Re: neigh_create/inetdev_destroy race?

All of lore.kernel.org
 help / color / mirror / Atom feed

From: "David S. Miller" <davem@davemloft.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: shemminger@osdl.org, netdev@oss.sgi.com
Subject: Re: neigh_create/inetdev_destroy race?
Date: Sat, 28 Aug 2004 23:42:01 -0700	[thread overview]
Message-ID: <20040828234201.79556f6e.davem@davemloft.net> (raw)
In-Reply-To: <20040816105131.GA11299@gondor.apana.org.au>

On Mon, 16 Aug 2004 20:51:31 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> > > CPU0					CPU1
> > > neigh_create
> > > 					inet_del_ifa
> > > 						notifier_call_chain
> > > 							neigh_ifdown
> > > 						inetdev_destroy
> > > 	arp_constructor
> > > 		neigh->parms =
> > > 			in_dev->arp_parms
> > > 							in_dev->dead = 1
> > > 							in_dev->dev->ip_ptr =
> > > 								NULL
> > > 							neigh_parms_release
> > > 	n->parms->neigh_setup => BUG
> > 
> > Is there anything other than hostess_sv11.c, sealevel.c, and shaper.c
> > which are using n->parms->neigh_setup at all?
> > 
> > This seems to be a very obscure special case hack, which perhaps we
> > can removee entirely.
> 
> That maybe the case, but the race has nothing to do with neigh_setup.
> 
> Even if you remove neigh_setup altogether, the very next line in
> neigh_create will dereference n->parms by looking up base_reachable_time.

Wait a second, how can neigh_ifdown() even find this thing?
Firstly, neigh_create() takes a reference to the device, which
in turn holds onto the inetdev preventing inetdev_destroy().

Secondly, until neigh_create() takes the tbl lock, it is not in
the hash tables and therefore neigh_ifdown() could not see it.

Thirdly, arp_constructor() does in_dev_get() and checks the
return value.  If it fails, by racing with inetdev_destroy(),
neigh_create() will return an error and not do bogus derefing.

I think that covers all the cases, right?
(please prove me wrong, this looks too easy :-)

next prev parent reply	other threads:[~2004-08-29  6:42 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-08-12 23:59 [PATCH] Move inetdev/ifa over to RCU David S. Miller
2004-08-13  2:20 ` James Morris
2004-08-13 10:02 ` Herbert Xu
2004-08-13 16:03 ` Stephen Hemminger
2004-08-13 16:38   ` David S. Miller
2004-08-13 21:56     ` Herbert Xu
2004-08-13 22:19       ` David S. Miller
2004-08-14  0:34         ` Herbert Xu
2004-08-14  0:39           ` David S. Miller
2004-08-14  0:54             ` Herbert Xu
2004-08-14  1:25               ` Herbert Xu
2004-08-14  1:30                 ` Herbert Xu
2004-08-14  5:08                   ` Herbert Xu
2004-08-14  6:27                     ` neigh_create/inetdev_destroy race? Herbert Xu
2004-08-16  2:14                       ` David S. Miller
2004-08-16 10:51                         ` Herbert Xu
2004-08-29  6:42                           ` David S. Miller [this message]
2004-08-29  6:50                             ` Herbert Xu
2004-08-31  6:08                               ` David S. Miller
2004-08-31 10:41                                 ` Herbert Xu
2004-09-02  5:21                                   ` David S. Miller
2004-09-02 13:06                                     ` Herbert Xu
2004-09-03 13:36                                       ` Herbert Xu
2004-09-03 16:00                                         ` Stephen Hemminger
2004-09-03 23:49                                           ` Herbert Xu
2004-09-07 20:50                                             ` David S. Miller
2004-09-03 16:18                                         ` David S. Miller
2004-08-16  2:08                     ` [PATCH] Move inetdev/ifa over to RCU David S. Miller
2004-08-16  2:43                       ` Herbert Xu
2004-08-16  3:08                         ` David S. Miller
2004-08-16  3:14                           ` Herbert Xu
2004-08-16  6:23                             ` David S. Miller
2004-08-14  6:31                   ` Herbert Xu
2004-08-14  6:32                     ` Herbert Xu
2004-08-16  3:01                   ` David S. Miller
2004-08-14  1:40                 ` Herbert Xu
2004-08-16  3:03                   ` David S. Miller
2004-08-16  3:23                     ` Herbert Xu
2004-08-16  6:24                       ` David S. Miller
2004-08-14  4:30                 ` Stephen Hemminger
2004-08-14  4:36                   ` Herbert Xu
2004-08-16  2:59               ` David S. Miller
2004-08-16  2:58           ` David S. Miller
2004-08-16  3:08             ` Herbert Xu
2004-08-16  6:21               ` David S. Miller
2004-08-16  8:13                 ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040828234201.79556f6e.davem@davemloft.net \
    --to=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=netdev@oss.sgi.com \
    --cc=shemminger@osdl.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.