git.ipfire.org Git - thirdparty/kernel/linux.git/commit

author	Julian Anastasov <ja@ssi.bg>
	Thu, 30 Apr 2026 07:44:13 +0000 (10:44 +0300)
committer	Pablo Neira Ayuso <pablo@netfilter.org>
	Mon, 4 May 2026 23:52:55 +0000 (01:52 +0200)
commit	afbd961305eb483515650ccfcb7743608e7add78
tree	b23174b7123d7014fa1a4a1f187ffea9f31ea56c	tree \| snapshot
parent	bd3a4795d5744f59a1f485379f1303e5e606f377	commit \| diff

ipvs: fixes for the new ip_vs_status info

Sashiko reports some problems for the recently added
/proc/net/ip_vs_status:

* ip_vs_status_show() as a table reader may run long after the
conn_tab and svc_table table are released. While ip_vs_conn_flush()
properly changes the conn_tab_changes counter when conn_tab is removed,
ip_vs_del_service() and ip_vs_flush() were missing such change for
the svc_table_changes counter. As result, readers like
ip_vs_dst_event() and ip_vs_status_show() may continue to use
a freed table after a cond_resched_rcu() call.

* While counting the buckets in ip_vs_status_show() make sure we
traverse only the needed number of entries in the chain. This also
prevents possible overflow of the 'count' variable.

* Add check for 'loops' to prevent infinite loops while restarting
the traversal on table change.

* While IP_VS_CONN_TAB_MAX_BITS is 20 on 32-bit platforms and
there is no risk to overflow when multiplying the number of
conn_tab buckets to 100, prefer the div_u64() helper to make
the following dividing safer.

* Use 0440 permissions for ip_vs_status to restrict the
info only to root due to the exported information for hash
distribution.

Link: https://sashiko.dev/#/patchset/20260410112352.23599-1-fw%40strlen.de
Fixes: 9a9ccef907a7 ("ipvs: add ip_vs_status info")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>