[IPV6]: Fix race in route selection.
YOSHIFUJI Hideaki [Fri, 28 Apr 2006 22:59:15 +0000 (15:59 -0700)]
We eliminated rt6_dflt_lock (to protect default router pointer)
at 2.6.17-rc1, and introduced rt6_select() for general router selection.
The function is called in the context of rt6_lock read-lock held,
but this means, we have some race conditions when we do round-robin.

Signed-off-by; YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/ipv6/route.c

index 7907874..0190e39 100644 (file)
@@ -317,7 +317,7 @@ static struct rt6_info *rt6_select(struct rt6_info **head, int oif,
                  __FUNCTION__, head, head ? *head : NULL, oif);
 
        for (rt = rt0, metric = rt0->rt6i_metric;
-            rt && rt->rt6i_metric == metric;
+            rt && rt->rt6i_metric == metric && (!last || rt != rt0);
             rt = rt->u.next) {
                int m;
 
@@ -343,9 +343,12 @@ static struct rt6_info *rt6_select(struct rt6_info **head, int oif,
            (strict & RT6_SELECT_F_REACHABLE) &&
            last && last != rt0) {
                /* no entries matched; do round-robin */
+               static spinlock_t lock = SPIN_LOCK_UNLOCKED;
+               spin_lock(&lock);
                *head = rt0->u.next;
                rt0->u.next = last->u.next;
                last->u.next = rt0;
+               spin_unlock(&lock);
        }
 
        RT6_TRACE("%s() => %p, score=%d\n",