On Wed, 2019-02-20 at 18:10 +0100, Paolo Abeni wrote:
> We must access rt6_info->from under RCU read lock: move the
> dereference under such lock, with proper annotation, and use
> rcu_access_pointer() to check for null value outside the lock.
> 
> Fixes: a68886a69180 ("net/ipv6: Make from in rt6_info rcu protected")
> Signed-off-by: Paolo Abeni <pab...@redhat.com>
> ---
>  net/ipv6/route.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
> 
> diff --git a/net/ipv6/route.c b/net/ipv6/route.c
> index bd09abd1fb22..cbaa8745d9ff 100644
> --- a/net/ipv6/route.c
> +++ b/net/ipv6/route.c
> @@ -1610,15 +1610,15 @@ static int rt6_remove_exception_rt(struct rt6_info 
> *rt)
>  static void rt6_update_exception_stamp_rt(struct rt6_info *rt)
>  {
>       struct rt6_exception_bucket *bucket;
> -     struct fib6_info *from = rt->from;
>       struct in6_addr *src_key = NULL;
>       struct rt6_exception *rt6_ex;
> +     struct fib6_info *from;
>  
> -     if (!from ||
> -         !(rt->rt6i_flags & RTF_CACHE))
> +     if (!rcu_access_pointer(rt->from) || !(rt->rt6i_flags & RTF_CACHE))
>               return;
>  
>       rcu_read_lock();
> +     from = rcu_dereference(rt->from);

-ELOWONCOFFEE: even this one is racy, as rt->from can go away due to
underlying device removal between the two fetch operation.

I'll send a v2.

Again, I'm sorry for the noise,

Paolo

Reply via email to