[rh7,06/19] revert RH patch 9837-net-netfilter-nf_conntrack-don-t-resize-NULL-or-free.patch

Submitted by Konstantin Khorenko on May 22, 2020, 8:10 a.m.

Details

Message ID 20200522081056.28326-7-khorenko@virtuozzo.com
State New
Series "netfilter: conntrack: fix false-positive compiler warning in early_drop()"

Commit Message

Konstantin Khorenko May 22, 2020, 8:10 a.m.
Original commit:
  Subject: [PATCH 09837/10555] [net] netfilter: nf_conntrack: don't resize NULL
   or freed hashtable
  Message-id: <b7df5ca78f8c8002d0ef509ec862c926426a18e1.1533642760.git.dcaratti@redhat.com>
  Patchwork-id: 226249
  O-Subject: [RHEL7.6 net] netfilter: nf_conntrack: don't resize NULL or freed hashtable
  Bugzilla: 1601662
  RH-Acked-by: Marcelo Leitner <mleitner@redhat.com>
  RH-Acked-by: Xin Long <lxin@redhat.com>
  RH-Acked-by: Stefano Brivio <sbrivio@redhat.com>
  Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=1601662
  Upstream Status: RHEL-only, but it's functionally equivalent to net.git 2045cdfa1b40
  Brew: https://brewweb.engineering.redhat.com/brew/taskinfo?taskID=17639414
  Tested: as reported in the bugzilla reproducer, with the following command:
   # while true; do
   > modprobe -r iptable_nat nf_nat_ipv4 nf_nat nf_conntrack_ipv4 nf_conntrack
   > modprobe nf_conntrack hashsize=16384 hashsize=16384
   > done
  the reported problem was fixed upstream with commit 2045cdfa1b40 ("netfilter:
  nf_conntrack: Fix possible possible crash on module loading."). The backport
  is not trivial, because each namespace has its own conntrack hash table, as
  RHEL does not have upstream commit 56d52d4892d0 ("netfilter: conntrack: use
  a single hashtable for all namespaces"). Use a static copy of init_net.ct.hash
  to discriminate whether the kernel is allowed to resize the hash table, or
  simply store the future hashtable size.
  Signed-off-by: Davide Caratti <dcaratti@redhat.com>
  Signed-off-by: Timothy Redaelli <tredaelli@redhat.com>
  Signed-off-by: Bruno E. O. Meneguele <bmeneg@redhat.com>

We roll the patch back because we are going to backport ms commit
56d52d4892d0 ("netfilter: conntrack: use a single hashtable for all
namespaces").

After the backport we'll fix this issue with ms commit
2045cdfa1b40 ("netfilter: nf_conntrack: Fix possible possible crash on module
loading.").

https://jira.sw.ru/browse/PSBM-103515

Signed-off-by: Konstantin Khorenko <khorenko@virtuozzo.com>
---
 net/netfilter/nf_conntrack_core.c | 14 +-------------
 1 file changed, 1 insertion(+), 13 deletions(-)


diff --git a/net/netfilter/nf_conntrack_core.c b/net/netfilter/nf_conntrack_core.c
index 86f6227369170..b69f673cdb6c5 100644
--- a/net/netfilter/nf_conntrack_core.c
+++ b/net/netfilter/nf_conntrack_core.c
@@ -75,9 +75,6 @@  EXPORT_SYMBOL_GPL(nf_conntrack_locks);
 __cacheline_aligned_in_smp DEFINE_SPINLOCK(nf_conntrack_expect_lock);
 EXPORT_SYMBOL_GPL(nf_conntrack_expect_lock);
 
-/* RHEL: local copy of init_net.ct.hash */
-static struct hlist_nulls_head *nf_conntrack_hash;
-
 static __read_mostly seqcount_t nf_conntrack_generation;
 
 static void nf_conntrack_double_unlock(unsigned int h1, unsigned int h2)
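Review bot: dropping the `nf_conntrack_hash` declaration here turns every remaining use of it in this file into a build error, so the hunks below must land together and the file should be grepped once more for any reference the diff does not touch (the diffstat shows nf_conntrack_core.c is the only file changed, which is consistent with the five hunks). Be explicit in the series that removing this static copy of `init_net.ct.hash` reopens the NULL/freed-table resize that the RHEL patch guarded against until the 2045cdfa1b40 backport follows; the two patches should not be separated or shipped with only the revert applied.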
@@ -1594,10 +1591,6 @@  static int kill_all(struct nf_conn *i, void *data)
 
 void nf_ct_free_hashtable(void *hash, unsigned int size)
 {
-	/* RHEL: disallow resizing */
-	if (hash == nf_conntrack_hash)
-		nf_conntrack_hash = NULL;
-
 	if (is_vmalloc_addr(hash))
 		vfree(hash);
 	else
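Review bot: with the `hash == nf_conntrack_hash` check removed, `nf_ct_free_hashtable()` no longer records that the table is gone, so a write to the hashsize module parameter between this free and the next `nf_conntrack_init_net()` can again reach a freed table through `nf_conntrack_set_hashsize()`. That is the interim state the commit message accepts; it is worth noting in the cover letter that the modprobe loop from the original commit's "Tested:" section will crash at this point in the series until 2045cdfa1b40 is backported.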
@@ -1742,7 +1735,7 @@  int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
 		return -EOPNOTSUPP;
 
 	/* On boot, we can set this without any fancy locking. */
-	if (!nf_conntrack_hash)
+	if (!nf_conntrack_htable_size)
 		return param_set_uint(val, kp);
 
 	rc = kstrtouint(val, 0, &hashsize);
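Review bot: the restored `if (!nf_conntrack_htable_size)` early return treats a non-zero size as proof that a table exists, but the reverted patch was added precisely because the size can be set while `init_net.ct.hash` is still NULL or already freed (the original reproducer loads the module with `hashsize=16384` in a remove/insert loop). Since the original commit message describes the RHEL patch as functionally equivalent to 2045cdfa1b40, that backport will reintroduce a pointer-based check at this same spot; consider applying it immediately after this revert so the known crash window is not left open between the two patches.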
@@ -1788,8 +1781,6 @@  int nf_conntrack_set_hashsize(const char *val, struct kernel_param *kp)
 
 	synchronize_net();
 	nf_ct_free_hashtable(old_hash, old_size);
-	/* RHEL: re-allow resizing */
-	nf_conntrack_hash = hash;
 	return 0;
 }
 EXPORT_SYMBOL_GPL(nf_conntrack_set_hashsize);
@@ -1979,9 +1970,6 @@  int nf_conntrack_init_net(struct net *net)
 	ret = nf_conntrack_proto_pernet_init(net);
 	if (ret < 0)
 		goto err_proto;
-	/* RHEL: allow resizing */
-	if (net == &init_net)
-		nf_conntrack_hash = net->ct.hash;
 	return 0;
 
 err_proto:
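Review bot: this is the last reference to `nf_conntrack_hash`, so the file should build without it once all hunks are applied, and the `net == &init_net` special case removed here is exactly the per-namespace distinction that 56d52d4892d0 eliminates, which is why the revert has to precede that backport. Double-check the `err_*` labels below this hunk for any cleanup the RHEL patch may have added that this revert does not touch; none appears in the diff context, so the revert looks complete as posted.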