diff options
author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-10-23 05:44:25 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2010-10-26 14:42:38 -0400 |
commit | ebb9fed2defa55f2ca91c8be582c59612e9940d1 (patch) | |
tree | 00c749fb425cc1c30222d9911017849861ed2627 /net | |
parent | 1941bf8c8d9392b18cd9bfed8050a2d78850aede (diff) |
fib: fix fib_nl_newrule()
Some panic reports in fib_rules_lookup() show a rule could have a NULL
pointer as a next pointer in the rules_list.
This can actually happen because of a bug in fib_nl_newrule() : It
checks if current rule is the destination of unresolved gotos. (Other
rules have gotos to this about to be inserted rule)
Problem is it does the resolution of the gotos before the rule is
inserted in the rules_list (and has a valid next pointer)
Fix this by moving the rules_list insertion before the changes on gotos.
A lockless reader can not any more follow a ctarget pointer, unless
destination is ready (has a valid next pointer)
Reported-by: Oleg A. Arkhangelsky <sysoleg@yandex.ru>
Reported-by: Joe Buehler <aspam@cox.net>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/core/fib_rules.c | 10 |
1 files changed, 5 insertions, 5 deletions
diff --git a/net/core/fib_rules.c b/net/core/fib_rules.c index 1bc3f253ba6c..12b43cc2f889 100644 --- a/net/core/fib_rules.c +++ b/net/core/fib_rules.c | |||
@@ -373,6 +373,11 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | |||
373 | 373 | ||
374 | fib_rule_get(rule); | 374 | fib_rule_get(rule); |
375 | 375 | ||
376 | if (last) | ||
377 | list_add_rcu(&rule->list, &last->list); | ||
378 | else | ||
379 | list_add_rcu(&rule->list, &ops->rules_list); | ||
380 | |||
376 | if (ops->unresolved_rules) { | 381 | if (ops->unresolved_rules) { |
377 | /* | 382 | /* |
378 | * There are unresolved goto rules in the list, check if | 383 | * There are unresolved goto rules in the list, check if |
@@ -395,11 +400,6 @@ static int fib_nl_newrule(struct sk_buff *skb, struct nlmsghdr* nlh, void *arg) | |||
395 | if (unresolved) | 400 | if (unresolved) |
396 | ops->unresolved_rules++; | 401 | ops->unresolved_rules++; |
397 | 402 | ||
398 | if (last) | ||
399 | list_add_rcu(&rule->list, &last->list); | ||
400 | else | ||
401 | list_add_rcu(&rule->list, &ops->rules_list); | ||
402 | |||
403 | notify_rule_change(RTM_NEWRULE, rule, ops, nlh, NETLINK_CB(skb).pid); | 403 | notify_rule_change(RTM_NEWRULE, rule, ops, nlh, NETLINK_CB(skb).pid); |
404 | flush_route_cache(ops); | 404 | flush_route_cache(ops); |
405 | rules_ops_put(ops); | 405 | rules_ops_put(ops); |