diff options
| author | Eric Dumazet <edumazet@google.com> | 2015-12-03 00:53:57 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2015-12-03 11:32:06 -0500 |
| commit | 6bd4f355df2eae80b8a5c7b097371cd1e05f20d5 (patch) | |
| tree | e903f55cdcc87ed834790e4f257d407f886a9d23 /net/core/sock.c | |
| parent | c836a8ba93869d6a0290a6ae0047fbef09066871 (diff) | |
ipv6: kill sk_dst_lock
While testing the np->opt RCU conversion, I found that UDP/IPv6 was
using a mixture of xchg() and sk_dst_lock to protect concurrent changes
to sk->sk_dst_cache, leading to possible corruptions and crashes.
ip6_sk_dst_lookup_flow() uses sk_dst_check() anyway, so the simplest
way to fix the mess is to remove sk_dst_lock completely, as we did for
IPv4.
__ip6_dst_store() and ip6_dst_store() share same implementation.
sk_setup_caps() being called with socket lock being held or not,
we have to use sk_dst_set() instead of __sk_dst_set()
Note that I had to move the "np->dst_cookie = rt6_get_cookie(rt);"
in ip6_dst_store() before the sk_setup_caps(sk, dst) call.
This is because ip6_dst_store() can be called from process context,
without any lock held.
As soon as the dst is installed in sk->sk_dst_cache, dst can be freed
from another cpu doing a concurrent ip6_dst_store()
Doing the dst dereference before doing the install is needed to make
sure no use after free would trigger.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/core/sock.c')
| -rw-r--r-- | net/core/sock.c | 4 |
1 files changed, 1 insertions, 3 deletions
diff --git a/net/core/sock.c b/net/core/sock.c index 9d79569935a3..e31dfcee1729 100644 --- a/net/core/sock.c +++ b/net/core/sock.c | |||
| @@ -1530,7 +1530,6 @@ struct sock *sk_clone_lock(const struct sock *sk, const gfp_t priority) | |||
| 1530 | skb_queue_head_init(&newsk->sk_receive_queue); | 1530 | skb_queue_head_init(&newsk->sk_receive_queue); |
| 1531 | skb_queue_head_init(&newsk->sk_write_queue); | 1531 | skb_queue_head_init(&newsk->sk_write_queue); |
| 1532 | 1532 | ||
| 1533 | spin_lock_init(&newsk->sk_dst_lock); | ||
| 1534 | rwlock_init(&newsk->sk_callback_lock); | 1533 | rwlock_init(&newsk->sk_callback_lock); |
| 1535 | lockdep_set_class_and_name(&newsk->sk_callback_lock, | 1534 | lockdep_set_class_and_name(&newsk->sk_callback_lock, |
| 1536 | af_callback_keys + newsk->sk_family, | 1535 | af_callback_keys + newsk->sk_family, |
| @@ -1607,7 +1606,7 @@ void sk_setup_caps(struct sock *sk, struct dst_entry *dst) | |||
| 1607 | { | 1606 | { |
| 1608 | u32 max_segs = 1; | 1607 | u32 max_segs = 1; |
| 1609 | 1608 | ||
| 1610 | __sk_dst_set(sk, dst); | 1609 | sk_dst_set(sk, dst); |
| 1611 | sk->sk_route_caps = dst->dev->features; | 1610 | sk->sk_route_caps = dst->dev->features; |
| 1612 | if (sk->sk_route_caps & NETIF_F_GSO) | 1611 | if (sk->sk_route_caps & NETIF_F_GSO) |
| 1613 | sk->sk_route_caps |= NETIF_F_GSO_SOFTWARE; | 1612 | sk->sk_route_caps |= NETIF_F_GSO_SOFTWARE; |
| @@ -2388,7 +2387,6 @@ void sock_init_data(struct socket *sock, struct sock *sk) | |||
| 2388 | } else | 2387 | } else |
| 2389 | sk->sk_wq = NULL; | 2388 | sk->sk_wq = NULL; |
| 2390 | 2389 | ||
| 2391 | spin_lock_init(&sk->sk_dst_lock); | ||
| 2392 | rwlock_init(&sk->sk_callback_lock); | 2390 | rwlock_init(&sk->sk_callback_lock); |
| 2393 | lockdep_set_class_and_name(&sk->sk_callback_lock, | 2391 | lockdep_set_class_and_name(&sk->sk_callback_lock, |
| 2394 | af_callback_keys + sk->sk_family, | 2392 | af_callback_keys + sk->sk_family, |