summaryrefslogtreecommitdiff
path: root/net/ipv4/tcp_scalable.c
diff options
context:
space:
mode:
authorDavid S. Miller <davem@davemloft.net>2008-02-11 21:45:44 -0800
committerDavid S. Miller <davem@davemloft.net>2008-02-12 17:54:17 -0800
commit69cc64d8d92bf852f933e90c888dfff083bd4fc9 (patch)
tree33e3b7c690fc1b0658cd64dac3d8c3ef7e7bb71f /net/ipv4/tcp_scalable.c
parent3611f4d2a5e0f6135805f88bc5ecb63fa9ee5107 (diff)
downloadlinux-3.10-69cc64d8d92bf852f933e90c888dfff083bd4fc9.tar.gz
linux-3.10-69cc64d8d92bf852f933e90c888dfff083bd4fc9.tar.bz2
linux-3.10-69cc64d8d92bf852f933e90c888dfff083bd4fc9.zip
[NDISC]: Fix race in generic address resolution
Frank Blaschka provided the bug report and the initial suggested fix for this bug. He also validated this version of this fix. The problem is that the access to neigh->arp_queue is inconsistent, we grab references when dropping the lock lock to call neigh->ops->solicit() but this does not prevent other threads of control from trying to send out that packet at the same time causing corruptions because both code paths believe they have exclusive access to the skb. The best option seems to be to hold the write lock on neigh->lock during the ->solicit() call. I looked at all of the ndisc_ops implementations and this seems workable. The only case that needs special care is the IPV4 ARP implementation of arp_solicit(). It wants to take neigh->lock as a reader to protect the header entry in neigh->ha during the emission of the soliciation. We can simply remove the read lock calls to take care of that since holding the lock as a writer at the caller providers a superset of the protection afforded by the existing read locking. The rest of the ->solicit() implementations don't care whether the neigh is locked or not. Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/tcp_scalable.c')
0 files changed, 0 insertions, 0 deletions