Patchwork 3.3-rc3+ Crash in __neigh_for_each_release

Submitter Eric Dumazet
Date Feb. 21, 2012, 8:46 p.m.
Message ID <1329857209.18384.53.camel@edumazet-laptop>
Permalink /patch/142363/
State Accepted
Delegated to: David Miller

Comments

Eric Dumazet - Feb. 21, 2012, 8:46 p.m.
On Tuesday, 21 February 2012 at 20:15 +0100, Eric Dumazet wrote:
> On Tuesday, 21 February 2012 at 14:07 -0500, David Miller wrote:
> > From: Eric Dumazet <eric.dumazet@gmail.com>
> > Date: Tue, 21 Feb 2012 20:03:24 +0100
> > 
> > > But I don't know this code well enough to know if the following patch is the
> > > way to fix this. (and __neigh_for_each_release() can also be deleted if
> > > no users left in tree)
> > 
> > I think instead of removing the code, we need to have it iterate over
> > "arp_tbl" but only invoke the callback for devices which are of type
> > ATM.
> 
> That makes sense...
> 
> Or invoke callback for all entries, and filter in callback non ATM ones.
> 
> 

What about following patch ?

Meelis, can you test it please ?

[PATCH] atm: clip: remove clip_tbl

Commit 32092ecf0644 (atm: clip: Use device neigh support on top of
"arp_tbl".) introduced a bug since clip_tbl is zeroed : Crash occurs in
__neigh_for_each_release()

idle_timer_check() must use instead arp_tbl and neigh_check_cb() should
ignore non clip neighbours.

Idea from David Miller.

Reported-by: Meelis Roos <mroos@linux.ee>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
---
 net/atm/clip.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)



--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
David Miller - Feb. 21, 2012, 10:46 p.m.
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Tue, 21 Feb 2012 21:46:49 +0100

> [PATCH] atm: clip: remove clip_tbl
> 
> Commit 32092ecf0644 (atm: clip: Use device neigh support on top of
> "arp_tbl".) introduced a bug since clip_tbl is zeroed : Crash occurs in
> __neigh_for_each_release()
> 
> idle_timer_check() must use instead arp_tbl and neigh_check_cb() should
> ignore non clip neighbours.
> 
> Idea from David Miller.
> 
> Reported-by: Meelis Roos <mroos@linux.ee>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Yep, this looks a lot better, once we have positive testing from
Meelis I'll apply this.

Thanks.
Meelis Roos - Feb. 22, 2012, 7:19 a.m.
> What about following patch ?
> 
> Meelis, can you test it please ?

Works fine, thank you!
 
> [PATCH] atm: clip: remove clip_tbl
> 
> Commit 32092ecf0644 (atm: clip: Use device neigh support on top of
> "arp_tbl".) introduced a bug since clip_tbl is zeroed : Crash occurs in
> __neigh_for_each_release()
> 
> idle_timer_check() must use instead arp_tbl and neigh_check_cb() should
> ignore non clip neighbours.
> 
> Idea from David Miller.
> 
> Reported-by: Meelis Roos <mroos@linux.ee>
> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>

Tested-by: Meelis Roos <mroos@linux.ee>
Eric Dumazet - Feb. 22, 2012, 7:21 a.m.
On Wednesday, 22 February 2012 at 09:19 +0200, mroos@linux.ee wrote:
> > What about following patch ?
> > 
> > Meelis, can you test it please ?
> 
> Works fine, thank you!
>  
> > [PATCH] atm: clip: remove clip_tbl
> > 
> > Commit 32092ecf0644 (atm: clip: Use device neigh support on top of
> > "arp_tbl".) introduced a bug since clip_tbl is zeroed : Crash occurs in
> > __neigh_for_each_release()
> > 
> > idle_timer_check() must use instead arp_tbl and neigh_check_cb() should
> > ignore non clip neighbours.
> > 
> > Idea from David Miller.
> > 
> > Reported-by: Meelis Roos <mroos@linux.ee>
> > Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> 
> Tested-by: Meelis Roos <mroos@linux.ee>
> 

Thanks !


David Miller - Feb. 22, 2012, 7:24 a.m.
From: mroos@linux.ee
Date: Wed, 22 Feb 2012 09:19:15 +0200 (EET)

>> What about following patch ?
>> 
>> Meelis, can you test it please ?
> 
> Works fine, thank you!
>  
>> [PATCH] atm: clip: remove clip_tbl
>> 
>> Commit 32092ecf0644 (atm: clip: Use device neigh support on top of
>> "arp_tbl".) introduced a bug since clip_tbl is zeroed : Crash occurs in
>> __neigh_for_each_release()
>> 
>> idle_timer_check() must use instead arp_tbl and neigh_check_cb() should
>> ignore non clip neighbours.
>> 
>> Idea from David Miller.
>> 
>> Reported-by: Meelis Roos <mroos@linux.ee>
>> Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
> 
> Tested-by: Meelis Roos <mroos@linux.ee>

Applied, thanks everyone.

Patch

diff --git a/net/atm/clip.c b/net/atm/clip.c
index c12c258..127fe70 100644
--- a/net/atm/clip.c
+++ b/net/atm/clip.c
@@ -46,8 +46,8 @@ 
 
 static struct net_device *clip_devs;
 static struct atm_vcc *atmarpd;
-static struct neigh_table clip_tbl;
 static struct timer_list idle_timer;
+static const struct neigh_ops clip_neigh_ops;
 
 static int to_atmarpd(enum atmarp_ctrl_type type, int itf, __be32 ip)
 {
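Review bot: the added `static const struct neigh_ops clip_neigh_ops;` next to idle_timer has no comment, and at this point in the file it is not obvious why an ops structure is declared ahead of its use. Suggest a one-line comment saying it is a forward declaration needed so neigh_check_cb() can compare n->ops against it. Since clip_tbl is deleted in the same hunk, it is also worth stating in the changelog that idle_timer_check() was its only remaining user; the diffstat (6 insertions, 4 deletions) matches the three hunks shown, so no other reference is converted by this patch.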
@@ -123,6 +123,8 @@  static int neigh_check_cb(struct neighbour *n)
 	struct atmarp_entry *entry = neighbour_priv(n);
 	struct clip_vcc *cv;
 
+	if (n->ops != &clip_neigh_ops)
+		return 0;
 	for (cv = entry->vccs; cv; cv = cv->next) {
 		unsigned long exp = cv->last_use + cv->idle_timeout;
 
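Review bot: in neigh_check_cb() the new `n->ops != &clip_neigh_ops` test comes after `entry` has already been initialized from neighbour_priv(n), so for a non-CLIP neighbour `entry` briefly points at private data that is not a struct atmarp_entry. Nothing dereferences it before the early return, so the code is correct as written, but a short comment above the check (for example that arp_tbl also holds non-CLIP neighbours and entry is only valid once the ops match) would keep a later change from touching entry above this line. A blank line after `return 0;` would also separate the filter from the loop over entry->vccs.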
@@ -154,10 +156,10 @@  static int neigh_check_cb(struct neighbour *n)
 
 static void idle_timer_check(unsigned long dummy)
 {
-	write_lock(&clip_tbl.lock);
-	__neigh_for_each_release(&clip_tbl, neigh_check_cb);
+	write_lock(&arp_tbl.lock);
+	__neigh_for_each_release(&arp_tbl, neigh_check_cb);
 	mod_timer(&idle_timer, jiffies + CLIP_CHECK_INTERVAL * HZ);
-	write_unlock(&clip_tbl.lock);
+	write_unlock(&arp_tbl.lock);
 }
 
 static int clip_arp_rcv(struct sk_buff *skb)
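Review bot: idle_timer_check() now takes `write_lock(&arp_tbl.lock)` and runs __neigh_for_each_release() over arp_tbl, so every CLIP_CHECK_INTERVAL the timer holds the write lock of the shared ARP table while walking all of its neighbours, not only the CLIP ones that neigh_check_cb() goes on to inspect. That is the behaviour the thread asked for, but the cost now scales with the whole table rather than with a private one, and the changelog does not mention it. Suggest a sentence in the commit message, or a comment above the write_lock() call, noting that the walk covers all arp_tbl entries and relies on the ops check in neigh_check_cb() to skip the rest.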