From: Jiri Pirko <jiri@resnulli.us>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Linux Kernel Network Developers <netdev@vger.kernel.org>,
Jiri Pirko <jiri@mellanox.com>,
Jakub Kicinski <jakub.kicinski@netronome.com>,
Jamal Hadi Salim <jhs@mojatatu.com>,
Eric Dumazet <edumazet@google.com>
Subject: Re: [Patch net v3 1/3] net_sched: get rid of tcfa_rcu
Date: Tue, 12 Sep 2017 23:36:34 +0200 [thread overview]
Message-ID: <20170912213634.GS2036@nanopsycho> (raw)
In-Reply-To: <CAM_iQpWN+OFdWZgKsm8qk58jFKqssOMMW8JM7N6FConHumQXxg@mail.gmail.com>
Tue, Sep 12, 2017 at 11:10:22PM CEST, xiyou.wangcong@gmail.com wrote:
>On Tue, Sep 12, 2017 at 3:40 AM, Jiri Pirko <jiri@resnulli.us> wrote:
>> Tue, Sep 12, 2017 at 11:42:15AM CEST, jiri@resnulli.us wrote:
>>>Tue, Sep 12, 2017 at 01:33:30AM CEST, xiyou.wangcong@gmail.com wrote:
>>>>gen estimator has been rewritten in commit 1c0d32fde5bd
>>>>("net_sched: gen_estimator: complete rewrite of rate estimators"),
>>>>the caller is no longer needed to wait for a grace period.
>>>>So this patch gets rid of it.
>>>>
>>>>This also completely closes a race condition between action free
>>>>path and filter chain add/remove path for the following patch.
>>>>Because otherwise the nested RCU callback can't be caught by
>>>>rcu_barrier().
>>>>
>>>>Please see also the comments in code.
>>>
>>>Looks like this is causing a null pointer dereference bug for me, 100%
>>>of the time. Just add and remove any rule with action and you get:
>>>
>>
>> [...]
>>
>>>
>>>Looks like you need to save owner of the module before you call
>>>__tcf_idr_release so you can later on use it for module_put
>
>Why do you believe it is this patch introduces the bug?
>
>That code has been there since the beginning of git history:
>
>+ for (a = act; a; a = act) {
>+ if (a->ops && a->ops->cleanup) {
>+ DPRINTK("tcf_action_destroy destroying %p next %p\n",
>+ a, a->next);
>+ if (a->ops->cleanup(a, bind) == ACT_P_DELETED)
>+ module_put(a->ops->owner);
>+ act = act->next;
>
>Seems to be a very old one. The reason why it exposes, I guess,
>is call_rcu() somehow delays the free after module_put().
Yeah, looks like the race was just hard to hit. However with your patch,
it is very easy to hit.
>
>
>>
>> This patch helps:
>
>Looks good to me. Please feel free to submit a formal patch.
Okay, I will send the patch to you formally so you can add it as a first
patch of your patchset.
next prev parent reply other threads:[~2017-09-12 21:36 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-09-11 23:33 [Patch net v3 0/3] net_sched: fix filter chain reference counting Cong Wang
2017-09-11 23:33 ` [Patch net v3 1/3] net_sched: get rid of tcfa_rcu Cong Wang
2017-09-12 9:42 ` Jiri Pirko
2017-09-12 10:40 ` Jiri Pirko
2017-09-12 21:10 ` Cong Wang
2017-09-12 21:36 ` Jiri Pirko [this message]
2017-09-12 21:53 ` Cong Wang
2017-09-13 6:13 ` Jiri Pirko
2017-09-11 23:33 ` [Patch net v3 2/3] net_sched: fix reference counting of tc filter chain Cong Wang
2017-09-12 10:43 ` Jiri Pirko
2017-09-11 23:33 ` [Patch net v3 3/3] net_sched: carefully handle tcf_block_put() Cong Wang
2017-09-12 10:43 ` Jiri Pirko
2017-09-13 3:41 ` [Patch net v3 0/3] net_sched: fix filter chain reference counting David Miller
2017-09-13 6:13 ` Jiri Pirko
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170912213634.GS2036@nanopsycho \
--to=jiri@resnulli.us \
--cc=edumazet@google.com \
--cc=jakub.kicinski@netronome.com \
--cc=jhs@mojatatu.com \
--cc=jiri@mellanox.com \
--cc=netdev@vger.kernel.org \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.