Re: neigh_create/inetdev_destroy race?

[Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>]

On Sun, Aug 15, 2004 at 07:14:50PM -0700, David S. Miller wrote:
> On Sat, 14 Aug 2004 16:27:03 +1000
> Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
> 
> > Is there any thing that prevents the following scenario from occuring?
> > 
> > CPU0                                        CPU1
> > neigh_create
> >                                     inet_del_ifa
> >                                             notifier_call_chain
> >                                                     neigh_ifdown
> >                                             inetdev_destroy
> >     arp_constructor
> >             neigh->parms =
> >                     in_dev->arp_parms
> >                                                     in_dev->dead = 1
> >                                                     in_dev->dev->ip_ptr =
> >                                                             NULL
> >                                                     neigh_parms_release
> >     n->parms->neigh_setup => BUG
> 
> Is there anything other than hostess_sv11.c, sealevel.c, and shaper.c
> which are using n->parms->neigh_setup at all?
> 
> This seems to be a very obscure special case hack, which perhaps we
> can removee entirely.

That maybe the case, but the race has nothing to do with neigh_setup.

Even if you remove neigh_setup altogether, the very next line in
neigh_create will dereference n->parms by looking up base_reachable_time.

Cheers,
-- 
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt