diff options
| author | Eric Dumazet <eric.dumazet@gmail.com> | 2010-12-06 12:29:43 -0500 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2010-12-06 12:29:43 -0500 |
| commit | 46bcf14f44d8f31ecfdc8b6708ec15a3b33316d9 (patch) | |
| tree | 4d2a200387242e1ed2d95ccd367c77750379e8cc /net | |
| parent | e7dfc8dbdf9a7fa1ef04c63100a71f4102b82ed3 (diff) | |
filter: fix sk_filter rcu handling
Pavel Emelyanov tried to fix a race between sk_filter_(de|at)tach and
sk_clone() in commit 47e958eac280c263397
Problem is we can have several clones sharing a common sk_filter, and
these clones might want to sk_filter_attach() their own filters at the
same time, and can overwrite old_filter->rcu, corrupting RCU queues.
We can not use filter->rcu without being sure no other thread could do
the same thing.
Switch code to a more conventional ref-counting technique : Do the
atomic decrement immediately and queue one rcu call back when last
reference is released.
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/core/filter.c | 19 |
1 files changed, 6 insertions, 13 deletions
diff --git a/net/core/filter.c b/net/core/filter.c index c1ee800bc080..ae21a0d3c4a2 100644 --- a/net/core/filter.c +++ b/net/core/filter.c | |||
| @@ -589,23 +589,16 @@ int sk_chk_filter(struct sock_filter *filter, int flen) | |||
| 589 | EXPORT_SYMBOL(sk_chk_filter); | 589 | EXPORT_SYMBOL(sk_chk_filter); |
| 590 | 590 | ||
| 591 | /** | 591 | /** |
| 592 | * sk_filter_rcu_release - Release a socket filter by rcu_head | 592 | * sk_filter_release_rcu - Release a socket filter by rcu_head |
| 593 | * @rcu: rcu_head that contains the sk_filter to free | 593 | * @rcu: rcu_head that contains the sk_filter to free |
| 594 | */ | 594 | */ |
| 595 | static void sk_filter_rcu_release(struct rcu_head *rcu) | 595 | void sk_filter_release_rcu(struct rcu_head *rcu) |
| 596 | { | 596 | { |
| 597 | struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); | 597 | struct sk_filter *fp = container_of(rcu, struct sk_filter, rcu); |
| 598 | 598 | ||
| 599 | sk_filter_release(fp); | 599 | kfree(fp); |
| 600 | } | ||
| 601 | |||
| 602 | static void sk_filter_delayed_uncharge(struct sock *sk, struct sk_filter *fp) | ||
| 603 | { | ||
| 604 | unsigned int size = sk_filter_len(fp); | ||
| 605 | |||
| 606 | atomic_sub(size, &sk->sk_omem_alloc); | ||
| 607 | call_rcu_bh(&fp->rcu, sk_filter_rcu_release); | ||
| 608 | } | 600 | } |
| 601 | EXPORT_SYMBOL(sk_filter_release_rcu); | ||
| 609 | 602 | ||
| 610 | /** | 603 | /** |
| 611 | * sk_attach_filter - attach a socket filter | 604 | * sk_attach_filter - attach a socket filter |
| @@ -649,7 +642,7 @@ int sk_attach_filter(struct sock_fprog *fprog, struct sock *sk) | |||
| 649 | rcu_assign_pointer(sk->sk_filter, fp); | 642 | rcu_assign_pointer(sk->sk_filter, fp); |
| 650 | 643 | ||
| 651 | if (old_fp) | 644 | if (old_fp) |
| 652 | sk_filter_delayed_uncharge(sk, old_fp); | 645 | sk_filter_uncharge(sk, old_fp); |
| 653 | return 0; | 646 | return 0; |
| 654 | } | 647 | } |
| 655 | EXPORT_SYMBOL_GPL(sk_attach_filter); | 648 | EXPORT_SYMBOL_GPL(sk_attach_filter); |
| @@ -663,7 +656,7 @@ int sk_detach_filter(struct sock *sk) | |||
| 663 | sock_owned_by_user(sk)); | 656 | sock_owned_by_user(sk)); |
| 664 | if (filter) { | 657 | if (filter) { |
| 665 | rcu_assign_pointer(sk->sk_filter, NULL); | 658 | rcu_assign_pointer(sk->sk_filter, NULL); |
| 666 | sk_filter_delayed_uncharge(sk, filter); | 659 | sk_filter_uncharge(sk, filter); |
| 667 | ret = 0; | 660 | ret = 0; |
| 668 | } | 661 | } |
| 669 | return ret; | 662 | return ret; |