Commit fb3d8949 authored by Neil Horman's avatar Neil Horman Committed by David S. Miller

[IPVS]: Close race conditions on ip_vs_conn_tab list modification

In an smp system, it is possible for an connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.

Since the list iterator loop in ip_vs_conn_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list while it is being traversed
in ip_vs_conn_flush.

The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.
Signed-off-by: default avatarNeil Horman <nhorman@redhat.com>
Acked-by: JulianAnastasov
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 689be439
...@@ -548,7 +548,6 @@ void ip_vs_conn_expire_now(struct ip_vs_conn *cp) ...@@ -548,7 +548,6 @@ void ip_vs_conn_expire_now(struct ip_vs_conn *cp)
{ {
if (del_timer(&cp->timer)) if (del_timer(&cp->timer))
mod_timer(&cp->timer, jiffies); mod_timer(&cp->timer, jiffies);
__ip_vs_conn_put(cp);
} }
...@@ -764,7 +763,6 @@ void ip_vs_random_dropentry(void) ...@@ -764,7 +763,6 @@ void ip_vs_random_dropentry(void)
{ {
int idx; int idx;
struct ip_vs_conn *cp; struct ip_vs_conn *cp;
struct ip_vs_conn *ct;
/* /*
* Randomly scan 1/32 of the whole table every second * Randomly scan 1/32 of the whole table every second
...@@ -801,21 +799,12 @@ void ip_vs_random_dropentry(void) ...@@ -801,21 +799,12 @@ void ip_vs_random_dropentry(void)
continue; continue;
} }
/*
* Drop the entry, and drop its ct if not referenced
*/
atomic_inc(&cp->refcnt);
ct_write_unlock(hash);
if ((ct = cp->control))
atomic_inc(&ct->refcnt);
IP_VS_DBG(4, "del connection\n"); IP_VS_DBG(4, "del connection\n");
ip_vs_conn_expire_now(cp); ip_vs_conn_expire_now(cp);
if (ct) { if (cp->control) {
IP_VS_DBG(4, "del conn template\n"); IP_VS_DBG(4, "del conn template\n");
ip_vs_conn_expire_now(ct); ip_vs_conn_expire_now(cp->control);
} }
ct_write_lock(hash);
} }
ct_write_unlock(hash); ct_write_unlock(hash);
} }
...@@ -829,7 +818,6 @@ static void ip_vs_conn_flush(void) ...@@ -829,7 +818,6 @@ static void ip_vs_conn_flush(void)
{ {
int idx; int idx;
struct ip_vs_conn *cp; struct ip_vs_conn *cp;
struct ip_vs_conn *ct;
flush_again: flush_again:
for (idx=0; idx<IP_VS_CONN_TAB_SIZE; idx++) { for (idx=0; idx<IP_VS_CONN_TAB_SIZE; idx++) {
...@@ -839,18 +827,13 @@ static void ip_vs_conn_flush(void) ...@@ -839,18 +827,13 @@ static void ip_vs_conn_flush(void)
ct_write_lock_bh(idx); ct_write_lock_bh(idx);
list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) { list_for_each_entry(cp, &ip_vs_conn_tab[idx], c_list) {
atomic_inc(&cp->refcnt);
ct_write_unlock(idx);
if ((ct = cp->control))
atomic_inc(&ct->refcnt);
IP_VS_DBG(4, "del connection\n"); IP_VS_DBG(4, "del connection\n");
ip_vs_conn_expire_now(cp); ip_vs_conn_expire_now(cp);
if (ct) { if (cp->control) {
IP_VS_DBG(4, "del conn template\n"); IP_VS_DBG(4, "del conn template\n");
ip_vs_conn_expire_now(ct); ip_vs_conn_expire_now(cp->control);
} }
ct_write_lock(idx);
} }
ct_write_unlock_bh(idx); ct_write_unlock_bh(idx);
} }
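Review bot: After the first hunk drops `__ip_vs_conn_put(cp)`, the callers in ip_vs_random_dropentry and ip_vs_conn_flush (third and fourth hunks) keep `cp` and `cp->control` alive only by holding the bucket write lock across the call, but nothing at the definition of ip_vs_conn_expire_now states that contract. A comment above the function would prevent a future caller from reintroducing the old take-ref/drop-lock pattern, e.g. `/* Caller must hold the bucket write lock or its own reference on cp; the reference is no longer dropped here. */`. Any other callers of ip_vs_conn_expire_now outside this file are not visible in the commit and should be checked, since one that still takes a reference before calling would now leak it. The dropentry path uses `ct_write_lock(hash)` without the `_bh` variant while the flush path uses `ct_write_lock_bh(idx)`; presumably dropentry already runs with softirqs disabled (timer context), and the comment could say so explicitly.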