From: Ding Tianhong <dingtianhong@huawei.com>
To: Veaceslav Falico <vfalico@redhat.com>, <netdev@vger.kernel.org>
Cc: Jay Vosburgh <fubar@us.ibm.com>, Andy Gospodarek <andy@greyhouse.net>
Subject: Re: [PATCH net] bonding: fix bond_arp_rcv() race of curr_active_slave
Date: Thu, 20 Feb 2014 19:49:28 +0800
Message-ID: <5305EBC8.3070207@huawei.com>
In-Reply-To: <1392894477-5477-1-git-send-email-vfalico@redhat.com>

On 2014/2/20 19:07, Veaceslav Falico wrote:
> bond->curr_active_slave can be changed between its dereferences, even to
> NULL, and thus we might panic.
> 
> We're always holding the rcu (rx_handler->bond_handle_frame()->bond_arp_rcv())
> so fix this by rcu_dereferencing() it and using the saved.
> 
> Reported-by: Ding Tianhong <dingtianhong@huawei.com>
> Fixes: aeea64a ("bonding: don't trust arp requests unless active slave really works")
> CC: Jay Vosburgh <fubar@us.ibm.com>
> CC: Andy Gospodarek <andy@greyhouse.net>
> Signed-off-by: Veaceslav Falico <vfalico@redhat.com>
> ---
>  drivers/net/bonding/bond_main.c | 10 +++++++---
>  1 file changed, 7 insertions(+), 3 deletions(-)
> 
> diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
> index 71edf03..bd70bbc 100644
> --- a/drivers/net/bonding/bond_main.c
> +++ b/drivers/net/bonding/bond_main.c
> @@ -2254,6 +2254,7 @@ int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
>  		 struct slave *slave)
>  {
>  	struct arphdr *arp = (struct arphdr *)skb->data;
> +	struct slave *curr_active_slave;
>  	unsigned char *arp_ptr;
>  	__be32 sip, tip;
>  	int alen, is_arp = skb->protocol == __cpu_to_be16(ETH_P_ARP);
> @@ -2299,6 +2300,8 @@ int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
>  		 bond->params.arp_validate, slave_do_arp_validate(bond, slave),
>  		 &sip, &tip);
>  
> +	curr_active_slave = rcu_dereference(bond->curr_active_slave);
> +
>  	/*
>  	 * Backup slaves won't see the ARP reply, but do come through
>  	 * here for each ARP probe (so we swap the sip/tip to validate
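
Review bot: the new rcu_dereference(bond->curr_active_slave) is only safe inside an RCU read-side section, and nothing at this point in bond_arp_rcv() states who provides it. The commit message names the rx_handler->bond_handle_frame()->bond_arp_rcv() path as the holder; a one-line comment above the assignment saying so would keep a future caller from invoking this function outside that path. The snapshot is also taken unconditionally although only the else-if branch in the last hunk reads it, so it could be taken next to that branch.
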
> @@ -2312,11 +2315,12 @@ int bond_arp_rcv(const struct sk_buff *skb, struct bonding *bond,
>  	 * is done to avoid endless looping when we can't reach the
>  	 * arp_ip_target and fool ourselves with our own arp requests.
>  	 */
> +
>  	if (bond_is_active_slave(slave))
>  		bond_validate_arp(bond, slave, sip, tip);
> -	else if (bond->curr_active_slave &&
> -		 time_after(slave_last_rx(bond, bond->curr_active_slave),
> -			    bond->curr_active_slave->last_link_up))
> +	else if (curr_active_slave &&
> +		 time_after(slave_last_rx(bond, curr_active_slave),
> +			    curr_active_slave->last_link_up))
>  		bond_validate_arp(bond, slave, tip, sip);
>  
>  out_unlock:
> 
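
Review bot: the added empty line between the closing */ of the comment and "if (bond_is_active_slave(slave))" is an unrelated whitespace change that detaches the comment from the code it documents; please drop it. The rest of the else-if condition looks right: the NULL check, slave_last_rx() and ->last_link_up now all use the same saved curr_active_slave, so the pointer can no longer become NULL between the check and the two later uses.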

Acked-by: Ding Tianhong <dingtianhong@huawei.com>
