mirror of https://github.com/torvalds/linux.git
6bd4f355df
While testing the np->opt RCU conversion, I found that UDP/IPv6 was using a mixture of xchg() and sk_dst_lock to protect concurrent changes to sk->sk_dst_cache, leading to possible corruptions and crashes. ip6_sk_dst_lookup_flow() uses sk_dst_check() anyway, so the simplest way to fix the mess is to remove sk_dst_lock completely, as we did for IPv4. __ip6_dst_store() and ip6_dst_store() share same implementation. sk_setup_caps() being called with socket lock being held or not, we have to use sk_dst_set() instead of __sk_dst_set() Note that I had to move the "np->dst_cookie = rt6_get_cookie(rt);" in ip6_dst_store() before the sk_setup_caps(sk, dst) call. This is because ip6_dst_store() can be called from process context, without any lock held. As soon as the dst is installed in sk->sk_dst_cache, dst can be freed from another cpu doing a concurrent ip6_dst_store() Doing the dst dereference before doing the install is needed to make sure no use after free would trigger. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> |
||
|---|---|---|
| .. | ||
| Makefile | ||
| datagram.c | ||
| dev.c | ||
| dev_addr_lists.c | ||
| dev_ioctl.c | ||
| drop_monitor.c | ||
| dst.c | ||
| ethtool.c | ||
| fib_rules.c | ||
| filter.c | ||
| flow.c | ||
| flow_dissector.c | ||
| gen_estimator.c | ||
| gen_stats.c | ||
| link_watch.c | ||
| lwtunnel.c | ||
| neighbour.c | ||
| net-procfs.c | ||
| net-sysfs.c | ||
| net-sysfs.h | ||
| net-traces.c | ||
| net_namespace.c | ||
| netclassid_cgroup.c | ||
| netevent.c | ||
| netpoll.c | ||
| netprio_cgroup.c | ||
| pktgen.c | ||
| ptp_classifier.c | ||
| request_sock.c | ||
| rtnetlink.c | ||
| scm.c | ||
| secure_seq.c | ||
| skbuff.c | ||
| sock.c | ||
| sock_diag.c | ||
| stream.c | ||
| sysctl_net_core.c | ||
| timestamping.c | ||
| tso.c | ||
| utils.c | ||