802: fix a possible race condition

(Resend with a better changelog) garp_pdu_queue() should ways be called with this spin lock. garp_uninit_applicant() only holds rtnl lock which is not enough here. A possible race can happen as garp_pdu_rcv() is called in BH context: garp_pdu_rcv() |->garp_pdu_parse_msg() |->garp_pdu_parse_attr() |-> garp_gid_event() Found by code inspection. Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: David Ward <david.ward@ll.mit.edu> Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net> Signed-off-by: N Cong Wang <amwang@redhat.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

802: fix a possible race condition
(Resend with a better changelog) garp_pdu_queue() should ways be called with this spin lock. garp_uninit_applicant() only holds rtnl lock which is not enough here. A possible race can happen as garp_pdu_rcv() is called in BH context: garp_pdu_rcv() |->garp_pdu_parse_msg() |->garp_pdu_parse_attr() |-> garp_gid_event() Found by code inspection. Cc: Eric Dumazet <eric.dumazet@gmail.com> Cc: "David S. Miller" <davem@davemloft.net> Cc: David Ward <david.ward@ll.mit.edu> Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net> Signed-off-by: N Cong Wang <amwang@redhat.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
cfbe800b · Cong Wang · David S. Miller · 23a95442 · cfbe800b
隐藏空白更改
内联并排

Showing with 4 addition and 0 deletion

net/802/garp.c net/802/garp.c +4 -0

未找到文件。
--- a/net/802/garp.c
+++ b/net/802/garp.c
@@ -609,8 +609,12 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
 	/* Delete timer and generate a final TRANSMIT_PDU event to flush out
 	 * all pending messages before the applicant is gone. */
 	del_timer_sync(&app->join_timer);
+
+	spin_lock_bh(&app->lock);
 	garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU);
 	garp_pdu_queue(app);
+	spin_unlock_bh(&app->lock);
+
 	garp_queue_xmit(app);

 	dev_mc_del(dev, appl->proto.group_address);