Commit afbd961
ipvs: fixes for the new ip_vs_status info

Sashiko reports some problems for the recently added
/proc/net/ip_vs_status:

* ip_vs_status_show() as a table reader may run long after the
  conn_tab and svc_table tables are released. While ip_vs_conn_flush()
  properly changes the conn_tab_changes counter when conn_tab is removed,
  ip_vs_del_service() and ip_vs_flush() were missing such change for
  the svc_table_changes counter. As a result, readers like
  ip_vs_dst_event() and ip_vs_status_show() may continue to use
  a freed table after a cond_resched_rcu() call.

* While counting the buckets in ip_vs_status_show() make sure we
  traverse only the needed number of entries in the chain. This also
  prevents possible overflow of the 'count' variable.

* Add check for 'loops' to prevent infinite loops while restarting
  the traversal on table change.

* While IP_VS_CONN_TAB_MAX_BITS is 20 on 32-bit platforms and
  there is no risk of overflow when multiplying the number of
  conn_tab buckets by 100, prefer the div_u64() helper to make
  the following division safer.

* Use 0440 permissions for ip_vs_status to restrict the
  info only to root due to the exported information for hash
  distribution.

Link: https://sashiko.dev/#/patchset/20260410112352.23599-1-fw%40strlen.de
Fixes: 9a9ccef ("ipvs: add ip_vs_status info")
Signed-off-by: Julian Anastasov <ja@ssi.bg>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

1 parent bd3a479 commit afbd961
1 file changed
Lines changed: 36 additions & 15 deletions
| Original file line number | Diff line number | Diff line change | |
|---|---|---|---|
| |||
2032 | 2032 | | |
2033 | 2033 | | |
2034 | 2034 | | |
| 2035 | + | |
| 2036 | + | |
| 2037 | + | |
2035 | 2038 | | |
2036 | 2039 | | |
2037 | 2040 | | |
| |||
2078 | 2081 | | |
2079 | 2082 | | |
2080 | 2083 | | |
| 2084 | + | |
| 2085 | + | |
| 2086 | + | |
2081 | 2087 | | |
2082 | 2088 | | |
2083 | 2089 | | |
| |||
3004 | 3010 | | |
3005 | 3011 | | |
3006 | 3012 | | |
3007 | | - | |
| 3013 | + | |
| 3014 | + | |
3008 | 3015 | | |
3009 | 3016 | | |
3010 | 3017 | | |
| |||
3020 | 3027 | | |
3021 | 3028 | | |
3022 | 3029 | | |
| 3030 | + | |
3023 | 3031 | | |
3024 | 3032 | | |
3025 | 3033 | | |
| |||
3032 | 3040 | | |
3033 | 3041 | | |
3034 | 3042 | | |
3035 | | - | |
| 3043 | + | |
3036 | 3044 | | |
| 3045 | + | |
| 3046 | + | |
| 3047 | + | |
3037 | 3048 | | |
3038 | 3049 | | |
3039 | 3050 | | |
| |||
3042 | 3053 | | |
3043 | 3054 | | |
3044 | 3055 | | |
| 3056 | + | |
| 3057 | + | |
| 3058 | + | |
3045 | 3059 | | |
3046 | 3060 | | |
3047 | 3061 | | |
3048 | 3062 | | |
3049 | | - | |
| 3063 | + | |
3050 | 3064 | | |
3051 | 3065 | | |
3052 | 3066 | | |
3053 | 3067 | | |
3054 | 3068 | | |
3055 | | - | |
3056 | | - | |
| 3069 | + | |
| 3070 | + | |
3057 | 3071 | | |
3058 | 3072 | | |
3059 | 3073 | | |
3060 | | - | |
| 3074 | + | |
3061 | 3075 | | |
3062 | | - | |
| 3076 | + | |
3063 | 3077 | | |
3064 | 3078 | | |
3065 | 3079 | | |
3066 | 3080 | | |
3067 | 3081 | | |
3068 | 3082 | | |
3069 | | - | |
| 3083 | + | |
3070 | 3084 | | |
3071 | 3085 | | |
3072 | 3086 | | |
3073 | 3087 | | |
3074 | 3088 | | |
3075 | 3089 | | |
| 3090 | + | |
3076 | 3091 | | |
3077 | 3092 | | |
3078 | 3093 | | |
| |||
3086 | 3101 | | |
3087 | 3102 | | |
3088 | 3103 | | |
3089 | | - | |
| 3104 | + | |
3090 | 3105 | | |
| 3106 | + | |
| 3107 | + | |
| 3108 | + | |
3091 | 3109 | | |
3092 | 3110 | | |
3093 | 3111 | | |
| |||
3096 | 3114 | | |
3097 | 3115 | | |
3098 | 3116 | | |
| 3117 | + | |
| 3118 | + | |
| 3119 | + | |
3099 | 3120 | | |
3100 | 3121 | | |
3101 | 3122 | | |
3102 | 3123 | | |
3103 | | - | |
| 3124 | + | |
3104 | 3125 | | |
3105 | 3126 | | |
3106 | 3127 | | |
3107 | 3128 | | |
3108 | 3129 | | |
3109 | | - | |
3110 | | - | |
| 3130 | + | |
| 3131 | + | |
3111 | 3132 | | |
3112 | 3133 | | |
3113 | 3134 | | |
3114 | | - | |
| 3135 | + | |
3115 | 3136 | | |
3116 | | - | |
| 3137 | + | |
3117 | 3138 | | |
3118 | 3139 | | |
3119 | 3140 | | |
| |||
5039 | 5060 | | |
5040 | 5061 | | |
5041 | 5062 | | |
5042 | | - | |
| 5063 | + | |
5043 | 5064 | | |
5044 | 5065 | | |
5045 | 5066 | | |
| |||