IPv6: fix race between cleanup and add/delete address
stephen hemminger [Wed, 3 Mar 2010 08:19:59 +0000 (08:19 +0000)]
This solves a potential race problem during the cleanup process.
The issue is that addrconf_ifdown() needs to traverse address list,
but then drop lock to call the notifier. The version in -next
could get confused if add/delete happened during this window.
Original code (2.6.32 and earlier) was okay because all addresses
were always deleted.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv6/addrconf.c

index 7a4bf76..6cf3ee1 100644 (file)
@@ -2615,7 +2615,7 @@ static void addrconf_bonding_change(struct net_device *dev, unsigned long event)
 static int addrconf_ifdown(struct net_device *dev, int how)
 {
        struct inet6_dev *idev;
-       struct inet6_ifaddr *ifa, **bifa;
+       struct inet6_ifaddr *ifa, *keep_list, **bifa;
        struct net *net = dev_net(dev);
        int i;
 
@@ -2689,8 +2689,12 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                write_lock_bh(&idev->lock);
        }
 #endif
-       bifa = &idev->addr_list;
-       while ((ifa = *bifa) != NULL) {
+       keep_list = NULL;
+       bifa = &keep_list;
+       while ((ifa = idev->addr_list) != NULL) {
+               idev->addr_list = ifa->if_next;
+               ifa->if_next = NULL;
+
                addrconf_del_timer(ifa);
 
                /* If just doing link down, and address is permanent
@@ -2698,6 +2702,9 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                if (how == 0 &&
                    (ifa->flags&IFA_F_PERMANENT) &&
                    !(ipv6_addr_type(&ifa->addr) & IPV6_ADDR_LINKLOCAL)) {
+
+                       /* Move to holding list */
+                       *bifa = ifa;
                        bifa = &ifa->if_next;
 
                        /* If not doing DAD on this address, just keep it. */
@@ -2714,8 +2721,6 @@ static int addrconf_ifdown(struct net_device *dev, int how)
                        ifa->flags |= IFA_F_TENTATIVE;
                        in6_ifa_hold(ifa);
                } else {
-                       *bifa = ifa->if_next;
-                       ifa->if_next = NULL;
                        ifa->dead = 1;
                }
                write_unlock_bh(&idev->lock);
@@ -2726,6 +2731,9 @@ static int addrconf_ifdown(struct net_device *dev, int how)
 
                write_lock_bh(&idev->lock);
        }
+
+       idev->addr_list = keep_list;
+
        write_unlock_bh(&idev->lock);
 
        /* Step 5: Discard multicast list */