summaryrefslogtreecommitdiffstats
path: root/include/net
diff options
context:
space:
mode:
authorJoerg Marx <joerg.marx@secunet.com>2010-05-20 15:55:30 +0200
committerPatrick McHardy <kaber@trash.net>2010-05-20 15:55:30 +0200
commitfc350777c705a39a312728ac5e8a6f164a828f5d (patch)
tree62aa121cd62e416a505d35de9b5d77ab8ae89f66 /include/net
parenta1d7c1b4b8dfbc5ecadcff9284d64bb6ad4c0196 (diff)
downloadlinux-fc350777c705a39a312728ac5e8a6f164a828f5d.tar.gz
linux-fc350777c705a39a312728ac5e8a6f164a828f5d.tar.bz2
linux-fc350777c705a39a312728ac5e8a6f164a828f5d.zip
netfilter: nf_conntrack: fix a race in __nf_conntrack_confirm against nf_ct_get_next_corpse()
This race was triggered by a 'conntrack -F' command running in parallel to the insertion of a hash for a new connection. Losing this race led to a dead conntrack entry effectively blocking traffic for a particular connection until timeout or flushing the conntrack hashes again. Now the check for an already dying connection is done inside the lock. Signed-off-by: Joerg Marx <joerg.marx@secunet.com> Signed-off-by: Patrick McHardy <kaber@trash.net>
Diffstat (limited to 'include/net')
-rw-r--r--include/net/netfilter/nf_conntrack_core.h2
1 files changed, 1 insertions, 1 deletions
diff --git a/include/net/netfilter/nf_conntrack_core.h b/include/net/netfilter/nf_conntrack_core.h
index dffde8e6920e..3d7524fba194 100644
--- a/include/net/netfilter/nf_conntrack_core.h
+++ b/include/net/netfilter/nf_conntrack_core.h
@@ -61,7 +61,7 @@ static inline int nf_conntrack_confirm(struct sk_buff *skb)
int ret = NF_ACCEPT;
if (ct && ct != &nf_conntrack_untracked) {
- if (!nf_ct_is_confirmed(ct) && !nf_ct_is_dying(ct))
+ if (!nf_ct_is_confirmed(ct))
ret = __nf_conntrack_confirm(skb);
if (likely(ret == NF_ACCEPT))
nf_ct_deliver_cached_events(ct);