_conntrack_htable_size)
	return param_set_uint(val, kp);

	+ {
	+ struct net *net;
	+ unsigned int nr;
	+
	+ nr = 0;
	+ rtnl_lock();
	+ for_each_net(net)
	+ nr++;
	+ rtnl_unlock();
	+ /* init_net always exists */
	+ if (nr != 1)
	+ return -EINVAL;
	+ }
	+
	hashsize = simple_strtoul(val, NULL, 0);
	if (!hashsize)
	return -EINVAL;
	--- a/net/netfilter/nf_conntrack_expect.c
	+++ b/net/netfilter/nf_conntrack_expect.c
	@@ -569,7 +569,7 @@ static void exp_proc_remove(struct net *net)
	#endif /* CONFIG_PROC_FS */
	}

	-module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0600);
	+module_param_named(expect_hashsize, nf_ct_expect_hsize, uint, 0400);

	int nf_conntrack_expect_init(struct net *net)
	{

rpms / kernel

Source Code

Files