b223856640
Consider the following scenario:
ipv6_del_addr(ifp)
ipv6_ifa_notify(RTM_DELADDR, ifp)
ip6_del_rt(ifp->rt)
after returning from the ipv6_ifa_notify and enabling BH-s
back, but *before* calling the addrconf_del_timer the
ifp->timer fires and:
addrconf_dad_timer(ifp)
addrconf_dad_completed(ifp)
ipv6_ifa_notify(RTM_NEWADDR, ifp)
ip6_ins_rt(ifp->rt)
then return back to the ipv6_del_addr and:
in6_ifa_put(ifp)
inet6_ifa_finish_destroy(ifp)
dst_release(&ifp->rt->u.dst)
After this we have an ifp->rt inserted into fib6 lists, but
queued for gc, which in turn can result in oopses in the
fib6_run_gc. Maybe some other nasty things, but we caught
only the oops in gc so far.
The solution is to disarm the ifp->timer before flushing the
rt from it.
Signed-off-by: Andrey Vagin <avagin@parallels.com>
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
|
||
|---|---|---|
| .. | ||
| netfilter | ||
| addrconf_core.c | ||
| addrconf.c | ||
| addrlabel.c | ||
| af_inet6.c | ||
| ah6.c | ||
| anycast.c | ||
| datagram.c | ||
| esp6.c | ||
| exthdrs_core.c | ||
| exthdrs.c | ||
| fib6_rules.c | ||
| icmp.c | ||
| inet6_connection_sock.c | ||
| inet6_hashtables.c | ||
| ip6_fib.c | ||
| ip6_flowlabel.c | ||
| ip6_input.c | ||
| ip6_output.c | ||
| ip6_tunnel.c | ||
| ip6mr.c | ||
| ipcomp6.c | ||
| ipv6_sockglue.c | ||
| Kconfig | ||
| Makefile | ||
| mcast.c | ||
| mip6.c | ||
| ndisc.c | ||
| netfilter.c | ||
| proc.c | ||
| protocol.c | ||
| raw.c | ||
| reassembly.c | ||
| route.c | ||
| sit.c | ||
| syncookies.c | ||
| sysctl_net_ipv6.c | ||
| tcp_ipv6.c | ||
| tunnel6.c | ||
| udp_impl.h | ||
| udp.c | ||
| udplite.c | ||
| xfrm6_input.c | ||
| xfrm6_mode_beet.c | ||
| xfrm6_mode_ro.c | ||
| xfrm6_mode_transport.c | ||
| xfrm6_mode_tunnel.c | ||
| xfrm6_output.c | ||
| xfrm6_policy.c | ||
| xfrm6_state.c | ||
| xfrm6_tunnel.c | ||