[Top] [All Lists]

[PATCH] Hang in downing interface with IPv6 PRIVACY

To: "David S. Miller" <davem@xxxxxxxxxx>
Subject: [PATCH] Hang in downing interface with IPv6 PRIVACY
From: Krishna Kumar <krkumar@xxxxxxxxxx>
Date: Fri, 7 Nov 2003 11:01:41 -0800 (PST)
Cc: netdev@xxxxxxxxxxx, <krkumar@xxxxxxxxxx>
In-reply-to: <>
Sender: netdev-bounce@xxxxxxxxxxx
While using PRIVACY extensions, I sometimes get a hang when I remove the
interface. But I can reproduce this every time using the test script at
the end of the mail (hang depends on the order of address deletion).

The bug is in ipv6_del_addr() where if a temp address is being deleted, it
does an __in6_ifa_put() of the main address from which it was derived
(basically the autoconf prefix address). So if the main address was
deleted first, it's ifp ref count would be 1 and it would 'wait' to be
freed till it's temp address was freed first. When the temp address is
deleted, the __put() routine drops the main address's ifp ref count to 0,
but not free it. unregister_netdevice() hangs giving message that ref
count is 1. Fix tested overnight.

Also, the code at the top of the routine is unnecessary, the same is being
done when the address is found a little later in that routine.


- KK

-------------------------- PATCH -----------------------------------------
diff -ruN linux-2.6.0-test9-bk9/net/ipv6/addrconf.c
--- linux-2.6.0-test9-bk9/net/ipv6/addrconf.c   2003-11-07 10:56:42.000000000 
+++       2003-11-07 
10:56:50.000000000 -0800
@@ -571,15 +571,6 @@

        ifp->dead = 1;

-       spin_lock_bh(&ifp->lock);
-       if (ifp->ifpub) {
-               __in6_ifa_put(ifp->ifpub);
-               ifp->ifpub = NULL;
-       }
-       spin_unlock_bh(&ifp->lock);
        for (ifap = &inet6_addr_lst[hash]; (ifa=*ifap) != NULL;
             ifap = &ifa->lst_next) {
@@ -600,7 +591,7 @@
                        if (ifa == ifp) {
                                *ifap = ifa->tmp_next;
                                if (ifp->ifpub) {
-                                       __in6_ifa_put(ifp->ifpub);
+                                       in6_ifa_put(ifp->ifpub);
                                        ifp->ifpub = NULL;
----------------------- TEST PROGRAM ------------------------------------
insmod /lib/modules/2.6.0-test9-bk9/kernel/drivers/net/e100/e100.ko
ifup eth0

# enable privacy address creation
echo 1  > /proc/sys/net/ipv6/conf/eth0/use_tempaddr

# set router, get autoconf/privacy addresses
echo 1 > /proc/sys/net/ipv6/conf/all/forwarding
echo 0 > /proc/sys/net/ipv6/conf/all/forwarding

# wait for radvd to configure interface addresses
sleep 10

# kill radvd (paranoia)
kill `ps -ef|grep radvd|grep -v grep|awk '{print $2}'`

# delete last regular address first! (happens to be regular :-)
ifconfig eth0 del `ifconfig eth0 | grep Site | tail -1 | awk '{print $3}'`

# now delete all other addresses. bug happens here when the temp address
# is deleted, it doesn't free the regular addresses 'ifp'.
for i in `ifconfig eth0 | grep Site | awk '{print $3}'`
        ifconfig eth0 del $i

ifdown eth0
rmmod e100

<Prev in Thread] Current Thread [Next in Thread>