Re: crash in death_by_timeout()

Patrick McHardy wrote:
> Pablo Neira Ayuso wrote:
>> Patrick McHardy wrote:
>>> Pablo, do you recall the reason why the lock isn't held in
>>> ctnetlink_create_conntrack()?
>>
>> The creation is done under the nfnl_mutex so that requests to create
>> identical entries cannot race. Of course, this is not enough to avoid
>> the race with the timer if we set a very small timer for a conntrack :(.
> 
> It's also not enough to avoid the race against packet processing,
> which takes nf_conntrack_lock.
> 
>> AFAICS, we don't need to enclose the whole conntrack creation path.
>> Would you prefer the patch attached? This patch should apply fine to
>> 2.6.28-rc.
> 
> That fixes the timer race, but the race between lookup and creation
> remains. We really need to either hold the lock the entire time or
> redo the lookup before inserting the entry into the hash tables.

I see, I forgot about that case. Your patch should be fine then.

-- 
"Honest people are social misfits" -- Les Luthiers
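
The lookup/creation race discussed in this thread, as an added single-threaded C model that is not code from the thread or from the kernel: `struct table`, `create()`, `packet_path()` and the mode names are hypothetical, and the interleaving is constructed. It compares inserting blindly after an unlocked lookup with the two fixes named in the thread: redoing the lookup under the lock, or holding the lock for the whole path.

```c
#include <stdbool.h>
#include <stddef.h>
enum mode { BLIND_INSERT, RECHECK_UNDER_LOCK, LOCK_WHOLE_PATH };

struct table {
    unsigned keys[8];  /* stand-in for conntrack tuples in the hash (assumed) */
    size_t used;
    bool locked;       /* single-threaded model of nf_conntrack_lock */
};

static size_t count(const struct table *t, unsigned key)
{
    size_t n = 0;
    for (size_t i = 0; i < t->used; i++)
        n += (t->keys[i] == key);
    return n;
}

static void insert(struct table *t, unsigned key)
{
    if (t->used < 8)
        t->keys[t->used++] = key;
}

/* Model of packet processing: skipped while the lock is held (a real CPU
 * would wait), otherwise inserts the tuple if it is absent. */
static void packet_path(struct table *t, unsigned key)
{
    if (!t->locked && !count(t, key))
        insert(t, key);
}

/* Model of the netlink creation path. Returns 0, or -1 if the entry exists. */
static int create(struct table *t, unsigned key, enum mode m)
{
    t->locked = (m == LOCK_WHOLE_PATH);
    bool exists = count(t, key) > 0;       /* initial lookup */
    if (!exists) {
        packet_path(t, key);               /* constructed interleaving */
        t->locked = true;                  /* lock taken (or still held) */
        if (m != BLIND_INSERT)
            exists = count(t, key) > 0;    /* redo the lookup under the lock */
        if (!exists)
            insert(t, key);
    }
    t->locked = false;
    return exists ? -1 : 0;
}
```

With `BLIND_INSERT` the same key ends up in the table twice; the other two modes leave exactly one entry.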