Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
neigh: do not modify unlinked entries
The lockless lookups can return entry that is unlinked. Sometimes they get reference before last neigh_cleanup_and_release, sometimes they do not need reference. Later, any modification attempts may result in the following problems: 1. entry is not destroyed immediately because neigh_update can start the timer for dead entry, eg. on change to NUD_REACHABLE state. As result, entry lives for some time but is invisible and out of control. 2. __neigh_event_send can run in parallel with neigh_destroy while refcnt=0 but if timer is started and expired refcnt can reach 0 for second time leading to second neigh_destroy and possible crash. Thanks to Eric Dumazet and Ying Xue for their work and analyze on the __neigh_event_send change. Fixes: 767e97e ("neigh: RCU conversion of struct neighbour") Fixes: a263b30 ("ipv4: Make neigh lookups directly in output packet path.") Fixes: 6fd6ce2 ("ipv6: Do not depend on rt->n in ip6_finish_output2().") Cc: Eric Dumazet <[email protected]> Cc: Ying Xue <[email protected]> Signed-off-by: Julian Anastasov <[email protected]> Acked-by: Eric Dumazet <[email protected]> Signed-off-by: David S. Miller <[email protected]>
- Loading branch information