Hmm... I got lazy yesterday night I sent the same patch from my
laptop, only changelog was updated.

I should have rebased my patch, because the merge of the np->opt patch
had a small fuzz in dccp_v6_connect() :
a :
if (np->opt != NULL)

became

if (opt)

Thanks !


On Thu, Dec 3, 2015 at 8:32 AM, David Miller <da...@davemloft.net> wrote:
> From: Eric Dumazet <eric.duma...@gmail.com>
> Date: Wed, 02 Dec 2015 21:53:57 -0800
>
>> From: Eric Dumazet <eduma...@google.com>
>>
>> While testing the np->opt RCU conversion, I found that UDP/IPv6 was
>> using a mixture of xchg() and sk_dst_lock to protect concurrent changes
>> to sk->sk_dst_cache, leading to possible corruptions and crashes.
>>
>> ip6_sk_dst_lookup_flow() uses sk_dst_check() anyway, so the simplest
>> way to fix the mess is to remove sk_dst_lock completely, as we did for
>> IPv4.
>>
>> __ip6_dst_store() and ip6_dst_store() share same implementation.
>>
>> sk_setup_caps() being called with socket lock being held or not,
>> we have to use sk_dst_set() instead of __sk_dst_set()
>>
>> Note that I had to move the "np->dst_cookie = rt6_get_cookie(rt);"
>> in ip6_dst_store() before the sk_setup_caps(sk, dst) call.
>>
>> This is because ip6_dst_store() can be called from process context,
>> without any lock held.
>>
>> As soon as the dst is installed in sk->sk_dst_cache, dst can be freed
>> from another cpu doing a concurrent ip6_dst_store()
>>
>> Doing the dst dereference before doing the install is needed to make
>> sure no use after free would trigger.
>>
>> Signed-off-by: Eric Dumazet <eduma...@google.com>
>> Reported-by: Dmitry Vyukov <dvyu...@google.com>
>> ---
>> v2: added the explanation about rt6_get_cookie(rt) called
>> before sk_setup_caps()
>
> Applied to 'net', with some fuzz... did you happen to generate this
> against net-next by chance?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Reply via email to