Hi Pablo,
On Tue, 21 Feb 2012, Pablo Neira Ayuso wrote:
[...]
> Still one issue, see below.
>
> > @@ -1512,25 +1513,22 @@ ctnetlink_new_conntrack(struct sock *ctnl, struct sk_buff *skb,
> >
> > spin_lock_bh(&nf_conntrack_lock);
> > if (cda[CTA_TUPLE_ORIG])
> > - h = __nf_conntrack_find(net, zone, &otuple);
> > + h = nf_conntrack_find_get(net, zone, &otuple);
> > else if (cda[CTA_TUPLE_REPLY])
> > - h = __nf_conntrack_find(net, zone, &rtuple);
> > + h = nf_conntrack_find_get(net, zone, &rtuple);
> > + spin_unlock_bh(&nf_conntrack_lock);
>
> We still have to keep the lock for the update case. Otherwise we may
> clash with one update from the kernel.
By calling nf_conntrack_find_get we are safe to release the lock, because
the conntack entry won't be removed behind us. Later in the patch the lock
is re-acquired to serialize the updates:
+ spin_lock_bh(&nf_conntrack_lock);
err = ctnetlink_change_conntrack(ct, cda);
+ spin_unlock_bh(&nf_conntrack_lock);
Or do I miss something else here?
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
