author | Neil Horman <nhorman@redhat.com> | 2005-06-29 00:40:02 +0200 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2005-06-29 00:40:02 +0200 |
commit | fb3d89498d268c8dedc1ab5b15fa64f536564577 (patch) | |
tree | 9617e380d284684dc3c8b7264377f67c024e9f92 /net/ipv6/ip6_flowlabel.c | |
parent | [NET]: Remove gratuitous use of skb->tail in network drivers. (diff) | |
[IPVS]: Close race conditions on ip_vs_conn_tab list modification

In an SMP system, it is possible for a connection timer to expire, calling
ip_vs_conn_expire while the connection table is being flushed, before
ct_write_lock_bh is acquired.

Since the list iterator loop in ip_vs_conn_flush releases and re-acquires the
spinlock (even though it doesn't re-enable softirqs), it is possible for the
expiration function to modify the connection list, while it is being traversed
in ip_vs_conn_flush.

The result is that the next pointer gets set to NULL, and subsequently
dereferenced, resulting in an oops.

Signed-off-by: Neil Horman <nhorman@redhat.com>
Acked-by: Julian Anastasov
Signed-off-by: David S. Miller <davem@davemloft.net>

Diffstat (limited to 'net/ipv6/ip6_flowlabel.c')
0 files changed, 0 insertions, 0 deletions