OpenE2K/linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
bf1ecd2105
linux/net/sched
History
WANG Cong dc327f8931 net_sched: close another race condition in tcf_mirred_release() 
We saw the following extra refcount release on veth device:

  kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1

Since we heavily use mirred action to redirect packets to veth, I think
this is caused by the following race condition:

CPU0:
tcf_mirred_release(): (in RCU callback)
	struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);

CPU1:
mirred_device_event():
        spin_lock_bh(&mirred_list_lock);
        list_for_each_entry(m, &mirred_list, tcfm_list) {
                if (rcu_access_pointer(m->tcfm_dev) == dev) {
                        dev_put(dev);
                        /* Note : no rcu grace period necessary, as
                         * net_device are already rcu protected.
                         */
                        RCU_INIT_POINTER(m->tcfm_dev, NULL);
                }
        }
        spin_unlock_bh(&mirred_list_lock);

CPU0:
tcf_mirred_release():
        spin_lock_bh(&mirred_list_lock);
        list_del(&m->tcfm_list);
        spin_unlock_bh(&mirred_list_lock);
        if (dev)               // <======== Stil refers to the old m->tcfm_dev
                dev_put(dev);  // <======== dev_put() is called on it again

The action init code path is good because it is impossible to modify
an action that is being removed.

So, fix this by moving everything under the spinlock.

Fixes: 2ee22a90c7 ("net_sched: act_mirred: remove spinlock in fast path")
Fixes: 6bd00b8506 ("act_mirred: fix a race condition on mirred_list")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-17 12:40:28 -04:00
..
act_api.c
act_bpf.c bpf: wire in data and data_end for cls_act_bpf 2016-05-06 16:01:54 -04:00
act_connmark.c
act_csum.c
act_gact.c net/sched: act_gact: Update statistics when offloaded to hardware 2016-05-16 13:43:50 -04:00
act_ife.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
act_ipt.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
act_meta_mark.c
act_meta_skbprio.c
act_mirred.c net_sched: close another race condition in tcf_mirred_release() 2016-05-17 12:40:28 -04:00
act_nat.c
act_pedit.c
act_police.c
act_simple.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
act_skbedit.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
act_vlan.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
cls_api.c
cls_basic.c
cls_bpf.c bpf: wire in data and data_end for cls_act_bpf 2016-05-06 16:01:54 -04:00
cls_cgroup.c
cls_flow.c
cls_flower.c net/sched: cls_flower: Hardware offloaded filters statistics support 2016-05-16 13:43:50 -04:00
cls_fw.c
cls_route.c
cls_rsvp6.c
cls_rsvp.c
cls_rsvp.h
cls_tcindex.c
cls_u32.c net: cls_u32: Add support for skip-sw flag to tc u32 classifier. 2016-05-16 13:30:57 -04:00
em_canid.c
em_cmp.c
em_ipset.c
em_meta.c
em_nbyte.c
em_text.c
em_u32.c
ematch.c
Kconfig
Makefile
sch_api.c
sch_atm.c
sch_blackhole.c
sch_cbq.c
sch_choke.c
sch_codel.c
sch_drr.c
sch_dsmark.c
sch_fifo.c
sch_fq_codel.c fq_codel: fix memory limitation drift 2016-05-16 21:54:24 -04:00
sch_fq.c
sch_generic.c net: remove dev->trans_start 2016-05-04 14:16:50 -04:00
sch_gred.c
sch_hfsc.c
sch_hhf.c
sch_htb.c
sch_ingress.c
sch_mq.c
sch_mqprio.c
sch_multiq.c
sch_netem.c
sch_pie.c
sch_plug.c
sch_prio.c
sch_qfq.c
sch_red.c
sch_sfb.c
sch_sfq.c
sch_tbf.c
sch_teql.c