kernel-2.6.18-128.29.1.el5.src.rpm

From: Brad Peters <bpeters@redhat.com>
Date: Thu, 31 Jul 2008 11:20:31 -0400
Subject: [net] race between neigh_timer_handler and neigh_update
Message-id: 20080731152031.6492.43654.sendpatchset@squad5-lp1.lab.bos.redhat.com
O-Subject: [PATCH RHEL5.3] Fix for race between neigh_timer_handler and neigh_update
Bugzilla: 440555
RH-Acked-by: Neil Horman <nhorman@redhat.com>
RH-Acked-by: David Howells <dhowells@redhat.com>

RHBZ#:
======
https://bugzilla.redhat.com/show_bug.cgi?id=440555

Description:
===========
neigh_update sends skb from neigh->arp_queue while neigh_timer_handler
has increased the skb's refcount and calls solicit with the
skb. neigh_timer_handler should not increase the skb's refcount but make a
copy of the skb and do solicit with the copy.

RHEL Version Found:
================
RHEL 5.1

kABI Status:
============
No symbols were harmed.

Brew:
=====
Built on all platforms.
http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1386630

Upstream Status:
================
Backported from:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=7e36763b2c204d59de4e88087f84a2c0c8421f25

Test Status:
============
Fix confirmed by Ping Tian Han <IBM> through 22+ hours of the
same ST test which uncovered the bug.
===============================================================

Brad Peters 1-978-392-1000 x 23183
IBM on-site partner.

Proposed Patch:
===============
This patch is based on 2.6.18-95.el5

diff --git a/net/core/neighbour.c b/net/core/neighbour.c
index f76696e..74e9d51 100644
--- a/net/core/neighbour.c
+++ b/net/core/neighbour.c
@@ -812,7 +812,7 @@ static void neigh_timer_handler(unsigned long arg)
 		struct sk_buff *skb = skb_peek(&neigh->arp_queue);
 		/* keep skb alive even if arp_queue overflows */
 		if (skb)
-			skb_get(skb);
+			skb = skb_copy(skb, GFP_ATOMIC);
 		write_unlock(&neigh->lock);
 		neigh->ops->solicit(neigh, skb);
 		atomic_inc(&neigh->probes);
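
Review bot: skb_copy(skb, GFP_ATOMIC) in neigh_timer_handler can return NULL on allocation failure, and the result is passed unchecked to neigh->ops->solicit(neigh, skb). The existing `if (skb)` guard shows solicit is already called with a NULL skb when arp_queue is empty, so this is not a new NULL dereference, but under memory pressure the probe silently goes out without the queued packet; that fallback should be stated in the description or in a comment. The comment "keep skb alive even if arp_queue overflows" is also stale: the change no longer pins the queued skb, it works on a private copy so that neigh_update can send the original concurrently, and the comment should say that. Finally, the hunk does not show where the copy is released; confirm the code after atomic_inc(&neigh->probes) frees it and tolerates a NULL skb, otherwise every timer-driven probe leaks one skb.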