netfilter: xt_hashlimit: fix race between htable_destroy and htable_gc
Deleting a timer with del_timer doesn't guarantee, that the
timer function is not running at the moment of deletion. Thus
in the xt_hashlimit case we can get into a ticklish situation
when the htable_gc rearms the timer back and we'll actually
delete an entry with a pending timer.
Fix it with using del_timer_sync().
AFAIK del_timer_sync checks for the timer to be pending by
itself, so I remove the check.
Signed-off-by: Pavel Emelyanov <xemul@xxxxxxxxxx>
Signed-off-by: Patrick McHardy <kaber@xxxxxxxxx>
---
commit d97740075c062dc888ecb4d710e6aafd2a253383
tree d20ba6ebf2b48f7c45014c9d4f6bf8eb208f18d5
parent 728845f8c11ec11be4a3725a70389a3013cd4e48
author Pavel Emelyanov <xemul@xxxxxxxxxx> Wed, 30 Jul 2008 12:53:30 +0200
committer Patrick McHardy <kaber@xxxxxxxxx> Wed, 30 Jul 2008 12:53:30 +0200
net/netfilter/xt_hashlimit.c | 4 +---
1 files changed, 1 insertions(+), 3 deletions(-)
diff --git a/net/netfilter/xt_hashlimit.c b/net/netfilter/xt_hashlimit.c
index 6809af5..d9418a2 100644
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -367,9 +367,7 @@ static void htable_gc(unsigned long htlong)
static void htable_destroy(struct xt_hashlimit_htable *hinfo)
{
- /* remove timer, if it is pending */
- if (timer_pending(&hinfo->timer))
- del_timer(&hinfo->timer);
+ del_timer_sync(&hinfo->timer);
/* remove proc entry */
remove_proc_entry(hinfo->pde->name,
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
