aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorPavel Emelyanov <xemul@openvz.org>2008-06-27 23:06:08 -0400
committerDavid S. Miller <davem@davemloft.net>2008-06-27 23:06:08 -0400
commit9a375803feaadb6c34e0807bd9325885dcca5c00 (patch)
treefba3b0835d1fb3211da1c1be9dd6d4508e6668a6 /net
parenta0a61a604c60c14accc3962ecfeee9acc7a3c08a (diff)
inet fragments: fix race between inet_frag_find and inet_frag_secret_rebuild
The problem is that while we work w/o the inet_frags.lock even read-locked the secret rebuild timer may occur (on another CPU, since BHs are still disabled in the inet_frag_find) and change the rnd seed for ipv4/6 fragments. It was caused by my patch fd9e63544cac30a34c951f0ec958038f0529e244 ([INET]: Omit double hash calculations in xxx_frag_intern) late in the 2.6.24 kernel, so this should probably be queued to -stable. Signed-off-by: Pavel Emelyanov <xemul@openvz.org> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r--net/ipv4/inet_fragment.c16
-rw-r--r--net/ipv4/ip_fragment.c2
-rw-r--r--net/ipv6/netfilter/nf_conntrack_reasm.c3
-rw-r--r--net/ipv6/reassembly.c2
4 files changed, 17 insertions, 6 deletions
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 4ed429bd595..0546a0bc97e 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -192,14 +192,21 @@ EXPORT_SYMBOL(inet_frag_evictor);
192 192
193static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf, 193static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf,
194 struct inet_frag_queue *qp_in, struct inet_frags *f, 194 struct inet_frag_queue *qp_in, struct inet_frags *f,
195 unsigned int hash, void *arg) 195 void *arg)
196{ 196{
197 struct inet_frag_queue *qp; 197 struct inet_frag_queue *qp;
198#ifdef CONFIG_SMP 198#ifdef CONFIG_SMP
199 struct hlist_node *n; 199 struct hlist_node *n;
200#endif 200#endif
201 unsigned int hash;
201 202
202 write_lock(&f->lock); 203 write_lock(&f->lock);
204 /*
205 * While we stayed w/o the lock other CPU could update
206 * the rnd seed, so we need to re-calculate the hash
207 * chain. Fortunatelly the qp_in can be used to get one.
208 */
209 hash = f->hashfn(qp_in);
203#ifdef CONFIG_SMP 210#ifdef CONFIG_SMP
204 /* With SMP race we have to recheck hash table, because 211 /* With SMP race we have to recheck hash table, because
205 * such entry could be created on other cpu, while we 212 * such entry could be created on other cpu, while we
@@ -247,7 +254,7 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf,
247} 254}
248 255
249static struct inet_frag_queue *inet_frag_create(struct netns_frags *nf, 256static struct inet_frag_queue *inet_frag_create(struct netns_frags *nf,
250 struct inet_frags *f, void *arg, unsigned int hash) 257 struct inet_frags *f, void *arg)
251{ 258{
252 struct inet_frag_queue *q; 259 struct inet_frag_queue *q;
253 260
@@ -255,7 +262,7 @@ static struct inet_frag_queue *inet_frag_create(struct netns_frags *nf,
255 if (q == NULL) 262 if (q == NULL)
256 return NULL; 263 return NULL;
257 264
258 return inet_frag_intern(nf, q, f, hash, arg); 265 return inet_frag_intern(nf, q, f, arg);
259} 266}
260 267
261struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, 268struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
@@ -264,7 +271,6 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
264 struct inet_frag_queue *q; 271 struct inet_frag_queue *q;
265 struct hlist_node *n; 272 struct hlist_node *n;
266 273
267 read_lock(&f->lock);
268 hlist_for_each_entry(q, n, &f->hash[hash], list) { 274 hlist_for_each_entry(q, n, &f->hash[hash], list) {
269 if (q->net == nf && f->match(q, key)) { 275 if (q->net == nf && f->match(q, key)) {
270 atomic_inc(&q->refcnt); 276 atomic_inc(&q->refcnt);
@@ -274,6 +280,6 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf,
274 } 280 }
275 read_unlock(&f->lock); 281 read_unlock(&f->lock);
276 282
277 return inet_frag_create(nf, f, key, hash); 283 return inet_frag_create(nf, f, key);
278} 284}
279EXPORT_SYMBOL(inet_frag_find); 285EXPORT_SYMBOL(inet_frag_find);
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c
index cd6ce6ac635..37221f65915 100644
--- a/net/ipv4/ip_fragment.c
+++ b/net/ipv4/ip_fragment.c
@@ -229,6 +229,8 @@ static inline struct ipq *ip_find(struct net *net, struct iphdr *iph, u32 user)
229 229
230 arg.iph = iph; 230 arg.iph = iph;
231 arg.user = user; 231 arg.user = user;
232
233 read_lock(&ip4_frags.lock);
232 hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol); 234 hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol);
233 235
234 q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash); 236 q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash);
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c
index e65e26e210e..cf20bc4fd60 100644
--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
@@ -207,9 +207,10 @@ fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst)
207 arg.id = id; 207 arg.id = id;
208 arg.src = src; 208 arg.src = src;
209 arg.dst = dst; 209 arg.dst = dst;
210
211 read_lock_bh(&nf_frags.lock);
210 hash = ip6qhashfn(id, src, dst); 212 hash = ip6qhashfn(id, src, dst);
211 213
212 local_bh_disable();
213 q = inet_frag_find(&nf_init_frags, &nf_frags, &arg, hash); 214 q = inet_frag_find(&nf_init_frags, &nf_frags, &arg, hash);
214 local_bh_enable(); 215 local_bh_enable();
215 if (q == NULL) 216 if (q == NULL)
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c
index 798cabc7535..a60d7d12971 100644
--- a/net/ipv6/reassembly.c
+++ b/net/ipv6/reassembly.c
@@ -247,6 +247,8 @@ fq_find(struct net *net, __be32 id, struct in6_addr *src, struct in6_addr *dst,
247 arg.id = id; 247 arg.id = id;
248 arg.src = src; 248 arg.src = src;
249 arg.dst = dst; 249 arg.dst = dst;
250
251 read_lock(&ip6_frags.lock);
250 hash = ip6qhashfn(id, src, dst); 252 hash = ip6qhashfn(id, src, dst);
251 253
252 q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash); 254 q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash);