* [PATCH net] net: ipmr, ip6mr: fix vif/tunnel failure race condition
@ 2015-11-24 16:09 Nikolay Aleksandrov
2015-11-24 18:56 ` Cong Wang
2015-11-24 22:16 ` David Miller
0 siblings, 2 replies; 3+ messages in thread
From: Nikolay Aleksandrov @ 2015-11-24 16:09 UTC (permalink / raw)
To: netdev; +Cc: davem, yoshfuji, Nikolay Aleksandrov
From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Since (at least) commit b17a7c179dd3 ("[NET]: Do sysfs registration as
part of register_netdevice."), netdev_run_todo() deals only with
unregistration, so we don't need to do the rtnl_unlock/lock cycle to
finish registration when failing pimreg or dvmrp device creation. In
fact that opens a race condition where someone can delete the device
while rtnl is unlocked because it's fully registered. The problem gets
worse when netlink support is introduced as there are more points of entry
that can cause it and it also makes reusing that code correctly impossible.
Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
---
I was able to crash the kernel by artificially triggering this race just to
confim it. I know it's very unlikely to hit the race in the real world, but
the biggest advantage of the change is that the code can be re-used later
when adding netlink support.
net/ipv4/ipmr.c | 8 --------
net/ipv6/ip6mr.c | 4 ----
2 files changed, 12 deletions(-)
diff --git a/net/ipv4/ipmr.c b/net/ipv4/ipmr.c
index 292123bc30fa..c3a38353f5dc 100644
--- a/net/ipv4/ipmr.c
+++ b/net/ipv4/ipmr.c
@@ -441,10 +441,6 @@ struct net_device *ipmr_new_tunnel(struct net *net, struct vifctl *v)
return dev;
failure:
- /* allow the register to be completed before unregistering. */
- rtnl_unlock();
- rtnl_lock();
-
unregister_netdevice(dev);
return NULL;
}
@@ -540,10 +536,6 @@ static struct net_device *ipmr_reg_vif(struct net *net, struct mr_table *mrt)
return dev;
failure:
- /* allow the register to be completed before unregistering. */
- rtnl_unlock();
- rtnl_lock();
-
unregister_netdevice(dev);
return NULL;
}
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index 7a4a1b81dbb6..a10e77103c88 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -765,10 +765,6 @@ static struct net_device *ip6mr_reg_vif(struct net *net, struct mr6_table *mrt)
return dev;
failure:
- /* allow the register to be completed before unregistering. */
- rtnl_unlock();
- rtnl_lock();
-
unregister_netdevice(dev);
return NULL;
}
--
2.4.3
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH net] net: ipmr, ip6mr: fix vif/tunnel failure race condition
2015-11-24 16:09 [PATCH net] net: ipmr, ip6mr: fix vif/tunnel failure race condition Nikolay Aleksandrov
@ 2015-11-24 18:56 ` Cong Wang
2015-11-24 22:16 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: Cong Wang @ 2015-11-24 18:56 UTC (permalink / raw)
To: Nikolay Aleksandrov
Cc: netdev, David Miller, Hideaki YOSHIFUJI, Nikolay Aleksandrov
On Tue, Nov 24, 2015 at 8:09 AM, Nikolay Aleksandrov
<razor@blackwall.org> wrote:
> From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
>
> Since (at least) commit b17a7c179dd3 ("[NET]: Do sysfs registration as
> part of register_netdevice."), netdev_run_todo() deals only with
> unregistration, so we don't need to do the rtnl_unlock/lock cycle to
> finish registration when failing pimreg or dvmrp device creation. In
> fact that opens a race condition where someone can delete the device
> while rtnl is unlocked because it's fully registered. The problem gets
> worse when netlink support is introduced as there are more points of entry
> that can cause it and it also makes reusing that code correctly impossible.
>
> Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
Makes sense for me, we do have some other cases (e.g. macvlan) where
we call unregister_netdevice() in error path without re-taking RTNL lock.
So,
Reviewed-by: Cong Wang <cwang@twopensource.com>
Thanks.
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH net] net: ipmr, ip6mr: fix vif/tunnel failure race condition
2015-11-24 16:09 [PATCH net] net: ipmr, ip6mr: fix vif/tunnel failure race condition Nikolay Aleksandrov
2015-11-24 18:56 ` Cong Wang
@ 2015-11-24 22:16 ` David Miller
1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2015-11-24 22:16 UTC (permalink / raw)
To: razor; +Cc: netdev, yoshfuji, nikolay
From: Nikolay Aleksandrov <razor@blackwall.org>
Date: Tue, 24 Nov 2015 17:09:30 +0100
> From: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
>
> Since (at least) commit b17a7c179dd3 ("[NET]: Do sysfs registration as
> part of register_netdevice."), netdev_run_todo() deals only with
> unregistration, so we don't need to do the rtnl_unlock/lock cycle to
> finish registration when failing pimreg or dvmrp device creation. In
> fact that opens a race condition where someone can delete the device
> while rtnl is unlocked because it's fully registered. The problem gets
> worse when netlink support is introduced as there are more points of entry
> that can cause it and it also makes reusing that code correctly impossible.
>
> Signed-off-by: Nikolay Aleksandrov <nikolay@cumulusnetworks.com>
> ---
> I was able to crash the kernel by artificially triggering this race just to
> confim it. I know it's very unlikely to hit the race in the real world, but
> the biggest advantage of the change is that the code can be re-used later
> when adding netlink support.
Applied, thank you.
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2015-11-24 22:16 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2015-11-24 16:09 [PATCH net] net: ipmr, ip6mr: fix vif/tunnel failure race condition Nikolay Aleksandrov
2015-11-24 18:56 ` Cong Wang
2015-11-24 22:16 ` David Miller
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.