Skip to content

Commit 328fbe7

Browse files
Kirill Tkhaidavem330
Kirill Tkhai
authored and
davem330
committed
net: Close race between {un, }register_netdevice_notifier() and setup_net()/cleanup_net()
{un,}register_netdevice_notifier() iterate over all net namespaces hashed to net_namespace_list. But pernet_operations register and unregister netdevices in unhashed net namespace, and they are not seen for netdevice notifiers. This results in asymmetry: 1)Race with register_netdevice_notifier() pernet_operations::init(net) ... register_netdevice() ... call_netdevice_notifiers() ... ... nb is not called ... ... register_netdevice_notifier(nb) -> net skipped ... ... list_add_tail(&net->list, ..) ... Then, userspace stops using net, and it's destructed: pernet_operations::exit(net) unregister_netdevice() call_netdevice_notifiers() ... nb is called ... This always happens with net::loopback_dev, but it may be not the only device. 2)Race with unregister_netdevice_notifier() pernet_operations::init(net) register_netdevice() call_netdevice_notifiers() ... nb is called ... Then, userspace stops using net, and it's destructed: list_del_rcu(&net->list) ... pernet_operations::exit(net) unregister_netdevice_notifier(nb) -> net skipped dev_change_net_namespace() ... call_netdevice_notifiers() ... nb is not called ... unregister_netdevice() call_netdevice_notifiers() ... nb is not called ... This race is more danger, since dev_change_net_namespace() moves real network devices, which use not trivial netdevice notifiers, and if this will happen, the system will be left in unpredictable state. The patch closes the race. During the testing I found two places, where register_netdevice_notifier() is called from pernet init/exit methods (which led to deadlock) and fixed them (see previous patches). The review moved me to one more unusual registration place: raw_init() (can driver). It may be a reason of problems, if someone creates in-kernel CAN_RAW sockets, since they will be destroyed in exit method and raw_release() will call unregister_netdevice_notifier(). But grep over kernel tree does not show, someone creates such sockets from kernel space. Theoretically, there can be more places like this, and which are hidden from review, but we found them on the first bumping there (since there is no a race, it will be 100% reproducible). Signed-off-by: Kirill Tkhai <[email protected]> Signed-off-by: David S. Miller <[email protected]>
1 parent 9e2f6c5 commit 328fbe7

File tree

1 file changed

+6
-0
lines changed

1 file changed

+6
-0
lines changed

net/core/dev.c

Lines changed: 6 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1625,6 +1625,8 @@ int register_netdevice_notifier(struct notifier_block *nb)
16251625
struct net *net;
16261626
int err;
16271627

1628+
/* Close race with setup_net() and cleanup_net() */
1629+
down_write(&pernet_ops_rwsem);
16281630
rtnl_lock();
16291631
err = raw_notifier_chain_register(&netdev_chain, nb);
16301632
if (err)
@@ -1649,6 +1651,7 @@ int register_netdevice_notifier(struct notifier_block *nb)
16491651

16501652
unlock:
16511653
rtnl_unlock();
1654+
up_write(&pernet_ops_rwsem);
16521655
return err;
16531656

16541657
rollback:
@@ -1694,6 +1697,8 @@ int unregister_netdevice_notifier(struct notifier_block *nb)
16941697
struct net *net;
16951698
int err;
16961699

1700+
/* Close race with setup_net() and cleanup_net() */
1701+
down_write(&pernet_ops_rwsem);
16971702
rtnl_lock();
16981703
err = raw_notifier_chain_unregister(&netdev_chain, nb);
16991704
if (err)
@@ -1713,6 +1718,7 @@ int unregister_netdevice_notifier(struct notifier_block *nb)
17131718
up_read(&net_rwsem);
17141719
unlock:
17151720
rtnl_unlock();
1721+
up_write(&pernet_ops_rwsem);
17161722
return err;
17171723
}
17181724
EXPORT_SYMBOL(unregister_netdevice_notifier);

0 commit comments

Comments
 (0)