releases/2.6.17.11/fix-ipv4-routing-locking-bug.patch

   1 From stable-bounces@linux.kernel.org Thu Aug 17 22:57:51 2006
   2 Date: Thu, 17 Aug 2006 22:57:22 -0700 (PDT)
   3 Message-Id: <20060817.225722.41634450.davem@davemloft.net>
   4 To: stable@kernel.org
   5 From: David Miller <davem@davemloft.net>
   6 Subject: Fix ipv4 routing locking bug
   7
   8
   9 From: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
  10
  11 [IPV4]: severe locking bug in fib_semantics.c
  12
  13 Found in 2.4 by Yixin Pan <yxpan@hotmail.com>.
  14
  15 > When I read fib_semantics.c of Linux-2.4.32, write_lock(&fib_info_lock) =
  16 > is used in fib_release_info() instead of write_lock_bh(&fib_info_lock).  =
  17 > Is the following case possible: a BH interrupts fib_release_info() while =
  18 > holding the write lock, and calls ip_check_fib_default() which calls =
  19 > read_lock(&fib_info_lock), and spin forever.
  20
  21 Signed-off-by: Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
  22 Signed-off-by: David S. Miller <davem@davemloft.net>
  23 Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
  24
  25 ---
  26  net/ipv4/fib_semantics.c |   12 ++++++------
  27  1 file changed, 6 insertions(+), 6 deletions(-)
  28
  29 --- linux-2.6.17.9.orig/net/ipv4/fib_semantics.c
  30 +++ linux-2.6.17.9/net/ipv4/fib_semantics.c
  31 @@ -160,7 +160,7 @@ void free_fib_info(struct fib_info *fi)
  32
  33  void fib_release_info(struct fib_info *fi)
  34  {
  35 -       write_lock(&fib_info_lock);
  36 +       write_lock_bh(&fib_info_lock);
  37         if (fi && --fi->fib_treeref == 0) {
  38                 hlist_del(&fi->fib_hash);
  39                 if (fi->fib_prefsrc)
  40 @@ -173,7 +173,7 @@ void fib_release_info(struct fib_info *f
  41                 fi->fib_dead = 1;
  42                 fib_info_put(fi);
  43         }
  44 -       write_unlock(&fib_info_lock);
  45 +       write_unlock_bh(&fib_info_lock);
  46  }
  47
  48  static __inline__ int nh_comp(const struct fib_info *fi, const struct fib_info *ofi)
  49 @@ -599,7 +599,7 @@ static void fib_hash_move(struct hlist_h
  50         unsigned int old_size = fib_hash_size;
  51         unsigned int i, bytes;
  52
  53 -       write_lock(&fib_info_lock);
  54 +       write_lock_bh(&fib_info_lock);
  55         old_info_hash = fib_info_hash;
  56         old_laddrhash = fib_info_laddrhash;
  57         fib_hash_size = new_size;
  58 @@ -640,7 +640,7 @@ static void fib_hash_move(struct hlist_h
  59         }
  60         fib_info_laddrhash = new_laddrhash;
  61
  62 -       write_unlock(&fib_info_lock);
  63 +       write_unlock_bh(&fib_info_lock);
  64
  65         bytes = old_size * sizeof(struct hlist_head *);
  66         fib_hash_free(old_info_hash, bytes);
  67 @@ -822,7 +822,7 @@ link_it:
  68
  69         fi->fib_treeref++;
  70         atomic_inc(&fi->fib_clntref);
  71 -       write_lock(&fib_info_lock);
  72 +       write_lock_bh(&fib_info_lock);
  73         hlist_add_head(&fi->fib_hash,
  74                        &fib_info_hash[fib_info_hashfn(fi)]);
  75         if (fi->fib_prefsrc) {
  76 @@ -841,7 +841,7 @@ link_it:
  77                 head = &fib_info_devhash[hash];
  78                 hlist_add_head(&nh->nh_hash, head);
  79         } endfor_nexthops(fi)
  80 -       write_unlock(&fib_info_lock);
  81 +       write_unlock_bh(&fib_info_lock);
  82         return fi;
  83
  84  err_inval: