802: fix a possible race condition

(Resend with a better changelog)

garp_pdu_queue() should always be called with this spin lock.
garp_uninit_applicant() only holds rtnl lock which is not
enough here.  A possible race can happen as garp_pdu_rcv()
is called in BH context:

	garp_pdu_rcv()
	  |->garp_pdu_parse_msg()
	    |->garp_pdu_parse_attr()
	      |-> garp_gid_event()

Found by code inspection.

Cc: Eric Dumazet <eric.dumazet@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: David Ward <david.ward@ll.mit.edu>
Cc: "Jorge Boncompte [DTI2]" <jorge@dti2.net>
Signed-off-by: Cong Wang <amwang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Cong Wang 2013-04-02 21:52:40 +00:00 committed by David S. Miller
parent 23a9544206
commit cfbe800b8b
1 changed files with 4 additions and 0 deletions


@ -609,8 +609,12 @@ void garp_uninit_applicant(struct net_device *dev, struct garp_application *appl
/* Delete timer and generate a final TRANSMIT_PDU event to flush out /* Delete timer and generate a final TRANSMIT_PDU event to flush out
* all pending messages before the applicant is gone. */ * all pending messages before the applicant is gone. */
del_timer_sync(&app->join_timer); del_timer_sync(&app->join_timer);
spin_lock_bh(&app->lock);
garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU); garp_gid_event(app, GARP_EVENT_TRANSMIT_PDU);
garp_pdu_queue(app); garp_pdu_queue(app);
spin_unlock_bh(&app->lock);
garp_queue_xmit(app); garp_queue_xmit(app);
dev_mc_del(dev, appl->proto.group_address); dev_mc_del(dev, appl->proto.group_address);
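
Review bot: The locking rule this hunk relies on is stated only in the changelog ("should always be called with this spin lock"), and nothing at the new spin_lock_bh(&app->lock) / spin_unlock_bh(&app->lock) pair or in the comment above it says which state the lock protects. Consider recording the rule where it can be checked, for example a lockdep_assert_held(&app->lock) at the top of garp_pdu_queue() and garp_gid_event(), so a future caller that takes only the rtnl lock is caught by lockdep rather than by code inspection. Also note that garp_queue_xmit(app) is left outside the locked region while the two calls before it are inside. If that is intentional, a short mention in the comment or changelog would save the next reader from asking.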