From: Brad Peters <bpeters@redhat.com>
Date: Thu, 31 Jul 2008 11:20:31 -0400
Subject: [net] race between neigh_timer_handler and neigh_update
Message-id: 20080731152031.6492.43654.sendpatchset@squad5-lp1.lab.bos.redhat.com
O-Subject: [PATCH RHEL5.3] Fix for race between neigh_timer_handler and neigh_update
Bugzilla: 440555
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: David Howells <dhowells@redhat.com>

RHBZ#:
======
https://bugzilla.redhat.com/show_bug.cgi?id=440555

Description:
===========
neigh_update sends the skb from neigh->arp_queue while neigh_timer_handler has increased the skb's refcount and calls solicit with the skb. neigh_timer_handler should not increase the skb's refcount but make a copy of the skb and do the solicit with the copy.

RHEL Version Found:
================
RHEL 5.1

kABI Status:
============
No symbols were harmed.

Brew:
=====
Built on all platforms.
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1386630

Upstream Status:
================
Backported from:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7e36763b2c204d59de4e88087f84a2c0c8421f25

Test Status:
============
Fix confirmed by Ping Tian Han <IBM> through 22+ hours of the same ST test which uncovered the bug.

===============================================================
Brad Peters 1-978-392-1000 x 23183
IBM on-site partner.

Proposed Patch:
===============
This patch is based on 2.6.18-95.el5

diff --git a/net/core/neighbour.c b/net/core/neighbour.c index f76696e..74e9d51 100644 --- a/net/core/neighbour.c +++ b/net/core/neighbour.c @@ -812,7 +812,7 @@ static void neigh_timer_handler(unsigned long arg) struct sk_buff *skb = skb_peek(&neigh->arp_queue); /* keep skb alive even if arp_queue overflows */ if (skb) - skb_get(skb); + skb = skb_copy(skb, GFP_ATOMIC); write_unlock(&neigh->lock); neigh->ops->solicit(neigh, skb); atomic_inc(&neigh->probes);
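Review bot: `skb_copy(skb, GFP_ATOMIC)` can fail and return NULL, so after the `+` line `skb` may be NULL even though `skb_peek` found a queued packet, and the following `neigh->ops->solicit(neigh, skb)` must tolerate that. It already has to, because the empty-queue case hands it NULL as well (the `if (skb)` guard is skipped), so an allocation failure degrades to a solicit without the queued packet rather than a crash; that reasoning belongs in the description so the NULL path is a documented choice, not an accident. The hunk also changes ownership without showing the release: with `skb_get` the extra reference had to be dropped after `solicit` returned, and the private copy must now be freed at that same point, which lies past the three trailing context lines shown here, so please confirm the existing release after `atomic_inc(&neigh->probes)` still applies to the copy.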