Date: Sat, 4 Apr 2015 19:06:46 +0300 (EEST)
From: Julian Anastasov <ja@....bg>
To: Eric Dumazet <eric.dumazet@...il.com>
cc: Alexei Potashnik <alexei@...estorage.com>,
Joern Engel <joern@...estorage.com>,
"David S. Miller" <davem@...emloft.net>, netdev@...r.kernel.org
Subject: Re: neigh use-after-free
Hello,
On Fri, 3 Apr 2015, Eric Dumazet wrote:
> > Problem is __neigh_event_send() is ignoring n->dead
> >
> >
>
> Please try the following patch:
>
> diff --git a/net/core/neighbour.c b/net/core/neighbour.c
> index 3de6542560288b3896ab243879a7b4a9b098ca0d..3a2928332b31bfd421ca409ba9bc4e82f82b3552 100644
> --- a/net/core/neighbour.c
> +++ b/net/core/neighbour.c
> @@ -957,7 +957,8 @@ int __neigh_event_send(struct neighbour *neigh, struct sk_buff *skb)
> rc = 0;
> if (neigh->nud_state & (NUD_CONNECTED | NUD_DELAY | NUD_PROBE))
> goto out_unlock_bh;
At this point we can have NUD_STALE, NUD_INCOMPLETE or
NUD_FAILED. Not sure about NUD_STALE, but for the others we should
call kfree_skb(skb) and return rc = 1. It is possible that
we never resolved this entry, so rc = 0 is not correct for all
cases.
When n->dead = 1 the neigh is unlinked, but the
option to somehow call __neigh_create() looks complex.
As a result, in a rare case we can drop packets while
neigh_periodic_work is removing a NUD_STALE entry. Maybe
it can take an RCU grace period.
> -
> + if (neigh->dead)
> + goto out_unlock_bh;
> if (!(neigh->nud_state & (NUD_STALE | NUD_INCOMPLETE))) {
> if (NEIGH_VAR(neigh->parms, MCAST_PROBES) +
> NEIGH_VAR(neigh->parms, APP_PROBES)) {
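Review bot: the new `if (neigh->dead) goto out_unlock_bh;` jumps out with `rc = 0` still set from the top of the hunk, so the caller sees the dead, already unlinked entry as resolved and keeps using it; the skb is neither queued nor freed on that path. Since a dead entry may be NUD_INCOMPLETE or NUD_FAILED and never resolved, consider dropping the packet and reporting failure there, e.g. `if (neigh->dead) { kfree_skb(skb); rc = 1; goto out_unlock_bh; }`, or documenting why returning 0 with a dead entry is safe for the NUD_STALE case. A one-line comment above the check explaining that `dead` is set while the entry is unlinked under the table lock would also help future readers.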
Regards
--
Julian Anastasov <ja@....bg>