Pablo Neira Ayuso wrote:
> Patrick McHardy wrote:
>> Pablo, do you recall the reason why the lock isn't held in
>> ctnetlink_create_conntrack()?
>
> The creation is done under the nfnl_mutex so that requests to create
> identical entries cannot race. Of course, this is not enough to avoid
> the race with the timer if we set a very small timer for a conntrack :(.

It's also not enough to avoid the race against packet processing,
which takes nf_conntrack_lock.

> AFAICS, we don't need to enclose the whole conntrack creation path.
> Would you prefer the patch attached? This patch should apply fine to
> 2.6.28-rc.

That fixes the timer race, but the race between lookup and creation
remains. We really need to either hold the lock the entire time or
redo the lookup before inserting the entry into the hash tables.

> I can send this patch to -stable. BTW, this patch may conflict with my
> patch enqueued for 2.6.29 that adds userspace reporting, let me know if
> I can give you a hand in some way (like sending it on top of this one or
> yours again, whatever).

I'll take care of any merge issues.
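The lookup/creation race discussed in this message, and the "redo the lookup before inserting" remedy, shown as an added user-space illustration that is not part of the original message or of the kernel code. The hash table, `table_lock` (standing in for nf_conntrack_lock), `count`, `insert` and `replay` are hypothetical names, and the interleaving is replayed sequentially so the outcome is deterministic.

```c
#include <errno.h>
#include <pthread.h>
#include <stdlib.h>

#define BUCKETS 16
struct entry { unsigned key; struct entry *next; };
static struct entry *table[BUCKETS];
/* Stands in for nf_conntrack_lock: every reader and writer of table takes it. */
static pthread_mutex_t table_lock = PTHREAD_MUTEX_INITIALIZER;

/* Number of entries with this key; more than one means a duplicate got in. */
int count(unsigned key)
{
    int n = 0;
    pthread_mutex_lock(&table_lock);
    for (struct entry *e = table[key % BUCKETS]; e; e = e->next)
        n += (e->key == key);
    pthread_mutex_unlock(&table_lock);
    return n;
}

/*
 * Insert key. With recheck == 0 the caller's earlier count() == 0 is trusted,
 * although the lock was dropped in between. With recheck != 0 the lookup is
 * redone inside the same lock hold as the insert, so a concurrent insert of
 * the same key is seen and reported as -EEXIST.
 */
int insert(unsigned key, int recheck)
{
    struct entry *e, *node = malloc(sizeof(*node));
    if (!node)
        return -ENOMEM;
    node->key = key;
    pthread_mutex_lock(&table_lock);
    for (e = recheck ? table[key % BUCKETS] : NULL; e; e = e->next) {
        if (e->key == key) {
            pthread_mutex_unlock(&table_lock);
            free(node);
            return -EEXIST;
        }
    }
    node->next = table[key % BUCKETS];
    table[key % BUCKETS] = node;
    pthread_mutex_unlock(&table_lock);
    return 0;
}

/* Replays the interleaving: A looks up (miss), B inserts, then A inserts. */
int replay(unsigned key, int recheck)
{
    int miss = (count(key) == 0);   /* path A: lookup, then lock dropped */
    insert(key, 1);                 /* path B: e.g. packet processing */
    int rc = insert(key, recheck);  /* path A: acts on its stale miss */
    return miss ? rc : -EINVAL;
}
```

Without the recheck the replay leaves two entries for the same key; with it the second insert is refused and the table keeps one.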