diff options
| author | Pavel Emelyanov <xemul@openvz.org> | 2008-03-24 17:48:59 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-03-24 17:48:59 -0400 |
| commit | fa86d322d89995fef1bfb5cc768b89d8c22ea0d9 (patch) | |
| tree | e657b8adc9ccd2e13b2e2276fab4733a273ded09 | |
| parent | 8f3ea33a5078a09eba12bfe57424507809367756 (diff) | |
[NEIGH]: Fix race between pneigh deletion and ipv6's ndisc_recv_ns (v3).
Proxy neighbors do not have any reference counting, so any caller
of pneigh_lookup (unless it's a netlink triggered add/del routine)
should _not_ perform any actions on the found proxy entry.
There's one exception from this rule - the ipv6's ndisc_recv_ns()
uses found entry to check the flags for NTF_ROUTER.
This creates a race between the ndisc and pneigh_delete - after
the pneigh is returned to the caller, the nd_tbl.lock is dropped
and the deleting procedure may proceed.
One of the fixes would be to add a reference counting, but this
problem exists for ndisc only. Besides such a patch would be too
big for -rc4.
So I propose to introduce a __pneigh_lookup() which is supposed
to be called with the lock held and use it in ndisc code to check
the flags on alive pneigh entry.
Changes from v2:
As David noticed, Exported the __pneigh_lookup() to ipv6 module.
The checkpatch generates a warning on it, since the EXPORT_SYMBOL
does not follow the symbol itself, but in this file all the
exports come at the end, so I decided no to break this harmony.
Changes from v1:
Fixed comments from YOSHIFUJI - indentation of prototype in header
and the pndisc_check_router() name - and a compilation fix, pointed
by Daniel - the is_routed was (falsely) considered as uninitialized
by gcc.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | include/net/neighbour.h | 4 | ||||
| -rw-r--r-- | net/core/neighbour.c | 23 | ||||
| -rw-r--r-- | net/ipv6/ndisc.c | 22 |
3 files changed, 45 insertions, 4 deletions
diff --git a/include/net/neighbour.h b/include/net/neighbour.h index ebbfb509822e..64a5f0120b52 100644 --- a/include/net/neighbour.h +++ b/include/net/neighbour.h | |||
| @@ -218,6 +218,10 @@ extern unsigned long neigh_rand_reach_time(unsigned long base); | |||
| 218 | extern void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p, | 218 | extern void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p, |
| 219 | struct sk_buff *skb); | 219 | struct sk_buff *skb); |
| 220 | extern struct pneigh_entry *pneigh_lookup(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev, int creat); | 220 | extern struct pneigh_entry *pneigh_lookup(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev, int creat); |
| 221 | extern struct pneigh_entry *__pneigh_lookup(struct neigh_table *tbl, | ||
| 222 | struct net *net, | ||
| 223 | const void *key, | ||
| 224 | struct net_device *dev); | ||
| 221 | extern int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev); | 225 | extern int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev); |
| 222 | 226 | ||
| 223 | extern void neigh_app_ns(struct neighbour *n); | 227 | extern void neigh_app_ns(struct neighbour *n); |
diff --git a/net/core/neighbour.c b/net/core/neighbour.c index d9a02b2cc289..19b8e003f150 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c | |||
| @@ -466,6 +466,28 @@ out_neigh_release: | |||
| 466 | goto out; | 466 | goto out; |
| 467 | } | 467 | } |
| 468 | 468 | ||
| 469 | struct pneigh_entry *__pneigh_lookup(struct neigh_table *tbl, | ||
| 470 | struct net *net, const void *pkey, struct net_device *dev) | ||
| 471 | { | ||
| 472 | struct pneigh_entry *n; | ||
| 473 | int key_len = tbl->key_len; | ||
| 474 | u32 hash_val = *(u32 *)(pkey + key_len - 4); | ||
| 475 | |||
| 476 | hash_val ^= (hash_val >> 16); | ||
| 477 | hash_val ^= hash_val >> 8; | ||
| 478 | hash_val ^= hash_val >> 4; | ||
| 479 | hash_val &= PNEIGH_HASHMASK; | ||
| 480 | |||
| 481 | for (n = tbl->phash_buckets[hash_val]; n; n = n->next) { | ||
| 482 | if (!memcmp(n->key, pkey, key_len) && | ||
| 483 | (n->net == net) && | ||
| 484 | (n->dev == dev || !n->dev)) | ||
| 485 | break; | ||
| 486 | } | ||
| 487 | |||
| 488 | return n; | ||
| 489 | } | ||
| 490 | |||
| 469 | struct pneigh_entry * pneigh_lookup(struct neigh_table *tbl, | 491 | struct pneigh_entry * pneigh_lookup(struct neigh_table *tbl, |
| 470 | struct net *net, const void *pkey, | 492 | struct net *net, const void *pkey, |
| 471 | struct net_device *dev, int creat) | 493 | struct net_device *dev, int creat) |
| @@ -2803,6 +2825,7 @@ EXPORT_SYMBOL(neigh_table_init_no_netlink); | |||
| 2803 | EXPORT_SYMBOL(neigh_update); | 2825 | EXPORT_SYMBOL(neigh_update); |
| 2804 | EXPORT_SYMBOL(pneigh_enqueue); | 2826 | EXPORT_SYMBOL(pneigh_enqueue); |
| 2805 | EXPORT_SYMBOL(pneigh_lookup); | 2827 | EXPORT_SYMBOL(pneigh_lookup); |
| 2828 | EXPORT_SYMBOL_GPL(__pneigh_lookup); | ||
| 2806 | 2829 | ||
| 2807 | #ifdef CONFIG_ARPD | 2830 | #ifdef CONFIG_ARPD |
| 2808 | EXPORT_SYMBOL(neigh_app_ns); | 2831 | EXPORT_SYMBOL(neigh_app_ns); |
diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c index 51557c27a0cd..452a2ac4eec8 100644 --- a/net/ipv6/ndisc.c +++ b/net/ipv6/ndisc.c | |||
| @@ -676,6 +676,20 @@ static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb) | |||
| 676 | } | 676 | } |
| 677 | } | 677 | } |
| 678 | 678 | ||
| 679 | static struct pneigh_entry *pndisc_check_router(struct net_device *dev, | ||
| 680 | struct in6_addr *addr, int *is_router) | ||
| 681 | { | ||
| 682 | struct pneigh_entry *n; | ||
| 683 | |||
| 684 | read_lock_bh(&nd_tbl.lock); | ||
| 685 | n = __pneigh_lookup(&nd_tbl, &init_net, addr, dev); | ||
| 686 | if (n != NULL) | ||
| 687 | *is_router = (n->flags & NTF_ROUTER); | ||
| 688 | read_unlock_bh(&nd_tbl.lock); | ||
| 689 | |||
| 690 | return n; | ||
| 691 | } | ||
| 692 | |||
| 679 | static void ndisc_recv_ns(struct sk_buff *skb) | 693 | static void ndisc_recv_ns(struct sk_buff *skb) |
| 680 | { | 694 | { |
| 681 | struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb); | 695 | struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb); |
| @@ -692,7 +706,7 @@ static void ndisc_recv_ns(struct sk_buff *skb) | |||
| 692 | struct pneigh_entry *pneigh = NULL; | 706 | struct pneigh_entry *pneigh = NULL; |
| 693 | int dad = ipv6_addr_any(saddr); | 707 | int dad = ipv6_addr_any(saddr); |
| 694 | int inc; | 708 | int inc; |
| 695 | int is_router; | 709 | int is_router = 0; |
| 696 | 710 | ||
| 697 | if (ipv6_addr_is_multicast(&msg->target)) { | 711 | if (ipv6_addr_is_multicast(&msg->target)) { |
| 698 | ND_PRINTK2(KERN_WARNING | 712 | ND_PRINTK2(KERN_WARNING |
| @@ -790,8 +804,8 @@ static void ndisc_recv_ns(struct sk_buff *skb) | |||
| 790 | if (ipv6_chk_acast_addr(dev, &msg->target) || | 804 | if (ipv6_chk_acast_addr(dev, &msg->target) || |
| 791 | (idev->cnf.forwarding && | 805 | (idev->cnf.forwarding && |
| 792 | (ipv6_devconf.proxy_ndp || idev->cnf.proxy_ndp) && | 806 | (ipv6_devconf.proxy_ndp || idev->cnf.proxy_ndp) && |
| 793 | (pneigh = pneigh_lookup(&nd_tbl, &init_net, | 807 | (pneigh = pndisc_check_router(dev, &msg->target, |
| 794 | &msg->target, dev, 0)) != NULL)) { | 808 | &is_router)) != NULL)) { |
| 795 | if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) && | 809 | if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) && |
| 796 | skb->pkt_type != PACKET_HOST && | 810 | skb->pkt_type != PACKET_HOST && |
| 797 | inc != 0 && | 811 | inc != 0 && |
| @@ -812,7 +826,7 @@ static void ndisc_recv_ns(struct sk_buff *skb) | |||
| 812 | goto out; | 826 | goto out; |
| 813 | } | 827 | } |
| 814 | 828 | ||
| 815 | is_router = !!(pneigh ? pneigh->flags & NTF_ROUTER : idev->cnf.forwarding); | 829 | is_router = !!(pneigh ? is_router : idev->cnf.forwarding); |
| 816 | 830 | ||
| 817 | if (dad) { | 831 | if (dad) { |
| 818 | struct in6_addr maddr; | 832 | struct in6_addr maddr; |