evie/android_kernel_oneplus_msm8998
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

[IPVS]: Close race conditions on ip_vs_conn_tab list modification

Browse source 
In an smp system, it is possible for an connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.

Since the list iterator loop in ip_vs_con_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.

The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.

Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: JulianAnastasov
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Neil Horman 2005-06-28 15:40:02 -07:00 committed by David S. Miller
parent 689be43945
commit fb3d89498d
1 changed files with 4 additions and 21 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

25
net/ipv4/ipvs/ip_vs_conn.c
View file

@ -548,7 +548,6 @@ void ip_vs_conn_expire_now(struct ip_vs_conn *cp)
{ {
if (del_timer(&cp->timer)) if (del_timer(&cp->timer))
mod_timer(&cp->timer, jiffies); mod_timer(&cp->timer, jiffies);
__ip_vs_conn_put(cp);
} }
@ -764,7 +763,6 @@ void ip_vs_random_dropentry(void)
{ {
int idx; int idx;
struct ip_vs_conn *cp; struct ip_vs_conn *cp;
struct ip_vs_conn *ct;
/* /*
* Randomly scan 1/32 of the whole table every second * Randomly scan 1/32 of the whole table every second
@ -801,21 +799,12 @@ void ip_vs_random_dropentry(void)
continue; continue;
} }
/*
* Drop the entry, and drop its ct if not referenced
*/
atomic_inc(&cp->refcnt);
ct_write_unlock(hash);
if ((ct = cp->control))
atomic_inc(&ct->refcnt);
IP_VS_DBG(4, "del connection\n"); IP_VS_DBG(4, "del connection\n");
ip_vs_conn_expire_now(cp); ip_vs_conn_expire_now(cp);
if (ct) { if (cp->control) {
IP_VS_DBG(4, "del conn template\n"); IP_VS_DBG(4, "del conn template\n");
ip_vs_conn_expire_now(ct); ip_vs_conn_expire_now(cp->control);
} }
ct_write_lock(hash);
} }
ct_write_unlock(hash); ct_write_unlock(hash);
} }
@ -829,7 +818,6 @@ static void ip_vs_conn_flush(void)
{ {
int idx; int idx;
struct ip_vs_conn *cp; struct ip_vs_conn *cp;
struct ip_vs_conn *ct;
flush_again: flush_again:
for (idx=0; idx<IP_VS_CONN_TAB_SIZE; idx++) { for (idx=0; idx<IP_VS_CONN_TAB_SIZE; idx++) {
@ -839,18 +827,13 @@ static void ip_vs_conn_flush(void)
ct_write_lock_bh(idx); ct_write_lock_bh(idx);
list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) { list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
atomic_inc(&cp->refcnt);
ct_write_unlock(idx);
if ((ct = cp->control))
atomic_inc(&ct->refcnt);
IP_VS_DBG(4, "del connection\n"); IP_VS_DBG(4, "del connection\n");
ip_vs_conn_expire_now(cp); ip_vs_conn_expire_now(cp);
if (ct) { if (cp->control) {
IP_VS_DBG(4, "del conn template\n"); IP_VS_DBG(4, "del conn template\n");
ip_vs_conn_expire_now(ct); ip_vs_conn_expire_now(cp->control);
} }
ct_write_lock(idx);
} }
ct_write_unlock_bh(idx); ct_write_unlock_bh(idx);
} }