[Patch] ipvs: close race conditions on ip_vs_conn_tab list modification
From: Neil Horman
Date: Thu Jun 23 2005 - 13:58:19 EST
Hello there-
Patch to close a race condition in ip_vs_conn_flush. In an smp system,
it is possible for an connection timer to expire, calling ip_vs_conn_expire
while the connection table is being flushed, before ct_write_lock_bh is
acquired. Since the list iterator loop in ip_vs_con_flush releases and
re-acquires the spinlock (even though it doesn't re-enable softirqs), it is
possible for the expiration function to modify the connection list, while it is
being traversed in ip_vs_conn_flush. The result is that the next pointer gets
set to NULL, and subsequently dereferenced, resulting in an oops. This patch
removes the lock release and re-aquisition from the loop, closing the race
window. Tested by myself, and those who origionally experienced the crash and
reported it to me, with successful results.
Signed-off-by: Neil Horman <nhorman@xxxxxxxxxx>
ip_vs_conn.c | 2 --
1 files changed, 2 deletions(-)
--- linux-2.6.git/net/ipv4/ipvs/ip_vs_conn.c.orig 2005-06-23 13:11:00.910372471 -0400
+++ linux-2.6.git/net/ipv4/ipvs/ip_vs_conn.c 2005-06-23 13:15:54.459852393 -0400
@@ -840,7 +838,6 @@
list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
atomic_inc(&cp->refcnt);
- ct_write_unlock(idx);
if ((ct = cp->control))
atomic_inc(&ct->refcnt);
@@ -850,7 +847,6 @@
IP_VS_DBG(4, "del conn template\n");
ip_vs_conn_expire_now(ct);
}
- ct_write_lock(idx);
}
ct_write_unlock_bh(idx);
}
--
/***************************************************
*Neil Horman
*Software Engineer
*Red Hat, Inc.
*nhorman@xxxxxxxxxx
*gpg keyid: 1024D / 0x92A74FA1
*http://pgp.mit.edu
***************************************************/
Attachment:
pgp00000.pgp
Description: PGP signature