diff options
author | Eric Dumazet <edumazet@google.com> | 2012-07-29 19:20:37 -0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2012-07-30 17:53:22 -0400 |
commit | 404e0a8b6a55d5e1cd138c6deb1bca9abdf75d8c (patch) | |
tree | 38e9748d38c415cc97b973fecb9279cd43f76393 | |
parent | cca32e4bf999a34ac08d959f351f2b30bcd02460 (diff) |
net: ipv4: fix RCU races on dst refcounts
commit c6cffba4ffa2 (ipv4: Fix input route performance regression.)
added various fatal races with dst refcounts.
crashes happen on tcp workloads if routes are added/deleted at the same
time.
The dst_free() calls from free_fib_info_rcu() are clearly racy.
We need instead regular dst refcounting (dst_release()) and make
sure dst_release() is aware of RCU grace periods :
Add DST_RCU_FREE flag so that dst_release() respects an RCU grace period
before dst destruction for cached dst
Introduce a new inet_sk_rx_dst_set() helper, using atomic_inc_not_zero()
to make sure we dont increase a zero refcount (On a dst currently
waiting an rcu grace period before destruction)
rt_cache_route() must take a reference on the new cached route, and
release it if was not able to install it.
With this patch, my machines survive various benchmarks.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | include/net/dst.h | 7 | ||||
-rw-r--r-- | include/net/inet_sock.h | 13 | ||||
-rw-r--r-- | net/core/dst.c | 26 | ||||
-rw-r--r-- | net/decnet/dn_route.c | 6 | ||||
-rw-r--r-- | net/ipv4/fib_semantics.c | 4 | ||||
-rw-r--r-- | net/ipv4/route.c | 16 | ||||
-rw-r--r-- | net/ipv4/tcp_input.c | 3 | ||||
-rw-r--r-- | net/ipv4/tcp_ipv4.c | 12 | ||||
-rw-r--r-- | net/ipv4/tcp_minisocks.c | 3 |
9 files changed, 55 insertions, 35 deletions
diff --git a/include/net/dst.h b/include/net/dst.h index baf597890064..31a9fd39edb6 100644 --- a/include/net/dst.h +++ b/include/net/dst.h | |||
@@ -61,6 +61,7 @@ struct dst_entry { | |||
61 | #define DST_NOPEER 0x0040 | 61 | #define DST_NOPEER 0x0040 |
62 | #define DST_FAKE_RTABLE 0x0080 | 62 | #define DST_FAKE_RTABLE 0x0080 |
63 | #define DST_XFRM_TUNNEL 0x0100 | 63 | #define DST_XFRM_TUNNEL 0x0100 |
64 | #define DST_RCU_FREE 0x0200 | ||
64 | 65 | ||
65 | unsigned short pending_confirm; | 66 | unsigned short pending_confirm; |
66 | 67 | ||
@@ -382,12 +383,6 @@ static inline void dst_free(struct dst_entry *dst) | |||
382 | __dst_free(dst); | 383 | __dst_free(dst); |
383 | } | 384 | } |
384 | 385 | ||
385 | static inline void dst_rcu_free(struct rcu_head *head) | ||
386 | { | ||
387 | struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head); | ||
388 | dst_free(dst); | ||
389 | } | ||
390 | |||
391 | static inline void dst_confirm(struct dst_entry *dst) | 386 | static inline void dst_confirm(struct dst_entry *dst) |
392 | { | 387 | { |
393 | dst->pending_confirm = 1; | 388 | dst->pending_confirm = 1; |
diff --git a/include/net/inet_sock.h b/include/net/inet_sock.h index 613cfa401672..e3fd34c83ac9 100644 --- a/include/net/inet_sock.h +++ b/include/net/inet_sock.h | |||
@@ -249,4 +249,17 @@ static inline __u8 inet_sk_flowi_flags(const struct sock *sk) | |||
249 | return flags; | 249 | return flags; |
250 | } | 250 | } |
251 | 251 | ||
252 | static inline void inet_sk_rx_dst_set(struct sock *sk, const struct sk_buff *skb) | ||
253 | { | ||
254 | struct dst_entry *dst = skb_dst(skb); | ||
255 | |||
256 | if (atomic_inc_not_zero(&dst->__refcnt)) { | ||
257 | if (!(dst->flags & DST_RCU_FREE)) | ||
258 | dst->flags |= DST_RCU_FREE; | ||
259 | |||
260 | sk->sk_rx_dst = dst; | ||
261 | inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; | ||
262 | } | ||
263 | } | ||
264 | |||
252 | #endif /* _INET_SOCK_H */ | 265 | #endif /* _INET_SOCK_H */ |
diff --git a/net/core/dst.c b/net/core/dst.c index 069d51d29414..d9e33ebe170f 100644 --- a/net/core/dst.c +++ b/net/core/dst.c | |||
@@ -258,6 +258,15 @@ again: | |||
258 | } | 258 | } |
259 | EXPORT_SYMBOL(dst_destroy); | 259 | EXPORT_SYMBOL(dst_destroy); |
260 | 260 | ||
261 | static void dst_rcu_destroy(struct rcu_head *head) | ||
262 | { | ||
263 | struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head); | ||
264 | |||
265 | dst = dst_destroy(dst); | ||
266 | if (dst) | ||
267 | __dst_free(dst); | ||
268 | } | ||
269 | |||
261 | void dst_release(struct dst_entry *dst) | 270 | void dst_release(struct dst_entry *dst) |
262 | { | 271 | { |
263 | if (dst) { | 272 | if (dst) { |
@@ -265,10 +274,14 @@ void dst_release(struct dst_entry *dst) | |||
265 | 274 | ||
266 | newrefcnt = atomic_dec_return(&dst->__refcnt); | 275 | newrefcnt = atomic_dec_return(&dst->__refcnt); |
267 | WARN_ON(newrefcnt < 0); | 276 | WARN_ON(newrefcnt < 0); |
268 | if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) { | 277 | if (unlikely(dst->flags & (DST_NOCACHE | DST_RCU_FREE)) && !newrefcnt) { |
269 | dst = dst_destroy(dst); | 278 | if (dst->flags & DST_RCU_FREE) { |
270 | if (dst) | 279 | call_rcu_bh(&dst->rcu_head, dst_rcu_destroy); |
271 | __dst_free(dst); | 280 | } else { |
281 | dst = dst_destroy(dst); | ||
282 | if (dst) | ||
283 | __dst_free(dst); | ||
284 | } | ||
272 | } | 285 | } |
273 | } | 286 | } |
274 | } | 287 | } |
@@ -320,11 +333,14 @@ EXPORT_SYMBOL(__dst_destroy_metrics_generic); | |||
320 | */ | 333 | */ |
321 | void skb_dst_set_noref(struct sk_buff *skb, struct dst_entry *dst) | 334 | void skb_dst_set_noref(struct sk_buff *skb, struct dst_entry *dst) |
322 | { | 335 | { |
336 | bool hold; | ||
337 | |||
323 | WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); | 338 | WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held()); |
324 | /* If dst not in cache, we must take a reference, because | 339 | /* If dst not in cache, we must take a reference, because |
325 | * dst_release() will destroy dst as soon as its refcount becomes zero | 340 | * dst_release() will destroy dst as soon as its refcount becomes zero |
326 | */ | 341 | */ |
327 | if (unlikely(dst->flags & DST_NOCACHE)) { | 342 | hold = (dst->flags & (DST_NOCACHE | DST_RCU_FREE)) == DST_NOCACHE; |
343 | if (unlikely(hold)) { | ||
328 | dst_hold(dst); | 344 | dst_hold(dst); |
329 | skb_dst_set(skb, dst); | 345 | skb_dst_set(skb, dst); |
330 | } else { | 346 | } else { |
diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c index 85a3604c87c8..26719779ad8e 100644 --- a/net/decnet/dn_route.c +++ b/net/decnet/dn_route.c | |||
@@ -184,6 +184,12 @@ static __inline__ unsigned int dn_hash(__le16 src, __le16 dst) | |||
184 | return dn_rt_hash_mask & (unsigned int)tmp; | 184 | return dn_rt_hash_mask & (unsigned int)tmp; |
185 | } | 185 | } |
186 | 186 | ||
187 | static inline void dst_rcu_free(struct rcu_head *head) | ||
188 | { | ||
189 | struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head); | ||
190 | dst_free(dst); | ||
191 | } | ||
192 | |||
187 | static inline void dnrt_free(struct dn_route *rt) | 193 | static inline void dnrt_free(struct dn_route *rt) |
188 | { | 194 | { |
189 | call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); | 195 | call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); |
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c index da0cc2e6b250..e55171f184f9 100644 --- a/net/ipv4/fib_semantics.c +++ b/net/ipv4/fib_semantics.c | |||
@@ -172,9 +172,9 @@ static void free_fib_info_rcu(struct rcu_head *head) | |||
172 | if (nexthop_nh->nh_exceptions) | 172 | if (nexthop_nh->nh_exceptions) |
173 | free_nh_exceptions(nexthop_nh); | 173 | free_nh_exceptions(nexthop_nh); |
174 | if (nexthop_nh->nh_rth_output) | 174 | if (nexthop_nh->nh_rth_output) |
175 | dst_free(&nexthop_nh->nh_rth_output->dst); | 175 | dst_release(&nexthop_nh->nh_rth_output->dst); |
176 | if (nexthop_nh->nh_rth_input) | 176 | if (nexthop_nh->nh_rth_input) |
177 | dst_free(&nexthop_nh->nh_rth_input->dst); | 177 | dst_release(&nexthop_nh->nh_rth_input->dst); |
178 | } endfor_nexthops(fi); | 178 | } endfor_nexthops(fi); |
179 | 179 | ||
180 | release_net(fi->fib_net); | 180 | release_net(fi->fib_net); |
diff --git a/net/ipv4/route.c b/net/ipv4/route.c index fc1a81ca79a7..d6eabcfe8a90 100644 --- a/net/ipv4/route.c +++ b/net/ipv4/route.c | |||
@@ -1199,11 +1199,6 @@ restart: | |||
1199 | fnhe->fnhe_stamp = jiffies; | 1199 | fnhe->fnhe_stamp = jiffies; |
1200 | } | 1200 | } |
1201 | 1201 | ||
1202 | static inline void rt_free(struct rtable *rt) | ||
1203 | { | ||
1204 | call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free); | ||
1205 | } | ||
1206 | |||
1207 | static void rt_cache_route(struct fib_nh *nh, struct rtable *rt) | 1202 | static void rt_cache_route(struct fib_nh *nh, struct rtable *rt) |
1208 | { | 1203 | { |
1209 | struct rtable *orig, *prev, **p = &nh->nh_rth_output; | 1204 | struct rtable *orig, *prev, **p = &nh->nh_rth_output; |
@@ -1213,17 +1208,14 @@ static void rt_cache_route(struct fib_nh *nh, struct rtable *rt) | |||
1213 | 1208 | ||
1214 | orig = *p; | 1209 | orig = *p; |
1215 | 1210 | ||
1211 | rt->dst.flags |= DST_RCU_FREE; | ||
1212 | dst_hold(&rt->dst); | ||
1216 | prev = cmpxchg(p, orig, rt); | 1213 | prev = cmpxchg(p, orig, rt); |
1217 | if (prev == orig) { | 1214 | if (prev == orig) { |
1218 | if (orig) | 1215 | if (orig) |
1219 | rt_free(orig); | 1216 | dst_release(&orig->dst); |
1220 | } else { | 1217 | } else { |
1221 | /* Routes we intend to cache in the FIB nexthop have | 1218 | dst_release(&rt->dst); |
1222 | * the DST_NOCACHE bit clear. However, if we are | ||
1223 | * unsuccessful at storing this route into the cache | ||
1224 | * we really need to set it. | ||
1225 | */ | ||
1226 | rt->dst.flags |= DST_NOCACHE; | ||
1227 | } | 1219 | } |
1228 | } | 1220 | } |
1229 | 1221 | ||
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c index a356e1fecf9a..9be30b039ae3 100644 --- a/net/ipv4/tcp_input.c +++ b/net/ipv4/tcp_input.c | |||
@@ -5604,8 +5604,7 @@ void tcp_finish_connect(struct sock *sk, struct sk_buff *skb) | |||
5604 | tcp_set_state(sk, TCP_ESTABLISHED); | 5604 | tcp_set_state(sk, TCP_ESTABLISHED); |
5605 | 5605 | ||
5606 | if (skb != NULL) { | 5606 | if (skb != NULL) { |
5607 | sk->sk_rx_dst = dst_clone(skb_dst(skb)); | 5607 | inet_sk_rx_dst_set(sk, skb); |
5608 | inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; | ||
5609 | security_inet_conn_established(sk, skb); | 5608 | security_inet_conn_established(sk, skb); |
5610 | } | 5609 | } |
5611 | 5610 | ||
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index 2fbd9921253f..7f91e5ac8277 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c | |||
@@ -1617,19 +1617,19 @@ int tcp_v4_do_rcv(struct sock *sk, struct sk_buff *skb) | |||
1617 | #endif | 1617 | #endif |
1618 | 1618 | ||
1619 | if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */ | 1619 | if (sk->sk_state == TCP_ESTABLISHED) { /* Fast path */ |
1620 | struct dst_entry *dst = sk->sk_rx_dst; | ||
1621 | |||
1620 | sock_rps_save_rxhash(sk, skb); | 1622 | sock_rps_save_rxhash(sk, skb); |
1621 | if (sk->sk_rx_dst) { | 1623 | if (dst) { |
1622 | struct dst_entry *dst = sk->sk_rx_dst; | ||
1623 | if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif || | 1624 | if (inet_sk(sk)->rx_dst_ifindex != skb->skb_iif || |
1624 | dst->ops->check(dst, 0) == NULL) { | 1625 | dst->ops->check(dst, 0) == NULL) { |
1625 | dst_release(dst); | 1626 | dst_release(dst); |
1626 | sk->sk_rx_dst = NULL; | 1627 | sk->sk_rx_dst = NULL; |
1627 | } | 1628 | } |
1628 | } | 1629 | } |
1629 | if (unlikely(sk->sk_rx_dst == NULL)) { | 1630 | if (unlikely(sk->sk_rx_dst == NULL)) |
1630 | sk->sk_rx_dst = dst_clone(skb_dst(skb)); | 1631 | inet_sk_rx_dst_set(sk, skb); |
1631 | inet_sk(sk)->rx_dst_ifindex = skb->skb_iif; | 1632 | |
1632 | } | ||
1633 | if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) { | 1633 | if (tcp_rcv_established(sk, skb, tcp_hdr(skb), skb->len)) { |
1634 | rsk = sk; | 1634 | rsk = sk; |
1635 | goto reset; | 1635 | goto reset; |
diff --git a/net/ipv4/tcp_minisocks.c b/net/ipv4/tcp_minisocks.c index 3f1cc2028edd..232a90c3ec86 100644 --- a/net/ipv4/tcp_minisocks.c +++ b/net/ipv4/tcp_minisocks.c | |||
@@ -387,8 +387,7 @@ struct sock *tcp_create_openreq_child(struct sock *sk, struct request_sock *req, | |||
387 | struct tcp_sock *oldtp = tcp_sk(sk); | 387 | struct tcp_sock *oldtp = tcp_sk(sk); |
388 | struct tcp_cookie_values *oldcvp = oldtp->cookie_values; | 388 | struct tcp_cookie_values *oldcvp = oldtp->cookie_values; |
389 | 389 | ||
390 | newsk->sk_rx_dst = dst_clone(skb_dst(skb)); | 390 | inet_sk_rx_dst_set(newsk, skb); |
391 | inet_sk(newsk)->rx_dst_ifindex = skb->skb_iif; | ||
392 | 391 | ||
393 | /* TCP Cookie Transactions require space for the cookie pair, | 392 | /* TCP Cookie Transactions require space for the cookie pair, |
394 | * as it differs for each connection. There is no need to | 393 | * as it differs for each connection. There is no need to |