Hi. I am reporting a suspected race between htable_find_get()
and htable_put() in net/netfilter/xt_hashlimit.c.
I found this issue while I read the code so that it might not realistic.
But, please examine the code to check possibility of race condition.
htable_put() first updates hinfo->use and then unlink the object from the list.
But, htable_find_get() first searches an object from the list,
and then updates hinfo->use.
Therefore, race would be possible for the following situation.
hinfo->use == 1.
htable_put() | htable_find_get()
--------------------------------------------------------------------------------------------------------------
atomic_dec_and_test(&hinfo->use) ; |
|
spin_lock_bh(&hashlimit_lock) ;
|
hlist_for_each_entry(...) ;
| ...
|
atomic_inc(&hinfo->use) ;
|
spin_unlock_bh(&hashlimit_lock) ;
spin_lock_bh(&hashlimit_lock) ; |
hlist_del(&hinfo->node) ; |
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
