From patchwork Wed Feb 17 00:41:33 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Jay Vosburgh X-Patchwork-Id: 583785 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 2E5B1140297; Wed, 17 Feb 2016 11:42:25 +1100 (AEDT) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1aVqCE-0005VO-Vq; Wed, 17 Feb 2016 00:42:22 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtps (TLS1.0:RSA_AES_256_CBC_SHA1:32) (Exim 4.76) (envelope-from ) id 1aVqBs-0005O2-Lu for kernel-team@lists.ubuntu.com; Wed, 17 Feb 2016 00:42:00 +0000 Received: from c-67-183-59-65.hsd1.wa.comcast.net ([67.183.59.65] helo=famine.localdomain) by youngberry.canonical.com with esmtpsa (TLS1.0:RSA_AES_128_CBC_SHA1:16) (Exim 4.76) (envelope-from ) id 1aVqBs-00029l-4U for kernel-team@lists.ubuntu.com; Wed, 17 Feb 2016 00:42:00 +0000 From: Jay Vosburgh To: kernel-team@lists.ubuntu.com Subject: [SRU][Trusty][PATCH v2 4/4] netfilter: bridge: Use __in6_dev_get rather than in6_dev_get in br_validate_ipv6 Date: Tue, 16 Feb 2016 16:41:33 -0800 Message-Id: <1455669693-19975-5-git-send-email-jay.vosburgh@canonical.com> X-Mailer: git-send-email 1.9.1 In-Reply-To: <1455669693-19975-1-git-send-email-jay.vosburgh@canonical.com> References: <1455669693-19975-1-git-send-email-jay.vosburgh@canonical.com> X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com From: Julien Grall BugLink: https://bugs.launchpad.net/nova/+bug/1463911 The commit efb6de9b4ba0092b2c55f6a52d16294a8a698edd "netfilter: bridge: forward IPv6 fragmented packets" introduced a new function br_validate_ipv6 which take a reference on the inet6 device. Although, the reference is not released at the end. This will result to the impossibility to destroy any netdevice using ipv6 and bridge. It's possible to directly retrieve the inet6 device without taking a reference as all netfilter hooks are protected by rcu_read_lock via nf_hook_slow. Spotted while trying to destroy a Xen guest on the upstream Linux: "unregister_netdevice: waiting for vif1.0 to become free. Usage count = 1" Signed-off-by: Julien Grall Cc: Bernhard Thaler Cc: Pablo Neira Ayuso Cc: fw@strlen.de Cc: ian.campbell@citrix.com Cc: wei.liu2@citrix.com Cc: Bob Liu Acked-by: Stephen Hemminger Signed-off-by: Pablo Neira Ayuso (backported from commit 86e8971800381c3a8d8d9327f83b1f97ccb04a4f) Signed-off-by: Jay Vosburgh --- net/bridge/br_netfilter.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/bridge/br_netfilter.c b/net/bridge/br_netfilter.c index a1c6954f5e24..70282dd8d69e 100644 --- a/net/bridge/br_netfilter.c +++ b/net/bridge/br_netfilter.c @@ -642,7 +642,7 @@ static int br_validate_ipv6(struct sk_buff *skb) { const struct ipv6hdr *hdr; struct net_device *dev = skb->dev; - struct inet6_dev *idev = in6_dev_get(skb->dev); + struct inet6_dev *idev = __in6_dev_get(skb->dev); u32 pkt_len; u8 ip6h_len = sizeof(struct ipv6hdr);