author | Neil Horman <nhorman@redhat.com> | 2005-06-28 18:40:02 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-06-28 18:40:02 -0400 |
commit | fb3d89498d268c8dedc1ab5b15fa64f536564577 (patch) | |
tree | 9617e380d284684dc3c8b7264377f67c024e9f92 | |
parent | 689be43945e9ca7dd704522e55af1b8a73a994d3 (diff) |
[IPVS]: Close race conditions on ip_vs_conn_tab list modification
In an SMP system, it is possible for a connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.
Since the list iterator loop in ip_vs_conn_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.
The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.
Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: JulianAnastasov
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/ipv4/ipvs/ip_vs_conn.c | 25 |
1 files changed, 4 insertions, 21 deletions
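--- a/net/ipv4/ipvs/ip_vs_conn.c
+++ b/net/ipv4/ipvs/ip_vs_conn.c
@@ -548,7 +548,6 @@ void ip_vs_conn_expire_now(struct ip_vs_conn *cp)
 {
 if (del_timer(&cp->timer))
 mod_timer(&cp->timer, jiffies);
-__ip_vs_conn_put(cp);
 }
 
 
@@ -764,7 +763,6 @@ void ip_vs_random_dropentry(void)
 {
 int idx;
 struct ip_vs_conn *cp;
-struct ip_vs_conn *ct;
 
 /*
 * Randomly scan 1/32 of the whole table every second
@@ -801,21 +799,12 @@ void ip_vs_random_dropentry(void)
 continue;
 }
 
-/*
-* Drop the entry, and drop its ct if not referenced
-*/
-atomic_inc(&cp->refcnt);
-ct_write_unlock(hash);
-
-if ((ct = cp->control))
-atomic_inc(&ct->refcnt);
 IP_VS_DBG(4, "del connection\n");
 ip_vs_conn_expire_now(cp);
-if (ct) {
+if (cp->control) {
 IP_VS_DBG(4, "del conn template\n");
-ip_vs_conn_expire_now(ct);
+ip_vs_conn_expire_now(cp->control);
 }
-ct_write_lock(hash);
 }
 ct_write_unlock(hash);
 }
@@ -829,7 +818,6 @@ static void ip_vs_conn_flush(void)
 {
 int idx;
 struct ip_vs_conn *cp;
-struct ip_vs_conn *ct;
 
 flush_again:
 for (idx=0; idx<IP_VS_CONN_TAB_SIZE; idx++) {
@@ -839,18 +827,13 @@ static void ip_vs_conn_flush(void)
 ct_write_lock_bh(idx);
 
 list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
-atomic_inc(&cp->refcnt);
-ct_write_unlock(idx);
 
-if ((ct = cp->control))
-atomic_inc(&ct->refcnt);
 IP_VS_DBG(4, "del connection\n");
 ip_vs_conn_expire_now(cp);
-if (ct) {
+if (cp->control) {
 IP_VS_DBG(4, "del conn template\n");
-ip_vs_conn_expire_now(ct);
+ip_vs_conn_expire_now(cp->control);
 }
-ct_write_lock(idx);
 }
 ct_write_unlock_bh(idx);
 }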
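Review bot: ip_vs_conn_expire_now() no longer consumes a reference once `__ip_vs_conn_put(cp)` is removed, but the function is non-static and nothing records the new contract. A caller outside these hunks that still does `atomic_inc(&cp->refcnt)` before calling it would leave the count raised, which would presumably keep the entry from ever being released. I would add a comment above the function such as `/* Only re-arms the timer; does not drop a reference, so callers must not take one for this call. */` and check every call site, including any in other files. In ip_vs_random_dropentry() and ip_vs_conn_flush() the walk now appears to depend on the bucket lock staying held for the whole list_for_each_entry pass, so the deleted comment block deserves a replacement along the lines of `/* bucket lock stays held across the walk; do not drop it inside the loop */`. The loop in ip_vs_random_dropentry() starts outside its hunk, so which lock variant it takes is not visible on this page.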