aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2014-02-03 15:52:14 -0500
committerDavid S. Miller <davem@davemloft.net>2014-02-03 16:01:48 -0500
commitb045d37bd68c20ca88123c2b363cac5e3dae815f (patch)
tree2a623d5d9a5c3e8a7465a069ce8664897eae53fe /net
parent4fe46b9a4d0b5eef96867e6d5134159e5a65d2a5 (diff)
ip_tunnel: fix panic in ip_tunnel_xmit()
Setting rt variable to NULL at the beginning of ip_tunnel_xmit() missed possible use of this variable as a scratch value. Also fixes a possible dst leak in tunnel_dst_check() : If we had to call tunnel_dst_reset(), we forgot to release the reference on dst. Merges tunnel_dst_get()/tunnel_dst_check() into a single tunnel_rtable_get() function for clarity. Many thanks to Tommi for his report and tests. Fixes: 7d442fab0a67 ("ipv4: Cache dst in tunnels") Reported-by: Tommi Rantala <tt.rantala@gmail.com> Signed-off-by: Eric Dumazet <edumazet@google.com> Tested-by: Tommi Rantala <tt.rantala@gmail.com> Cc: Tom Herbert <therbert@google.com> Cc: Maciej Żenczykowski <maze@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/ip_tunnel.c29
1 files changed, 11 insertions, 18 deletions
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c
index bd28f386bd02..50228be5c17b 100644
--- a/net/ipv4/ip_tunnel.c
+++ b/net/ipv4/ip_tunnel.c
@@ -101,28 +101,22 @@ static void tunnel_dst_reset_all(struct ip_tunnel *t)
101 __tunnel_dst_set(per_cpu_ptr(t->dst_cache, i), NULL); 101 __tunnel_dst_set(per_cpu_ptr(t->dst_cache, i), NULL);
102} 102}
103 103
104static struct dst_entry *tunnel_dst_get(struct ip_tunnel *t) 104static struct rtable *tunnel_rtable_get(struct ip_tunnel *t, u32 cookie)
105{ 105{
106 struct dst_entry *dst; 106 struct dst_entry *dst;
107 107
108 rcu_read_lock(); 108 rcu_read_lock();
109 dst = rcu_dereference(this_cpu_ptr(t->dst_cache)->dst); 109 dst = rcu_dereference(this_cpu_ptr(t->dst_cache)->dst);
110 if (dst) 110 if (dst) {
111 if (dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
112 rcu_read_unlock();
113 tunnel_dst_reset(t);
114 return NULL;
115 }
111 dst_hold(dst); 116 dst_hold(dst);
112 rcu_read_unlock();
113 return dst;
114}
115
116static struct dst_entry *tunnel_dst_check(struct ip_tunnel *t, u32 cookie)
117{
118 struct dst_entry *dst = tunnel_dst_get(t);
119
120 if (dst && dst->obsolete && dst->ops->check(dst, cookie) == NULL) {
121 tunnel_dst_reset(t);
122 return NULL;
123 } 117 }
124 118 rcu_read_unlock();
125 return dst; 119 return (struct rtable *)dst;
126} 120}
127 121
128/* Often modified stats are per cpu, other are shared (netdev->stats) */ 122/* Often modified stats are per cpu, other are shared (netdev->stats) */
@@ -584,7 +578,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
584 struct flowi4 fl4; 578 struct flowi4 fl4;
585 u8 tos, ttl; 579 u8 tos, ttl;
586 __be16 df; 580 __be16 df;
587 struct rtable *rt = NULL; /* Route to the other host */ 581 struct rtable *rt; /* Route to the other host */
588 unsigned int max_headroom; /* The extra header space needed */ 582 unsigned int max_headroom; /* The extra header space needed */
589 __be32 dst; 583 __be32 dst;
590 int err; 584 int err;
@@ -657,8 +651,7 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev,
657 init_tunnel_flow(&fl4, protocol, dst, tnl_params->saddr, 651 init_tunnel_flow(&fl4, protocol, dst, tnl_params->saddr,
658 tunnel->parms.o_key, RT_TOS(tos), tunnel->parms.link); 652 tunnel->parms.o_key, RT_TOS(tos), tunnel->parms.link);
659 653
660 if (connected) 654 rt = connected ? tunnel_rtable_get(tunnel, 0) : NULL;
661 rt = (struct rtable *)tunnel_dst_check(tunnel, 0);
662 655
663 if (!rt) { 656 if (!rt) {
664 rt = ip_route_output_key(tunnel->net, &fl4); 657 rt = ip_route_output_key(tunnel->net, &fl4);
generated by cgit v1.2.2 (git 2.25.0) at 2025-03-29 14:49:06 -0400