From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Joe Jin <joe.jin@oracle.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 17/45] neighbour: fix a race in neigh_destroy()
Date: Fri, 26 Jul 2013 13:57:37 -0700 [thread overview]
Message-ID: <20130726205656.799260528@linuxfoundation.org> (raw)
In-Reply-To: <20130726205654.896050165@linuxfoundation.org>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
[ Upstream commit c9ab4d85de222f3390c67aedc9c18a50e767531e ]
There is a race in neighbour code, because neigh_destroy() uses
skb_queue_purge(&neigh->arp_queue) without holding neighbour lock,
while other parts of the code assume neighbour rwlock is what
protects arp_queue
Convert all skb_queue_purge() calls to the __skb_queue_purge() variant
Use __skb_queue_head_init() instead of skb_queue_head_init()
to make clear we do not use arp_queue.lock
And hold neigh->lock in neigh_destroy() to close the race.
Reported-by: Joe Jin <joe.jin@oracle.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/neighbour.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -237,7 +237,7 @@ static void neigh_flush_dev(struct neigh
we must kill timers etc. and move
it to safe state.
*/
- skb_queue_purge(&n->arp_queue);
+ __skb_queue_purge(&n->arp_queue);
n->output = neigh_blackhole;
if (n->nud_state & NUD_VALID)
n->nud_state = NUD_NOARP;
@@ -291,7 +291,7 @@ static struct neighbour *neigh_alloc(str
if (!n)
goto out_entries;
- skb_queue_head_init(&n->arp_queue);
+ __skb_queue_head_init(&n->arp_queue);
rwlock_init(&n->lock);
seqlock_init(&n->ha_lock);
n->updated = n->used = now;
@@ -712,7 +712,9 @@ void neigh_destroy(struct neighbour *nei
hh_cache_put(hh);
}
- skb_queue_purge(&neigh->arp_queue);
+ write_lock_bh(&neigh->lock);
+ __skb_queue_purge(&neigh->arp_queue);
+ write_unlock_bh(&neigh->lock);
dev_put(neigh->dev);
neigh_parms_put(neigh->parms);
@@ -864,7 +866,7 @@ static void neigh_invalidate(struct neig
neigh->ops->error_report(neigh, skb);
write_lock(&neigh->lock);
}
- skb_queue_purge(&neigh->arp_queue);
+ __skb_queue_purge(&neigh->arp_queue);
}
/* Called when a timer expires for a neighbour entry. */
@@ -1188,7 +1190,7 @@ int neigh_update(struct neighbour *neigh
write_lock_bh(&neigh->lock);
}
- skb_queue_purge(&neigh->arp_queue);
+ __skb_queue_purge(&neigh->arp_queue);
}
out:
if (update_isrouter) {
next prev parent reply other threads:[~2013-07-26 20:58 UTC|newest]
Thread overview: 50+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-07-26 20:57 [ 00/45] 3.0.88-stable review Greg Kroah-Hartman
2013-07-26 20:57 ` [ 01/45] tick: Prevent uncontrolled switch to oneshot mode Greg Kroah-Hartman
2013-07-26 20:57 ` [ 02/45] ASoC: sglt5000: Fix SGTL5000_PLL_FRAC_DIV_MASK Greg Kroah-Hartman
2013-07-26 20:57 ` [ 03/45] rt2x00: read 5GHz TX power values from the correct offset Greg Kroah-Hartman
2013-07-26 20:57 ` [ 04/45] SCSI: zfcp: fix adapter (re)open recovery while link to SAN is down Greg Kroah-Hartman
2013-07-26 20:57 ` [ 05/45] SCSI: mpt2sas: fix firmware failure with wrong task attribute Greg Kroah-Hartman
2013-07-26 20:57 ` [ 06/45] tracing: Use current_uid() for critical time tracing Greg Kroah-Hartman
2013-07-26 20:57 ` [ 07/45] perf: Clone child context from parent context pmu Greg Kroah-Hartman
2013-07-26 20:57 ` [ 08/45] perf: Remove WARN_ON_ONCE() check in __perf_event_enable() for valid scenario Greg Kroah-Hartman
2013-07-26 20:57 ` [ 09/45] perf: Fix perf_lock_task_context() vs RCU Greg Kroah-Hartman
2013-07-26 20:57 ` [ 10/45] sparc32: vm_area_struct access for old Sun SPARCs Greg Kroah-Hartman
2013-07-26 20:57 ` [ 11/45] sparc64 address-congruence property Greg Kroah-Hartman
2013-07-26 20:57 ` [ 12/45] sparc: tsb must be flushed before tlb Greg Kroah-Hartman
2013-07-26 20:57 ` [ 13/45] bridge: fix switched interval for MLD Query types Greg Kroah-Hartman
2013-07-26 20:57 ` [ 14/45] ipv6: dont call addrconf_dst_alloc again when enable lo Greg Kroah-Hartman
2013-07-26 20:57 ` [ 15/45] ipv6: ip6_sk_dst_check() must not assume ipv6 dst Greg Kroah-Hartman
2013-07-26 20:57 ` [ 16/45] af_key: fix info leaks in notify messages Greg Kroah-Hartman
2013-07-26 20:57 ` Greg Kroah-Hartman [this message]
2013-07-26 20:57 ` [ 18/45] x25: Fix broken locking in ioctl error paths Greg Kroah-Hartman
2013-07-26 20:57 ` [ 19/45] net: Swap ver and type in pppoe_hdr Greg Kroah-Hartman
2013-07-26 20:57 ` [ 20/45] ipv6,mcast: always hold idev->lock before mca_lock Greg Kroah-Hartman
2013-07-26 20:57 ` [ 21/45] l2tp: add missing .owner to struct pppox_proto Greg Kroah-Hartman
2013-07-26 20:57 ` [ 22/45] ipv6: call udp_push_pending_frames when uncorking a socket with AF_INET pending data Greg Kroah-Hartman
2013-07-26 20:57 ` [ 23/45] sunvnet: vnet_port_remove must call unregister_netdev Greg Kroah-Hartman
2013-07-26 20:57 ` [ 24/45] ifb: fix rcu_sched self-detected stalls Greg Kroah-Hartman
2013-07-26 20:57 ` [ 25/45] dummy: fix oops when loading the dummy failed Greg Kroah-Hartman
2013-07-26 20:57 ` [ 26/45] ifb: fix oops when loading the ifb failed Greg Kroah-Hartman
2013-07-26 20:57 ` [ 27/45] vlan: fix a race in egress prio management Greg Kroah-Hartman
2013-07-26 20:57 ` [ 28/45] writeback: Fix periodic writeback after fs mount Greg Kroah-Hartman
2013-07-26 20:57 ` [ 29/45] SCSI: megaraid_sas: fix memory leak if SGL has zero length entries Greg Kroah-Hartman
2013-07-26 20:57 ` [ 30/45] SCSI: Fix incorrect memset in bnx2fc_parse_fcp_rsp Greg Kroah-Hartman
2013-07-26 20:57 ` [ 31/45] usb: serial: option: blacklist ONDA MT689DC QMI interface Greg Kroah-Hartman
2013-07-26 20:57 ` [ 32/45] usb: option: add TP-LINK MA260 Greg Kroah-Hartman
2013-07-26 20:57 ` [ 33/45] usb: serial: option: add Olivetti Olicard 200 Greg Kroah-Hartman
2013-07-26 20:57 ` [ 34/45] usb: serial: option.c: remove ONDA MT825UP product ID fromdriver Greg Kroah-Hartman
2013-07-26 20:57 ` [ 35/45] USB: option: append Petatel NP10T device to GSM modems list Greg Kroah-Hartman
2013-07-26 20:57 ` [ 36/45] USB: option: add D-Link DWM-152/C1 and DWM-156/C1 Greg Kroah-Hartman
2013-07-26 20:57 ` [ 37/45] usb: serial: option: Add ONYX 3G device support Greg Kroah-Hartman
2013-07-26 20:57 ` [ 38/45] usb: serial: cp210x: Add USB ID for Netgear Switches embedded serial adapter Greg Kroah-Hartman
2013-07-26 20:57 ` [ 39/45] USB: cp210x: add MMB and PI ZigBee USB Device Support Greg Kroah-Hartman
2013-07-26 20:58 ` [ 40/45] usb: cp210x support SEL C662 Vendor/Device Greg Kroah-Hartman
2013-07-26 20:58 ` [ 41/45] lockd: protect nlm_blocked access in nlmsvc_retry_blocked Greg Kroah-Hartman
2013-07-26 20:58 ` [ 42/45] tracing: Fix irqs-off tag display in syscall tracing Greg Kroah-Hartman
2013-07-26 20:58 ` [ 43/45] hrtimers: Move SMP function call to thread context Greg Kroah-Hartman
2013-07-26 20:58 ` [ 44/45] [SCSI] zfcp: status read buffers on first adapter open with link down Greg Kroah-Hartman
2013-07-26 20:58 ` [ 45/45] ALSA: usb-audio: 6fire: return correct XRUN indication Greg Kroah-Hartman
2013-07-27 11:22 ` [ 00/45] 3.0.88-stable review linux
2013-07-27 23:30 ` Ben Hutchings
2013-07-28 1:31 ` Guenter Roeck
2013-07-28 18:39 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130726205656.799260528@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=joe.jin@oracle.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox