ipvs: Fix possible deadlock in estimator code

There is a slight chance for a deadlock in the estimator code. We can't call
del_timer_sync() while holding our lock, as the timer might be active and
spinning for the lock on another cpu. Work around this issue by using
try_to_del_timer_sync() and releasing the lock. We could actually delete the
timer outside of our lock, as the add and kill functions are only every called
from userspace via [gs]etsockopt() and are serialized by a mutex, but better
make this explicit.

Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
Cc: stable <stable@kernel.org>
Acked-by: Simon Horman <horms@verge.net.au>

diff --git a/net/ipv4/ipvs/ip_vs_est.c b/net/ipv4/ipvs/ip_vs_est.c
index bc04eedd6dbb45b26853f3c39e9323c9a41900c4..1d6e58e502fd8f22cdbdf72d1e6657bb63888291 100644 (file)
--- a/net/ipv4/ipvs/ip_vs_est.c
+++ b/net/ipv4/ipvs/ip_vs_est.c
@@ -170,8 +170,11 @@ void ip_vs_kill_estimator(struct ip_vs_stats *stats)
                kfree(est);
                killed++;
        }
-       if (killed && est_list == NULL)
-               del_timer_sync(&est_timer);
+       while (killed && !est_list && try_to_del_timer_sync(&est_timer) < 0) {
+               write_unlock_bh(&est_lock);
+               cpu_relax();
+               write_lock_bh(&est_lock);
+       }
        write_unlock_bh(&est_lock);
 }