[PATCH net-2.6.25][NET_NS][IPV6] fix ip6_frags.ctl oops

[Daniel Lezcano <dlezcano@fr.ibm.com>]

[-- Attachment #1: Type: text/plain, Size: 1 bytes --]



[-- Attachment #2: fix-ip6frag-sysctl-oops.patch --]
[-- Type: text/x-patch, Size: 1402 bytes --]

Subject: fix ip6_frag ctl
From: Daniel Lezcano <dlezcano@fr.ibm.com>

Alexey Dobriyan reported an oops when unsharing the network
indefinitely inside a loop. This is because the ip6_frag is not per
namespace while the ctls are.

That happens at the fragment timer expiration: inet_frag_secret_rebuild 
function is called and this one restarts the timer using the value stored
inside the sysctl field.

        "mod_timer(&f->secret_timer, now + f->ctl->secret_interval);"

When the network is unshared, ip6_frag.ctl is initialized with the new
sysctl instances, but ip6_frag has only one instance. A race in this case
will appear because f->ctl can be modified during the read access in the 
timer callback.

Until the ip6_frag is not per namespace, I discard the assignation to the 
ctl field of ip6_frags in ip6_frag_sysctl_init when the network namespace
is not the init net.

Signed-off-by: Daniel Lezcano <dlezcano@fr.ibm.com>
---
 net/ipv6/reassembly.c |    3 +++
 1 file changed, 3 insertions(+)

Index: net-2.6.25-misc/net/ipv6/reassembly.c
===================================================================
--- net-2.6.25-misc.orig/net/ipv6/reassembly.c
+++ net-2.6.25-misc/net/ipv6/reassembly.c
@@ -627,6 +627,9 @@ static struct inet6_protocol frag_protoc
 
 void ipv6_frag_sysctl_init(struct net *net)
 {
+	if (net != &init_net)
+		return;
+
 	ip6_frags.ctl = &net->ipv6.sysctl.frags;
 }