On Fri, Apr 14, 2017 at 06:35:13AM +0800, Gao Feng wrote:
> > -----Original Message-----
> > From: Pablo Neira Ayuso [mailto:pablo@xxxxxxxxxxxxx]
> > On Thu, Apr 06, 2017 at 07:09:09PM +0800, gfree.wind@xxxxxxxxxxx wrote:
> > >
> > > The function ctnl_untimeout is used to untimeout every conntrack which
> > > is using the timeout. But it is necessary to add one barrier
> > > synchronize_rcu because of racing. Maybe one conntrack has already
> > > owned this timeout, but it is not inserted into the unconfirmed list or
> > > the hash list, when ctnl_untimeout untimeouts the conntracks.
> >
> > This object is released via kfree_rcu().
> >
> > You have to describe better the race scenario.
>
> Let me describe it with a call path:
>
> CPU1                        CPU2
> alloc new conn
> add timeout ext
>                             ctnl_timeout_try_del
>                             untimeout all conns in list
>                             kfree_rcu
> conn is confirmed.
>
> As shown above, when CPU2 untimeouts all conns in the list, the new conn of
> CPU1 is not confirmed. The new conn still owns the timeout pointer. After the
> timeout mem is really freed, it points to invalid mem.

You add this to your patch description and resubmit.

Please, send me one patch or two maximum at a time. Until I apply one,
you don't send me a new one.

--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html