mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2025-01-10 07:00:48 +00:00
ipv6: Handle missing host route in __ipv6_ifa_notify
Rajendra reported a kernel panic when a link was taken down: [ 6870.263084] BUG: unable to handle kernel NULL pointer dereference at 00000000000000a8 [ 6870.271856] IP: [<ffffffff8efc5764>] __ipv6_ifa_notify+0x154/0x290 <snip> [ 6870.570501] Call Trace: [ 6870.573238] [<ffffffff8efc58c6>] ? ipv6_ifa_notify+0x26/0x40 [ 6870.579665] [<ffffffff8efc98ec>] ? addrconf_dad_completed+0x4c/0x2c0 [ 6870.586869] [<ffffffff8efe70c6>] ? ipv6_dev_mc_inc+0x196/0x260 [ 6870.593491] [<ffffffff8efc9c6a>] ? addrconf_dad_work+0x10a/0x430 [ 6870.600305] [<ffffffff8f01ade4>] ? __switch_to_asm+0x34/0x70 [ 6870.606732] [<ffffffff8ea93a7a>] ? process_one_work+0x18a/0x430 [ 6870.613449] [<ffffffff8ea93d6d>] ? worker_thread+0x4d/0x490 [ 6870.619778] [<ffffffff8ea93d20>] ? process_one_work+0x430/0x430 [ 6870.626495] [<ffffffff8ea99dd9>] ? kthread+0xd9/0xf0 [ 6870.632145] [<ffffffff8f01ade4>] ? __switch_to_asm+0x34/0x70 [ 6870.638573] [<ffffffff8ea99d00>] ? kthread_park+0x60/0x60 [ 6870.644707] [<ffffffff8f01ae77>] ? ret_from_fork+0x57/0x70 [ 6870.650936] Code: 31 c0 31 d2 41 b9 20 00 08 02 b9 09 00 00 0 addrconf_dad_work is kicked to be scheduled when a device is brought up. There is a race between addrcond_dad_work getting scheduled and taking the rtnl lock and a process taking the link down (under rtnl). The latter removes the host route from the inet6_addr as part of addrconf_ifdown which is run for NETDEV_DOWN. The former attempts to use the host route in __ipv6_ifa_notify. If the down event removes the host route due to the race to the rtnl, then the BUG listed above occurs. Since the DAD sequence can not be aborted, add a check for the missing host route in __ipv6_ifa_notify. The only way this should happen is due to the previously mentioned race. The host route is created when the address is added to an interface; it is only removed on a down event where the address is kept. Add a warning if the host route is missing AND the device is up; this is a situation that should never happen. Fixes: f1705ec197e7 ("net: ipv6: Make address flushing on ifdown optional") Reported-by: Rajendra Dendukuri <rajendra.dendukuri@broadcom.com> Signed-off-by: David Ahern <dsahern@gmail.com> Reviewed-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
parent
ea977d19d9
commit
2d819d250a
@ -5964,13 +5964,20 @@ static void __ipv6_ifa_notify(int event, struct inet6_ifaddr *ifp)
|
||||
switch (event) {
|
||||
case RTM_NEWADDR:
|
||||
/*
|
||||
* If the address was optimistic
|
||||
* we inserted the route at the start of
|
||||
* our DAD process, so we don't need
|
||||
* to do it again
|
||||
* If the address was optimistic we inserted the route at the
|
||||
* start of our DAD process, so we don't need to do it again.
|
||||
* If the device was taken down in the middle of the DAD
|
||||
* cycle there is a race where we could get here without a
|
||||
* host route, so nothing to insert. That will be fixed when
|
||||
* the device is brought up.
|
||||
*/
|
||||
if (!rcu_access_pointer(ifp->rt->fib6_node))
|
||||
if (ifp->rt && !rcu_access_pointer(ifp->rt->fib6_node)) {
|
||||
ip6_ins_rt(net, ifp->rt);
|
||||
} else if (!ifp->rt && (ifp->idev->dev->flags & IFF_UP)) {
|
||||
pr_warn("BUG: Address %pI6c on device %s is missing its host route.\n",
|
||||
&ifp->addr, ifp->idev->dev->name);
|
||||
}
|
||||
|
||||
if (ifp->idev->cnf.forwarding)
|
||||
addrconf_join_anycast(ifp);
|
||||
if (!ipv6_addr_any(&ifp->peer_addr))
|
||||
|
Loading…
x
Reference in New Issue
Block a user