Date:   Tue, 28 Feb 2017 22:03:48 +0800 (CST)
From:   颜小波 <yanxb123@....com>
To:     "Stephen Hemminger" <stephen@...workplumber.org>
Cc:     netdev@...r.kernel.org
Subject: [drivers/net/vxlan]Why rcu_read_lock is not obtained before rculist
 travelling

Hi Stephen,


I am studying the vxlan device driver in the 4.10 kernel. I see that vxlan_fdb in the fdb_head list is rcu protected. call_rcu is invoked to free the vxlan fdb, which will defer vxlan_fdb_free until all rcu reads exit the race condition.

But I don't find any rcu_read_lock invoked before travelling the fdb_head list. In the vxlan_xmit and vxlan_snoop functions, the vxlan_find_mac function is called to search for the vxlan_fdb of the dst_mac or src_mac. Then the information in vxlan_fdb is used for further processing. But as no rcu_read_lock is obtained before the list travelling, I am wondering if it is possible that vxlan_fdb is freed while it is being used.

static void vxlan_fdb_destroy(struct vxlan_dev *vxlan, struct vxlan_fdb *f)
{
       netdev_dbg(vxlan->dev,
                  "delete %pM\n", f->eth_addr);

       --vxlan->addrcnt;
       vxlan_fdb_notify(vxlan, f, first_remote_rtnl(f), RTM_DELNEIGH);

       hlist_del_rcu(&f->hlist);
       call_rcu(&f->rcu, vxlan_fdb_free);
}


Thanks

Xiaobo
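
Added example, not part of the original message and not kernel code: a single-threaded userspace model of the hlist_del_rcu() + call_rcu() pattern quoted above, showing why a deferred free only protects a reader that is inside a read-side critical section. All model_* names, the entry variable and the MAC value are constructed for illustration; the model does not say whether the real callers of vxlan_find_mac already run under rcu_read_lock.

```c
/* Single-threaded model of RCU deferred free (constructed; not kernel code). */
#include <stdbool.h>
#include <stdio.h>

struct fdb { int mac; bool linked; bool freed; };  /* stand-in for vxlan_fdb */

static struct fdb entry;    /* constructed one-entry forwarding table */
static int readers;         /* read-side critical sections in progress */
static struct fdb *pending; /* entry queued for free after a grace period */

static void model_rcu_read_lock(void)   { readers++; }
static void model_rcu_read_unlock(void) { readers--; }
/* Mirrors hlist_del_rcu() + call_rcu(): unlink now, free later. */
static void model_fdb_destroy(struct fdb *f) { f->linked = false; pending = f; }

/* The grace period ends only once no announced reader remains. */
static bool model_grace_period(void)
{
    if (readers > 0 || !pending)
        return false;
    pending->freed = true;  /* stands in for vxlan_fdb_free() */
    pending = NULL;
    return true;
}

static struct fdb *model_find_mac(int mac)
{
    return (entry.linked && entry.mac == mac) ? &entry : NULL;
}

/* Returns true if the entry was freed while the reader still held it. */
static bool model_lookup_races(bool hold_read_lock)
{
    entry = (struct fdb){ .mac = 0xab, .linked = true, .freed = false };
    readers = 0; pending = NULL;
    if (hold_read_lock) model_rcu_read_lock();
    struct fdb *f = model_find_mac(0xab); /* reader obtains the pointer */
    model_fdb_destroy(f);                 /* writer removes the entry */
    model_grace_period();                 /* reclaim is attempted */
    bool freed_in_use = f->freed;         /* reader is still using f */
    if (hold_read_lock) model_rcu_read_unlock();
    return freed_in_use;
}

int main(void)
{
    printf("without read lock: freed in use = %d\n", model_lookup_races(false));
    printf("with read lock:    freed in use = %d\n", model_lookup_races(true));
    return 0;
}
```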
