ipv4: fix a race in update_or_create_fnhe()

commit caa415270c732505240bb60171c44a7838c555e8 upstream.

nh_exceptions is effectively used under rcu, but lacks proper
barriers. Between kzalloc() and setting of nh->nh_exceptions(),
we need a proper memory barrier.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Fixes: 4895c771c7f00 ("ipv4: Add FIB nexthop exceptions.")
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Ben Hutchings <ben@decadent.org.uk>

diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index 68d6df7bc85aa2148300a7244c6a585728ca1172..928bf612f6ff8b276f75f5b64f6ec1feaf3ecd94 100644 (file)
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -89,7 +89,7 @@ struct fib_nh {
        int                     nh_saddr_genid;
        struct rtable __rcu * __percpu *nh_pcpu_rth_output;
        struct rtable __rcu     *nh_rth_input;
-       struct fnhe_hash_bucket *nh_exceptions;
+       struct fnhe_hash_bucket __rcu *nh_exceptions;
 };
 
 /*

diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 6f44569623ae2e5321f2b406379a3f3f485a9508..83656bdb00e2aa2dd40a8d4091fa066f9dc6b8b0 100644 (file)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -157,9 +157,12 @@ static void rt_fibinfo_free(struct rtable __rcu **rtp)
 
 static void free_nh_exceptions(struct fib_nh *nh)
 {
-       struct fnhe_hash_bucket *hash = nh->nh_exceptions;
+       struct fnhe_hash_bucket *hash;
        int i;
 
+       hash = rcu_dereference_protected(nh->nh_exceptions, 1);
+       if (!hash)
+               return;
        for (i = 0; i < FNHE_HASH_SIZE; i++) {
                struct fib_nh_exception *fnhe;
 
@@ -206,8 +209,7 @@ static void free_fib_info_rcu(struct rcu_head *head)
        change_nexthops(fi) {
                if (nexthop_nh->nh_dev)
                        dev_put(nexthop_nh->nh_dev);
-               if (nexthop_nh->nh_exceptions)
-                       free_nh_exceptions(nexthop_nh);
+               free_nh_exceptions(nexthop_nh);
                rt_fibinfo_free_cpus(nexthop_nh->nh_pcpu_rth_output);
                rt_fibinfo_free(&nexthop_nh->nh_rth_input);
        } endfor_nexthops(fi);

diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index 13816361fc0401bf5abe9dd0c96fa5ce58bd3d50..e0d59ff394b246e1b2d3189c00db76303f69c1be 100644 (file)
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -635,12 +635,12 @@ static void update_or_create_fnhe(struct fib_nh *nh, __be32 daddr, __be32 gw,
 
        spin_lock_bh(&fnhe_lock);
 
-       hash = nh->nh_exceptions;
+       hash = rcu_dereference(nh->nh_exceptions);
        if (!hash) {
                hash = kzalloc(FNHE_HASH_SIZE * sizeof(*hash), GFP_ATOMIC);
                if (!hash)
                        goto out_unlock;
-               nh->nh_exceptions = hash;
+               rcu_assign_pointer(nh->nh_exceptions, hash);
        }
 
        hash += hval;
@@ -1293,7 +1293,7 @@ static void ip_del_fnhe(struct fib_nh *nh, __be32 daddr)
 
 static struct fib_nh_exception *find_exception(struct fib_nh *nh, __be32 daddr)
 {
-       struct fnhe_hash_bucket *hash = nh->nh_exceptions;
+       struct fnhe_hash_bucket *hash = rcu_dereference(nh->nh_exceptions);
        struct fib_nh_exception *fnhe;
        u32 hval;