linux/net
Pavel Emelyanov 076931989f [INET]: Fix inet_diag register vs rcv race
The following race is possible when one cpu unregisters the handler
while other one is trying to receive a message and call this one:

CPU1:                                                 CPU2:
inet_diag_rcv()                                       inet_diag_unregister()
  mutex_lock(&inet_diag_mutex);
  netlink_rcv_skb(skb, &inet_diag_rcv_msg);
    if (inet_diag_table[nlh->nlmsg_type] == 
                               NULL) /* false handler is still registered */
    ...
    netlink_dump_start(idiagnl, skb, nlh,
                           inet_diag_dump, NULL);
           cb = kzalloc(sizeof(*cb), GFP_KERNEL);
                   /* sleep here freeing memory 
                    * or preempt
                    * or sleep later on nlk->cb_mutex
                    */
                                                         spin_lock(&inet_diag_register_lock);
                                                         inet_diag_table[type] = NULL;
    ...                                                  spin_unlock(&inet_diag_register_lock);
                                                         synchronize_rcu();
                                                         /* CPU1 is sleeping - RCU quiescent
                                                          * state is passed
                                                          */
                                                         return;
    /* inet_diag_dump is finally called: */
    inet_diag_dump()
      handler = inet_diag_table[cb->nlh->nlmsg_type];
      BUG_ON(handler == NULL); 
      /* OOPS! While we slept the unregister has set
       * handler to NULL :(
       */

Grep showed, that the register/unregister functions are called
from init/fini module callbacks for tcp_/dccp_diag, so it's OK
to use the inet_diag_mutex to synchronize manipulations with the
inet_diag_table and the access to it.

Besides, as Herbert pointed out, asynchronous dumps should hold 
this mutex as well, and thus, we provide the mutex as cb_mutex one.

Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
2007-11-30 00:08:14 +11:00
..
9p 9p: add missing end-of-options record for trans_fd 2007-11-06 08:02:53 -06:00
802 [NET]: Move hardware header operations out of netdevice. 2007-10-10 16:52:52 -07:00
8021q [VLAN]: Fix nested VLAN transmit bug 2007-11-29 22:16:41 +11:00
appletalk [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
atm [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
ax25 [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
bluetooth [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
bridge [BRIDGE]: Properly dereference the br_should_route_hook 2007-11-29 23:58:58 +11:00
core [SKBUFF]: Free old skb properly in skb_morph 2007-11-26 23:11:19 +08:00
dccp [DCCP]: Add missing "space" 2007-11-19 23:46:02 -08:00
decnet [INET]: Small possible memory leak in FIB rules 2007-11-10 22:12:03 -08:00
econet [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
ethernet [NET]: Validate device addr prior to interface-up 2007-10-23 21:27:50 -07:00
ieee80211 ieee80211: Stop net_ratelimit/IEEE80211_DEBUG_DROP log pollution 2007-11-20 16:43:17 -05:00
ipv4 [INET]: Fix inet_diag register vs rcv race 2007-11-30 00:08:14 +11:00
ipv6 [IPV6] TCPMD5: Fix deleting key operation. 2007-11-20 17:31:23 -08:00
ipx [IPX]: Use existing sock refcnt debugging infrastructure 2007-11-10 21:39:26 -08:00
irda [IRDA]: Compilation for CONFIG_INET=n case 2007-11-22 19:15:56 +08:00
iucv [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
key [IPSEC]: Temporarily remove locks around copying of non-atomic fields 2007-11-26 19:07:34 +08:00
lapb [PATCH] remove many unneeded #includes of sched.h 2007-02-14 08:09:54 -08:00
llc [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
mac80211 mac80211: add missing space in error message 2007-11-20 16:43:17 -05:00
netfilter [NETFILTER]: Fix NULL pointer dereference in nf_nat_move_storage() 2007-11-15 15:52:32 -08:00
netlabel [NetLabel]: correct usage of RCU locking 2007-10-26 04:29:08 -07:00
netlink [NET]: Move unneeded data to initdata section. 2007-11-13 03:23:50 -08:00
netrom [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
packet [AF_PACKET]: Fix minor code duplication 2007-11-12 21:05:20 -08:00
rfkill rfkill: Fix sparse warning 2007-11-10 22:00:28 -08:00
rose [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
rxrpc [NET]: Add the helper kernel_sock_shutdown() 2007-11-12 18:10:39 -08:00
sched [PKT_SCHED]: Check subqueue status before calling hard_start_xmit 2007-11-13 20:40:55 -08:00
sctp [SCTP]: Add missing "space" 2007-11-19 23:47:47 -08:00
sunrpc [SUNRPC]: Remove SPIN_LOCK_UNLOCKED 2007-11-22 19:40:22 +08:00
tipc [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
unix [UNIX]: EOF on non-blocking SOCK_SEQPACKET 2007-11-29 23:19:23 +11:00
wanrouter [NET]: Make /proc/net per network namespace 2007-10-10 16:49:06 -07:00
wireless [WIRELESS] WEXT: Fix userspace corruption on 64-bit. 2007-11-20 03:29:53 -08:00
x25 [NET]: Forget the zero_it argument of sk_alloc() 2007-11-01 00:39:31 -07:00
xfrm [XFRM]: Fix leak of expired xfrm_states 2007-11-27 11:10:07 +08:00
compat.c O_CLOEXEC for SCM_RIGHTS 2007-07-16 09:05:45 -07:00
Kconfig [NET]: Add network namespace clone & unshare support. 2007-10-10 16:52:46 -07:00
Makefile 9p: Reorganization of 9p file system code 2007-07-14 15:13:40 -05:00
nonet.c
socket.c [NET]: Add the helper kernel_sock_shutdown() 2007-11-12 18:10:39 -08:00
sysctl_net.c
TUNABLE