From: ebied...@xmission.com (Eric W. Biederman)
Date: Fri, 22 May 2015 04:58:12 -0500
> ip_error does not check if in_dev is NULL before dereferencing it.
>
> IThe following sequence of calls is possible:
> CPU A CPU B
> ip_rcv_finish
> ip_route_input_noref()
> ip_route_input_slow()
> inetdev_destroy()
> dst_input()
>
> With the result that a network device can be destroyed while processing
> an input packet.
>
> A crash was triggered with only unicast packets in flight, and
> forwarding enabled on the only network device. The error condition
> was created by the removal of the network device.
>
> As such it is likely the that error code was -EHOSTUNREACH, and the
> action taken by ip_error (if in_dev had been accessible) would have
> been to not increment any counters and to have tried and likely failed
> to send an icmp error as the network device is going away.
>
> Therefore handle this weird case by just dropping the packet if
> !in_dev. It will result in dropping the packet sooner, and will not
> result in an actual change of behavior.
>
> Fixes: 251da4130115b ("ipv4: Cache ip_error() routes even when not
> forwarding.")
> Reported-by: "Vittorio G (VittGam)" <linuxb...@vittgam.net>
> Tested-by: "Vittorio G (VittGam)" <linuxb...@vittgam.net>
> Signed-off-by: "Eric W. Biederman" <ebied...@xmission.com>
Looks good, applied and queued up for -stable, thanks!
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
