Commit 8cc196d6 authored by David Ahern's avatar David Ahern Committed by David S. Miller

neighbor: gc_list changes should be protected by table lock

Adding and removing neighbor entries to / from the gc_list need to be
done while holding the table lock; a couple of places were missed in the
original patch.

Move the list_add_tail in neigh_alloc to ___neigh_create where the lock
is already obtained. Since neighbor entries should rarely be moved
to/from PERMANENT state, add lock/unlock around the gc_list changes in
neigh_change_state rather than extending the lock hold around all
neighbor updates.

Fixes: 58956317 ("neighbor: Improve garbage collection")
Reported-by: default avatarAndrei Vagin <avagin@gmail.com>
Reported-by: syzbot+6cc2fd1d3bdd2e007363@syzkaller.appspotmail.com
Reported-by: syzbot+35e87b87c00f386b041f@syzkaller.appspotmail.com
Reported-by: syzbot+b354d1fb59091ea73c37@syzkaller.appspotmail.com
Reported-by: syzbot+3ddead5619658537909b@syzkaller.appspotmail.com
Reported-by: syzbot+424d47d5c456ce8b2bbe@syzkaller.appspotmail.com
Reported-by: syzbot+e4d42eb35f6a27b0a628@syzkaller.appspotmail.com
Signed-off-by: default avatarDavid Ahern <dsahern@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 93698321
...@@ -138,11 +138,17 @@ static void neigh_change_state(struct neighbour *n, u8 new) ...@@ -138,11 +138,17 @@ static void neigh_change_state(struct neighbour *n, u8 new)
* add to the gc list if new state is not permanent * add to the gc list if new state is not permanent
*/ */
if (new_is_perm && on_gc_list) { if (new_is_perm && on_gc_list) {
write_lock_bh(&n->tbl->lock);
list_del_init(&n->gc_list); list_del_init(&n->gc_list);
write_unlock_bh(&n->tbl->lock);
atomic_dec(&n->tbl->gc_entries); atomic_dec(&n->tbl->gc_entries);
} else if (!new_is_perm && !on_gc_list) { } else if (!new_is_perm && !on_gc_list) {
/* add entries to the tail; cleaning removes from the front */ /* add entries to the tail; cleaning removes from the front */
write_lock_bh(&n->tbl->lock);
list_add_tail(&n->gc_list, &n->tbl->gc_list); list_add_tail(&n->gc_list, &n->tbl->gc_list);
write_unlock_bh(&n->tbl->lock);
atomic_inc(&n->tbl->gc_entries); atomic_inc(&n->tbl->gc_entries);
} }
} }
...@@ -390,10 +396,6 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, ...@@ -390,10 +396,6 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl,
n->tbl = tbl; n->tbl = tbl;
refcount_set(&n->refcnt, 1); refcount_set(&n->refcnt, 1);
n->dead = 1; n->dead = 1;
if (!permanent)
list_add_tail(&n->gc_list, &n->tbl->gc_list);
else
INIT_LIST_HEAD(&n->gc_list); INIT_LIST_HEAD(&n->gc_list);
atomic_inc(&tbl->entries); atomic_inc(&tbl->entries);
...@@ -616,6 +618,9 @@ static struct neighbour *___neigh_create(struct neigh_table *tbl, ...@@ -616,6 +618,9 @@ static struct neighbour *___neigh_create(struct neigh_table *tbl,
} }
n->dead = 0; n->dead = 0;
if (!permanent)
list_add_tail(&n->gc_list, &n->tbl->gc_list);
if (want_ref) if (want_ref)
neigh_hold(n); neigh_hold(n);
rcu_assign_pointer(n->next, rcu_assign_pointer(n->next,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment