Re: neigh_create/inetdev_destroy race?

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "David S. Miller" <davem@davemloft.net>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: shemminger@osdl.org, netdev@oss.sgi.com
Subject: Re: neigh_create/inetdev_destroy race?
Date: Sat, 28 Aug 2004 23:42:01 -0700	[thread overview]
Message-ID: <20040828234201.79556f6e.davem@davemloft.net> (raw)
In-Reply-To: <20040816105131.GA11299@gondor.apana.org.au>

On Mon, 16 Aug 2004 20:51:31 +1000
Herbert Xu <herbert@gondor.apana.org.au> wrote:

> > > CPU0					CPU1
> > > neigh_create
> > > 					inet_del_ifa
> > > 						notifier_call_chain
> > > 							neigh_ifdown
> > > 						inetdev_destroy
> > > 	arp_constructor
> > > 		neigh->parms =
> > > 			in_dev->arp_parms
> > > 							in_dev->dead = 1
> > > 							in_dev->dev->ip_ptr =
> > > 								NULL
> > > 							neigh_parms_release
> > > 	n->parms->neigh_setup => BUG
> > 
> > Is there anything other than hostess_sv11.c, sealevel.c, and shaper.c
> > which are using n->parms->neigh_setup at all?
> > 
> > This seems to be a very obscure special case hack, which perhaps we
> > can removee entirely.
> 
> That maybe the case, but the race has nothing to do with neigh_setup.
> 
> Even if you remove neigh_setup altogether, the very next line in
> neigh_create will dereference n->parms by looking up base_reachable_time.

Wait a second, how can neigh_ifdown() even find this thing?
Firstly, neigh_create() takes a reference to the device, which
in turn holds onto the inetdev preventing inetdev_destroy().

Secondly, until neigh_create() takes the tbl lock, it is not in
the hash tables and therefore neigh_ifdown() could not see it.

Thirdly, arp_constructor() does in_dev_get() and checks the
return value.  If it fails, by racing with inetdev_destroy(),
neigh_create() will return an error and not do bogus derefing.

I think that covers all the cases, right?
(please prove me wrong, this looks too easy :-)

next prev parent reply	other threads:[~2004-08-29  6:42 UTC|newest]

Thread overview: 46+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2004-08-12 23:59 [PATCH] Move inetdev/ifa over to RCU David S. Miller
2004-08-13  2:20 ` James Morris
2004-08-13 10:02 ` Herbert Xu
2004-08-13 16:03 ` Stephen Hemminger
2004-08-13 16:38   ` David S. Miller
2004-08-13 21:56     ` Herbert Xu
2004-08-13 22:19       ` David S. Miller
2004-08-14  0:34         ` Herbert Xu
2004-08-14  0:39           ` David S. Miller
2004-08-14  0:54             ` Herbert Xu
2004-08-14  1:25               ` Herbert Xu
2004-08-14  1:30                 ` Herbert Xu
2004-08-14  5:08                   ` Herbert Xu
2004-08-14  6:27                     ` neigh_create/inetdev_destroy race? Herbert Xu
2004-08-16  2:14                       ` David S. Miller
2004-08-16 10:51                         ` Herbert Xu
2004-08-29  6:42                           ` David S. Miller [this message]
2004-08-29  6:50                             ` Herbert Xu
2004-08-31  6:08                               ` David S. Miller
2004-08-31 10:41                                 ` Herbert Xu
2004-09-02  5:21                                   ` David S. Miller
2004-09-02 13:06                                     ` Herbert Xu
2004-09-03 13:36                                       ` Herbert Xu
2004-09-03 16:00                                         ` Stephen Hemminger
2004-09-03 23:49                                           ` Herbert Xu
2004-09-07 20:50                                             ` David S. Miller
2004-09-03 16:18                                         ` David S. Miller
2004-08-16  2:08                     ` [PATCH] Move inetdev/ifa over to RCU David S. Miller
2004-08-16  2:43                       ` Herbert Xu
2004-08-16  3:08                         ` David S. Miller
2004-08-16  3:14                           ` Herbert Xu
2004-08-16  6:23                             ` David S. Miller
2004-08-14  6:31                   ` Herbert Xu
2004-08-14  6:32                     ` Herbert Xu
2004-08-16  3:01                   ` David S. Miller
2004-08-14  1:40                 ` Herbert Xu
2004-08-16  3:03                   ` David S. Miller
2004-08-16  3:23                     ` Herbert Xu
2004-08-16  6:24                       ` David S. Miller
2004-08-14  4:30                 ` Stephen Hemminger
2004-08-14  4:36                   ` Herbert Xu
2004-08-16  2:59               ` David S. Miller
2004-08-16  2:58           ` David S. Miller
2004-08-16  3:08             ` Herbert Xu
2004-08-16  6:21               ` David S. Miller
2004-08-16  8:13                 ` Herbert Xu

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20040828234201.79556f6e.davem@davemloft.net \
    --to=davem@davemloft.net \
    --cc=herbert@gondor.apana.org.au \
    --cc=netdev@oss.sgi.com \
    --cc=shemminger@osdl.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).