From: Cong Wang <amwang@redhat.com>
To: Stephen Hemminger <stephen@networkplumber.org>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>
Subject: Re: [Patch net-next] vxlan: do real refcnt for vn_sock
Date: Wed, 29 May 2013 12:34:16 +0800
Message-ID: <1369802056.12227.11.camel@cr0>
In-Reply-To: <20130528212200.798261d7@nehalam.linuxnetplumber.net>

On Tue, 2013-05-28 at 21:22 -0700, Stephen Hemminger wrote:
> On Wed, 29 May 2013 10:08:53 +0800
> Cong Wang <amwang@redhat.com> wrote:
> 
> > On Tue, 2013-05-28 at 08:22 -0700, Stephen Hemminger wrote:
> > > On Tue, 28 May 2013 19:07:22 +0800
> > > Cong Wang <amwang@redhat.com> wrote:
> > > 
> > > > From: Cong Wang <amwang@redhat.com>
> > > > 
> > > > In commit 553675fb5e9ce3d71a (vxlan: listen on multiple ports),
> > > > we use kfree_rcu() to free ->vn_sock, but a) there is no use
> > > > of RCU API to access this field, b) RCU is not enough to do refcnt
> > > > here, because in vxlan_leave_group() we drop RTNL lock before
> > > > locking the socket, it could be possible that this field is
> > > > freed during this period.
> > > > 
> > > > So, instead of making things complex, just do basic refcnt for
> > > > the ->vn_sock, like we do for others.
> > > > 
> > ...
> > > 
> > > Not needed, all access is under RTNL
> > 
> > I know, this is why I had a patch (not posted) which adds the missing
> > rtnl_dereference(), but even if we had these, it is still not correct.
> > 
> > As I explained in the changelog, vxlan_leave_group() has a problem,
> > because it releases rtnl lock before locking the socket, _and_ it is
> > called after vxlan_dellink() which schedules a work to cleanup the
> > struct. Therefore the ->vn_sock could be freed right after rtnl lock is
> > released.
> > 
> > Am I missing anything?
> 
> Ignoring your IPv6 code for now...
> 
> With IPV4:
>    refcnt is incremented when socket is incremented in newlink (RTNL held).
>    refcnt is decremented by dellink (RTNL held) and socket is deleted from list
>    leave_group doesn't happen until work queue is fired.
> 
> rtnl_dereference is fine, but hardly necessary when the call hierarchy is so obvious.
> 
> The problem you describe won't be fixed by just converting it to atomic,

My patch is _not_ just converting it to atomic_t, but it takes a ref for
every usage of ->vn_sock, which current implementation misses.

> I think you need add a dev_hold()/dev_put to vxlan_stop to prevent
> device from being deleted when rtnl_lock is dropped.
> 

The crash is that lock_sock() got a NULL-deref bug, which is not
related to dev_hold() at all. I think it is due to the whole ->vn_sock
being freed before calling lock_sock(), thus vxlan->vn_sock->sock->sk
points to a freed memory area.
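A userland model of the lifetime question argued above, added here and not code from the vxlan driver or from either poster: the `vn_sock`/`vxlan_dev` structs and the `model_*` functions are stand-ins, and the two runs differ only in whether the device takes its own reference on the shared socket before the list reference is dropped and the deferred leave step runs.

```c
#include <stdbool.h>

/* Stand-in for the shared per-port socket (vn_sock): a flag records that
 * the last reference went away, where the kernel would free the memory. */
struct vn_sock { int refcnt; bool freed; };

/* Stand-in for the per-device state pointing at a vn_sock. */
struct vxlan_dev { struct vn_sock *vn_sock; bool holds_ref; };

static void vs_hold(struct vn_sock *vs) { vs->refcnt++; }

static void vs_put(struct vn_sock *vs)
{
    if (--vs->refcnt == 0)
        vs->freed = true;       /* kfree()/kfree_rcu() in the real code */
}

/* newlink: the device starts using vs; the global list already holds one ref. */
static void model_newlink(struct vxlan_dev *dev, struct vn_sock *vs, bool take_ref)
{
    dev->vn_sock = vs;
    dev->holds_ref = take_ref;
    if (take_ref)
        vs_hold(vs);
}

/* dellink: the socket is unlinked from the global list and that ref dropped. */
static void model_dellink(struct vn_sock *vs) { vs_put(vs); }

/* Deferred leave_group, running after dellink with RTNL already dropped.
 * Returns false if the object it is about to lock is already gone. */
static bool model_leave_group(struct vxlan_dev *dev)
{
    struct vn_sock *vs = dev->vn_sock;
    bool alive = !vs->freed;    /* lock_sock() on vs would happen here */
    if (dev->holds_ref)
        vs_put(vs);             /* the device's own ref goes away last */
    return alive;
}

/* newlink -> dellink -> deferred leave_group; 1 if leave_group saw a live object. */
int run_model(bool device_takes_ref)
{
    struct vn_sock vs = { .refcnt = 1, .freed = false };   /* list reference */
    struct vxlan_dev dev;
    model_newlink(&dev, &vs, device_takes_ref);
    model_dellink(&vs);
    return model_leave_group(&dev) ? 1 : 0;
}
```

Without the device's own reference the list put is the last one, so the deferred step finds the object already gone; with it, the object survives until the device releases it.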
