[IPVS]: Close race conditions on ip_vs_conn_tab list modification
author Neil Horman <nhorman@redhat.com>
Tue, 28 Jun 2005 22:40:02 +0000 (15:40 -0700)
committer David S. Miller <davem@davemloft.net>
Tue, 28 Jun 2005 22:40:02 +0000 (15:40 -0700)
commit fb3d89498d268c8dedc1ab5b15fa64f536564577
tree 9617e380d284684dc3c8b7264377f67c024e9f92
parent 689be43945e9ca7dd704522e55af1b8a73a994d3

In an SMP system, it is possible for a connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.

Since the list iterator loop in ip_vs_conn_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.

The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.

Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: Julian Anastasov
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/ipvs/ip_vs_conn.c
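
The interleaving described in the commit message, as an added single-threaded model that is not the kernel's code and not this commit's change (which is not shown on this page). The names `conn`, `bucket`, `expire`, `flush` and `run` are hypothetical, and the model stops the walk early where the kernel would dereference the cleared pointer and oops.

```c
#include <stddef.h>

/* Constructed model: one hash bucket of connections, singly linked. */
struct conn { int id; int expired; struct conn *next; };
struct bucket { struct conn *head; int locked; };

/* Models the timer handler on another CPU: it needs the bucket lock,
 * then unlinks cp and clears its next pointer. Returns 1 if it ran. */
static int expire(struct bucket *b, struct conn *cp)
{
    if (b->locked)
        return 0;                   /* lock held elsewhere: cannot run yet */
    for (struct conn **pp = &b->head; *pp; pp = &(*pp)->next)
        if (*pp == cp) { *pp = cp->next; break; }
    cp->next = NULL;
    cp->expired = 1;
    return 1;
}

/* Walks the bucket as a flush would. drop_lock=1 reproduces an
 * unlock/relock window inside the loop body; drop_lock=0 keeps the lock
 * held for the whole walk. Returns the number of entries visited. */
static int flush(struct bucket *b, int drop_lock)
{
    int visited = 0;
    b->locked = 1;
    for (struct conn *cp = b->head; cp; cp = cp->next) {
        visited++;
        if (drop_lock) b->locked = 0;
        expire(b, cp);              /* the timer for cp fires in the window */
        if (drop_lock) b->locked = 1;
        /* cp->next is read after the window: NULL if cp was unlinked */
    }
    b->locked = 0;
    return visited;
}

/* Builds a constructed three-entry bucket and walks it once. */
int run(int drop_lock)
{
    struct conn c = {3, 0, NULL}, m = {2, 0, &c}, a = {1, 0, &m};
    struct bucket b = {&a, 0};
    return flush(&b, drop_lock);
}

int main(void) { return (run(1) == 1 && run(0) == 3) ? 0 : 1; }
```

With the window open the walk ends after one entry because the iterator's current node was unlinked under it; with the lock held across the loop all three entries are reached.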