billbonaparte <programme110@xxxxxxxxx> wrote: > In function __nf_conntrack_confirm, we check the conntrack if it was > alreay dead, before insert it into hash-table. > we do this because if we insert an already 'dead' hash, it will > block further use of that particular connection. > but we don't do that right. Correct. This is broken since the central spin lock removal, since nf_conntrack_lock no longer protects both get_next_corpse and conntrack_confirm. Please send a patch, moving dying check after removal of conntrack from the percpu list, and add Fixes: 93bb0ceb75be2 (netfilter: conntrack: remove central spinlock nf_conntrack_lock) tag to patch. > The above case reveal two problems: > 1. we may insert a dead conntrack to hash-table, it will block > further use of that particular connection. Yes. > 2. operation on ct->status should be atomic, because it race aginst > get_next_corpse. Alternatively we could also get rid of the unconfirmed list handling in get_next_corpse, it looks to me as if its simply not worth the trouble to also caring about unconfirmed lists. -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
