Commit 8f37ada5 authored by stephen hemminger's avatar stephen hemminger Committed by David S. Miller

IPv6: fix race between cleanup and add/delete address

This solves a potential race problem during the cleanup process.
The issue is that addrconf_ifdown() needs to traverse address list,
but then drop lock to call the notifier. The version in -next
could get confused if add/delete happened during this window.
Original code (2.6.32 and earlier) was okay because all addresses
were always deleted.
Signed-off-by: default avatarStephen Hemminger <shemminger@vyatta.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 84e8b803
...@@ -2615,7 +2615,7 @@ static void addrconf_bonding_change(struct net_device *dev, unsigned long event) ...@@ -2615,7 +2615,7 @@ static void addrconf_bonding_change(struct net_device *dev, unsigned long event)
static int addrconf_ifdown(struct net_device *dev, int how) static int addrconf_ifdown(struct net_device *dev, int how)
{ {
struct inet6_dev *idev; struct inet6_dev *idev;
struct inet6_ifaddr *ifa, **bifa; struct inet6_ifaddr *ifa, *keep_list, **bifa;
struct net *net = dev_net(dev); struct net *net = dev_net(dev);
int i; int i;
...@@ -2689,8 +2689,12 @@ static int addrconf_ifdown(struct net_device *dev, int how) ...@@ -2689,8 +2689,12 @@ static int addrconf_ifdown(struct net_device *dev, int how)
write_lock_bh(&idev->lock); write_lock_bh(&idev->lock);
} }
#endif #endif
bifa = &idev->addr_list; keep_list = NULL;
while ((ifa = *bifa) != NULL) { bifa = &keep_list;
while ((ifa = idev->addr_list) != NULL) {
idev->addr_list = ifa->if_next;
ifa->if_next = NULL;
addrconf_del_timer(ifa); addrconf_del_timer(ifa);
/* If just doing link down, and address is permanent /* If just doing link down, and address is permanent
...@@ -2698,6 +2702,9 @@ static int addrconf_ifdown(struct net_device *dev, int how) ...@@ -2698,6 +2702,9 @@ static int addrconf_ifdown(struct net_device *dev, int how)
if (how == 0 && if (how == 0 &&
(ifa->flags&IFA_F_PERMANENT) && (ifa->flags&IFA_F_PERMANENT) &&
!(ipv6_addr_type(&ifa->addr) & IPV6_ADDR_LINKLOCAL)) { !(ipv6_addr_type(&ifa->addr) & IPV6_ADDR_LINKLOCAL)) {
/* Move to holding list */
*bifa = ifa;
bifa = &ifa->if_next; bifa = &ifa->if_next;
/* If not doing DAD on this address, just keep it. */ /* If not doing DAD on this address, just keep it. */
...@@ -2714,8 +2721,6 @@ static int addrconf_ifdown(struct net_device *dev, int how) ...@@ -2714,8 +2721,6 @@ static int addrconf_ifdown(struct net_device *dev, int how)
ifa->flags |= IFA_F_TENTATIVE; ifa->flags |= IFA_F_TENTATIVE;
in6_ifa_hold(ifa); in6_ifa_hold(ifa);
} else { } else {
*bifa = ifa->if_next;
ifa->if_next = NULL;
ifa->dead = 1; ifa->dead = 1;
} }
write_unlock_bh(&idev->lock); write_unlock_bh(&idev->lock);
...@@ -2726,6 +2731,9 @@ static int addrconf_ifdown(struct net_device *dev, int how) ...@@ -2726,6 +2731,9 @@ static int addrconf_ifdown(struct net_device *dev, int how)
write_lock_bh(&idev->lock); write_lock_bh(&idev->lock);
} }
idev->addr_list = keep_list;
write_unlock_bh(&idev->lock); write_unlock_bh(&idev->lock);
/* Step 5: Discard multicast list */ /* Step 5: Discard multicast list */
......
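Review bot: Addresses moved onto the local `keep_list` can no longer be reached through `idev->addr_list` while `idev->lock` is dropped around the notifier calls, so the window this commit is closing is narrowed for adds but may still be open for deletes. If the delete path unlinks by walking `idev->addr_list` (not visible in these hunks, so this is an inference), a concurrent delete of a kept address would not find it, and `idev->addr_list = keep_list;` would then re-attach an entry that another CPU has already marked dead or released. It is worth confirming that path against this change, or skipping entries with `ifa->dead` set when re-linking. At minimum the invariant deserves a comment at `keep_list = NULL;`, e.g. `/* keep_list is private: entries are off idev->addr_list until re-attached under idev->lock below */`. The body of addrconf_ifdown() starts and ends outside the hunks shown.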