On Thu, Oct 25, 2018 at 7:56 AM Taehee Yoo <ap420073@xxxxxxxxx> wrote:
>
> nf_conncount_tuple is an element of nft_connlimit and that is deleted by
> conn_free(). Elements can be deleted by both the GC routine and
> data path functions (nf_conncount_lookup, nf_conncount_add) and they
> call conn_free() to free elements.
> But conn_free() only protects lists, not each element.
> So list_del corruption could occur.
>
> conn_free() doesn't check whether an element is already deleted.
> In order to protect elements, a dead flag is added.
> If an element is deleted, the dead flag is set.
> Only conn_free() can delete elements, so both the list lock and
> the dead flag are enough to protect it.
>
> test commands:
>    %nft add table ip filter
>    %nft add chain ip filter input { type filter hook input priority 0\; }
>    %nft add rule filter input meter test { ip id ct count over 2 } counter
>
> [ ... ]
>
> Fixes: 5c789e131cbb ("netfilter: nf_conncount: Add list lock and gc worker, and RCU for init tree search")
> Signed-off-by: Taehee Yoo <ap420073@xxxxxxxxx>
> ---

LGTM.

Acked-by: Yi-Hung Wei <yihung.wei@xxxxxxxxx>
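The dead-flag guard described in the quoted commit message, as an added user-space C model that is not part of this thread or of the kernel patch. The struct and function names are hypothetical, a C11 `atomic_flag` stands in for the list spinlock, and memory reclamation is left out.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* User-space model, hypothetical names; not the kernel's nf_conncount code. */
struct conn { struct conn *prev, *next; bool dead; };
struct conn_list { struct conn head; atomic_flag lock; unsigned int count; };

static void conn_list_init(struct conn_list *l)
{
    l->head.prev = l->head.next = &l->head;
    l->count = 0;
    atomic_flag_clear(&l->lock);
}

static void conn_add(struct conn_list *l, struct conn *c)
{
    while (atomic_flag_test_and_set(&l->lock)) { }   /* take the list lock */
    *c = (struct conn){ .prev = l->head.prev, .next = &l->head, .dead = false };
    c->prev->next = c;
    l->head.prev = c;
    l->count++;
    atomic_flag_clear(&l->lock);
}

/* Returns true only for the caller that actually unlinked the element. */
static bool conn_free_model(struct conn_list *l, struct conn *c)
{
    while (atomic_flag_test_and_set(&l->lock)) { }
    bool first = !c->dead;          /* a later caller sees dead and backs off */
    if (first) {
        c->dead = true;
        c->prev->next = c->next;
        c->next->prev = c->prev;
        c->prev = c->next = NULL;   /* poisoned: a second unlink would fault */
        l->count--;
    }
    atomic_flag_clear(&l->lock);
    return first;
}

int main(void)
{
    struct conn_list l;
    struct conn a;
    conn_list_init(&l);
    conn_add(&l, &a);
    bool gc = conn_free_model(&l, &a);        /* GC routine frees a */
    bool datapath = conn_free_model(&l, &a);  /* data path holds the same pointer */
    return (gc && !datapath && l.count == 0) ? 0 : 1;
}
```

Without the `dead` check, the second call would dereference the poisoned pointers and decrement `count` twice, which is the list corruption the commit message describes.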