[NETFILTER]: ctnetlink: fix deadlock in table dumping
Patrick McHardy [Fri, 18 Aug 2006 01:12:38 +0000 (18:12 -0700)]
ip_conntrack_put must not be called while holding ip_conntrack_lock
since destroy_conntrack takes it again.

Signed-off-by: Patrick McHardy <kaber@trash.net>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv4/netfilter/ip_conntrack_netlink.c
net/netfilter/nf_conntrack_netlink.c

index 33891bb..0d4cc92 100644 (file)
@@ -415,21 +415,18 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
                        cb->args[0], *id);
 
        read_lock_bh(&ip_conntrack_lock);
+       last = (struct ip_conntrack *)cb->args[1];
        for (; cb->args[0] < ip_conntrack_htable_size; cb->args[0]++) {
 restart:
-               last = (struct ip_conntrack *)cb->args[1];
                list_for_each_prev(i, &ip_conntrack_hash[cb->args[0]]) {
                        h = (struct ip_conntrack_tuple_hash *) i;
                        if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
                                continue;
                        ct = tuplehash_to_ctrack(h);
-                       if (last != NULL) {
-                               if (ct == last) {
-                                       ip_conntrack_put(last);
-                                       cb->args[1] = 0;
-                                       last = NULL;
-                               } else
+                       if (cb->args[1]) {
+                               if (ct != last)
                                        continue;
+                               cb->args[1] = 0;
                        }
                        if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
                                                cb->nlh->nlmsg_seq,
@@ -440,17 +437,17 @@ restart:
                                goto out;
                        }
                }
-               if (last != NULL) {
-                       ip_conntrack_put(last);
+               if (cb->args[1]) {
                        cb->args[1] = 0;
                        goto restart;
                }
        }
 out:
        read_unlock_bh(&ip_conntrack_lock);
+       if (last)
+               ip_conntrack_put(last);
 
        DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
-
        return skb->len;
 }
 
index af48459..6527d4e 100644 (file)
@@ -429,9 +429,9 @@ ctnetlink_dump_table(struct sk_buff *skb, struct netlink_callback *cb)
                        cb->args[0], *id);
 
        read_lock_bh(&nf_conntrack_lock);
+       last = (struct nf_conn *)cb->args[1];
        for (; cb->args[0] < nf_conntrack_htable_size; cb->args[0]++) {
 restart:
-               last = (struct nf_conn *)cb->args[1];
                list_for_each_prev(i, &nf_conntrack_hash[cb->args[0]]) {
                        h = (struct nf_conntrack_tuple_hash *) i;
                        if (DIRECTION(h) != IP_CT_DIR_ORIGINAL)
@@ -442,13 +442,10 @@ restart:
                         * then dump everything. */
                        if (l3proto && L3PROTO(ct) != l3proto)
                                continue;
-                       if (last != NULL) {
-                               if (ct == last) {
-                                       nf_ct_put(last);
-                                       cb->args[1] = 0;
-                                       last = NULL;
-                               } else
+                       if (cb->args[1]) {
+                               if (ct != last)
                                        continue;
+                               cb->args[1] = 0;
                        }
                        if (ctnetlink_fill_info(skb, NETLINK_CB(cb->skb).pid,
                                                cb->nlh->nlmsg_seq,
@@ -459,17 +456,17 @@ restart:
                                goto out;
                        }
                }
-               if (last != NULL) {
-                       nf_ct_put(last);
+               if (cb->args[1]) {
                        cb->args[1] = 0;
                        goto restart;
                }
        }
 out:
        read_unlock_bh(&nf_conntrack_lock);
+       if (last)
+               nf_ct_put(last);
 
        DEBUGP("leaving, last bucket=%lu id=%u\n", cb->args[0], *id);
-
        return skb->len;
 }