net: ipv4: fix infinite loop on secondary addr promotion
authorFlorian Westphal <fw@strlen.de>
Thu, 27 Jun 2019 12:03:32 +0000 (14:03 +0200)
committerDavid S. Miller <davem@davemloft.net>
Thu, 27 Jun 2019 16:54:34 +0000 (09:54 -0700)
secondary address promotion causes infinite loop -- it arranges
for ifa->ifa_next to point back to itself.

Problem is that 'prev_prom' and 'last_prim' might point at the same entry,
so 'last_sec' pointer must be obtained after prev_prom->next update.

Fixes: 2638eb8b50cf ("net: ipv4: provide __rcu annotation for ifa_list")
Reported-by: Ran Rozenstein <ranro@mellanox.com>
Reported-by: Tariq Toukan <tariqt@mellanox.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/ipv4/devinet.c

index 7874303220c504edcd705ed2fefbc0d9ec020397..137d1892395d3e9f9bb26ed532484b9737aaab8f 100644 (file)
@@ -428,8 +428,9 @@ no_promotions:
                if (prev_prom) {
                        struct in_ifaddr *last_sec;
 
-                       last_sec = rtnl_dereference(last_prim->ifa_next);
                        rcu_assign_pointer(prev_prom->ifa_next, next_sec);
+
+                       last_sec = rtnl_dereference(last_prim->ifa_next);
                        rcu_assign_pointer(promote->ifa_next, last_sec);
                        rcu_assign_pointer(last_prim->ifa_next, promote);
                }