Date: Tue, 11 Mar 2008 16:24:39 +0300
From: Pavel Emelyanov <xemul@...nvz.org>
To: David Miller <davem@...emloft.net>
CC: Linux Netdev List <netdev@...r.kernel.org>
Subject: Re: [PATCH][NEIGH]: Fix race between pneigh deletion and ipv6's ndisc_recv_ns.
Hi, David. You picked up the patch with /proc/net symlink, but skipped this one, while it was sent earlier. Is it _that_ bad :) ? Thanks, Pavel
> Proxy neighbors do not have any reference counting, so any caller
> of pneigh_lookup (unless it's a netlink triggered add/del routine)
> should _not_ perform any actions on the found proxy entry.
>
> There's one exception from this rule - the ipv6's ndisc_recv_ns()
> uses found entry to check the flags for NTF_ROUTER.
>
> This creates a race between the ndisc and pneigh_delete - after
> the pneigh is returned to the caller, the nd_tbl.lock is dropped
> and the deleting procedure may proceed.
>
> One of the fixes would be to add a reference counting, but this
> problem exists for ndisc only. Besides such a patch would be too
> big for -rc4.
>
> So I propose to introduce a __pneigh_lookup() which is supposed
> to be called with the lock held and use it in ndisc code to check
> the flags on alive pneigh entry.
>
> If this is OK, is there a real need in proxy neighbors reference
> counting for 2.6.26 :) ?
>
> Signed-off-by: Pavel Emelyanov <xemul@...nvz.org>
>
> ---
>
> diff --git a/include/net/neighbour.h b/include/net/neighbour.h
> index ebbfb50..cca1904 100644
> --- a/include/net/neighbour.h
> +++ b/include/net/neighbour.h
> @@ -218,6 +218,8 @@ extern unsigned long neigh_rand_reach_time(unsigned long base);
> extern void pneigh_enqueue(struct neigh_table *tbl, struct neigh_parms *p,
> struct sk_buff *skb);
> extern struct pneigh_entry *pneigh_lookup(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev, int creat);
> +extern struct pneigh_entry *__pneigh_lookup(struct neigh_table *tbl,
> + struct net *net, const void *key, struct net_device *dev);
> extern int pneigh_delete(struct neigh_table *tbl, struct net *net, const void *key, struct net_device *dev);
>
> extern void neigh_app_ns(struct neighbour *n);
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index d9a02b2..c97bf5b 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -466,6 +466,28 @@ out_neigh_release:
> goto out;
> }
>
> +struct pneigh_entry *__pneigh_lookup(struct neigh_table *tbl,
> + struct net *net, const void *pkey, struct net_device *dev)
> +{
> + struct pneigh_entry *n;
> + int key_len = tbl->key_len;
> + u32 hash_val = *(u32 *)(pkey + key_len - 4);
> +
> + hash_val ^= (hash_val >> 16);
> + hash_val ^= hash_val >> 8;
> + hash_val ^= hash_val >> 4;
> + hash_val &= PNEIGH_HASHMASK;
> +
> + for (n = tbl->phash_buckets[hash_val]; n; n = n->next) {
> + if (!memcmp(n->key, pkey, key_len) &&
> + (n->net == net) &&
> + (n->dev == dev || !n->dev))
> + break;
> + }
> +
> + return n;
> +}
> +
> struct pneigh_entry * pneigh_lookup(struct neigh_table *tbl,
> struct net *net, const void *pkey,
> struct net_device *dev, int creat)
> diff --git a/net/ipv6/ndisc.c b/net/ipv6/ndisc.c
> index 0d33a7d..bb72ef4 100644
> --- a/net/ipv6/ndisc.c
> +++ b/net/ipv6/ndisc.c
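Review bot: `__pneigh_lookup()` in net/core/neighbour.c is added with neither an export nor any statement of its locking contract, although the commit message says it must be called with the table lock held. The neighbour.c section consists of this one hunk, so nothing adds `EXPORT_SYMBOL_GPL(__pneigh_lookup);` after the closing brace; if ipv6 is built as a module, the new call from ndisc.c would presumably fail to resolve. I would also put `/* Caller must hold tbl->lock; the entry is not refcounted and must not be used after the lock is dropped. */` above the definition, since that rule is what actually closes the race. The hash read `*(u32 *)(pkey + key_len - 4)` assumes `key_len >= 4` and appears to repeat the computation in `pneigh_lookup()`, whose body is outside the hunk; a shared static helper would keep the two from drifting apart.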
> @@ -676,6 +676,20 @@ static void ndisc_solicit(struct neighbour *neigh, struct sk_buff *skb)
> }
> }
>
> +static struct pneigh_entry *neigh_check_router(struct net_device *dev,
> + struct in6_addr *addr, int *is_router)
> +{
> + struct pneigh_entry *n;
> +
> + read_lock_bh(&nd_tbl.lock);
> + n = __pneigh_lookup(&nd_tbl, &init_net, addr, dev);
> + if (n != NULL)
> + *is_router = (n->flags & NTF_ROUTER);
> + read_unlock_bh(&nd_tbl.lock);
> +
> + return n;
> +}
> +
> static void ndisc_recv_ns(struct sk_buff *skb)
> {
> struct nd_msg *msg = (struct nd_msg *)skb_transport_header(skb);
> @@ -790,8 +804,8 @@ static void ndisc_recv_ns(struct sk_buff *skb)
> if (ipv6_chk_acast_addr(dev, &msg->target) ||
> (idev->cnf.forwarding &&
> (ipv6_devconf.proxy_ndp || idev->cnf.proxy_ndp) &&
> - (pneigh = pneigh_lookup(&nd_tbl, &init_net,
> - &msg->target, dev, 0)) != NULL)) {
> + (pneigh = neigh_check_router(dev, &msg->target,
> + &is_router)) != NULL)) {
> if (!(NEIGH_CB(skb)->flags & LOCALLY_ENQUEUED) &&
> skb->pkt_type != PACKET_HOST &&
> inc != 0 &&
> @@ -812,7 +826,7 @@ static void ndisc_recv_ns(struct sk_buff *skb)
> goto out;
> }
>
> - is_router = !!(pneigh ? pneigh->flags & NTF_ROUTER : idev->cnf.forwarding);
> + is_router = !!(pneigh ? is_router : idev->cnf.forwarding);
>
> if (dad) {
> struct in6_addr maddr;
> -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
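Review bot: `neigh_check_router()` returns `n` after `read_unlock_bh(&nd_tbl.lock)`, so the caller is still handed a pointer to an entry that has no reference count and may be removed by `pneigh_delete()` as soon as the lock is dropped. The two later ndisc_recv_ns hunks only compare it with NULL, but the rest of that function lies outside the hunks and nothing prevents a later change from dereferencing `pneigh` again. Returning a found flag instead removes the hazard: declare the helper as `static int neigh_check_router(...)` ending in `return n != NULL;`, and turn the caller's `pneigh` into an int flag (its declaration is not visible here). `*is_router` is written only when an entry is found, which matches the visible read `pneigh ? is_router : idev->cnf.forwarding`, but a one-line comment on the helper stating that would spare the next reader from having to work it out.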