Commit dd9e5773 authored by Harald Welte's avatar Harald Welte Committed by David S. Miller

[NETFILTER]: ipt_hashlimit rule load time race condition

This is the best we've got: We cannot release and re-grab lock,
since checkentry() is called before ip_tables.c grabs ipt_mutex.  
We also cannot grab the hashtable spinlock, since htable_create will 
call vmalloc, and that can sleep.  And we cannot just re-search
the list of htable's in htable_create(), since then we would
create duplicate proc files.
Signed-off-by: default avatarHarald Welte <laforge@netfilter.org>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 320d00c5
...@@ -98,6 +98,7 @@ struct ipt_hashlimit_htable { ...@@ -98,6 +98,7 @@ struct ipt_hashlimit_htable {
}; };
static DECLARE_RWLOCK(hashlimit_lock); /* protects htables list */ static DECLARE_RWLOCK(hashlimit_lock); /* protects htables list */
static DECLARE_MUTEX(hlimit_mutex); /* additional checkentry protection */
static LIST_HEAD(hashlimit_htables); static LIST_HEAD(hashlimit_htables);
static kmem_cache_t *hashlimit_cachep; static kmem_cache_t *hashlimit_cachep;
...@@ -531,10 +532,19 @@ hashlimit_checkentry(const char *tablename, ...@@ -531,10 +532,19 @@ hashlimit_checkentry(const char *tablename,
if (!r->cfg.expire) if (!r->cfg.expire)
return 0; return 0;
/* This is the best we've got: We cannot release and re-grab lock,
* since checkentry() is called before ip_tables.c grabs ipt_mutex.
* We also cannot grab the hashtable spinlock, since htable_create will
* call vmalloc, and that can sleep. And we cannot just re-search
* the list of htable's in htable_create(), since then we would
* create duplicate proc files. -HW */
down(&hlimit_mutex);
r->hinfo = htable_find_get(r->name); r->hinfo = htable_find_get(r->name);
if (!r->hinfo && (htable_create(r) != 0)) { if (!r->hinfo && (htable_create(r) != 0)) {
up(&hlimit_mutex);
return 0; return 0;
} }
up(&hlimit_mutex);
/* Ugly hack: For SMP, we only want to use one set */ /* Ugly hack: For SMP, we only want to use one set */
r->u.master = r; r->u.master = r;
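Review bot: hlimit_mutex is taken only around the find-or-create sequence in hashlimit_checkentry(), and nothing visible here shows the teardown path taking it too. If the destroy side (outside this hunk) unlinks a table from hashlimit_htables before removing its proc entry, a concurrent checkentry could miss the table in htable_find_get() and call htable_create() for the same name while the old proc file still exists, which is the duplicate the new comment sets out to avoid; this is inferred and should be confirmed against the destroy code. The declaration comment `/* additional checkentry protection */` would be clearer if it named what is serialised and the ordering, e.g. `/* serialises htable_find_get() + htable_create() in checkentry; may sleep, never taken under hashlimit_lock */`. The body of hashlimit_checkentry() starts and ends outside the lines shown.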