OpenE2K/linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity
dc327f8931
linux/net
History
WANG Cong dc327f8931 net_sched: close another race condition in tcf_mirred_release() 
We saw the following extra refcount release on veth device:

  kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1

Since we heavily use mirred action to redirect packets to veth, I think
this is caused by the following race condition:

CPU0:
tcf_mirred_release(): (in RCU callback)
	struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);

CPU1:
mirred_device_event():
        spin_lock_bh(&mirred_list_lock);
        list_for_each_entry(m, &mirred_list, tcfm_list) {
                if (rcu_access_pointer(m->tcfm_dev) == dev) {
                        dev_put(dev);
                        /* Note : no rcu grace period necessary, as
                         * net_device are already rcu protected.
                         */
                        RCU_INIT_POINTER(m->tcfm_dev, NULL);
                }
        }
        spin_unlock_bh(&mirred_list_lock);

CPU0:
tcf_mirred_release():
        spin_lock_bh(&mirred_list_lock);
        list_del(&m->tcfm_list);
        spin_unlock_bh(&mirred_list_lock);
        if (dev)               // <======== Stil refers to the old m->tcfm_dev
                dev_put(dev);  // <======== dev_put() is called on it again

The action init code path is good because it is impossible to modify
an action that is being removed.

So, fix this by moving everything under the spinlock.

Fixes: 2ee22a90c7 ("net_sched: act_mirred: remove spinlock in fast path")
Fixes: 6bd00b8506 ("act_mirred: fix a race condition on mirred_list")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-05-17 12:40:28 -04:00
..
6lowpan 6lowpan: move mac802154 header 2016-04-13 10:41:10 +02:00
9p
802
8021q
appletalk
atm treewide: replace dev->trans_start update with helper 2016-05-04 14:16:49 -04:00
ax25
batman-adv batman-adv: use batadv_compare_eth when possible 2016-05-10 18:28:54 +08:00
bluetooth Bluetooth: fix power_on vs close race 2016-05-13 16:50:23 +02:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-09 15:59:24 -04:00
caif
can sock: enable timestamping using control messages 2016-04-04 15:50:30 -04:00
ceph libceph: make authorizer destruction independent of ceph_auth_client 2016-04-25 20:54:13 +02:00
core net: also make sch_handle_egress() drop monitor ready 2016-05-16 14:02:44 -04:00
dcb
dccp dccp: do not assume DCCP code is non preemptible 2016-05-02 17:02:25 -04:00
decnet decnet: Do not build routes to devices without decnet private data. 2016-04-10 23:01:30 -04:00
dns_resolver
dsa dsa: Rename switch chip data to cd 2016-05-11 19:36:28 -04:00
ethernet
hsr net/hsr: Use setup_timer and mod_timer. 2016-05-16 14:00:43 -04:00
ieee802154 Merge branch 'for-upstream' of git://git.kernel.org/pub/scm/linux/kernel/git/bluetooth/bluetooth-next 2016-04-26 13:15:56 -04:00
ipv4 tcp: minor optimizations around tcp_hdr() usage 2016-05-16 13:46:23 -04:00
ipv6 tcp: minor optimizations around tcp_hdr() usage 2016-05-16 13:46:23 -04:00
ipx
irda treewide: replace dev->trans_start update with helper 2016-05-04 14:16:49 -04:00
iucv
kcm
key
l2tp Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-04 00:52:29 -04:00
l3mdev net: l3mdev: Allow send on enslaved interface 2016-05-09 22:33:52 -04:00
lapb
llc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-09 15:59:24 -04:00
mac80211 Some more work for 4.7, notably: 2016-05-12 11:46:58 -04:00
mac802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next 2016-03-19 10:05:34 -07:00
mpls GSO: Add GSO type for fixed IPv4 ID 2016-04-14 16:23:40 -04:00
netfilter Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
netlabel
netlink netlink: Fix dump skb leak/double free 2016-05-16 22:05:15 -04:00
netrom
nfc nfc: nci: Add nci_nfcc_loopback to the nci core 2016-05-04 01:48:16 +02:00
openvswitch Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-15 13:32:48 -04:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-04-23 18:51:33 -04:00
phonet
qrtr net: qrtr: fix build problems 2016-05-16 13:44:58 -04:00
rds Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-04 00:52:29 -04:00
rfkill rfkill: Use switch to demux userspace operations 2016-04-05 10:48:53 +02:00
rose
rxrpc net: udp: rename UDP_INC_STATS_BH() 2016-04-27 22:48:23 -04:00
sched net_sched: close another race condition in tcf_mirred_release() 2016-05-17 12:40:28 -04:00
sctp sctp: prepare for socket backlog behavior change 2016-05-02 17:02:26 -04:00
sunrpc sunrpc: set SOCK_FASYNC 2016-05-13 01:43:52 -04:00
switchdev net: switchdev: Drop EXPERIMENTAL from description 2016-05-14 17:06:37 -04:00
tipc tipc: fix nametable publication field in nl compat 2016-05-17 12:34:02 -04:00
unix
vmw_vsock Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-09 15:59:24 -04:00
wimax
wireless cfg80211: make wdev_list accessible to drivers 2016-05-12 11:16:40 +02:00
x25 net: fix a kernel infoleak in x25 module 2016-05-09 22:45:33 -04:00
xfrm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-09 15:59:24 -04:00
compat.c
Kconfig bpf: add generic constant blinding for use in jits 2016-05-16 13:49:32 -04:00
Makefile net: Add Qualcomm IPC router 2016-05-08 23:46:14 -04:00
socket.c tcp: remove SKBTX_ACK_TSTAMP since it is redundant 2016-04-28 16:06:10 -04:00
sysctl_net.c