Re: [PATCH net] net: neighbour: add neighbour dead check for neigh_timer_handler()

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Ding Tianhong <dingtianhong@huawei.com>
To: David Miller <davem@davemloft.net>
Cc: <gaofeng@cn.fujitsu.com>, <yoshfuji@linux-ipv6.org>,
	<joe@perches.com>, <vfalico@redhat.com>, <netdev@vger.kernel.org>
Subject: Re: [PATCH net] net: neighbour: add neighbour dead check for neigh_timer_handler()
Date: Wed, 4 Dec 2013 14:19:06 +0800	[thread overview]
Message-ID: <529EC95A.5080908@huawei.com> (raw)
In-Reply-To: <20131203.232122.852236751455974887.davem@davemloft.net>

On 2013/12/4 12:21, David Miller wrote:
> From: Ding Tianhong <dingtianhong@huawei.com>
> Date: Wed, 4 Dec 2013 12:04:31 +0800
> 
>> The destroying neigh could be trigger by userspace, just like set the ip address which
>> in arp table to the local device ip, some I could not control it, it maybe anytime,
>> but the timer handler is execute by logic, this is normal, so I think the logic
>> is no problem, and the process of destroying neigh may conflict with the timer handler,
>> it is a synchronous problem to make sure the timer should be finished before the
>> reference neigh is freed.
> 
> The more I think about this, the more none of the explanations for this bug
> make any sense.
> 
> neigh_destroy() _ONLY_ runs when:
> 
> 	if (atomic_dec_and_test(&neigh->refcnt))
> 
> triggers in neigh_release().
> 
> This means it triggers if, and only if, neigh_refcnt goes to zero.
> 
> If the refcnt goes to zero, NO TIMER can be running.  If the timer is
> running, then there refcnt must be at least '1'.

Hi David:

Yes, you are right, but when the timer is running and prior to get the neigh->lock, the refcnt
could be dec to 0, you could not stop it by existing mechanism.

the refcnt of neighbour could only be inc by these actions:

1.create neighbour, the refcnt will be set to 1.
2.add timer, the refcnt++.
3.neigh_lookup, if found the neigh, refcnt++.

I can show the whole process of my analysis:

		CPU 0				CPU 1
		-----				-----
	create_neigh() => refcnt = 1;		
	add timer =>	refcnt++;
						<SOFTIRQ>
						base->running_timer = neigh->timer;
						neigh_timer_handler() => at this time, refcnt is 2;

user->	neigh_changeaddr()
	neigh_flush_dev();
	neigh_del_imer, refcnt dec to 1;
	release_neigh(), refcnt is 0,
	destroy_neigh()
	kfree(neighbour);
						write(neigh->lock)

So in my opinion, the point of the problem is that I should not kfree the neighbour until
the timer is not running on CPUs and not pending.

If I miss someghing, pls point out.

Regards
Ding

> 
> The only plausible theory would be that something is releasing a neigh
> too early, when references to the neigh still actually exist.
> 
> And that's a bug that should be fixed.
> 
>

next prev parent reply	other threads:[~2013-12-04  6:19 UTC|newest]

Thread overview: 30+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-12-03 13:48 [PATCH net] net: neighbour: add neighbour dead check for neigh_timer_handler() Ding Tianhong
2013-12-03 15:03 ` Hannes Frederic Sowa
2013-12-04  1:36   ` Ding Tianhong
2013-12-03 16:28 ` Eric Dumazet
2013-12-04  1:59   ` Ding Tianhong
2013-12-03 16:37 ` David Miller
2013-12-04  2:37 ` Gao feng
2013-12-04  4:04   ` Ding Tianhong
2013-12-04  4:21     ` David Miller
2013-12-04  6:19       ` Ding Tianhong [this message]
2013-12-04  6:27         ` Eric Dumazet
2013-12-04  9:16           ` Ding Tianhong
2013-12-04 10:10             ` Gao feng
2013-12-04 15:24             ` Eric Dumazet
2013-12-05  0:32               ` Gao feng
2013-12-05  3:17                 ` Ding Tianhong
2013-12-18  6:37                   ` Ding Tianhong
2013-12-18  7:51                     ` Hannes Frederic Sowa
2013-12-18  8:19                       ` Ding Tianhong
2013-12-18  8:41                         ` Hannes Frederic Sowa
2013-12-18  8:57                           ` Ding Tianhong
2013-12-18  9:28                             ` Hannes Frederic Sowa
2013-12-18 10:02                               ` Ding Tianhong
2013-12-18 10:21                                 ` Hannes Frederic Sowa
2013-12-18 11:57                                   ` Ding Tianhong
2013-12-18 14:27                                     ` Hannes Frederic Sowa
2013-12-18 15:12                                       ` Ding Tianhong
2013-12-18 15:46                                         ` Hannes Frederic Sowa
2013-12-19  3:32                                           ` Ding Tianhong
2013-12-04  6:36         ` David Miller

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=529EC95A.5080908@huawei.com \
    --to=dingtianhong@huawei.com \
    --cc=davem@davemloft.net \
    --cc=gaofeng@cn.fujitsu.com \
    --cc=joe@perches.com \
    --cc=netdev@vger.kernel.org \
    --cc=vfalico@redhat.com \
    --cc=yoshfuji@linux-ipv6.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.