diff options
| author | Eric Dumazet <edumazet@google.com> | 2014-06-24 13:05:11 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-06-25 20:41:44 -0400 |
| commit | f88649721268999bdff09777847080a52004f691 (patch) | |
| tree | 909bff5bf235780ccec651d41bfc8a370ba7ff27 /net/ipv4/ip_tunnel.c | |
| parent | 99e72a0fed07d118d329f3046ad2ec2ae9357d63 (diff) | |
ipv4: fix dst race in sk_dst_get()
When IP route cache had been removed in linux-3.6, we broke assumption
that dst entries were all freed after rcu grace period. DST_NOCACHE
dst were supposed to be freed from dst_release(). But it appears
we want to keep such dst around, either in UDP sockets or tunnels.
In sk_dst_get() we need to make sure dst refcount is not 0
before incrementing it, or else we might end up freeing a dst
twice.
DST_NOCACHE set on a dst does not mean this dst can not be attached
to a socket or a tunnel.
Then, before actual freeing, we need to observe a rcu grace period
to make sure all other cpus can catch the fact the dst is no longer
usable.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Dormando <dormando@rydia.net>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4/ip_tunnel.c')
| -rw-r--r-- | net/ipv4/ip_tunnel.c | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c index 097b3e7c1e8f..54b6731dab55 100644 --- a/net/ipv4/ip_tunnel.c +++ b/net/ipv4/ip_tunnel.c | |||
| @@ -73,12 +73,7 @@ static void __tunnel_dst_set(struct ip_tunnel_dst *idst, | |||
| 73 | { | 73 | { |
| 74 | struct dst_entry *old_dst; | 74 | struct dst_entry *old_dst; |
| 75 | 75 | ||
| 76 | if (dst) { | 76 | dst_clone(dst); |
| 77 | if (dst->flags & DST_NOCACHE) | ||
| 78 | dst = NULL; | ||
| 79 | else | ||
| 80 | dst_clone(dst); | ||
| 81 | } | ||
| 82 | old_dst = xchg((__force struct dst_entry **)&idst->dst, dst); | 77 | old_dst = xchg((__force struct dst_entry **)&idst->dst, dst); |
| 83 | dst_release(old_dst); | 78 | dst_release(old_dst); |
| 84 | } | 79 | } |
| @@ -108,13 +103,14 @@ static struct rtable *tunnel_rtable_get(struct ip_tunnel *t, u32 cookie) | |||
| 108 | 103 | ||
| 109 | rcu_read_lock(); | 104 | rcu_read_lock(); |
| 110 | dst = rcu_dereference(this_cpu_ptr(t->dst_cache)->dst); | 105 | dst = rcu_dereference(this_cpu_ptr(t->dst_cache)->dst); |
| 106 | if (dst && !atomic_inc_not_zero(&dst->__refcnt)) | ||
| 107 | dst = NULL; | ||
| 111 | if (dst) { | 108 | if (dst) { |
| 112 | if (dst->obsolete && dst->ops->check(dst, cookie) == NULL) { | 109 | if (dst->obsolete && dst->ops->check(dst, cookie) == NULL) { |
| 113 | rcu_read_unlock(); | ||
| 114 | tunnel_dst_reset(t); | 110 | tunnel_dst_reset(t); |
| 115 | return NULL; | 111 | dst_release(dst); |
| 112 | dst = NULL; | ||
| 116 | } | 113 | } |
| 117 | dst_hold(dst); | ||
| 118 | } | 114 | } |
| 119 | rcu_read_unlock(); | 115 | rcu_read_unlock(); |
| 120 | return (struct rtable *)dst; | 116 | return (struct rtable *)dst; |