Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 1215e51e authored by WANG Cong's avatar WANG Cong Committed by David S. Miller
Browse files

ipv4: fix a deadlock in ip_ra_control 



Similar to commit 87e9f031
("ipv4: fix a potential deadlock in mcast getsockopt() path"),
there is a deadlock scenario for IP_ROUTER_ALERT too:

       CPU0                    CPU1
       ----                    ----
  lock(rtnl_mutex);
                               lock(sk_lock-AF_INET);
                               lock(rtnl_mutex);
  lock(sk_lock-AF_INET);

Fix this by always locking RTNL first on all setsockopt() paths.

Note, after this patch ip_ra_lock is no longer needed either.

Reported-by: default avatarDmitry Vyukov <dvyukov@google.com>
Tested-by: default avatarAndrey Konovalov <andreyknvl@google.com>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 271a8b42

net/ipv4/ip_sockglue.c

+1 −0
Original line number Diff line number Diff line
@@ -591,6 +591,7 @@ static bool setsockopt_needs_rtnl(int optname) 
	case MCAST_LEAVE_GROUP:

	case MCAST_LEAVE_SOURCE_GROUP:

	case MCAST_UNBLOCK_SOURCE:

	case IP_ROUTER_ALERT:

		return true;

	}

	return false;

net/ipv4/ipmr.c

+2 −9
Original line number Diff line number Diff line
@@ -1278,7 +1278,7 @@ static void mrtsock_destruct(struct sock *sk) 
	struct net *net = sock_net(sk);

	struct mr_table *mrt;



	rtnl_lock();

	ASSERT_RTNL();

	ipmr_for_each_table(mrt, net) {

		if (sk == rtnl_dereference(mrt->mroute_sk)) {

			IPV4_DEVCONF_ALL(net, MC_FORWARDING)--;
@@ -1289,7 +1289,6 @@ static void mrtsock_destruct(struct sock *sk) 
			mroute_clean_tables(mrt, false);

		}

	}

	rtnl_unlock();

}



/* Socket options and virtual interface manipulation. The whole
@@ -1353,13 +1352,8 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, 
		if (sk != rcu_access_pointer(mrt->mroute_sk)) {

			ret = -EACCES;

		} else {

			/* We need to unlock here because mrtsock_destruct takes

			 * care of rtnl itself and we can't change that due to

			 * the IP_ROUTER_ALERT setsockopt which runs without it.

			 */

			rtnl_unlock();

			ret = ip_ra_control(sk, 0, NULL);

			goto out;

			goto out_unlock;

		}

		break;

	case MRT_ADD_VIF:
@@ -1470,7 +1464,6 @@ int ip_mroute_setsockopt(struct sock *sk, int optname, char __user *optval, 
	}

out_unlock:

	rtnl_unlock();

out:

	return ret;

}

net/ipv4/raw.c

+2 −0
Original line number Diff line number Diff line
@@ -682,7 +682,9 @@ static void raw_close(struct sock *sk, long timeout) 
	/*

	 * Raw sockets may have direct kernel references. Kill them.

	 */

	rtnl_lock();

	ip_ra_control(sk, 0, NULL);

	rtnl_unlock();



	sk_common_release(sk);

}