diff options
| author | David Ahern | 2018-04-23 20:32:07 +0200 |
|---|---|---|
| committer | David S. Miller | 2018-04-23 22:12:55 +0200 |
| commit | 8a14e46f140230ca889c2b0a4753ae8ea45fd770 (patch) | |
| tree | a25f9508243656db0d31f15c1dde671845ba23e1 /net/ipv6/route.c | |
| parent | net/ipv6: add rcu locking to ip6_negative_advice (diff) | |
| download | kernel-qcow2-linux-8a14e46f140230ca889c2b0a4753ae8ea45fd770.tar.gz kernel-qcow2-linux-8a14e46f140230ca889c2b0a4753ae8ea45fd770.tar.xz kernel-qcow2-linux-8a14e46f140230ca889c2b0a4753ae8ea45fd770.zip | |
net/ipv6: Fix missing rcu dereferences on from
kbuild test robot reported 2 uses of rt->from not properly accessed
using rcu_dereference:
1. add rcu_dereference_protected to rt6_remove_exception_rt and make
sure it is always called with rcu lock held.
2. change rt6_do_redirect to take a reference on 'from' when accessed
the first time so it can be used the sceond time outside of the lock
Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
Reported-by: kbuild test robot <lkp@intel.com>
Signed-off-by: David Ahern <dsahern@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/route.c')
| -rw-r--r-- | net/ipv6/route.c | 15 |
1 files changed, 10 insertions, 5 deletions
diff --git a/net/ipv6/route.c b/net/ipv6/route.c index 354a5b8d016f..ac3e51631c65 100644 --- a/net/ipv6/route.c +++ b/net/ipv6/route.c @@ -1541,11 +1541,13 @@ static struct rt6_info *rt6_find_cached_rt(struct fib6_info *rt, static int rt6_remove_exception_rt(struct rt6_info *rt) { struct rt6_exception_bucket *bucket; - struct fib6_info *from = rt->from; struct in6_addr *src_key = NULL; struct rt6_exception *rt6_ex; + struct fib6_info *from; int err; + from = rcu_dereference_protected(rt->from, + lockdep_is_held(&rt6_exception_lock)); if (!from || !(rt->rt6i_flags & RTF_CACHE)) return -EINVAL; @@ -2223,6 +2225,7 @@ static void ip6_link_failure(struct sk_buff *skb) rt = (struct rt6_info *) skb_dst(skb); if (rt) { + rcu_read_lock(); if (rt->rt6i_flags & RTF_CACHE) { if (dst_hold_safe(&rt->dst)) rt6_remove_exception_rt(rt); @@ -2230,15 +2233,14 @@ static void ip6_link_failure(struct sk_buff *skb) struct fib6_info *from; struct fib6_node *fn; - rcu_read_lock(); from = rcu_dereference(rt->from); if (from) { fn = rcu_dereference(from->fib6_node); if (fn && (rt->rt6i_flags & RTF_DEFAULT)) fn->fn_sernum = -1; } - rcu_read_unlock(); } + rcu_read_unlock(); } } @@ -3340,8 +3342,10 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu rcu_read_lock(); from = rcu_dereference(rt->from); - nrt = ip6_rt_cache_alloc(from, &msg->dest, NULL); + fib6_info_hold(from); rcu_read_unlock(); + + nrt = ip6_rt_cache_alloc(from, &msg->dest, NULL); if (!nrt) goto out; @@ -3355,7 +3359,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu * a cached route because rt6_insert_exception() will * takes care of it */ - if (rt6_insert_exception(nrt, rt->from)) { + if (rt6_insert_exception(nrt, from)) { dst_release_immediate(&nrt->dst); goto out; } @@ -3367,6 +3371,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu call_netevent_notifiers(NETEVENT_REDIRECT, &netevent); out: + fib6_info_release(from); neigh_release(neigh); } |