diff options
author | Neil Horman <nhorman@redhat.com> | 2005-06-28 15:40:02 -0700 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-06-28 15:40:02 -0700 |
commit | fb3d89498d268c8dedc1ab5b15fa64f536564577 (patch) | |
tree | 9617e380d284684dc3c8b7264377f67c024e9f92 /security | |
parent | 689be43945e9ca7dd704522e55af1b8a73a994d3 (diff) |
[IPVS]: Close race conditions on ip_vs_conn_tab list modification
In an smp system, it is possible for an connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.
Since the list iterator loop in ip_vs_con_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.
The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.
Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: JulianAnastasov
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions