| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 11 Mar 2008 16:24:39 +0300
From: Pavel Emelyanov <xemul@...nvz.org>
To: David Miller <davem@...emloft.net>
CC: Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: [PATCH][NEIGH]: Fix race between pneigh deletion and ipv6's ndisc_recv_ns.
Hi, David.
You picked up the patch with /proc/net symlink, but skipped this
one, while it was sent earlier. Is it _that_ bad :) ?
Thanks,
Pavel
> Proxy neighbors do not have any reference counting, so any caller
> of pneigh_lookup (unless it's a netlink triggered add/del routine)
> should _not_ perform any actions on the found proxy entry.
>
> There's one exception from this rule - the ipv6's ndisc_recv_ns()
> uses found entry to check the flags for NTF_ROUTER.
>
> This creates a race between the ndisc and pneigh_delete - after
> the pneigh is returned to the caller, the nd_tbl.lock is dropped
> and the deleting procedure may proceed.
>
> One of the fixes would be to add a reference counting, but this
> problem exists for ndisc only. Besides such a patch would be too
> big for -rc4.
>
> So I propose to introduce a __pneigh_lookup() which is supposed
> to be called with the lock held and use it in ndisc code to check
> the flags on alive pneigh entry.
>
> If this is OK, is there a real need in proxy neighbors reference
> counting for 2.6.26 :) ?
>
> Signed-off-by: Pavel Emelyanov <xemul@...nvz.org>
>
> ---
>
> diff --git a/include/net/neighbour.h b/include/net/neighbour.h
> index ebbfb50..cca1904 100644
> --- a/include/net/neighbour.h
> +++ b/include/net/neighbour.h
> @@ -218,6 +218,8 @@ extern unsigned long neigh_rand_reach_time(unsigned long base);
> extern void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p,
> struct sk_buff *skb);
> extern struct pneigh_entry *pneigh_lookup(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev, int creat);
> +extern struct pneigh_entry *__pneigh_lookup(struct neigh_table *tbl,
> + struct net *net, const void *key, struct net_device *dev);
> extern int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev);
>
> extern void neigh_app_ns(struct neighbour *n);
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index d9a02b2..c97bf5b 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -466,6 +466,28 @@ out_neigh_release:
> goto out;
> }
>
> +struct pneigh_entry *__pneigh_lookup(struct neigh_table *tbl,
> + struct net *net, const void *pkey, struct net_device *dev)
> +{
> + struct pneigh_entry *n;
> + int key_len = tbl->key_len;
> + u32 hash_val = *(u32 *)(pkey + key_len - 4);
> +
> + hash_val ^= (hash_val >> 16);
> + hash_val ^= hash_val >> 8;
> + hash_val ^= hash_val >> 4;
> + hash_val &= PNEIGH_HASHMASK;
> +
> + for (n = tbl->phash_buckets[hash_val]; n; n = n->next) {
> + if (!memcmp(n->key, pkey, key_len) &&
> + (n->net == net) &&
> + (n->dev == dev || !n->dev))
> + break;
> + }
> +
> + return n;
> +}
> +
> struct pneigh_entry * pneigh_lookup(struct neigh_table *tbl,
> struct net *net, const void *pkey,
> struct net_device *dev, int creat)
> diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
> index 0d33a7d..bb72ef4 100644
> --- a/net/ipv6/ndisc.c
> +++ b/net/ipv6/ndisc.c
> @@ -676,6 +676,20 @@ static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
> }
> }
>
> +static struct pneigh_entry *neigh_check_router(struct net_device *dev,
> + struct in6_addr *addr, int *is_router)
> +{
> + struct pneigh_entry *n;
> +
> + read_lock_bh(&nd_tbl.lock);
> + n = __pneigh_lookup(&nd_tbl, &init_net, addr, dev);
> + if (n != NULL)
> + *is_router = (n->flags & NTF_ROUTER);
> + read_unlock_bh(&nd_tbl.lock);
> +
> + return n;
> +}
> +
> static void ndisc_recv_ns(struct sk_buff *skb)
> {
> struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
> @@ -790,8 +804,8 @@ static void ndisc_recv_ns(struct sk_buff *skb)
> if (ipv6_chk_acast_addr(dev, &msg->target) ||
> (idev->cnf.forwarding &&
> (ipv6_devconf.proxy_ndp || idev->cnf.proxy_ndp) &&
> - (pneigh = pneigh_lookup(&nd_tbl, &init_net,
> - &msg->target, dev, 0)) != NULL)) {
> + (pneigh = neigh_check_router(dev, &msg->target,
> + &is_router)) != NULL)) {
> if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
> skb->pkt_type != PACKET_HOST &&
> inc != 0 &&
> @@ -812,7 +826,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
> goto out;
> }
>
> - is_router = !!(pneigh ? pneigh->flags & NTF_ROUTER : idev->cnf.forwarding);
> + is_router = !!(pneigh ? is_router : idev->cnf.forwarding);
>
> if (dad) {
> struct in6_addr maddr;
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists