netfilter: xt_hashlimit: fix race between htable_destroy and htable_gc
author Pavel Emelyanov <xemul@openvz.org>
Thu, 31 Jul 2008 07:38:52 +0000 (00:38 -0700)
committer David S. Miller <davem@davemloft.net>
Thu, 31 Jul 2008 07:38:52 +0000 (00:38 -0700)
Deleting a timer with del_timer doesn't guarantee that the
timer function is not running at the moment of deletion. Thus
in the xt_hashlimit case we can get into a ticklish situation
when the htable_gc rearms the timer back and we'll actually
delete an entry with a pending timer.

Fix it by using del_timer_sync().

AFAIK del_timer_sync checks for the timer to be pending by
itself, so I remove the check.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/netfilter/xt_hashlimit.c

index 6809af542a2c8e305054afa28a6f1008f8badb1f..d9418a26781202e5a2b927b211f9976a14375a10 100644 (file)
@@ -367,9 +367,7 @@ static void htable_gc(unsigned long htlong)
 
 static void htable_destroy(struct xt_hashlimit_htable *hinfo)
 {
-       /* remove timer, if it is pending */
-       if (timer_pending(&hinfo->timer))
-               del_timer(&hinfo->timer);
+       del_timer_sync(&hinfo->timer);
 
        /* remove proc entry */
        remove_proc_entry(hinfo->pde->name,
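
Review bot: the new del_timer_sync(&hinfo->timer) call at the top of htable_destroy() replaces a commented block with an uncommented one, and the reason for the _sync variant is not obvious from the code alone. Suggest a one-line comment saying that htable_gc rearms the timer, so a running handler has to be waited for before the table is torn down. Because del_timer_sync() waits for a running handler to finish, it must not be called from interrupt context or while holding a lock that htable_gc takes; the callers of htable_destroy() are not visible in this hunk, so please confirm that holds on every path that reaches it. Dropping the timer_pending() check is fine, since del_timer_sync() copes with a timer that is not pending.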