* [PATCH net-next] 802: fix a possible race condition
2013-03-23 5:14 ` [PATCH net-next] 8021q: fix a potential use-after-free Cong Wang
@ 2013-03-23 5:14 ` Cong Wang
2013-03-24 21:24 ` David Miller
0 siblings, 1 reply; 7+ messages in thread
From: Cong Wang @ 2013-03-23 5:14 UTC (permalink / raw)
To: netdev; +Cc: David S. Miller, David Ward, Jorge Boncompte [DTI2], Cong Wang
From: Cong Wang <amwang@redhat.com>
garp_pdu_queue() should ways be called with this spin lock.
garp_uninit_applicant() only holds rtnl lock which is not
enough here.
Found by code inspection.
Cc: "David S. Miller" <davem@davemloft.net>
Cc: David Ward <david.ward@ll.mit.edu>
Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
---
net/802/garp.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/net/802/garp.c b/net/802/garp.c
index 8456f5d..5d9630a 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -609,8 +609,12 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
/* Delete timer and generate a final TRANSMIT_PDU event to flush out
* all pending messages before the applicant is gone. */
del_timer_sync(&app->join_timer);
+
+ spin_lock_bh(&app->lock);
garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU);
garp_pdu_queue(app);
+ spin_unlock_bh(&app->lock);
+
garp_queue_xmit(app);
dev_mc_del(dev, appl->proto.group_address);
--
1.7.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] 802: fix a possible race condition
2013-03-23 5:14 ` [PATCH net-next] 802: fix a possible race condition Cong Wang
@ 2013-03-24 21:24 ` David Miller
2013-03-25 13:32 ` Cong Wang
0 siblings, 1 reply; 7+ messages in thread
From: David Miller @ 2013-03-24 21:24 UTC (permalink / raw)
To: amwang; +Cc: netdev, david.ward, jorge
From: Cong Wang <amwang@redhat.com>
Date: Sat, 23 Mar 2013 13:14:08 +0800
> From: Cong Wang <amwang@redhat.com>
>
> garp_pdu_queue() should ways be called with this spin lock.
> garp_uninit_applicant() only holds rtnl lock which is not
> enough here.
>
> Found by code inspection.
>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: David Ward <david.ward@ll.mit.edu>
> Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
> Signed-off-by: Cong Wang <amwang@redhat.com>
Under what conditions can entries be removed or added to
these RB-trees without the RTNL being held?
If such events cannot happen, then no locking is needed.
Even if your change is correct and necessary, the answer to my
needs to be added to your commit message.
Thanks.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] 802: fix a possible race condition
2013-03-24 21:24 ` David Miller
@ 2013-03-25 13:32 ` Cong Wang
2013-03-25 14:08 ` Eric Dumazet
0 siblings, 1 reply; 7+ messages in thread
From: Cong Wang @ 2013-03-25 13:32 UTC (permalink / raw)
To: David Miller; +Cc: netdev, david.ward, jorge
On Sun, 2013-03-24 at 17:24 -0400, David Miller wrote:
> From: Cong Wang <amwang@redhat.com>
> Date: Sat, 23 Mar 2013 13:14:08 +0800
>
> > From: Cong Wang <amwang@redhat.com>
> >
> > garp_pdu_queue() should ways be called with this spin lock.
> > garp_uninit_applicant() only holds rtnl lock which is not
> > enough here.
> >
> > Found by code inspection.
> >
> > Cc: "David S. Miller" <davem@davemloft.net>
> > Cc: David Ward <david.ward@ll.mit.edu>
> > Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
> > Signed-off-by: Cong Wang <amwang@redhat.com>
>
> Under what conditions can entries be removed or added to
> these RB-trees without the RTNL being held?
At least garp_join_timer() calls garp_pdu_queue() in a timer:
static void garp_join_timer(unsigned long data)
{
struct garp_applicant *app = (struct garp_applicant *)data;
spin_lock(&app->lock);
garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU);
garp_pdu_queue(app);
spin_unlock(&app->lock);
garp_queue_xmit(app);
garp_join_timer_arm(app);
}
which I don't think can hold RTNL lock possibly.
>
> If such events cannot happen, then no locking is needed.
>
> Even if your change is correct and necessary, the answer to my
> needs to be added to your commit message.
Ok, I will.
Thanks.
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] 802: fix a possible race condition
2013-03-25 13:32 ` Cong Wang
@ 2013-03-25 14:08 ` Eric Dumazet
2013-03-26 3:01 ` Cong Wang
0 siblings, 1 reply; 7+ messages in thread
From: Eric Dumazet @ 2013-03-25 14:08 UTC (permalink / raw)
To: Cong Wang; +Cc: David Miller, netdev, david.ward, jorge
On Mon, 2013-03-25 at 21:32 +0800, Cong Wang wrote:
> At least garp_join_timer() calls garp_pdu_queue() in a timer:
>
> static void garp_join_timer(unsigned long data)
> {
> struct garp_applicant *app = (struct garp_applicant *)data;
>
> spin_lock(&app->lock);
> garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU);
> garp_pdu_queue(app);
> spin_unlock(&app->lock);
>
> garp_queue_xmit(app);
> garp_join_timer_arm(app);
> }
>
> which I don't think can hold RTNL lock possibly.
>
But timer wont possibly run because of the previous :
del_timer_sync(&app->join_timer);
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] 802: fix a possible race condition
2013-03-25 14:08 ` Eric Dumazet
@ 2013-03-26 3:01 ` Cong Wang
0 siblings, 0 replies; 7+ messages in thread
From: Cong Wang @ 2013-03-26 3:01 UTC (permalink / raw)
To: Eric Dumazet; +Cc: David Miller, netdev, david.ward, jorge
On Mon, 2013-03-25 at 07:08 -0700, Eric Dumazet wrote:
> On Mon, 2013-03-25 at 21:32 +0800, Cong Wang wrote:
>
> > At least garp_join_timer() calls garp_pdu_queue() in a timer:
> >
> > static void garp_join_timer(unsigned long data)
> > {
> > struct garp_applicant *app = (struct garp_applicant *)data;
> >
> > spin_lock(&app->lock);
> > garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU);
> > garp_pdu_queue(app);
> > spin_unlock(&app->lock);
> >
> > garp_queue_xmit(app);
> > garp_join_timer_arm(app);
> > }
> >
> > which I don't think can hold RTNL lock possibly.
> >
>
> But timer wont possibly run because of the previous :
>
> del_timer_sync(&app->join_timer);
Yeah, but in the following callchain:
garp_pdu_rcv() -> garp_pdu_parse_msg() -> garp_pdu_parse_attr() ->
garp_gid_event()
the race can happen too as garp_pdu_rcv() is called in BH context.
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH net-next] 802: fix a possible race condition
@ 2013-04-03 7:52 Cong Wang
2013-04-07 21:04 ` David Miller
0 siblings, 1 reply; 7+ messages in thread
From: Cong Wang @ 2013-04-03 7:52 UTC (permalink / raw)
To: netdev
Cc: Eric Dumazet, David S. Miller, David Ward, Jorge Boncompte [DTI2],
Cong Wang
From: Cong Wang <amwang@redhat.com>
(Resend with a better changelog)
garp_pdu_queue() should ways be called with this spin lock.
garp_uninit_applicant() only holds rtnl lock which is not
enough here. A possible race can happen as garp_pdu_rcv()
is called in BH context:
garp_pdu_rcv()
|->garp_pdu_parse_msg()
|->garp_pdu_parse_attr()
|-> garp_gid_event()
Found by code inspection.
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: David Ward <david.ward@ll.mit.edu>
Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
---
net/802/garp.c | 4 ++++
1 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/net/802/garp.c b/net/802/garp.c
index 8456f5d..5d9630a 100644
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -609,8 +609,12 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
/* Delete timer and generate a final TRANSMIT_PDU event to flush out
* all pending messages before the applicant is gone. */
del_timer_sync(&app->join_timer);
+
+ spin_lock_bh(&app->lock);
garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU);
garp_pdu_queue(app);
+ spin_unlock_bh(&app->lock);
+
garp_queue_xmit(app);
dev_mc_del(dev, appl->proto.group_address);
--
1.7.7.6
^ permalink raw reply related [flat|nested] 7+ messages in thread
* Re: [PATCH net-next] 802: fix a possible race condition
2013-04-03 7:52 [PATCH net-next] 802: fix a possible race condition Cong Wang
@ 2013-04-07 21:04 ` David Miller
0 siblings, 0 replies; 7+ messages in thread
From: David Miller @ 2013-04-07 21:04 UTC (permalink / raw)
To: amwang; +Cc: netdev, eric.dumazet, david.ward, jorge
From: Cong Wang <amwang@redhat.com>
Date: Wed, 3 Apr 2013 15:52:40 +0800
> From: Cong Wang <amwang@redhat.com>
>
> (Resend with a better changelog)
>
> garp_pdu_queue() should ways be called with this spin lock.
> garp_uninit_applicant() only holds rtnl lock which is not
> enough here. A possible race can happen as garp_pdu_rcv()
> is called in BH context:
>
> garp_pdu_rcv()
> |->garp_pdu_parse_msg()
> |->garp_pdu_parse_attr()
> |-> garp_gid_event()
>
> Found by code inspection.
>
> Cc: Eric Dumazet <eric.dumazet@gmail.com>
> Cc: "David S. Miller" <davem@davemloft.net>
> Cc: David Ward <david.ward@ll.mit.edu>
> Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
> Signed-off-by: Cong Wang <amwang@redhat.com>
Applied.
^ permalink raw reply [flat|nested] 7+ messages in thread
end of thread, other threads:[~2013-04-07 21:04 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-04-03 7:52 [PATCH net-next] 802: fix a possible race condition Cong Wang
2013-04-07 21:04 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2013-03-22 7:50 [Patch net-next] ip_gre: increase inner ip header ID during segmentation Cong Wang
2013-03-23 5:14 ` [PATCH net-next] 8021q: fix a potential use-after-free Cong Wang
2013-03-23 5:14 ` [PATCH net-next] 802: fix a possible race condition Cong Wang
2013-03-24 21:24 ` David Miller
2013-03-25 13:32 ` Cong Wang
2013-03-25 14:08 ` Eric Dumazet
2013-03-26 3:01 ` Cong Wang
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).