From 7401a862f80b5a9c8de0e9e61e71e97818b72458 Mon Sep 17 00:00:00 2001
From: Patrick McHardy
Date: Mon, 22 Jun 2009 14:14:16 +0200
Subject: [PATCH] --- yaml --- r: 154100 b: refs/heads/master c: 5c8ec910e789a92229978d8fd1fce7b62e8ac711 h: refs/heads/master v: v3
---
 [refs] | 2 +-
 trunk/net/netfilter/nf_conntrack_core.c | 9 ++++++++-
 2 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/[refs] b/[refs]
index 4e5b10766028..1e34c7f914a3 100644
--- a/[refs]
+++ b/[refs]
@@ -1,2 +1,2 @@
 ---
-refs/heads/master: 8cc20198cfccd06cef705c14fd50bde603e2e306
+refs/heads/master: 5c8ec910e789a92229978d8fd1fce7b62e8ac711
diff --git a/trunk/net/netfilter/nf_conntrack_core.c b/trunk/net/netfilter/nf_conntrack_core.c
index 5276a2dd56fe..b0b06c7a9483 100644
--- a/trunk/net/netfilter/nf_conntrack_core.c
+++ b/trunk/net/netfilter/nf_conntrack_core.c
@@ -425,7 +425,6 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 /* Remove from unconfirmed list */
 hlist_nulls_del_rcu(&ct->tuplehash[IP_CT_DIR_ORIGINAL].hnnode);
- __nf_conntrack_hash_insert(ct, hash, repl_hash);
 /* Timer relative to confirmation time, not original setting time, otherwise we'd get timer wrap in weird delay cases. */
@@ -433,8 +432,16 @@ __nf_conntrack_confirm(struct sk_buff *skb)
 add_timer(&ct->timeout);
 atomic_inc(&ct->ct_general.use);
 set_bit(IPS_CONFIRMED_BIT, &ct->status);
+
+ /* Since the lookup is lockless, hash insertion must be done after
+ * starting the timer and setting the CONFIRMED bit. The RCU barriers
+ * guarantee that no other CPU can find the conntrack before the above
+ * stores are visible.
+ */
+ __nf_conntrack_hash_insert(ct, hash, repl_hash);
 NF_CT_STAT_INC(net, insert);
 spin_unlock_bh(&nf_conntrack_lock);
+
 help = nfct_help(ct);
 if (help && help->helper)
 nf_conntrack_event_cache(IPCT_HELPER, ct);
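Review bot: The comment added above the relocated `__nf_conntrack_hash_insert(ct, hash, repl_hash);` in the second nf_conntrack_core.c hunk credits "the RCU barriers" with the ordering, but does not say which barrier it relies on, and none is visible in this hunk. `add_timer()`, `atomic_inc(&ct->ct_general.use)` and `set_bit(IPS_CONFIRMED_BIT, &ct->status)` imply no write barrier of their own, so the guarantee presumably comes from the publication barrier inside the RCU list insertion performed by `__nf_conntrack_hash_insert()`, which is defined outside the hunk. I would name that dependency in the comment, for example `* The write barrier in the RCU list insertion orders the stores above before the entry becomes reachable; keep it if the insert helper changes.` Otherwise a later change to the helper could silently reopen the window in which a lockless lookup finds a conntrack with no running timer or without the CONFIRMED bit. The body of `__nf_conntrack_confirm()` starts and ends outside the hunk, so the lookup side that must pair with this ordering cannot be checked from here.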