On Wed, 2019-02-20 at 18:10 +0100, Paolo Abeni wrote:
> We must access rt6_info->from under RCU read lock: move the
> dereference under such lock, with proper annotation, and use
> rcu_access_pointer() to check for null value outside the lock.
>
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Paolo Abeni <pab...@redhat.com>
> ---
> net/ipv6/route.c | 6 +++---
> 1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index bd09abd1fb22..cbaa8745d9ff 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -1610,15 +1610,15 @@ static int rt6_remove_exception_rt(struct rt6_info
> *rt)
> static void rt6_update_exception_stamp_rt(struct rt6_info *rt)
> {
> struct rt6_exception_bucket *bucket;
> - struct fib6_info *from = rt->from;
> struct in6_addr *src_key = NULL;
> struct rt6_exception *rt6_ex;
> + struct fib6_info *from;
>
> - if (!from ||
> - !(rt->rt6i_flags & RTF_CACHE))
> + if (!rcu_access_pointer(rt->from) || !(rt->rt6i_flags & RTF_CACHE))
> return;
>
> rcu_read_lock();
> + from = rcu_dereference(rt->from);
-ELOWONCOFFEE: even this one is racy, as rt->from can go away due to
underlying device removal between the two fetch operation.
I'll send a v2.
Again, I'm sorry for the noise,
Paolo
