提交 dc327f89 编写于 作者: W WANG Cong 提交者: David S. Miller

net_sched: close another race condition in tcf_mirred_release()

We saw the following extra refcount release on veth device:

  kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1

Since we heavily use mirred action to redirect packets to veth, I think
this is caused by the following race condition:

CPU0:
tcf_mirred_release(): (in RCU callback)
	struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);

CPU1:
mirred_device_event():
        spin_lock_bh(&mirred_list_lock);
        list_for_each_entry(m, &mirred_list, tcfm_list) {
                if (rcu_access_pointer(m->tcfm_dev) == dev) {
                        dev_put(dev);
                        /* Note : no rcu grace period necessary, as
                         * net_device are already rcu protected.
                         */
                        RCU_INIT_POINTER(m->tcfm_dev, NULL);
                }
        }
        spin_unlock_bh(&mirred_list_lock);

CPU0:
tcf_mirred_release():
        spin_lock_bh(&mirred_list_lock);
        list_del(&m->tcfm_list);
        spin_unlock_bh(&mirred_list_lock);
        if (dev)               // <======== Stil refers to the old m->tcfm_dev
                dev_put(dev);  // <======== dev_put() is called on it again

The action init code path is good because it is impossible to modify
an action that is being removed.

So, fix this by moving everything under the spinlock.

Fixes: 2ee22a90 ("net_sched: act_mirred: remove spinlock in fast path")
Fixes: 6bd00b85 ("act_mirred: fix a race condition on mirred_list")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NCong Wang <xiyou.wangcong@gmail.com>
Acked-by: NJamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: NDavid S. Miller <davem@davemloft.net>
上级 03aaaa9b
...@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock); ...@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock);
static void tcf_mirred_release(struct tc_action *a, int bind) static void tcf_mirred_release(struct tc_action *a, int bind)
{ {
struct tcf_mirred *m = to_mirred(a); struct tcf_mirred *m = to_mirred(a);
struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1); struct net_device *dev;
/* We could be called either in a RCU callback or with RTNL lock held. */ /* We could be called either in a RCU callback or with RTNL lock held. */
spin_lock_bh(&mirred_list_lock); spin_lock_bh(&mirred_list_lock);
list_del(&m->tcfm_list); list_del(&m->tcfm_list);
spin_unlock_bh(&mirred_list_lock); dev = rcu_dereference_protected(m->tcfm_dev, 1);
if (dev) if (dev)
dev_put(dev); dev_put(dev);
spin_unlock_bh(&mirred_list_lock);
} }
static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = { static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = {
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册