git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob - releases/4.15.10/netfilter-ipt_clusterip-fix-a-race-condition-of-proc-file-creation.patch
1 From b3e456fce9f51d6276e576d00271e2813c1b8b67 Mon Sep 17 00:00:00 2001
2 From: Cong Wang <xiyou.wangcong@gmail.com>
3 Date: Wed, 7 Feb 2018 21:59:17 -0800
4 Subject: netfilter: ipt_CLUSTERIP: fix a race condition of proc file creation
5
6 From: Cong Wang <xiyou.wangcong@gmail.com>
7
8 commit b3e456fce9f51d6276e576d00271e2813c1b8b67 upstream.
9
10 There is a race condition between clusterip_config_entry_put()
11 and clusterip_config_init(), after we release the spinlock in
12 clusterip_config_entry_put(), a new proc file with the same IP could
13 be created immediately since it is already removed from the configs
14 list, therefore it triggers this warning:
15
16 ------------[ cut here ]------------
17 proc_dir_entry 'ipt_CLUSTERIP/172.20.0.170' already registered
18 WARNING: CPU: 1 PID: 4152 at fs/proc/generic.c:330 proc_register+0x2a4/0x370 fs/proc/generic.c:329
19 Kernel panic - not syncing: panic_on_warn set ...
20
21 As a quick fix, just move the proc_remove() inside the spinlock.
22
23 Reported-by: <syzbot+03218bcdba6aa76441a3@syzkaller.appspotmail.com>
24 Fixes: 6c5d5cfbe3c5 ("netfilter: ipt_CLUSTERIP: check duplicate config when initializing")
25 Tested-by: Paolo Abeni <pabeni@redhat.com>
26 Cc: Xin Long <lucien.xin@gmail.com>
27 Cc: Pablo Neira Ayuso <pablo@netfilter.org>
28 Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
29 Reviewed-by: Xin Long <lucien.xin@gmail.com>
30 Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
31 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
32
33 ---
34 net/ipv4/netfilter/ipt_CLUSTERIP.c | 12 ++++++------
35 1 file changed, 6 insertions(+), 6 deletions(-)
36
37 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
38 +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
39 @@ -107,12 +107,6 @@ clusterip_config_entry_put(struct net *n
40
41 local_bh_disable();
42 if (refcount_dec_and_lock(&c->entries, &cn->lock)) {
43 - list_del_rcu(&c->list);
44 - spin_unlock(&cn->lock);
45 - local_bh_enable();
46 -
47 - unregister_netdevice_notifier(&c->notifier);
48 -
49 /* In case anyone still accesses the file, the open/close
50 * functions are also incrementing the refcount on their own,
51 * so it's safe to remove the entry even if it's in use. */
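Review bot: the comment kept as context at the end of this hunk only explains why removing the proc entry is safe while the file is in use. With the list_del_rcu() and spin_unlock() lines removed from above it, nothing in the code records that proc_remove() must now run before the entry leaves the configs list and before cn->lock is dropped. Suggest extending the comment to state that ordering and its reason (a concurrent clusterip_config_init() for the same IP would otherwise register a duplicate proc entry and hit the warning quoted in the commit message), so a later cleanup does not move the unlock back up.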
52 @@ -120,6 +114,12 @@ clusterip_config_entry_put(struct net *n
53 if (cn->procdir)
54 proc_remove(c->pde);
55 #endif
56 + list_del_rcu(&c->list);
57 + spin_unlock(&cn->lock);
58 + local_bh_enable();
59 +
60 + unregister_netdevice_notifier(&c->notifier);
61 +
62 return;
63 }
64 local_bh_enable();
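Review bot: proc_remove(c->pde) now runs in atomic context, between refcount_dec_and_lock(&c->entries, &cn->lock) and the spin_unlock(&cn->lock) added in this hunk, with bottom halves still disabled. Removing a proc entry can block while it waits for in-flight users of the file, so this needs either a stated reason why it cannot sleep on this path or a follow-up that closes the race without holding the spinlock across the removal. The commit message already calls this a quick fix; suggest tracking the proper fix and exercising this path with CONFIG_DEBUG_ATOMIC_SLEEP enabled before relying on it.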