git.baikalelectronics.ru Git - kernel.git/commit

author	Francesco Ruggeri <fruggeri@aristanetworks.com>
	Mon, 16 Jan 2012 10:40:10 +0000 (10:40 +0000)
committer	David S. Miller <davem@davemloft.net>
	Wed, 18 Jan 2012 21:38:34 +0000 (16:38 -0500)
commit	e7295cb460475f91308c308819da25dfa6900405
tree	ed05c2420ea75eb036507d556d46d713ebe3bd9a	tree \| snapshot
parent	6f316c5a29203b31e5580da6584628e1ac5ac88c	commit \| diff

net: race condition in ipv6 forwarding and disable_ipv6 parameters

There is a race condition in addrconf_sysctl_forward() and
addrconf_sysctl_disable().
These functions change idev->cnf.forwarding (resp. idev->cnf.disable_ipv6)
and then try to grab the rtnl lock before performing any actions.
If that fails they restore the original value and restart the syscall.
This creates race conditions if ipv6 code tries to access
these parameters, or if multiple instances try to do the same operation.
As an example of the former, if __ipv6_ifa_notify() finds a 0 in
idev->cnf.forwarding when invoked by addrconf_ifdown() it may not free
anycast addresses, ultimately resulting in the net_device not being freed.
This patch reads the user parameters into a temporary location and only
writes the actual parameters when the rtnl lock is acquired.
Tested in 2.6.38.8.
Signed-off-by: Francesco Ruggeri <fruggeri@aristanetworks.com>
Signed-off-by: David S. Miller <davem@davemloft.net>