提交 d205dc40 编写于 作者: P Patrick McHardy 提交者: David S. Miller

[NETFILTER]: ctnetlink: fix deadlock in table dumping

ip_conntrack_put must not be called while holding ip_conntrack_lock
since destroy_conntrack takes it again.
Signed-off-by: NPatrick McHardy <kaber@trash.net>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 6e8fcbf6
...@@ -415,21 +415,18 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -415,21 +415,18 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
cb->args[0], *id); cb->args[0], *id);
read_lock_bh(&ip_conntrack_lock); read_lock_bh(&ip_conntrack_lock);
last = (struct ip_conntrack *)cb->args[1];
for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++) { for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++) {
restart: restart:
last = (struct ip_conntrack *)cb->args[1];
list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) { list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) {
h = (struct ip_conntrack_tuple_hash *) i; h = (struct ip_conntrack_tuple_hash *) i;
if (DIRECTION(h) != IP_CT_DIR_ORIGINAL) if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
continue; continue;
ct = tuplehash_to_ctrack(h); ct = tuplehash_to_ctrack(h);
if (last != NULL) { if (cb->args[1]) {
if (ct == last) { if (ct != last)
ip_conntrack_put(last);
cb->args[1] = 0;
last = NULL;
} else
continue; continue;
cb->args[1] = 0;
} }
if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
cb->nlh->nlmsg_seq, cb->nlh->nlmsg_seq,
...@@ -440,17 +437,17 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -440,17 +437,17 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
goto out; goto out;
} }
} }
if (last != NULL) { if (cb->args[1]) {
ip_conntrack_put(last);
cb->args[1] = 0; cb->args[1] = 0;
goto restart; goto restart;
} }
} }
out: out:
read_unlock_bh(&ip_conntrack_lock); read_unlock_bh(&ip_conntrack_lock);
if (last)
ip_conntrack_put(last);
DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id); DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
return skb->len; return skb->len;
} }
......
...@@ -429,9 +429,9 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -429,9 +429,9 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
cb->args[0], *id); cb->args[0], *id);
read_lock_bh(&nf_conntrack_lock); read_lock_bh(&nf_conntrack_lock);
last = (struct nf_conn *)cb->args[1];
for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) { for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
restart: restart:
last = (struct nf_conn *)cb->args[1];
list_for_each_prev(i, &nf_conntrack_hash[cb->args[0]]) { list_for_each_prev(i, &nf_conntrack_hash[cb->args[0]]) {
h = (struct nf_conntrack_tuple_hash *) i; h = (struct nf_conntrack_tuple_hash *) i;
if (DIRECTION(h) != IP_CT_DIR_ORIGINAL) if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
...@@ -442,13 +442,10 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -442,13 +442,10 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
* then dump everything. */ * then dump everything. */
if (l3proto && L3PROTO(ct) != l3proto) if (l3proto && L3PROTO(ct) != l3proto)
continue; continue;
if (last != NULL) { if (cb->args[1]) {
if (ct == last) { if (ct != last)
nf_ct_put(last);
cb->args[1] = 0;
last = NULL;
} else
continue; continue;
cb->args[1] = 0;
} }
if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid, if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
cb->nlh->nlmsg_seq, cb->nlh->nlmsg_seq,
...@@ -459,17 +456,17 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb) ...@@ -459,17 +456,17 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
goto out; goto out;
} }
} }
if (last != NULL) { if (cb->args[1]) {
nf_ct_put(last);
cb->args[1] = 0; cb->args[1] = 0;
goto restart; goto restart;
} }
} }
out: out:
read_unlock_bh(&nf_conntrack_lock); read_unlock_bh(&nf_conntrack_lock);
if (last)
nf_ct_put(last);
DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id); DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
return skb->len; return skb->len;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册