aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorEric Dumazet <edumazet@google.com>2012-07-29 19:20:37 -0400
committerDavid S. Miller <davem@davemloft.net>2012-07-30 17:53:22 -0400
commit404e0a8b6a55d5e1cd138c6deb1bca9abdf75d8c (patch)
tree38e9748d38c415cc97b973fecb9279cd43f76393
parentcca32e4bf999a34ac08d959f351f2b30bcd02460 (diff)
net: ipv4: fix RCU races on dst refcounts
commit c6cffba4ffa2 (ipv4: Fix input route performance regression.) added various fatal races with dst refcounts. crashes happen on tcp workloads if routes are added/deleted at the same time. The dst_free() calls from free_fib_info_rcu() are clearly racy. We need instead regular dst refcounting (dst_release()) and make sure dst_release() is aware of RCU grace periods : Add DST_RCU_FREE flag so that dst_release() respects an RCU grace period before dst destruction for cached dst Introduce a new inet_sk_rx_dst_set() helper, using atomic_inc_not_zero() to make sure we dont increase a zero refcount (On a dst currently waiting an rcu grace period before destruction) rt_cache_route() must take a reference on the new cached route, and release it if was not able to install it. With this patch, my machines survive various benchmarks. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--include/net/dst.h7
-rw-r--r--include/net/inet_sock.h13
-rw-r--r--net/core/dst.c26
-rw-r--r--net/decnet/dn_route.c6
-rw-r--r--net/ipv4/fib_semantics.c4
-rw-r--r--net/ipv4/route.c16
-rw-r--r--net/ipv4/tcp_input.c3
-rw-r--r--net/ipv4/tcp_ipv4.c12
-rw-r--r--net/ipv4/tcp_minisocks.c3
9 files changed, 55 insertions, 35 deletions
diff --git a/include/net/dst.h b/include/net/dst.h
index baf597890064..31a9fd39edb6 100644
--- a/include/net/dst.h
+++ b/include/net/dst.h
@@ -61,6 +61,7 @@ struct dst_entry {
61#define DST_NOPEER 0x0040 61#define DST_NOPEER 0x0040
62#define DST_FAKE_RTABLE 0x0080 62#define DST_FAKE_RTABLE 0x0080
63#define DST_XFRM_TUNNEL 0x0100 63#define DST_XFRM_TUNNEL 0x0100
64#define DST_RCU_FREE 0x0200
64 65
65 unsigned short pending_confirm; 66 unsigned short pending_confirm;
66 67
@@ -382,12 +383,6 @@ static inline void dst_free(struct dst_entry *dst)
382 __dst_free(dst); 383 __dst_free(dst);
383} 384}
384 385
385static inline void dst_rcu_free(struct rcu_head *head)
386{
387 struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);
388 dst_free(dst);
389}
390
391static inline void dst_confirm(struct dst_entry *dst) 386static inline void dst_confirm(struct dst_entry *dst)
392{ 387{
393 dst->pending_confirm = 1; 388 dst->pending_confirm = 1;
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h
index 613cfa401672..e3fd34c83ac9 100644
--- a/include/net/inet_sock.h
+++ b/include/net/inet_sock.h
@@ -249,4 +249,17 @@ static inline __u8 inet_sk_flowi_flags(const struct sock *sk)
249 return flags; 249 return flags;
250} 250}
251 251
252static inline void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb)
253{
254 struct dst_entry *dst = skb_dst(skb);
255
256 if (atomic_inc_not_zero(&dst->__refcnt)) {
257 if (!(dst->flags & DST_RCU_FREE))
258 dst->flags |= DST_RCU_FREE;
259
260 sk->sk_rx_dst = dst;
261 inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
262 }
263}
264
252#endif /* _INET_SOCK_H */ 265#endif /* _INET_SOCK_H */
diff --git a/net/core/dst.c b/net/core/dst.c
index 069d51d29414..d9e33ebe170f 100644
--- a/net/core/dst.c
+++ b/net/core/dst.c
@@ -258,6 +258,15 @@ again:
258} 258}
259EXPORT_SYMBOL(dst_destroy); 259EXPORT_SYMBOL(dst_destroy);
260 260
261static void dst_rcu_destroy(struct rcu_head *head)
262{
263 struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);
264
265 dst = dst_destroy(dst);
266 if (dst)
267 __dst_free(dst);
268}
269
261void dst_release(struct dst_entry *dst) 270void dst_release(struct dst_entry *dst)
262{ 271{
263 if (dst) { 272 if (dst) {
@@ -265,10 +274,14 @@ void dst_release(struct dst_entry *dst)
265 274
266 newrefcnt = atomic_dec_return(&dst->__refcnt); 275 newrefcnt = atomic_dec_return(&dst->__refcnt);
267 WARN_ON(newrefcnt < 0); 276 WARN_ON(newrefcnt < 0);
268 if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) { 277 if (unlikely(dst->flags & (DST_NOCACHE | DST_RCU_FREE)) && !newrefcnt) {
269 dst = dst_destroy(dst); 278 if (dst->flags & DST_RCU_FREE) {
270 if (dst) 279 call_rcu_bh(&dst->rcu_head, dst_rcu_destroy);
271 __dst_free(dst); 280 } else {
281 dst = dst_destroy(dst);
282 if (dst)
283 __dst_free(dst);
284 }
272 } 285 }
273 } 286 }
274} 287}
@@ -320,11 +333,14 @@ EXPORT_SYMBOL(__dst_destroy_metrics_generic);
320 */ 333 */
321void skb_dst_set_noref(struct sk_buff *skb, struct dst_entry *dst) 334void skb_dst_set_noref(struct sk_buff *skb, struct dst_entry *dst)
322{ 335{
336 bool hold;
337
323 WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); 338 WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
324 /* If dst not in cache, we must take a reference, because 339 /* If dst not in cache, we must take a reference, because
325 * dst_release() will destroy dst as soon as its refcount becomes zero 340 * dst_release() will destroy dst as soon as its refcount becomes zero
326 */ 341 */
327 if (unlikely(dst->flags & DST_NOCACHE)) { 342 hold = (dst->flags & (DST_NOCACHE | DST_RCU_FREE)) == DST_NOCACHE;
343 if (unlikely(hold)) {
328 dst_hold(dst); 344 dst_hold(dst);
329 skb_dst_set(skb, dst); 345 skb_dst_set(skb, dst);
330 } else { 346 } else {
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index 85a3604c87c8..26719779ad8e 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -184,6 +184,12 @@ static __inline__ unsigned int dn_hash(__le16 src, __le16 dst)
184 return dn_rt_hash_mask & (unsigned int)tmp; 184 return dn_rt_hash_mask & (unsigned int)tmp;
185} 185}
186 186
187static inline void dst_rcu_free(struct rcu_head *head)
188{
189 struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);
190 dst_free(dst);
191}
192
187static inline void dnrt_free(struct dn_route *rt) 193static inline void dnrt_free(struct dn_route *rt)
188{ 194{
189 call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); 195 call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index da0cc2e6b250..e55171f184f9 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -172,9 +172,9 @@ static void free_fib_info_rcu(struct rcu_head *head)
172 if (nexthop_nh->nh_exceptions) 172 if (nexthop_nh->nh_exceptions)
173 free_nh_exceptions(nexthop_nh); 173 free_nh_exceptions(nexthop_nh);
174 if (nexthop_nh->nh_rth_output) 174 if (nexthop_nh->nh_rth_output)
175 dst_free(&nexthop_nh->nh_rth_output->dst); 175 dst_release(&nexthop_nh->nh_rth_output->dst);
176 if (nexthop_nh->nh_rth_input) 176 if (nexthop_nh->nh_rth_input)
177 dst_free(&nexthop_nh->nh_rth_input->dst); 177 dst_release(&nexthop_nh->nh_rth_input->dst);
178 } endfor_nexthops(fi); 178 } endfor_nexthops(fi);
179 179
180 release_net(fi->fib_net); 180 release_net(fi->fib_net);
diff --git a/net/ipv4/route.c b/net/ipv4/route.c
index fc1a81ca79a7..d6eabcfe8a90 100644
--- a/net/ipv4/route.c
+++ b/net/ipv4/route.c
@@ -1199,11 +1199,6 @@ restart:
1199 fnhe->fnhe_stamp = jiffies; 1199 fnhe->fnhe_stamp = jiffies;
1200} 1200}
1201 1201
1202static inline void rt_free(struct rtable *rt)
1203{
1204 call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
1205}
1206
1207static void rt_cache_route(struct fib_nh *nh, struct rtable *rt) 1202static void rt_cache_route(struct fib_nh *nh, struct rtable *rt)
1208{ 1203{
1209 struct rtable *orig, *prev, **p = &nh->nh_rth_output; 1204 struct rtable *orig, *prev, **p = &nh->nh_rth_output;
@@ -1213,17 +1208,14 @@ static void rt_cache_route(struct fib_nh *nh, struct rtable *rt)
1213 1208
1214 orig = *p; 1209 orig = *p;
1215 1210
1211 rt->dst.flags |= DST_RCU_FREE;
1212 dst_hold(&rt->dst);
1216 prev = cmpxchg(p, orig, rt); 1213 prev = cmpxchg(p, orig, rt);
1217 if (prev == orig) { 1214 if (prev == orig) {
1218 if (orig) 1215 if (orig)
1219 rt_free(orig); 1216 dst_release(&orig->dst);
1220 } else { 1217 } else {
1221 /* Routes we intend to cache in the FIB nexthop have 1218 dst_release(&rt->dst);
1222 * the DST_NOCACHE bit clear. However, if we are
1223 * unsuccessful at storing this route into the cache
1224 * we really need to set it.
1225 */
1226 rt->dst.flags |= DST_NOCACHE;
1227 } 1219 }
1228} 1220}
1229 1221
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index a356e1fecf9a..9be30b039ae3 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -5604,8 +5604,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb)
5604 tcp_set_state(sk, TCP_ESTABLISHED); 5604 tcp_set_state(sk, TCP_ESTABLISHED);
5605 5605
5606 if (skb != NULL) { 5606 if (skb != NULL) {
5607 sk->sk_rx_dst = dst_clone(skb_dst(skb)); 5607 inet_sk_rx_dst_set(sk, skb);
5608 inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
5609 security_inet_conn_established(sk, skb); 5608 security_inet_conn_established(sk, skb);
5610 } 5609 }
5611 5610
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 2fbd9921253f..7f91e5ac8277 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1617,19 +1617,19 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb)
1617#endif 1617#endif
1618 1618
1619 if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */ 1619 if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */
1620 struct dst_entry *dst = sk->sk_rx_dst;
1621
1620 sock_rps_save_rxhash(sk, skb); 1622 sock_rps_save_rxhash(sk, skb);
1621 if (sk->sk_rx_dst) { 1623 if (dst) {
1622 struct dst_entry *dst = sk->sk_rx_dst;
1623 if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif || 1624 if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif ||
1624 dst->ops->check(dst, 0) == NULL) { 1625 dst->ops->check(dst, 0) == NULL) {
1625 dst_release(dst); 1626 dst_release(dst);
1626 sk->sk_rx_dst = NULL; 1627 sk->sk_rx_dst = NULL;
1627 } 1628 }
1628 } 1629 }
1629 if (unlikely(sk->sk_rx_dst == NULL)) { 1630 if (unlikely(sk->sk_rx_dst == NULL))
1630 sk->sk_rx_dst = dst_clone(skb_dst(skb)); 1631 inet_sk_rx_dst_set(sk, skb);
1631 inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; 1632
1632 }
1633 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) { 1633 if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) {
1634 rsk = sk; 1634 rsk = sk;
1635 goto reset; 1635 goto reset;
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c
index 3f1cc2028edd..232a90c3ec86 100644
--- a/net/ipv4/tcp_minisocks.c
+++ b/net/ipv4/tcp_minisocks.c
@@ -387,8 +387,7 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req,
387 struct tcp_sock *oldtp = tcp_sk(sk); 387 struct tcp_sock *oldtp = tcp_sk(sk);
388 struct tcp_cookie_values *oldcvp = oldtp->cookie_values; 388 struct tcp_cookie_values *oldcvp = oldtp->cookie_values;
389 389
390 newsk->sk_rx_dst = dst_clone(skb_dst(skb)); 390 inet_sk_rx_dst_set(newsk, skb);
391 inet_sk(newsk)->rx_dst_ifindex = skb->skb_iif;
392 391
393 /* TCP Cookie Transactions require space for the cookie pair, 392 /* TCP Cookie Transactions require space for the cookie pair,
394 * as it differs for each connection. There is no need to 393 * as it differs for each connection. There is no need to