Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

bonding: fix bonding_masters race condition in bond unloading

While the bonding module is unloading, it is considered that after
rtnl_link_unregister all bond devices are destroyed but since no
synchronization mechanism exists, a new bond device can be created
via bonding_masters before unregister_pernet_subsys which would
lead to multiple problems (e.g. NULL pointer dereference, wrong RIP,
list corruption).

This patch fixes the issue by removing any bond devices left in the
netns after bonding_masters is removed from sysfs.

Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com>
Acked-by: Veaceslav Falico <vfalico@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

authored by nikolay@redhat.com and committed by David S. Miller
69b0216a ffcdedb6

+9
drivers/net/bonding/bond_main.c
··· 4846 4846 static void __net_exit bond_net_exit(struct net *net) 4847 4847 { 4848 4848 struct bond_net *bn = net_generic(net, bond_net_id); 4849 + struct bonding *bond, *tmp_bond; 4850 + LIST_HEAD(list); 4849 4851 4850 4852 bond_destroy_sysfs(bn); 4851 4853 bond_destroy_proc_dir(bn); 4854 + 4855 + /* Kill off any bonds created after unregistering bond rtnl ops */ 4856 + rtnl_lock(); 4857 + list_for_each_entry_safe(bond, tmp_bond, &bn->dev_list, bond_list) 4858 + unregister_netdevice_queue(bond->dev, &list); 4859 + unregister_netdevice_many(&list); 4860 + rtnl_unlock(); 4852 4861 } 4853 4862 4854 4863 static struct pernet_operations bond_net_ops = {
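Review bot: the comment added above rtnl_lock() in bond_net_exit() should state the ordering this sweep depends on. It is only complete because it runs after bond_destroy_sysfs(bn), the point at which bonding_masters can no longer be used to create a device in this netns; a later reordering of these calls would silently reopen the race. Something like "bonding_masters is gone, so no new bonds can appear; kill off any created after the rtnl ops were unregistered" would record that. Separately, bond_destroy_proc_dir(bn) still runs before the leftover bonds are unregistered, so it is worth confirming that tearing down the per-netns proc directory while entries in &bn->dev_list are still registered is safe, or moving that call below rtnl_unlock(). Minor: unregister_netdevice_queue() only queues onto the local list here, so the _safe iterator is defensive rather than required; that is fine, but a word in the comment would save the next reader from wondering.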