Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit a16a1647 authored by Pablo Neira Ayuso's avatar Pablo Neira Ayuso Committed by David S. Miller
Browse files

netfilter: ctnetlink: fix race between delete and timeout expiration 



Kerin Millar reported hardlockups while running `conntrackd -c'
in a busy firewall. That system (with several processors) was
acting as backup in a primary-backup setup.

After several tries, I found a race condition between the deletion
operation of ctnetlink and timeout expiration. This patch fixes
this problem.

Tested-by: default avatarKerin Millar <kerframil@gmail.com>
Reported-by: default avatarKerin Millar <kerframil@gmail.com>
Signed-off-by: default avatarPablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c5779237

net/netfilter/nf_conntrack_netlink.c

+12 −11
Original line number Original line Diff line number Diff line
@@ -943,6 +943,7 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 
		}

		}

	}

	}





	if (del_timer(&ct->timeout)) {

		if (nf_conntrack_event_report(IPCT_DESTROY, ct,

		if (nf_conntrack_event_report(IPCT_DESTROY, ct,

					      NETLINK_CB(skb).pid,

					      NETLINK_CB(skb).pid,

					      nlmsg_report(nlh)) < 0) {

					      nlmsg_report(nlh)) < 0) {
@@ -952,11 +953,11 @@ ctnetlink_del_conntrack(struct sock *ctnl, struct sk_buff *skb, 
			nf_ct_put(ct);

			nf_ct_put(ct);

			return 0;

			return 0;

		}

		}



		/* death_by_timeout would report the event again */

		/* death_by_timeout would report the event again */

		set_bit(IPS_DYING_BIT, &ct->status);

		set_bit(IPS_DYING_BIT, &ct->status);



		nf_ct_delete_from_lists(ct);

	nf_ct_kill(ct);

		nf_ct_put(ct);

	}

	nf_ct_put(ct);

	nf_ct_put(ct);





	return 0;

	return 0;