Connections leaving the established state (due to RST / FIN TCP packets) set the flow table teardown flag. The packet path continues to set a lower timeout value as per the new TCP state but the offload flag remains set. Hence, the conntrack garbage collector may race to undo the timeout adjustment of the packet path, leaving the conntrack entry in place with the internal offload timeout (one day).

Return the connection's ownership to conntrack upon teardown by clearing the offload flag and fixing the established timeout value. The flow table GC thread will asynchronously free the flow table and hardware offload entries.

Fixes: 1e5b2471bcc4 ("netfilter: nf_flow_table: teardown flow timeout race")
Signed-off-by: Oz Shlomo <ozsh@xxxxxxxxxx>
Reviewed-by: Paul Blakey <paulb@xxxxxxxxxx>
--- net/netfilter/nf_flow_table_core.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net/netfilter/nf_flow_table_core.c b/net/netfilter/nf_flow_table_core.c index 3db256da919b..ef080dbd4fd0 100644 --- a/net/netfilter/nf_flow_table_core.c +++ b/net/netfilter/nf_flow_table_core.c @@ -375,6 +375,9 @@ void flow_offload_teardown(struct flow_offload *flow) set_bit(NF_FLOW_TEARDOWN, &flow->flags); flow_offload_fixup_ct_state(flow->ct); + flow_offload_fixup_ct_timeout(flow->ct); + + clear_bit(IPS_OFFLOAD_BIT, &flow->ct->status); } EXPORT_SYMBOL_GPL(flow_offload_teardown); -- 1.8.3.1
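
Review bot: The order of the two added calls at the end of flow_offload_teardown() leaves a window for the race the commit message describes: flow_offload_fixup_ct_timeout(flow->ct) runs while IPS_OFFLOAD_BIT is still set, so the conntrack garbage collector can still treat the entry as offloaded and overwrite the timeout before clear_bit() executes. Consider clearing IPS_OFFLOAD_BIT first and fixing up the timeout afterwards, or state in the commit message why this order is safe. clear_bit() also implies no memory barrier, so if a concurrent reader depends on the order of the timeout store and the flag clear, an explicit barrier such as smp_mb__before_atomic() is needed. A one-line comment above the clear_bit() saying that ownership returns to conntrack at this point would help the next reader.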