On Tue, 2015-12-01 at 10:44 +0900, YOSHIFUJI Hideaki wrote: > Hi, > > Eric Dumazet wrote: > > diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h > > index 2bfb2ad2fab1..877f682989b8 100644 > > --- a/include/net/ip6_route.h > > +++ b/include/net/ip6_route.h > > @@ -133,27 +133,18 @@ void rt6_clean_tohost(struct net *net, struct > > in6_addr *gateway); > > /* > > * Store a destination cache entry in a socket > > */ > > -static inline void __ip6_dst_store(struct sock *sk, struct dst_entry *dst, > > - const struct in6_addr *daddr, > > - const struct in6_addr *saddr) > > +static inline void ip6_dst_store(struct sock *sk, struct dst_entry *dst, > > + const struct in6_addr *daddr, > > + const struct in6_addr *saddr) > > { > > struct ipv6_pinfo *np = inet6_sk(sk); > > - struct rt6_info *rt = (struct rt6_info *) dst; > > > > + np->dst_cookie = rt6_get_cookie((struct rt6_info *)dst); > > sk_setup_caps(sk, dst); > > np->daddr_cache = daddr; > > #ifdef CONFIG_IPV6_SUBTREES > > np->saddr_cache = saddr; > > #endif > > - np->dst_cookie = rt6_get_cookie(rt); > > -} > > - > > I believe you do not have to change function inside, right?
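Review bot: the reordering that moves `np->dst_cookie = rt6_get_cookie((struct rt6_info *)dst);` ahead of `sk_setup_caps(sk, dst);` is a behavioural change, not just part of the `__ip6_dst_store` to `ip6_dst_store` rename, and the changelog should say why it is needed: once sk_setup_caps() has published dst in sk->sk_dst_cache, a concurrent ip6_dst_store() on another CPU can drop the reference, so reading the cookie from dst after that point is a use-after-free window (the reply below states exactly this, but it belongs in the commit message). Dropping the `rt` local is fine since it had a single use; the remaining inline cast could be kept in a local for readability, but that is a style nit.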
I knew I forgot something in my changelog: ip6_dst_store() can be called from process context. As soon as the dst is installed in sk->sk_dst_cache, dst can be freed from another cpu doing a concurrent ip6_dst_store().

Doing the dst dereference before doing the install is safer. Otherwise, we need to add rcu_read_lock() extra sections.

I believe we have other bugs like this one (deref dst after sk_setup_caps() calls) that need an audit. But I prefer making smaller patches addressing one problem at a time...

Thanks!