inet fragments: fix race between inet_frag_find and inet_frag_secret_rebuild

The problem is that while we work w/o the inet_frags.lock even
read-locked the secret rebuild timer may occur (on another CPU, since
BHs are still disabled in the inet_frag_find) and change the rnd seed
for ipv4/6 fragments.

It was caused by my patch fd9e63544cac30a34c951f0ec958038f0529e244
([INET]: Omit double hash calculations in xxx_frag_intern) late 
in the 2.6.24 kernel, so this should probably be queued to -stable.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

2 files changed, 4 insertions, 1 deletions

diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index e65e26e210ee..cf20bc4fd60d 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -207,9 +207,10 @@ fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst)
         arg.id = id;
         arg.src = src;
         arg.dst = dst;
+
+        read_lock_bh(&nf_frags.lock);
         hash = ip6qhashfn(id, src, dst);
 
-        local_bh_disable();
         q = inet_frag_find(&nf_init_frags, &nf_frags, &arg, hash);
         local_bh_enable();
         if (q == NULL)
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 798cabc7535b..a60d7d129713 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -247,6 +247,8 @@ fq_find(struct net *net, __be32 id, struct in6_addr *src, struct in6_addr *dst,
         arg.id = id;
         arg.src = src;
         arg.dst = dst;
+
+        read_lock(&ip6_frags.lock);
         hash = ip6qhashfn(id, src, dst);
 
         q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash);