swh:1:snp:38ae39f9fd01a4b0ef06fab5668b65bf4c2aca03
Revision 6bd4f355df2eae80b8a5c7b097371cd1e05f20d5 authored by Eric Dumazet on 03 December 2015, 05:53:57 UTC, committed by David S. Miller on 03 December 2015, 16:32:06 UTC
While testing the np->opt RCU conversion, I found that UDP/IPv6 was using a mixture of xchg() and sk_dst_lock to protect concurrent changes to sk->sk_dst_cache, leading to possible corruptions and crashes. ip6_sk_dst_lookup_flow() uses sk_dst_check() anyway, so the simplest way to fix the mess is to remove sk_dst_lock completely, as we did for IPv4. __ip6_dst_store() and ip6_dst_store() share same implementation. sk_setup_caps() being called with socket lock being held or not, we have to use sk_dst_set() instead of __sk_dst_set() Note that I had to move the "np->dst_cookie = rt6_get_cookie(rt);" in ip6_dst_store() before the sk_setup_caps(sk, dst) call. This is because ip6_dst_store() can be called from process context, without any lock held. As soon as the dst is installed in sk->sk_dst_cache, dst can be freed from another cpu doing a concurrent ip6_dst_store() Doing the dst dereference before doing the install is needed to make sure no use after free would trigger. Signed-off-by: Eric Dumazet <edumazet@google.com> Reported-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
1 parent c836a8b
Tip revision: 0cdd776ec92c0fec768c7079331804d3e52d4b27 authored by Linus Torvalds on 15 May 2022, 15:08:51 UTC
Merge tag 'driver-core-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Merge tag 'driver-core-5.18-rc7' of git://git.kernel.org/pub/scm/linux/kernel/git/gregkh/driver-core
Tip revision: 0cdd776
File | Mode | Size |
---|---|---|
Documentation | ||
arch | ||
block | ||
certs | ||
crypto | ||
drivers | ||
firmware | ||
fs | ||
include | ||
init | ||
ipc | ||
kernel | ||
lib | ||
mm | ||
net | ||
samples | ||
scripts | ||
security | ||
sound | ||
tools | ||
usr | ||
virt | ||
.get_maintainer.ignore | -rw-r--r-- | 31 bytes |
.gitignore | -rw-r--r-- | 1.2 KB |
.mailmap | -rw-r--r-- | 5.4 KB |
COPYING | -rw-r--r-- | 18.3 KB |
CREDITS | -rw-r--r-- | 94.9 KB |
Kbuild | -rw-r--r-- | 2.6 KB |
Kconfig | -rw-r--r-- | 252 bytes |
MAINTAINERS | -rw-r--r-- | 327.8 KB |
Makefile | -rw-r--r-- | 53.5 KB |
README | -rw-r--r-- | 18.2 KB |
REPORTING-BUGS | -rw-r--r-- | 7.3 KB |
Computing file changes ...