Commit 3006bc38 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller

bonding: fix a race in IGMP handling

RCU conversion in IGMP code done in net-next-2.6 raised a race in
__bond_resend_igmp_join_requests().

It iterates in_dev->mc_list without appropriate protection (RTNL, or
read_lock on in_dev->mc_list_lock).

Another cpu might delete an entry while we use it and trigger a fault.
Signed-off-by: default avatarEric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 28cb6ccd
...@@ -878,8 +878,10 @@ static void __bond_resend_igmp_join_requests(struct net_device *dev) ...@@ -878,8 +878,10 @@ static void __bond_resend_igmp_join_requests(struct net_device *dev)
rcu_read_lock(); rcu_read_lock();
in_dev = __in_dev_get_rcu(dev); in_dev = __in_dev_get_rcu(dev);
if (in_dev) { if (in_dev) {
read_lock(&in_dev->mc_list_lock);
for (im = in_dev->mc_list; im; im = im->next) for (im = in_dev->mc_list; im; im = im->next)
ip_mc_rejoin_group(im); ip_mc_rejoin_group(im);
read_unlock(&in_dev->mc_list_lock);
} }
rcu_read_unlock(); rcu_read_unlock();
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment