[SCTP]: Add RCU synchronization around sctp_localaddr_list

sctp_localaddr_list is modified dynamically via NETDEV_UP and NETDEV_DOWN events, but there is not synchronization between writer (even handler) and readers. As a result, the readers can access an entry that has been freed and crash the sytem. Signed-off-by: Vlad Yasevich <vladislav.yasevich@hp.com> Acked-by: Paul E. McKenney <paulmck@linux.vnet.ibm.com> Acked-by: Sridhar Samdurala <sri@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Vlad Yasevich <vladislav.yasevich@hp.com> 2007-09-16 19:02:12 -0400
committer: David S. Miller <davem@davemloft.net> 2007-09-16 19:02:12 -0400
commit: 293035479942400a7fe8e4f72465d4e4e466b91a (patch)
tree: af9890403a554b4cf8389a9116080a0d1aa187fb /net/sctp/ipv6.c
parent: ddeee3ce7fbf0e800f2a26a76d6018b42b337cc2 (diff)
1 files changed, 24 insertions, 10 deletions
diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c
index f8aa23dda1c1..e12fa0a91da4 100644
--- a/net/sctp/ipv6.c
+++ b/net/sctp/ipv6.c
@@ -77,13 +77,18 @@
 #include <asm/uaccess.h>
-/* Event handler for inet6 address addition/deletion events.  */
+/* Event handler for inet6 address addition/deletion events.
+ * The sctp_local_addr_list needs to be protocted by a spin lock since
+ * multiple notifiers (say IPv4 and IPv6) may be running at the same
+ * time and thus corrupt the list.
+ * The reader side is protected with RCU.
+ */
 static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
                                void *ptr)
 {
        struct inet6_ifaddr *ifa = (struct inet6_ifaddr *)ptr;
-        struct sctp_sockaddr_entry *addr;
+        struct sctp_sockaddr_entry *addr = NULL;
-        struct list_head *pos, *temp;
+        struct sctp_sockaddr_entry *temp;
        switch (ev) {
        case NETDEV_UP:
@@ -94,19 +99,26 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
                        memcpy(&addr->a.v6.sin6_addr, &ifa->addr,
                                 sizeof(struct in6_addr));
                        addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
-                        list_add_tail(&addr->list, &sctp_local_addr_list);
+                        addr->valid = 1;
+                        spin_lock_bh(&sctp_local_addr_lock);
+                        list_add_tail_rcu(&addr->list, &sctp_local_addr_list);
+                        spin_unlock_bh(&sctp_local_addr_lock);
                }
                break;
        case NETDEV_DOWN:
-                list_for_each_safe(pos, temp, &sctp_local_addr_list) {
+                spin_lock_bh(&sctp_local_addr_lock);
-                        addr = list_entry(pos, struct sctp_sockaddr_entry, list);
+                list_for_each_entry_safe(addr, temp,
-                        if (ipv6_addr_equal(&addr->a.v6.sin6_addr, &ifa->addr)) {
+                                        &sctp_local_addr_list, list) {
-                                list_del(pos);
+                        if (ipv6_addr_equal(&addr->a.v6.sin6_addr,
-                                kfree(addr);
+                                             &ifa->addr)) {
+                                addr->valid = 0;
+                                list_del_rcu(&addr->list);
                                break;
                        }
                }
+                spin_unlock_bh(&sctp_local_addr_lock);
+                if (addr && !addr->valid)
+                        call_rcu(&addr->rcu, sctp_local_addr_free);
                break;
        }
@@ -367,7 +379,9 @@ static void sctp_v6_copy_addrlist(struct list_head *addrlist,
                        addr->a.v6.sin6_port = 0;
                        addr->a.v6.sin6_addr = ifp->addr;
                        addr->a.v6.sin6_scope_id = dev->ifindex;
+                        addr->valid = 1;
                        INIT_LIST_HEAD(&addr->list);
+                        INIT_RCU_HEAD(&addr->rcu);
                        list_add_tail(&addr->list, addrlist);
                }
        }
author	Vlad Yasevich <vladislav.yasevich@hp.com>	2007-09-16 19:02:12 -0400
committer	David S. Miller <davem@davemloft.net>	2007-09-16 19:02:12 -0400
commit	293035479942400a7fe8e4f72465d4e4e466b91a (patch)
tree	af9890403a554b4cf8389a9116080a0d1aa187fb /net/sctp/ipv6.c
parent	ddeee3ce7fbf0e800f2a26a76d6018b42b337cc2 (diff)

diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c index f8aa23dda1c1..e12fa0a91da4 100644 --- a/net/sctp/ipv6.c +++ b/net/sctp/ipv6.c
@@ -77,13 +77,18 @@
77		77
78	#include <asm/uaccess.h>	78	#include <asm/uaccess.h>
79		79
80	/* Event handler for inet6 address addition/deletion events. */	80	/* Event handler for inet6 address addition/deletion events.
		81	* The sctp_local_addr_list needs to be protocted by a spin lock since
		82	* multiple notifiers (say IPv4 and IPv6) may be running at the same
		83	* time and thus corrupt the list.
		84	* The reader side is protected with RCU.
		85	*/
81	static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,	86	static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
82	void *ptr)	87	void *ptr)
83	{	88	{
84	struct inet6_ifaddr ifa = (struct inet6_ifaddr )ptr;	89	struct inet6_ifaddr ifa = (struct inet6_ifaddr )ptr;
85	struct sctp_sockaddr_entry *addr;	90	struct sctp_sockaddr_entry *addr = NULL;
86	struct list_head pos, temp;	91	struct sctp_sockaddr_entry *temp;
87		92
88	switch (ev) {	93	switch (ev) {
89	case NETDEV_UP:	94	case NETDEV_UP:
@@ -94,19 +99,26 @@ static int sctp_inet6addr_event(struct notifier_block *this, unsigned long ev,
94	memcpy(&addr->a.v6.sin6_addr, &ifa->addr,	99	memcpy(&addr->a.v6.sin6_addr, &ifa->addr,
95	sizeof(struct in6_addr));	100	sizeof(struct in6_addr));
96	addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;	101	addr->a.v6.sin6_scope_id = ifa->idev->dev->ifindex;
97	list_add_tail(&addr->list, &sctp_local_addr_list);	102	addr->valid = 1;
		103	spin_lock_bh(&sctp_local_addr_lock);
		104	list_add_tail_rcu(&addr->list, &sctp_local_addr_list);
		105	spin_unlock_bh(&sctp_local_addr_lock);
98	}	106	}
99	break;	107	break;
100	case NETDEV_DOWN:	108	case NETDEV_DOWN:
101	list_for_each_safe(pos, temp, &sctp_local_addr_list) {	109	spin_lock_bh(&sctp_local_addr_lock);
102	addr = list_entry(pos, struct sctp_sockaddr_entry, list);	110	list_for_each_entry_safe(addr, temp,
103	if (ipv6_addr_equal(&addr->a.v6.sin6_addr, &ifa->addr)) {	111	&sctp_local_addr_list, list) {
104	list_del(pos);	112	if (ipv6_addr_equal(&addr->a.v6.sin6_addr,
105	kfree(addr);	113	&ifa->addr)) {
		114	addr->valid = 0;
		115	list_del_rcu(&addr->list);
106	break;	116	break;
107	}	117	}
108	}	118	}
109		119	spin_unlock_bh(&sctp_local_addr_lock);
		120	if (addr && !addr->valid)
		121	call_rcu(&addr->rcu, sctp_local_addr_free);
110	break;	122	break;
111	}	123	}
112		124
@@ -367,7 +379,9 @@ static void sctp_v6_copy_addrlist(struct list_head *addrlist,
367	addr->a.v6.sin6_port = 0;	379	addr->a.v6.sin6_port = 0;
368	addr->a.v6.sin6_addr = ifp->addr;	380	addr->a.v6.sin6_addr = ifp->addr;
369	addr->a.v6.sin6_scope_id = dev->ifindex;	381	addr->a.v6.sin6_scope_id = dev->ifindex;
		382	addr->valid = 1;
370	INIT_LIST_HEAD(&addr->list);	383	INIT_LIST_HEAD(&addr->list);
		384	INIT_RCU_HEAD(&addr->rcu);
371	list_add_tail(&addr->list, addrlist);	385	list_add_tail(&addr->list, addrlist);
372	}	386	}
373	}	387	}