]> git.ipfire.org Git - thirdparty/ipset.git/commitdiff
projects / thirdparty / ipset.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 3dcf2f1)
treewide: Convert del_timer*() to timer_shutdown*()
authorSteven Rostedt (Google) <rostedt@goodmis.org>
Mon, 29 Jan 2024 12:12:31 +0000 (13:12 +0100)
committerJozsef Kadlecsik <kadlec@netfilter.org>
Mon, 29 Jan 2024 12:19:04 +0000 (13:19 +0100)
Due to several bugs caused by timers being re-armed after they are
shutdown and just before they are freed, a new state of timers was added
called "shutdown".  After a timer is set to this state, then it can no
longer be re-armed.

The following script was run to find all the trivial locations where
del_timer() or del_timer_sync() is called in the same function that the
object holding the timer is freed.  It also ignores any locations where
the timer->function is modified between the del_timer*() and the free(),
as that is not considered a "trivial" case.

This was created by using a coccinelle script and the following
commands:

       $ cat timer.cocci
        @@
        expression ptr, slab;
        identifier timer, rfield;
        @@
        (
        -       del_timer(&ptr->timer);
        +       timer_shutdown(&ptr->timer);
        |
        -       del_timer_sync(&ptr->timer);
        +       timer_shutdown_sync(&ptr->timer);
        )
          ... when strict
              when != ptr->timer
        (
                kfree_rcu(ptr, rfield);
        |
                kmem_cache_free(slab, ptr);
        |
                kfree(ptr);
        )

        $ spatch timer.cocci . > /tmp/t.patch
        $ patch -p1 < /tmp/t.patch

Link: https://lore.kernel.org/lkml/20221123201306.823305113@linutronix.de/
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Acked-by: Pavel Machek <pavel@ucw.cz> [ LED ]
Acked-by: Kalle Valo <kvalo@kernel.org> [ wireless ]
Acked-by: Paolo Abeni <pabeni@redhat.com> [ networking ]
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
kernel/net/netfilter/ipset/ip_set_list_set.c patch | blob | blame | history

diff --git a/kernel/net/netfilter/ipset/ip_set_list_set.c b/kernel/net/netfilter/ipset/ip_set_list_set.c
index d7d487c97d2eb5df8e4c5a2dabd349cc8fdc4277..cc2e5b9be291e69e89aa2e8a4f91e1e15145a10b 100644 (file)
--- a/kernel/net/netfilter/ipset/ip_set_list_set.c
+++ b/kernel/net/netfilter/ipset/ip_set_list_set.c
@@ -551,7 +551,7 @@ list_set_cancel_gc(struct ip_set *set)
        struct list_set *map = set->data;
 
        if (SET_WITH_TIMEOUT(set))
-               del_timer_sync(&map->gc);
+               timer_shutdown_sync(&map->gc);
 }
 
 static const struct ip_set_type_variant set_variant = {
Mirror of git://git.netfilter.org/ipset