Commit b768b16d authored by Jarno Rajahalme's avatar Jarno Rajahalme Committed by David S. Miller

openvswitch: Fix refcount leak on force commit.

The reference count held for skb needs to be released when the skb's
nfct pointer is cleared regardless of if nf_ct_delete() is called or
not.

Failing to release the skb's reference cound led to deferred conntrack
cleanup spinning forever within nf_conntrack_cleanup_net_list() when
cleaning up a network namespace:

   kworker/u16:0-19025 [004] 45981067.173642: sched_switch: kworker/u16:0:19025 [120] R ==> rcu_preempt:7 [120]
   kworker/u16:0-19025 [004] 45981067.173651: kernel_stack: <stack trace>
=> ___preempt_schedule (ffffffffa001ed36)
=> _raw_spin_unlock_bh (ffffffffa0713290)
=> nf_ct_iterate_cleanup (ffffffffc00a4454)
=> nf_conntrack_cleanup_net_list (ffffffffc00a5e1e)
=> nf_conntrack_pernet_exit (ffffffffc00a63dd)
=> ops_exit_list.isra.1 (ffffffffa06075f3)
=> cleanup_net (ffffffffa0607df0)
=> process_one_work (ffffffffa0084c31)
=> worker_thread (ffffffffa008592b)
=> kthread (ffffffffa008bee2)
=> ret_from_fork (ffffffffa071b67c)

Fixes: dd41d33f ("openvswitch: Add force commit.")
Reported-by: default avatarYang Song <yangsong@vmware.com>
Signed-off-by: default avatarJarno Rajahalme <jarno@ovn.org>
Acked-by: default avatarJoe Stringer <joe@ovn.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 16b8b6de
...@@ -643,8 +643,8 @@ static bool skb_nfct_cached(struct net *net, ...@@ -643,8 +643,8 @@ static bool skb_nfct_cached(struct net *net,
*/ */
if (nf_ct_is_confirmed(ct)) if (nf_ct_is_confirmed(ct))
nf_ct_delete(ct, 0, 0); nf_ct_delete(ct, 0, 0);
else
nf_conntrack_put(&ct->ct_general); nf_conntrack_put(&ct->ct_general);
nf_ct_set(skb, NULL, 0); nf_ct_set(skb, NULL, 0);
return false; return false;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment