From: Daniel Borkmann <dborkman@redhat.com>
To: David Miller <davem@davemloft.net>
Cc: netdev@vger.kernel.org, noureddine@aristanetworks.com,
greearb@candelatech.com
Subject: Re: [PATCH net] packet: fix use after free race in send path when dev is released
Date: Wed, 20 Nov 2013 09:30:17 +0100 [thread overview]
Message-ID: <528C7319.5050309@redhat.com> (raw)
In-Reply-To: <20131119.203451.358808893783927503.davem@davemloft.net>
On 11/20/2013 02:34 AM, David Miller wrote:
> From: Daniel Borkmann <dborkman@redhat.com>
> Date: Wed, 20 Nov 2013 00:08:23 +0100
>
>> To avoid reverting 827d9780 entirely, we could make use of po->running
>> member that gets reset when we're calling __unregister_prot_hook() in
>> packet_notifier() when we receive NETDEV_DOWN or NETDEV_UNREGISTER
>> notification. Plus, we still need to hold ref to the netdev, so
>> that we can assure it won't be released while we're in send path.
>
> The avoidance of the atomic ref counting of the network device is the
> main performance gain we get from that commit.
>
> Now we'll be doing the refcount _and_ taking a spinlock, it'll be
> worse than beforehand.
>
> And this is doubly silly because we already have a reference
> when we install the device into po->prot_hook.dev
>
> I bet you can fix this by just deferring the NETDEV_UNREGISTER
> AF_PACKET notifier work to RCU.
Yep, will try if this approach works, in other words doing the earlier
exit via !po->running, plus deferring the dev_put() et al to RCU.
next prev parent reply other threads:[~2013-11-20 8:30 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-11-19 23:08 [PATCH net] packet: fix use after free race in send path when dev is released Daniel Borkmann
2013-11-19 23:33 ` Eric Dumazet
2013-11-20 1:34 ` David Miller
2013-11-20 8:30 ` Daniel Borkmann [this message]
2013-11-20 20:07 ` David Miller
2013-11-20 20:15 ` Eric Dumazet
2013-11-20 20:21 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=528C7319.5050309@redhat.com \
--to=dborkman@redhat.com \
--cc=davem@davemloft.net \
--cc=greearb@candelatech.com \
--cc=netdev@vger.kernel.org \
--cc=noureddine@aristanetworks.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.