linux/net
YOSHIFUJI Hideaki / 吉藤英明 ecd9883724 ipv6: fix race condition regarding dst->expires and dst->from.
Eric Dumazet wrote:
| Some strange crashes happen in rt6_check_expired(), with access
| to random addresses.
|
| At first glance, it looks like the RTF_EXPIRES and
| stuff added in commit 1716a96101
| (ipv6: fix problem with expired dst cache)
| are racy : same dst could be manipulated at the same time
| on different cpus.
|
| At some point, our stack believes rt->dst.from contains a dst pointer,
| while it's really a jiffie value (as rt->dst.expires shares the same area
| of memory)
|
| rt6_update_expires() should be fixed, or am I missing something ?
|
| CC Neil because of https://bugzilla.redhat.com/show_bug.cgi?id=892060

Because we do not have any locks for dst_entry, we cannot change
essential structure in the entry; e.g., we cannot change a reference
to another entity.

To fix this issue, split the 'from' and 'expires' fields in dst_entry
out of the union.  Once 'from' is assigned in the constructor,
keep the reference until the very last stage of the lifetime of
the object.

Of course, it is unsafe to change 'from', so make rt6_set_from simple
just for fresh entries.

Reported-by: Eric Dumazet <eric.dumazet@gmail.com>
Reported-by: Neil Horman <nhorman@tuxdriver.com>
CC: Gao Feng <gaofeng@cn.fujitsu.com>
Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reported-by: Steinar H. Gunderson <sesse@google.com>
Reviewed-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2013-02-20 15:11:45 -05:00
9p
802 mrp: make mrp_rcv static 2013-02-11 14:16:26 -05:00
8021q net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
appletalk
atm net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
ax25 net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net into net 2013-02-18 23:34:21 -05:00
bluetooth net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
bridge bridge: make ifla_br_policy and br_af_ops static 2013-02-14 13:27:45 -05:00
caif caif_usb: Make the driver name check more efficient 2012-12-09 00:34:02 -05:00
can net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2013-01-02 17:32:49 -08:00
core ipv6: fix race condition regarding dst->expires and dst->from. 2013-02-20 15:11:45 -05:00
dcb net: Allow DCBnl to use other namespaces besides init_net 2012-12-10 14:09:01 -05:00
dccp net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
decnet net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
dns_resolver Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2012-12-16 15:40:50 -08:00
dsa dsa: make dsa_switch_setup check for valid port names 2013-01-21 15:40:12 -05:00
ethernet net: split eth_mac_addr for better error handling 2013-01-21 14:07:44 -05:00
ieee802154 6lowpan: use stack buffer instead of heap 2013-02-06 15:56:17 -05:00
ipv4 ip_gre: remove an extra dst_release() 2013-02-19 22:24:04 -05:00
ipv6 ipv6: fix race condition regarding dst->expires and dst->from. 2013-02-20 15:11:45 -05:00
ipx
irda net: remove redundant check for timer pending state before del_timer 2013-02-04 13:26:49 -05:00
iucv s390/irq: remove split irq fields from /proc/stat 2013-01-08 10:57:07 +01:00
key net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
l2tp net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
lapb
llc net: Allow userns root to control llc, netfilter, netlink, packet, and xfrm 2012-11-18 20:32:45 -05:00
mac80211 mac80211: don't spam mesh probe response messages 2013-02-18 15:31:24 +01:00
mac802154 wpan: use stack buffer instead of heap 2013-02-06 15:56:17 -05:00
netfilter Merge branch 'master' of git://1984.lsi.us.es/nf-next 2013-02-18 23:42:09 -05:00
netlabel
netlink net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
netrom net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
nfc NFC: llcp: integer underflow in nfc_llcp_set_remote_gb() 2013-02-08 14:51:31 -05:00
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-02-08 18:02:14 -05:00
packet net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
phonet net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
rds IB/rds: suppress incompatible protocol when version is known 2012-12-26 15:17:37 -08:00
rfkill Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2012-12-13 12:00:02 -08:00
rose net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
rxrpc net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
sched net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
sctp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net into net 2013-02-18 23:34:21 -05:00
sunrpc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2013-02-09 07:55:24 +11:00
tipc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net into net 2013-02-18 23:34:21 -05:00
unix net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
vmw_vsock VSOCK: Don't reject PF_VSOCK protocol 2013-02-18 15:02:51 -05:00
wimax
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next into for-davem 2013-02-19 14:56:34 -05:00
x25
xfrm net: proc: change proc_net_remove to remove_proc_entry 2013-02-18 14:53:08 -05:00
compat.c
Kconfig VSOCK: Introduce VM Sockets 2013-02-10 19:41:08 -05:00
Makefile VSOCK: Introduce VM Sockets 2013-02-10 19:41:08 -05:00
nonet.c
socket.c ethtool: fix sparse warning 2013-02-11 14:16:26 -05:00
sysctl_net.c user_ns: get rid of duplicate code in net_ctl_permissions 2012-11-18 20:32:45 -05:00