Hello,
On Fri, 22 May 2015, Eric W. Biederman wrote:
> ip_error does not check if in_dev is NULL before dereferencing it.
>
> IThe following sequence of calls is possible:
> CPU A CPU B
> ip_rcv_finish
> ip_route_input_noref()
> ip_route_input_slow()
> inetdev_destroy()
> dst_input()
>
> With the result that a network device can be destroyed while processing
> an input packet.
How can that happen in practice? May be network
driver is missing a napi_disable() call in ndo_stop()?
napi_disable is supposed to wait backlog before NETDEV_DOWN
and NETDEV_UNREGISTER (where inetdev_destroy is called) handlers
are notified. Any link to original crash report, info for used
driver, etc?
After commit 8030f54499925d ("[IPV4] devinet: Register inetdev
earlier.") dev->ip_ptr is always present while packets are
processed, only in_dev->ifa_list can be NULL.
Regards
--
Julian Anastasov <j...@ssi.bg>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majord...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
