From: Stephen Hemminger <stephen@networkplumber.org>
To: Cong Wang <amwang@redhat.com>
Cc: netdev@vger.kernel.org, "David S. Miller" <davem@davemloft.net>
Subject: Re: [Patch net-next] vxlan: do real refcnt for vn_sock
Date: Tue, 28 May 2013 21:22:00 -0700
Message-ID: <20130528212200.798261d7@nehalam.linuxnetplumber.net>
In-Reply-To: <1369793333.12227.4.camel@cr0>

On Wed, 29 May 2013 10:08:53 +0800
Cong Wang <amwang@redhat.com> wrote:
> On Tue, 2013-05-28 at 08:22 -0700, Stephen Hemminger wrote:
> > On Tue, 28 May 2013 19:07:22 +0800
> > Cong Wang <amwang@redhat.com> wrote:
> >
> > > From: Cong Wang <amwang@redhat.com>
> > >
> > > In commit 553675fb5e9ce3d71a (vxlan: listen on multiple ports),
> > > we use kfree_rcu() to free ->vn_sock, but a) there is no use
> > > of RCU API to access this field, b) RCU is not enough to do refcnt
> > > here, because in vxlan_leave_group() we drop RTNL lock before
> > > locking the socket, it could be possible that this field is
> > > freed during this period.
> > >
> > > So, instead of making things complex, just do basic refcnt for
> > > the ->vn_sock, like we do for others.
> > >
> ...
> >
> > Not needed, all access is under RTNL
>
> I know, this is why I had a patch (not posted) which adds the missing
> rtnl_dereference(), but even if we had these, it is still not correct.
>
> As I explained in the changelog, vxlan_leave_group() has a problem,
> because it releases rtnl lock before locking the socket, _and_ it is
> called after vxlan_dellink() which schedules a work to cleanup the
> struct. Therefore the ->vn_sock could be freed right after rtnl lock is
> released.
>
> Am I missing anything?

Ignoring your IPv6 code for now...

With IPV4:
refcnt is incremented when socket is incremented in newlink (RTNL held).
refcnt is decremented by dellink (RTNL held) and socket is deleted from list
leave_group doesn't happen until work queue is fired.

rtnl_dereference is fine, but hardly necessary when the call hierarchy is so obvious.

The problem you describe won't be fixed by just converting it to atomic,
I think you need to add a dev_hold()/dev_put() to vxlan_stop to prevent
device from being deleted when rtnl_lock is dropped.
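
Added example, not part of the thread and not kernel or vxlan code: a deterministic userspace model of the window discussed above, where a lock is dropped before an object is touched, and of the hold/put pattern that pins the object across that window. The names model_obj, obj_hold, obj_put, leave_group and scenario are hypothetical, and a "freed" flag stands in for the actual free so the misuse can be observed.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only; names echo the thread, this is not kernel code. */
struct model_obj {
    int refcnt;  /* references held on the object */
    bool freed;  /* set instead of calling free(), so misuse is observable */
};

static void obj_hold(struct model_obj *o) { o->refcnt++; }

static void obj_put(struct model_obj *o)
{
    if (--o->refcnt == 0)
        o->freed = true;  /* real code would free the object here */
}

/*
 * Models the window in leave_group: the outer lock is dropped, the cleanup
 * work scheduled at dellink time runs, then the object is touched.
 * Returns true if the object was already freed when touched.
 */
static bool leave_group(struct model_obj *o, bool pin_before_unlock)
{
    bool touched_freed;

    if (pin_before_unlock)
        obj_hold(o);           /* pin while the outer lock is still held */
    obj_put(o);                /* lock dropped: cleanup drops its reference */
    touched_freed = o->freed;  /* inner lock taken: first touch */
    if (pin_before_unlock)
        obj_put(o);            /* release the pin; the last put frees */
    return touched_freed;
}

/* One run from a fresh object holding the single newlink-time reference. */
static bool scenario(bool pin_before_unlock, bool *freed_at_end)
{
    struct model_obj o = { .refcnt = 1, .freed = false };
    bool touched_freed = leave_group(&o, pin_before_unlock);
    *freed_at_end = o.freed;
    return touched_freed;
}

int main(void)
{
    bool freed;
    printf("no pin:   touched freed object = %d\n", scenario(false, &freed));
    printf("with pin: touched freed object = %d\n", scenario(true, &freed));
    return 0;
}
```

In both runs the object ends up freed; the pin only changes whether that happens before or after the last access.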