diff options
author | Pavel Emelyanov <xemul@openvz.org> | 2008-06-27 23:06:08 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2008-06-27 23:06:08 -0400 |
commit | 9a375803feaadb6c34e0807bd9325885dcca5c00 (patch) | |
tree | fba3b0835d1fb3211da1c1be9dd6d4508e6668a6 /net | |
parent | a0a61a604c60c14accc3962ecfeee9acc7a3c08a (diff) |
inet fragments: fix race between inet_frag_find and inet_frag_secret_rebuild
The problem is that while we work w/o the inet_frags.lock even
read-locked the secret rebuild timer may occur (on another CPU, since
BHs are still disabled in the inet_frag_find) and change the rnd seed
for ipv4/6 fragments.
It was caused by my patch fd9e63544cac30a34c951f0ec958038f0529e244
([INET]: Omit double hash calculations in xxx_frag_intern) late
in the 2.6.24 kernel, so this should probably be queued to -stable.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/ipv4/inet_fragment.c | 16 | ||||
-rw-r--r-- | net/ipv4/ip_fragment.c | 2 | ||||
-rw-r--r-- | net/ipv6/netfilter/nf_conntrack_reasm.c | 3 | ||||
-rw-r--r-- | net/ipv6/reassembly.c | 2 |
4 files changed, 17 insertions, 6 deletions
diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c index 4ed429bd595..0546a0bc97e 100644 --- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c | |||
@@ -192,14 +192,21 @@ EXPORT_SYMBOL(inet_frag_evictor); | |||
192 | 192 | ||
193 | static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf, | 193 | static struct inet_frag_queue *inet_frag_intern(struct netns_frags *nf, |
194 | struct inet_frag_queue *qp_in, struct inet_frags *f, | 194 | struct inet_frag_queue *qp_in, struct inet_frags *f, |
195 | unsigned int hash, void *arg) | 195 | void *arg) |
196 | { | 196 | { |
197 | struct inet_frag_queue *qp; | 197 | struct inet_frag_queue *qp; |
198 | #ifdef CONFIG_SMP | 198 | #ifdef CONFIG_SMP |
199 | struct hlist_node *n; | 199 | struct hlist_node *n; |
200 | #endif | 200 | #endif |
201 | unsigned int hash; | ||
201 | 202 | ||
202 | write_lock(&f->lock); | 203 | write_lock(&f->lock); |
204 | /* | ||
205 | * While we stayed w/o the lock other CPU could update | ||
206 | * the rnd seed, so we need to re-calculate the hash | ||
207 | * chain. Fortunatelly the qp_in can be used to get one. | ||
208 | */ | ||
209 | hash = f->hashfn(qp_in); | ||
203 | #ifdef CONFIG_SMP | 210 | #ifdef CONFIG_SMP |
204 | /* With SMP race we have to recheck hash table, because | 211 | /* With SMP race we have to recheck hash table, because |
205 | * such entry could be created on other cpu, while we | 212 | * such entry could be created on other cpu, while we |
@@ -247,7 +254,7 @@ static struct inet_frag_queue *inet_frag_alloc(struct netns_frags *nf, | |||
247 | } | 254 | } |
248 | 255 | ||
249 | static struct inet_frag_queue *inet_frag_create(struct netns_frags *nf, | 256 | static struct inet_frag_queue *inet_frag_create(struct netns_frags *nf, |
250 | struct inet_frags *f, void *arg, unsigned int hash) | 257 | struct inet_frags *f, void *arg) |
251 | { | 258 | { |
252 | struct inet_frag_queue *q; | 259 | struct inet_frag_queue *q; |
253 | 260 | ||
@@ -255,7 +262,7 @@ static struct inet_frag_queue *inet_frag_create(struct netns_frags *nf, | |||
255 | if (q == NULL) | 262 | if (q == NULL) |
256 | return NULL; | 263 | return NULL; |
257 | 264 | ||
258 | return inet_frag_intern(nf, q, f, hash, arg); | 265 | return inet_frag_intern(nf, q, f, arg); |
259 | } | 266 | } |
260 | 267 | ||
261 | struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, | 268 | struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, |
@@ -264,7 +271,6 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, | |||
264 | struct inet_frag_queue *q; | 271 | struct inet_frag_queue *q; |
265 | struct hlist_node *n; | 272 | struct hlist_node *n; |
266 | 273 | ||
267 | read_lock(&f->lock); | ||
268 | hlist_for_each_entry(q, n, &f->hash[hash], list) { | 274 | hlist_for_each_entry(q, n, &f->hash[hash], list) { |
269 | if (q->net == nf && f->match(q, key)) { | 275 | if (q->net == nf && f->match(q, key)) { |
270 | atomic_inc(&q->refcnt); | 276 | atomic_inc(&q->refcnt); |
@@ -274,6 +280,6 @@ struct inet_frag_queue *inet_frag_find(struct netns_frags *nf, | |||
274 | } | 280 | } |
275 | read_unlock(&f->lock); | 281 | read_unlock(&f->lock); |
276 | 282 | ||
277 | return inet_frag_create(nf, f, key, hash); | 283 | return inet_frag_create(nf, f, key); |
278 | } | 284 | } |
279 | EXPORT_SYMBOL(inet_frag_find); | 285 | EXPORT_SYMBOL(inet_frag_find); |
diff --git a/net/ipv4/ip_fragment.c b/net/ipv4/ip_fragment.c index cd6ce6ac635..37221f65915 100644 --- a/net/ipv4/ip_fragment.c +++ b/net/ipv4/ip_fragment.c | |||
@@ -229,6 +229,8 @@ static inline struct ipq *ip_find(struct net *net, struct iphdr *iph, u32 user) | |||
229 | 229 | ||
230 | arg.iph = iph; | 230 | arg.iph = iph; |
231 | arg.user = user; | 231 | arg.user = user; |
232 | |||
233 | read_lock(&ip4_frags.lock); | ||
232 | hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol); | 234 | hash = ipqhashfn(iph->id, iph->saddr, iph->daddr, iph->protocol); |
233 | 235 | ||
234 | q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash); | 236 | q = inet_frag_find(&net->ipv4.frags, &ip4_frags, &arg, hash); |
diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c index e65e26e210e..cf20bc4fd60 100644 --- a/net/ipv6/netfilter/nf_conntrack_reasm.c +++ b/net/ipv6/netfilter/nf_conntrack_reasm.c | |||
@@ -207,9 +207,10 @@ fq_find(__be32 id, struct in6_addr *src, struct in6_addr *dst) | |||
207 | arg.id = id; | 207 | arg.id = id; |
208 | arg.src = src; | 208 | arg.src = src; |
209 | arg.dst = dst; | 209 | arg.dst = dst; |
210 | |||
211 | read_lock_bh(&nf_frags.lock); | ||
210 | hash = ip6qhashfn(id, src, dst); | 212 | hash = ip6qhashfn(id, src, dst); |
211 | 213 | ||
212 | local_bh_disable(); | ||
213 | q = inet_frag_find(&nf_init_frags, &nf_frags, &arg, hash); | 214 | q = inet_frag_find(&nf_init_frags, &nf_frags, &arg, hash); |
214 | local_bh_enable(); | 215 | local_bh_enable(); |
215 | if (q == NULL) | 216 | if (q == NULL) |
diff --git a/net/ipv6/reassembly.c b/net/ipv6/reassembly.c index 798cabc7535..a60d7d12971 100644 --- a/net/ipv6/reassembly.c +++ b/net/ipv6/reassembly.c | |||
@@ -247,6 +247,8 @@ fq_find(struct net *net, __be32 id, struct in6_addr *src, struct in6_addr *dst, | |||
247 | arg.id = id; | 247 | arg.id = id; |
248 | arg.src = src; | 248 | arg.src = src; |
249 | arg.dst = dst; | 249 | arg.dst = dst; |
250 | |||
251 | read_lock(&ip6_frags.lock); | ||
250 | hash = ip6qhashfn(id, src, dst); | 252 | hash = ip6qhashfn(id, src, dst); |
251 | 253 | ||
252 | q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash); | 254 | q = inet_frag_find(&net->ipv6.frags, &ip6_frags, &arg, hash); |