[IPV4]: severe locking bug in fib_semantics.c

Found in 2.4 by Yixin Pan <yxpan@hotmail.com>. > When I read fib_semantics.c of Linux-2.4.32, write_lock(&fib_info_lock) = > is used in fib_release_info() instead of write_lock_bh(&fib_info_lock). = > Is the following case possible: a BH interrupts fib_release_info() while = > holding the write lock, and calls ip_check_fib_default() which calls = > read_lock(&fib_info_lock), and spin forever. Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru> 2006-08-17 19:44:46 -0400
committer: David S. Miller <davem@davemloft.net> 2006-08-17 19:44:46 -0400
commit: 6e8fcbf64024f9056ba122abbb66554aa76bae5d (patch)
tree: 61fec2bd4815d30110dc2ba7da3b7578fb08a0d8 /net/ipv4/fib_semantics.c
parent: acd6e00b8e4db542cb6bc9ddfbb4e18bbe29ce4d (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 9be53a8e72c3..51738000f3dc 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -159,7 +159,7 @@ void free_fib_info(struct fib_info *fi)
 void fib_release_info(struct fib_info *fi)
 {
-        write_lock(&fib_info_lock);
+        write_lock_bh(&fib_info_lock);
        if (fi && --fi->fib_treeref == 0) {
                hlist_del(&fi->fib_hash);
                if (fi->fib_prefsrc)
@@ -172,7 +172,7 @@ void fib_release_info(struct fib_info *fi)
                fi->fib_dead = 1;
                fib_info_put(fi);
        }
-        write_unlock(&fib_info_lock);
+        write_unlock_bh(&fib_info_lock);
 }
 static __inline__ int nh_comp(const struct fib_info *fi, const struct fib_info *ofi)
@@ -598,7 +598,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
        unsigned int old_size = fib_hash_size;
        unsigned int i, bytes;
-        write_lock(&fib_info_lock);
+        write_lock_bh(&fib_info_lock);
        old_info_hash = fib_info_hash;
        old_laddrhash = fib_info_laddrhash;
        fib_hash_size = new_size;
@@ -639,7 +639,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
        }
        fib_info_laddrhash = new_laddrhash;
-        write_unlock(&fib_info_lock);
+        write_unlock_bh(&fib_info_lock);
        bytes = old_size * sizeof(struct hlist_head *);
        fib_hash_free(old_info_hash, bytes);
@@ -820,7 +820,7 @@ link_it:
        fi->fib_treeref++;
        atomic_inc(&fi->fib_clntref);
-        write_lock(&fib_info_lock);
+        write_lock_bh(&fib_info_lock);
        hlist_add_head(&fi->fib_hash,
                       &fib_info_hash[fib_info_hashfn(fi)]);
        if (fi->fib_prefsrc) {
@@ -839,7 +839,7 @@ link_it:
                head = &fib_info_devhash[hash];
                hlist_add_head(&nh->nh_hash, head);
        } endfor_nexthops(fi)
-        write_unlock(&fib_info_lock);
+        write_unlock_bh(&fib_info_lock);
        return fi;
 err_inval:
author	Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>	2006-08-17 19:44:46 -0400
committer	David S. Miller <davem@davemloft.net>	2006-08-17 19:44:46 -0400
commit	6e8fcbf64024f9056ba122abbb66554aa76bae5d (patch)
tree	61fec2bd4815d30110dc2ba7da3b7578fb08a0d8 /net/ipv4/fib_semantics.c
parent	acd6e00b8e4db542cb6bc9ddfbb4e18bbe29ce4d (diff)

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index 9be53a8e72c3..51738000f3dc 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c
@@ -159,7 +159,7 @@ void free_fib_info(struct fib_info *fi)
159		159
160	void fib_release_info(struct fib_info *fi)	160	void fib_release_info(struct fib_info *fi)
161	{	161	{
162	write_lock(&fib_info_lock);	162	write_lock_bh(&fib_info_lock);
163	if (fi && --fi->fib_treeref == 0) {	163	if (fi && --fi->fib_treeref == 0) {
164	hlist_del(&fi->fib_hash);	164	hlist_del(&fi->fib_hash);
165	if (fi->fib_prefsrc)	165	if (fi->fib_prefsrc)
@@ -172,7 +172,7 @@ void fib_release_info(struct fib_info *fi)
172	fi->fib_dead = 1;	172	fi->fib_dead = 1;
173	fib_info_put(fi);	173	fib_info_put(fi);
174	}	174	}
175	write_unlock(&fib_info_lock);	175	write_unlock_bh(&fib_info_lock);
176	}	176	}
177		177
178	static __inline__ int nh_comp(const struct fib_info fi, const struct fib_info ofi)	178	static __inline__ int nh_comp(const struct fib_info fi, const struct fib_info ofi)
@@ -598,7 +598,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
598	unsigned int old_size = fib_hash_size;	598	unsigned int old_size = fib_hash_size;
599	unsigned int i, bytes;	599	unsigned int i, bytes;
600		600
601	write_lock(&fib_info_lock);	601	write_lock_bh(&fib_info_lock);
602	old_info_hash = fib_info_hash;	602	old_info_hash = fib_info_hash;
603	old_laddrhash = fib_info_laddrhash;	603	old_laddrhash = fib_info_laddrhash;
604	fib_hash_size = new_size;	604	fib_hash_size = new_size;
@@ -639,7 +639,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
639	}	639	}
640	fib_info_laddrhash = new_laddrhash;	640	fib_info_laddrhash = new_laddrhash;
641		641
642	write_unlock(&fib_info_lock);	642	write_unlock_bh(&fib_info_lock);
643		643
644	bytes = old_size * sizeof(struct hlist_head *);	644	bytes = old_size * sizeof(struct hlist_head *);
645	fib_hash_free(old_info_hash, bytes);	645	fib_hash_free(old_info_hash, bytes);
@@ -820,7 +820,7 @@ link_it:
820		820
821	fi->fib_treeref++;	821	fi->fib_treeref++;
822	atomic_inc(&fi->fib_clntref);	822	atomic_inc(&fi->fib_clntref);
823	write_lock(&fib_info_lock);	823	write_lock_bh(&fib_info_lock);
824	hlist_add_head(&fi->fib_hash,	824	hlist_add_head(&fi->fib_hash,
825	&fib_info_hash[fib_info_hashfn(fi)]);	825	&fib_info_hash[fib_info_hashfn(fi)]);
826	if (fi->fib_prefsrc) {	826	if (fi->fib_prefsrc) {
@@ -839,7 +839,7 @@ link_it:
839	head = &fib_info_devhash[hash];	839	head = &fib_info_devhash[hash];
840	hlist_add_head(&nh->nh_hash, head);	840	hlist_add_head(&nh->nh_hash, head);
841	} endfor_nexthops(fi)	841	} endfor_nexthops(fi)
842	write_unlock(&fib_info_lock);	842	write_unlock_bh(&fib_info_lock);
843	return fi;	843	return fi;
844		844
845	err_inval:	845	err_inval: