[netfilter-cvslog] r3739 - trunk/patch-o-matic-ng/hashlimit/linux-2.6/net/ipv4/netfilter

laforge at netfilter.org laforge at netfilter.org
Tue Feb 22 12:36:08 CET 2005 

Author: laforge at netfilter.org
Date: 2005-02-22 12:36:07 +0100 (Tue, 22 Feb 2005)
New Revision: 3739

Modified:
   trunk/patch-o-matic-ng/hashlimit/linux-2.6/net/ipv4/netfilter/ipt_hashlimit.c
Log:
Add an explicit mutex to prevent race with ip_tables core checkentry()

This is the best we've got: We cannot release and re-grab lock,
since checkentry() is called before ip_tables.c grabs ipt_mutex.  
We also cannot grab the hashtable spinlock, since htable_create will 
call vmalloc, and that can sleep.  And we cannot just re-search
the list of htable's in htable_create(), since then we would
create duplicate proc files.



Modified: trunk/patch-o-matic-ng/hashlimit/linux-2.6/net/ipv4/netfilter/ipt_hashlimit.c
===================================================================
--- trunk/patch-o-matic-ng/hashlimit/linux-2.6/net/ipv4/netfilter/ipt_hashlimit.c	2005-02-22 11:26:22 UTC (rev 3738)
+++ trunk/patch-o-matic-ng/hashlimit/linux-2.6/net/ipv4/netfilter/ipt_hashlimit.c	2005-02-22 11:36:07 UTC (rev 3739)
@@ -98,6 +98,7 @@
 };
 
 static DECLARE_RWLOCK(hashlimit_lock);	/* protects htables list */
+static DECLARE_MUTEX(hlimit_mutex);	/* additional checkentry protection */
 static LIST_HEAD(hashlimit_htables);
 static kmem_cache_t *hashlimit_cachep;
 
@@ -531,10 +532,19 @@
 	if (!r->cfg.expire)
 		return 0;
 
+	/* This is the best we've got: We cannot release and re-grab lock,
+	 * since checkentry() is called before ip_tables.c grabs ipt_mutex.  
+	 * We also cannot grab the hashtable spinlock, since htable_create will 
+	 * call vmalloc, and that can sleep.  And we cannot just re-search
+	 * the list of htable's in htable_create(), since then we would
+	 * create duplicate proc files. -HW */
+	down(&hlimit_mutex);
 	r->hinfo = htable_find_get(r->name);
 	if (!r->hinfo && (htable_create(r) != 0)) {
+		up(&hlimit_mutex);
 		return 0;
 	}
+	up(&hlimit_mutex);
 
 	/* Ugly hack: For SMP, we only want to use one set */
 	r->u.master = r;

More information about the netfilter-cvslog mailing list