From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, David Barroso <dbarroso@fastly.com>,
Lennert Buytenhek <lbuytenhek@fastly.com>,
David Ahern <dsa@cumulusnetworks.com>,
Robert Shearman <rshearma@brocade.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.6 12/31] neigh: Explicitly declare RCU-bh read side critical section in neigh_xmit()
Date: Wed, 6 Jul 2016 18:19:02 -0700 [thread overview]
Message-ID: <20160707011558.016811348@linuxfoundation.org> (raw)
In-Reply-To: <20160707011557.518104444@linuxfoundation.org>
4.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Barroso <dbarroso@fastly.com>
[ Upstream commit b560f03ddfb072bca65e9440ff0dc4f9b1d1f056 ]
neigh_xmit() expects to be called inside an RCU-bh read side critical
section, and while one of its two current callers gets this right, the
other one doesn't.
More specifically, neigh_xmit() has two callers, mpls_forward() and
mpls_output(), and while both callers call neigh_xmit() under
rcu_read_lock(), this provides sufficient protection for neigh_xmit()
only in the case of mpls_forward(), as that is always called from
softirq context and therefore doesn't need explicit BH protection,
while mpls_output() can be called from process context with softirqs
enabled.
When mpls_output() is called from process context, with softirqs
enabled, we can be preempted by a softirq at any time, and RCU-bh
considers the completion of a softirq as signaling the end of any
pending read-side critical sections, so if we do get a softirq
while we are in the part of neigh_xmit() that expects to be run inside
an RCU-bh read side critical section, we can end up with an unexpected
RCU grace period running right in the middle of that critical section,
making things go boom.
This patch fixes this impedance mismatch in the callee, by making
neigh_xmit() always take rcu_read_{,un}lock_bh() around the code that
expects to be treated as an RCU-bh read side critical section, as this
seems a safer option than fixing it in the callers.
Fixes: 4fd3d7d9e868f ("neigh: Add helper function neigh_xmit")
Signed-off-by: David Barroso <dbarroso@fastly.com>
Signed-off-by: Lennert Buytenhek <lbuytenhek@fastly.com>
Acked-by: David Ahern <dsa@cumulusnetworks.com>
Acked-by: Robert Shearman <rshearma@brocade.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/neighbour.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -2467,13 +2467,17 @@ int neigh_xmit(int index, struct net_dev
tbl = neigh_tables[index];
if (!tbl)
goto out;
+ rcu_read_lock_bh();
neigh = __neigh_lookup_noref(tbl, addr, dev);
if (!neigh)
neigh = __neigh_create(tbl, addr, dev, false);
err = PTR_ERR(neigh);
- if (IS_ERR(neigh))
+ if (IS_ERR(neigh)) {
+ rcu_read_unlock_bh();
goto out_kfree_skb;
+ }
err = neigh->output(neigh, skb);
+ rcu_read_unlock_bh();
}
else if (index == NEIGH_LINK_TABLE) {
err = dev_hard_header(skb, dev, ntohs(skb->protocol),
next prev parent reply other threads:[~2016-07-07 1:19 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-07-07 1:18 [PATCH 4.6 00/31] 4.6.4-stable review Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 01/31] net_sched: fix pfifo_head_drop behavior vs backlog Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 02/31] act_ipt: fix a bind refcnt leak Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 03/31] net: Dont forget pr_fmt on net_dbg_ratelimited for CONFIG_DYNAMIC_DEBUG Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 04/31] sit: correct IP protocol used in ipip6_err Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 05/31] kcm: fix /proc memory leak Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 06/31] esp: Fix ESN generation under UDP encapsulation Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 07/31] netem: fix a use after free Greg Kroah-Hartman
2016-07-07 1:18 ` [PATCH 4.6 08/31] ipmr/ip6mr: Initialize the last assert time of mfc entries Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 10/31] sock_diag: do not broadcast raw socket destruction Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 11/31] bpf, perf: delay release of BPF prog after grace period Greg Kroah-Hartman
2016-07-07 1:19 ` Greg Kroah-Hartman [this message]
2016-07-07 1:19 ` [PATCH 4.6 13/31] AX.25: Close socket connection on session completion Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 14/31] crypto: vmx - Increase priority of aes-cbc cipher Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 15/31] crypto: ux500 - memmove the right size Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 16/31] crypto: user - re-add size check for CRYPTO_MSG_GETALG Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 17/31] USB: uas: Fix slave queue_depth not being set Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 18/31] usb: quirks: Fix sorting Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 19/31] usb: quirks: Add no-lpm quirk for Acer C120 LED Projector Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 20/31] usb: musb: only restore devctl when session was set in backup Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 21/31] usb: musb: Stop bulk endpoint while queue is rotated Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 22/31] usb: musb: Ensure rx reinit occurs for shared_fifo endpoints Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 23/31] usb: musb: host: correct cppi dma channel for isoch transfer Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 24/31] xhci: Cleanup only when releasing primary hcd Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 25/31] usb: xhci-plat: properly handle probe deferral for devm_clk_get() Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 26/31] USB: xhci: Add broken streams quirk for Frescologic device id 1009 Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 27/31] xhci: Fix handling timeouted commands on hosts in weird states Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 28/31] USB: mos7720: delete parport Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 29/31] usb: gadget: fix spinlock dead lock in gadgetfs Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 30/31] usb: host: ehci-tegra: Grab the correct UTMI pads reset Greg Kroah-Hartman
2016-07-07 1:19 ` [PATCH 4.6 31/31] usb: dwc3: exynos: Fix deferred probing storm Greg Kroah-Hartman
2016-07-07 12:39 ` [PATCH 4.6 00/31] 4.6.4-stable review Heinz Diehl
2016-07-07 19:13 ` Greg Kroah-Hartman
2016-07-07 13:31 ` Guenter Roeck
2016-07-08 3:45 ` Shuah Khan
2016-07-09 5:13 ` Greg Kroah-Hartman
[not found] ` <577ffc00.48371c0a.49d2e.ffff82fc@mx.google.com>
[not found] ` <7hwpks6iwc.fsf@baylibre.com>
2016-07-11 20:29 ` Guenter Roeck
2016-07-12 4:16 ` Kevin Hilman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20160707011558.016811348@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=dbarroso@fastly.com \
--cc=dsa@cumulusnetworks.com \
--cc=lbuytenhek@fastly.com \
--cc=linux-kernel@vger.kernel.org \
--cc=rshearma@brocade.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).