Commit 6a9e9cea authored by Florian Westphal, committed by David S. Miller

net: ipv4: fix infinite loop on secondary addr promotion

secondary address promotion causes infinite loop -- it arranges
for ifa->ifa_next to point back to itself.

Problem is that 'prev_prom' and 'last_prim' might point at the same entry,
so 'last_sec' pointer must be obtained after prev_prom->next update.

Fixes: 2638eb8b ("net: ipv4: provide __rcu annotation for ifa_list")
Reported-by: Ran Rozenstein <ranro@mellanox.com>
Reported-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
parent 5b9469a2
...@@ -428,8 +428,9 @@ static void __inet_del_ifa(struct in_device *in_dev, ...@@ -428,8 +428,9 @@ static void __inet_del_ifa(struct in_device *in_dev,
if (prev_prom) { if (prev_prom) {
struct in_ifaddr *last_sec; struct in_ifaddr *last_sec;
last_sec = rtnl_dereference(last_prim->ifa_next);
rcu_assign_pointer(prev_prom->ifa_next, next_sec); rcu_assign_pointer(prev_prom->ifa_next, next_sec);
last_sec = rtnl_dereference(last_prim->ifa_next);
rcu_assign_pointer(promote->ifa_next, last_sec); rcu_assign_pointer(promote->ifa_next, last_sec);
rcu_assign_pointer(last_prim->ifa_next, promote); rcu_assign_pointer(last_prim->ifa_next, promote);
} }
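Review bot: the read of last_sec inside the if (prev_prom) block is now order-sensitive, but nothing in the code says so. A later cleanup could hoist "last_sec = rtnl_dereference(last_prim->ifa_next);" back above "rcu_assign_pointer(prev_prom->ifa_next, next_sec);" and reintroduce the self-referencing ifa_next described in the commit message. Suggest a short comment directly above the read stating that prev_prom and last_prim may be the same entry, so last_sec must be loaded only after prev_prom->ifa_next has been updated.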