releases/4.9.94/netfilter-ctnetlink-fix-incorrect-nf_ct_put-during-hash-resize.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From foo@baz Mon Apr  9 17:09:24 CEST 2018
 From: Liping Zhang <zlpnobody@gmail.com>
 Date: Sun, 21 May 2017 07:22:49 +0800
 Subject: netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize

 From: Liping Zhang <zlpnobody@gmail.com>


 [ Upstream commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 ]

 If nf_conntrack_htable_size was adjusted by the user during the ct
 dump operation, we may invoke nf_ct_put twice for the same ct, i.e.
 the "last" ct. This will cause the ct will be freed but still linked
 in hash buckets.

 It's very easy to reproduce the problem by the following commands:
   # while : ; do
   echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets
   done
   # while : ; do
   conntrack -L
   done
   # iperf -s 127.0.0.1 &
   # iperf -c 127.0.0.1 -P 60 -t 36000

 After a while, the system will hang like this:
   NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184]
   NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382]
   ...

 So at last if we find cb->args[1] is equal to "last", this means hash
 resize happened, then we can set cb->args[1] to 0 to fix the above
 issue.

 Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
 Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
 Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/netfilter/nf_conntrack_netlink.c |    7 ++++++-
  1 file changed, 6 insertions(+), 1 deletion(-)

 --- a/net/netfilter/nf_conntrack_netlink.c
 +++ b/net/netfilter/nf_conntrack_netlink.c
 @@ -890,8 +890,13 @@ restart:
  	}
  out:
  	local_bh_enable();
 -	if (last)
 +	if (last) {
 +		/* nf ct hash resize happened, now clear the leftover. */
 +		if ((struct nf_conn *)cb->args[1] == last)
 +			cb->args[1] = 0;
 +
  		nf_ct_put(last);
 +	}

  	while (i) {
  		i--;
	From foo@baz Mon Apr 9 17:09:24 CEST 2018
	From: Liping Zhang <zlpnobody@gmail.com>
	Date: Sun, 21 May 2017 07:22:49 +0800
	Subject: netfilter: ctnetlink: fix incorrect nf_ct_put during hash resize

	From: Liping Zhang <zlpnobody@gmail.com>


	[ Upstream commit fefa92679dbe0c613e62b6c27235dcfbe9640ad1 ]

	If nf_conntrack_htable_size was adjusted by the user during the ct
	dump operation, we may invoke nf_ct_put twice for the same ct, i.e.
	the "last" ct. This will cause the ct will be freed but still linked
	in hash buckets.

	It's very easy to reproduce the problem by the following commands:
	# while : ; do
	echo $RANDOM > /proc/sys/net/netfilter/nf_conntrack_buckets
	done
	# while : ; do
	conntrack -L
	done
	# iperf -s 127.0.0.1 &
	# iperf -c 127.0.0.1 -P 60 -t 36000

	After a while, the system will hang like this:
	NMI watchdog: BUG: soft lockup - CPU#1 stuck for 22s! [bash:20184]
	NMI watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [iperf:20382]
	...

	So at last if we find cb->args[1] is equal to "last", this means hash
	resize happened, then we can set cb->args[1] to 0 to fix the above
	issue.

	Fixes: d205dc40798d ("[NETFILTER]: ctnetlink: fix deadlock in table dumping")
	Signed-off-by: Liping Zhang <zlpnobody@gmail.com>
	Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
	Signed-off-by: Sasha Levin <alexander.levin@microsoft.com>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/netfilter/nf_conntrack_netlink.c \| 7 ++++++-
	1 file changed, 6 insertions(+), 1 deletion(-)

	--- a/net/netfilter/nf_conntrack_netlink.c
	+++ b/net/netfilter/nf_conntrack_netlink.c
	@@ -890,8 +890,13 @@ restart:
	}
	out:
	local_bh_enable();
	- if (last)
	+ if (last) {
	+ /* nf ct hash resize happened, now clear the leftover. */
	+ if ((struct nf_conn *)cb->args[1] == last)
	+ cb->args[1] = 0;
	+
	nf_ct_put(last);
	+ }

	while (i) {
	i--;