netfilter: xt_hashlimit: fix race between htable_destroy and htable_gc

Deleting a timer with del_timer doesn't guarantee, that the timer function is not running at the moment of deletion. Thus in the xt_hashlimit case we can get into a ticklish situation when the htable_gc rearms the timer back and we'll actually delete an entry with a pending timer. Fix it with using del_timer_sync(). AFAIK del_timer_sync checks for the timer to be pending by itself, so I remove the check. Signed-off-by: N Pavel Emelyanov <xemul@openvz.org> Signed-off-by: N Patrick McHardy <kaber@trash.net> Signed-off-by: N David S. Miller <davem@davemloft.net>

netfilter: xt_hashlimit: fix race between htable_destroy and htable_gc
Deleting a timer with del_timer doesn't guarantee, that the timer function is not running at the moment of deletion. Thus in the xt_hashlimit case we can get into a ticklish situation when the htable_gc rearms the timer back and we'll actually delete an entry with a pending timer. Fix it with using del_timer_sync(). AFAIK del_timer_sync checks for the timer to be pending by itself, so I remove the check. Signed-off-by: N Pavel Emelyanov <xemul@openvz.org> Signed-off-by: N Patrick McHardy <kaber@trash.net> Signed-off-by: N David S. Miller <davem@davemloft.net>
967ab999 · Pavel Emelyanov · David S. Miller · a8ddc916 · 967ab999
隐藏空白更改
内联并排

Showing with 1 addition and 3 deletion

net/netfilter/xt_hashlimit.c net/netfilter/xt_hashlimit.c +1 -3

未找到文件。
--- a/net/netfilter/xt_hashlimit.c
+++ b/net/netfilter/xt_hashlimit.c
@@ -367,9 +367,7 @@ static void htable_gc(unsigned long htlong)
 static void htable_destroy(struct xt_hashlimit_htable *hinfo)
 {
-	/* remove timer, if it is pending */
+	del_timer_sync(&hinfo->timer);
-	if (timer_pending(&hinfo->timer))
-		del_timer(&hinfo->timer);
 	/* remove proc entry */
 	remove_proc_entry(hinfo->pde->name,