On Sun, Aug 15, 2004 at 07:14:50PM -0700, David S. Miller wrote:
> On Sat, 14 Aug 2004 16:27:03 +1000
> Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx> wrote:
>
> > Is there anything that prevents the following scenario from occurring?
> >
> > CPU0                            CPU1
> > neigh_create
> >                                 inet_del_ifa
> >                                 notifier_call_chain
> >                                 neigh_ifdown
> >                                 inetdev_destroy
> > arp_constructor
> > neigh->parms =
> >         in_dev->arp_parms
> >                                 in_dev->dead = 1
> >                                 in_dev->dev->ip_ptr =
> >                                         NULL
> >                                 neigh_parms_release
> > n->parms->neigh_setup => BUG
>
> Is there anything other than hostess_sv11.c, sealevel.c, and shaper.c
> which are using n->parms->neigh_setup at all?
>
> This seems to be a very obscure special case hack, which perhaps we
> can remove entirely.

That may be the case, but the race has nothing to do with neigh_setup.
Even if you remove neigh_setup altogether, the very next line in
neigh_create will dereference n->parms by looking up base_reachable_time.

Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu 许志壬 <herbert@xxxxxxxxxxxxxxxxxxx>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt