aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorNikolay Aleksandrov <nikolay@redhat.com>2013-06-11 18:07:02 -0400
committerDavid S. Miller <davem@davemloft.net>2013-06-13 05:33:37 -0400
commit4f5474e7fd68988cb11373fc698bf10b35b49e31 (patch)
tree99c4f8a2c6313182ed3016dad8b7288e9ae9b672
parentb8fad459f9cc8417b74f71c6c229eef7412163d1 (diff)
bonding: fix igmp_retrans type and two related races
First the type of igmp_retrans (which is the actual counter of igmp_resend parameter) is changed to u8 to be able to store values up to 255 (as per documentation). There are two races that were hidden there and which are easy to trigger after the previous fix, the first is between bond_resend_igmp_join_requests and bond_change_active_slave where igmp_retrans is set and can be altered by the periodic. The second race condition is between multiple running instances of the periodic (upon execution it can be scheduled again for immediate execution which can cause the counter to go < 0 which in the unsigned case leads to unnecessary igmp retransmissions). Since in bond_change_active_slave bond->lock is held for reading and curr_slave_lock for writing, we use curr_slave_lock for mutual exclusion. We can't drop them as there're cases where RTNL is not held when bond_change_active_slave is called. RCU is unlocked in bond_resend_igmp_join_requests before getting curr_slave_lock since we don't need it there and it's pointless to delay. The decrement is moved inside the "if" block because if we decrement unconditionally there's still a possibility for a race condition although it is much more difficult to hit (many changes have to happen in a very short period in order to trigger) which in the case of 3 parallel running instances of this function and igmp_retrans == 1 (with check bond->igmp_retrans-- > 1) is: f1 passes, doesn't re-schedule, but decrements - igmp_retrans = 0 f2 then passes, doesn't re-schedule, but decrements - igmp_retrans = 255 f3 does the unnecessary retransmissions. Signed-off-by: Nikolay Aleksandrov <nikolay@redhat.com> Signed-off-by: Jay Vosburgh <fubar@us.ibm.com> Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r--drivers/net/bonding/bond_main.c15
-rw-r--r--drivers/net/bonding/bonding.h2
2 files changed, 12 insertions, 5 deletions
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 473633ab5f56..02d9ae7d527e 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -764,8 +764,8 @@ static void bond_resend_igmp_join_requests(struct bonding *bond)
764 struct net_device *bond_dev, *vlan_dev, *upper_dev; 764 struct net_device *bond_dev, *vlan_dev, *upper_dev;
765 struct vlan_entry *vlan; 765 struct vlan_entry *vlan;
766 766
767 rcu_read_lock();
768 read_lock(&bond->lock); 767 read_lock(&bond->lock);
768 rcu_read_lock();
769 769
770 bond_dev = bond->dev; 770 bond_dev = bond->dev;
771 771
@@ -787,12 +787,19 @@ static void bond_resend_igmp_join_requests(struct bonding *bond)
787 if (vlan_dev) 787 if (vlan_dev)
788 __bond_resend_igmp_join_requests(vlan_dev); 788 __bond_resend_igmp_join_requests(vlan_dev);
789 } 789 }
790 rcu_read_unlock();
790 791
791 if (--bond->igmp_retrans > 0) 792 /* We use curr_slave_lock to protect against concurrent access to
793 * igmp_retrans from multiple running instances of this function and
794 * bond_change_active_slave
795 */
796 write_lock_bh(&bond->curr_slave_lock);
797 if (bond->igmp_retrans > 1) {
798 bond->igmp_retrans--;
792 queue_delayed_work(bond->wq, &bond->mcast_work, HZ/5); 799 queue_delayed_work(bond->wq, &bond->mcast_work, HZ/5);
793 800 }
801 write_unlock_bh(&bond->curr_slave_lock);
794 read_unlock(&bond->lock); 802 read_unlock(&bond->lock);
795 rcu_read_unlock();
796} 803}
797 804
798static void bond_resend_igmp_join_requests_delayed(struct work_struct *work) 805static void bond_resend_igmp_join_requests_delayed(struct work_struct *work)
diff --git a/drivers/net/bonding/bonding.h b/drivers/net/bonding/bonding.h
index 2baec24388b1..f989e1529a29 100644
--- a/drivers/net/bonding/bonding.h
+++ b/drivers/net/bonding/bonding.h
@@ -225,7 +225,7 @@ struct bonding {
225 rwlock_t curr_slave_lock; 225 rwlock_t curr_slave_lock;
226 u8 send_peer_notif; 226 u8 send_peer_notif;
227 s8 setup_by_slave; 227 s8 setup_by_slave;
228 s8 igmp_retrans; 228 u8 igmp_retrans;
229#ifdef CONFIG_PROC_FS 229#ifdef CONFIG_PROC_FS
230 struct proc_dir_entry *proc_entry; 230 struct proc_dir_entry *proc_entry;
231 char proc_file_name[IFNAMSIZ]; 231 char proc_file_name[IFNAMSIZ];