Patchwork IPv6: fix anycast address ref count leakage

Submitter: stephen hemminger
Date: Feb. 25, 2010, 11:57 p.m.
Message ID: <20100225155707.779c582a@nehalam>
Permalink: /patch/46297/
State: Superseded
Delegated to: David Miller

Comments

stephen hemminger - Feb. 25, 2010, 11:57 p.m.
The recent change in net-next to keep IPv6 address can lead to device
hanging with unresolved refcount on removal. The issue is that the conversion
of address from permanent to temporary needs to notify the anycast list
code to clean up its ref count. Also, want to tell other uses of IPv6
(bonding/sctp) that the address is no longer available.

The fix is to notify like a regular delete.  When link comes back, DAD
runs and will notify with NETDEV_UP that address is back.

The decrement of idev refcount when cleaning up addrconf_hash, should
never cause address to be freed; therefore it can use __in6_ifa_put.

The timer cleanup should be done when address deletion is done
in second loop.

Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>



stephen hemminger - Feb. 26, 2010, 12:54 a.m.
On Thu, 25 Feb 2010 15:57:07 -0800
Stephen Hemminger <shemminger@vyatta.com> wrote:

> The recent change in net-next to keep IPv6 address can lead to device
> hanging with unresolved refcount on removal. The issue is that the conversion
> of address from permanent to temporary needs to notify the anycast list
> code to clean up its ref count. Also, want to tell other uses of IPv6
> (bonding/sctp) that the address is no longer available.
> 
> The fix is to notify like a regular delete.  When link comes back, DAD
> runs and will notify with NETDEV_UP that address is back.
> 
> The decrement of idev refcount when cleaning up addrconf_hash, should
> never cause address to be freed; therefore it can use __in6_ifa_put.
> 
> The timer cleanup should be done when address deletion is done
> in second loop.
> 
> Signed-off-by: Stephen Hemminger <shemminger@vyatta.com>
> 

Wait till I split/revise this one; it has a problem.

Patch

--- a/net/ipv6/addrconf.c	2010-02-25 15:04:58.207491933 -0800
+++ b/net/ipv6/addrconf.c	2010-02-25 15:07:57.735384610 -0800
@@ -2653,8 +2653,7 @@  static int addrconf_ifdown(struct net_de
 			    (how || !(ifa->flags&IFA_F_PERMANENT))) {
 				*bifa = ifa->lst_next;
 				ifa->lst_next = NULL;
-				addrconf_del_timer(ifa);
-				in6_ifa_put(ifa);
+				__in6_ifa_put(ifa);
 				continue;
 			}
 			bifa = &ifa->lst_next;
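
Review bot: the switch to __in6_ifa_put(ifa) in the hash-removal branch relies on an invariant that nothing in this hunk checks or documents: the reference dropped here must never be the last one, because __in6_ifa_put() only decrements the count and never frees. A short comment naming which holder still pins the address at this point would make that explicit for later readers. Separately, the addrconf_del_timer(ifa) call removed here is only safe if every address unhashed under `(how || !(ifa->flags&IFA_F_PERMANENT))` is later reached by the timer delete in the second loop, so it is worth confirming that the two loops cover the same set of addresses.
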
@@ -2706,14 +2705,15 @@  static int addrconf_ifdown(struct net_de
 			ifa->if_next = NULL;
 
 			ifa->dead = 1;
-			write_unlock_bh(&idev->lock);
+		}
+		addrconf_del_timer(ifa);
+		write_unlock_bh(&idev->lock);
 
-			__ipv6_ifa_notify(RTM_DELADDR, ifa);
-			atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifa);
-			in6_ifa_put(ifa);
+		__ipv6_ifa_notify(RTM_DELADDR, ifa);
+		atomic_notifier_call_chain(&inet6addr_chain, NETDEV_DOWN, ifa);
+		in6_ifa_put(ifa);
 
-			write_lock_bh(&idev->lock);
-		}
+		write_lock_bh(&idev->lock);
 	}
 	write_unlock_bh(&idev->lock);
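
Review bot: moving the closing brace above addrconf_del_timer(ifa) makes the unlock, both notifications and in6_ifa_put(ifa) run on every pass of the loop, not only in the block that clears ifa->if_next and sets ifa->dead = 1. If the other branch leaves the address linked, in6_ifa_put(ifa) now drops a reference the list still owns, and the address stays reachable while idev->lock is released, so it can be freed or the loop position can go stale before write_lock_bh() is retaken. Suggest taking in6_ifa_hold(ifa) before write_unlock_bh() for addresses that stay linked (or keeping the put inside the unlink block), and adding a comment on how the walk continues safely once the lock has been dropped.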