[IPV4]: severe locking bug in fib_semantics.c

[net-next-2.6.git] / net / ipv4 / fib_semantics.c
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c

index 6d2a6ac070e35d035a7401ca89cc8f8b53449743..51738000f3dc4c12c5db72063548b8535f7517e6 100644 (file)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -15,7 +15,6 @@
   *             2 of the License, or (at your option) any later version.
   */
  
-#include <linux/config.h>
  #include <asm/uaccess.h>
  #include <asm/system.h>
  #include <linux/bitops.h>
@@ -29,6 +28,7 @@
  #include <linux/errno.h>
  #include <linux/in.h>
  #include <linux/inet.h>
+#include <linux/inetdevice.h>
  #include <linux/netdevice.h>
  #include <linux/if_arp.h>
  #include <linux/proc_fs.h>
@@ -36,6 +36,7 @@
  #include <linux/netlink.h>
  #include <linux/init.h>
  
+#include <net/arp.h>
  #include <net/ip.h>
  #include <net/protocol.h>
  #include <net/route.h>
@@ -158,7 +159,7 @@ void free_fib_info(struct fib_info *fi)
  
  void fib_release_info(struct fib_info *fi)
  {
-       write_lock(&fib_info_lock);
+       write_lock_bh(&fib_info_lock);
         if (fi && --fi->fib_treeref == 0) {
                 hlist_del(&fi->fib_hash);
                 if (fi->fib_prefsrc)
@@ -171,7 +172,7 @@ void fib_release_info(struct fib_info *fi)
                 fi->fib_dead = 1;
                 fib_info_put(fi);
         }
-       write_unlock(&fib_info_lock);
+       write_unlock_bh(&fib_info_lock);
  }
  
  static __inline__ int nh_comp(const struct fib_info *fi, const struct fib_info *ofi)
@@ -597,7 +598,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
         unsigned int old_size = fib_hash_size;
         unsigned int i, bytes;
  
-       write_lock(&fib_info_lock);
+       write_lock_bh(&fib_info_lock);
         old_info_hash = fib_info_hash;
         old_laddrhash = fib_info_laddrhash;
         fib_hash_size = new_size;
@@ -638,7 +639,7 @@ static void fib_hash_move(struct hlist_head *new_info_hash,
         }
         fib_info_laddrhash = new_laddrhash;
  
-       write_unlock(&fib_info_lock);
+       write_unlock_bh(&fib_info_lock);
  
         bytes = old_size * sizeof(struct hlist_head *);
         fib_hash_free(old_info_hash, bytes);
@@ -708,11 +709,10 @@ fib_create_info(const struct rtmsg *r, struct kern_rta *rta,
                         goto failure;
         }
  
-       fi = kmalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
+       fi = kzalloc(sizeof(*fi)+nhs*sizeof(struct fib_nh), GFP_KERNEL);
         if (fi == NULL)
                 goto failure;
         fib_info_cnt++;
-       memset(fi, 0, sizeof(*fi)+nhs*sizeof(struct fib_nh));
  
         fi->fib_protocol = r->rtm_protocol;
  
@@ -820,7 +820,7 @@ link_it:
  
         fi->fib_treeref++;
         atomic_inc(&fi->fib_clntref);
-       write_lock(&fib_info_lock);
+       write_lock_bh(&fib_info_lock);
         hlist_add_head(&fi->fib_hash,
                        &fib_info_hash[fib_info_hashfn(fi)]);
         if (fi->fib_prefsrc) {
@@ -839,7 +839,7 @@ link_it:
                 head = &fib_info_devhash[hash];
                 hlist_add_head(&nh->nh_hash, head);
         } endfor_nexthops(fi)
-       write_unlock(&fib_info_lock);
+       write_unlock_bh(&fib_info_lock);
         return fi;
  
  err_inval:
@@ -961,10 +961,6 @@ fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
         rtm->rtm_protocol = fi->fib_protocol;
         if (fi->fib_priority)
                 RTA_PUT(skb, RTA_PRIORITY, 4, &fi->fib_priority);
-#ifdef CONFIG_NET_CLS_ROUTE
-       if (fi->fib_nh[0].nh_tclassid)
-               RTA_PUT(skb, RTA_FLOW, 4, &fi->fib_nh[0].nh_tclassid);
-#endif
         if (rtnetlink_put_metrics(skb, fi->fib_metrics) < 0)
                 goto rtattr_failure;
         if (fi->fib_prefsrc)
@@ -974,6 +970,10 @@ fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                         RTA_PUT(skb, RTA_GATEWAY, 4, &fi->fib_nh->nh_gw);
                 if (fi->fib_nh->nh_oif)
                         RTA_PUT(skb, RTA_OIF, sizeof(int), &fi->fib_nh->nh_oif);
+#ifdef CONFIG_NET_CLS_ROUTE
+               if (fi->fib_nh[0].nh_tclassid)
+                       RTA_PUT(skb, RTA_FLOW, 4, &fi->fib_nh[0].nh_tclassid);
+#endif
         }
  #ifdef CONFIG_IP_ROUTE_MULTIPATH
         if (fi->fib_nhs > 1) {
@@ -992,6 +992,10 @@ fib_dump_info(struct sk_buff *skb, u32 pid, u32 seq, int event,
                         nhp->rtnh_ifindex = nh->nh_oif;
                         if (nh->nh_gw)
                                 RTA_PUT(skb, RTA_GATEWAY, 4, &nh->nh_gw);
+#ifdef CONFIG_NET_CLS_ROUTE
+                       if (nh->nh_tclassid)
+                               RTA_PUT(skb, RTA_FLOW, 4, &nh->nh_tclassid);
+#endif
                         nhp->rtnh_len = skb->tail - (unsigned char*)nhp;
                 } endfor_nexthops(fi);
                 mp_head->rta_type = RTA_MULTIPATH;
@@ -1043,7 +1047,7 @@ fib_convert_rtentry(int cmd, struct nlmsghdr *nl, struct rtmsg *rtm,
         }
  
         nl->nlmsg_flags = NLM_F_REQUEST;
-       nl->nlmsg_pid = current->pid;
+       nl->nlmsg_pid = 0;
         nl->nlmsg_seq = 0;
         nl->nlmsg_len = NLMSG_LENGTH(sizeof(*rtm));
         if (cmd == SIOCDELRT) {