netdev.vger.kernel.org archive mirror
* [PATCH][NETNS]: The ip6_fib_timer can work with garbage on net namespace stop.
@ 2008-04-21 13:05 Pavel Emelyanov
  2008-04-21 21:23 ` David Miller
  2008-04-23 16:14 ` YOSHIFUJI Hideaki / 吉藤英明
  0 siblings, 2 replies; 4+ messages in thread
From: Pavel Emelyanov @ 2008-04-21 13:05 UTC (permalink / raw)
  To: Linux Netdev List, David Miller

The del_timer() function doesn't guarantee that the timer callback
is not active by the time it exits.

Thus, the fib6_net_exit() may kfree() all the data that is required
by the fib6_run_gc(). The race window is tiny, but slab poisoning can
trigger this bug.

Using del_timer_sync() will cure this.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>

---

diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index 50f3f8f..1ee4fa1 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -1543,7 +1543,7 @@ out_timer:
 static void fib6_net_exit(struct net *net)
 {
 	rt6_ifdown(net, NULL);
-	del_timer(net->ipv6.ip6_fib_timer);
+	del_timer_sync(net->ipv6.ip6_fib_timer);
 	kfree(net->ipv6.ip6_fib_timer);
 #ifdef CONFIG_IPV6_MULTIPLE_TABLES
 	kfree(net->ipv6.fib6_local_tbl);
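
Review bot: At the del_timer_sync() call in fib6_net_exit(), nothing visible in the hunk prevents the timer from being re-armed after the sync returns and before the kfree(net->ipv6.ip6_fib_timer) on the next line. del_timer_sync() waits for a callback that is already running, but a later mod_timer() from another path would leave a pending timer pointing at freed memory. Please confirm that no path can still arm ip6_fib_timer once rt6_ifdown(net, NULL) has run, and consider a short comment above the call saying why the _sync variant is required here. It is also worth stating in the changelog that fib6_net_exit() holds no lock that fib6_run_gc() takes, since del_timer_sync() would deadlock in that case.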


* Re: [PATCH][NETNS]: The ip6_fib_timer can work with garbage on net namespace stop.
  2008-04-21 13:05 [PATCH][NETNS]: The ip6_fib_timer can work with garbage on net namespace stop Pavel Emelyanov
@ 2008-04-21 21:23 ` David Miller
  2008-04-23 16:14 ` YOSHIFUJI Hideaki / 吉藤英明
  1 sibling, 0 replies; 4+ messages in thread
From: David Miller @ 2008-04-21 21:23 UTC (permalink / raw)
  To: xemul; +Cc: netdev

From: Pavel Emelyanov <xemul@openvz.org>
Date: Mon, 21 Apr 2008 17:05:50 +0400

> The del_timer() function doesn't guarantee that the timer callback
> is not active by the time it exits.
> 
> Thus, the fib6_net_exit() may kfree() all the data that is required
> by the fib6_run_gc(). The race window is tiny, but slab poisoning can
> trigger this bug.
> 
> Using del_timer_sync() will cure this.
> 
> Signed-off-by: Pavel Emelyanov <xemul@openvz.org>

Applied, thanks Pavel.


* Re: [PATCH][NETNS]: The ip6_fib_timer can work with garbage on net namespace stop.
  2008-04-21 13:05 [PATCH][NETNS]: The ip6_fib_timer can work with garbage on net namespace stop Pavel Emelyanov
  2008-04-21 21:23 ` David Miller
@ 2008-04-23 16:14 ` YOSHIFUJI Hideaki / 吉藤英明
  2008-04-24  8:03   ` David Miller
  1 sibling, 1 reply; 4+ messages in thread
From: YOSHIFUJI Hideaki / 吉藤英明 @ 2008-04-23 16:14 UTC (permalink / raw)
  To: xemul; +Cc: netdev, davem

In article <480C912E.70900@openvz.org> (at Mon, 21 Apr 2008 17:05:50 +0400), Pavel Emelyanov <xemul@openvz.org> says:

> The del_timer() function doesn't guarantee that the timer callback
> is not active by the time it exits.
> 
> Thus, the fib6_net_exit() may kfree() all the data that is required
> by the fib6_run_gc(). The race window is tiny, but slab poisoning can
> trigger this bug.
> 
> Using del_timer_sync() will cure this.
> 
> Signed-off-by: Pavel Emelyanov <xemul@openvz.org>

Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>

Also suitable for -stable.

--yoshfuji


* Re: [PATCH][NETNS]: The ip6_fib_timer can work with garbage on net namespace stop.
  2008-04-23 16:14 ` YOSHIFUJI Hideaki / 吉藤英明
@ 2008-04-24  8:03   ` David Miller
  0 siblings, 0 replies; 4+ messages in thread
From: David Miller @ 2008-04-24  8:03 UTC (permalink / raw)
  To: yoshfuji; +Cc: xemul, netdev

From: YOSHIFUJI Hideaki / 吉藤英明 <yoshfuji@linux-ipv6.org>
Date: Thu, 24 Apr 2008 01:14:06 +0900 (JST)

> In article <480C912E.70900@openvz.org> (at Mon, 21 Apr 2008 17:05:50 +0400), Pavel Emelyanov <xemul@openvz.org> says:
> 
> > The del_timer() function doesn't guarantee that the timer callback
> > is not active by the time it exits.
> > 
> > Thus, the fib6_net_exit() may kfree() all the data that is required
> > by the fib6_run_gc(). The race window is tiny, but slab poisoning can
> > trigger this bug.
> > 
> > Using del_timer_sync() will cure this.
> > 
> > Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
> 
> Acked-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
> 
> Also suitable for -stable.

I will queue it, thanks.

