From: Ying Xue <ying.xue@windriver.com>
To: Herbert Xu <herbert@gondor.apana.org.au>
Cc: <xemul@openvz.org>, <den@openvz.org>, <davem@davemloft.net>,
<avagin@gmail.com>, <netdev@vger.kernel.org>
Subject: Re: [RFC PATCH net-next] netlink: avoid namespace change while creating socket
Date: Tue, 5 May 2015 10:25:09 +0800 [thread overview]
Message-ID: <55482A05.1020809@windriver.com> (raw)
In-Reply-To: <20150505015204.GA4993@gondor.apana.org.au>
On 05/05/2015 09:52 AM, Herbert Xu wrote:
> On Mon, May 04, 2015 at 05:22:19PM +0800, Ying Xue wrote:
>> Commit 23fe18669e7f ("[NETNS]: Fix race between put_net() and
>> netlink_kernel_create().") attempts to fix the following race
>> scenario:
>>
>> put_net()
>> if (atomic_dec_and_test(&net->refcnt))
>> /* true */
>> __put_net(net);
>> queue_work(...);
>>
>> /*
>> * note: the net now has refcnt 0, but still in
>> * the global list of net namespaces
>> */
>>
>> == re-schedule ==
>>
>> register_pernet_subsys(&some_ops);
>> register_pernet_operations(&some_ops);
>> (*some_ops)->init(net);
>> /*
>> * we call netlink_kernel_create() here
>> * in some places
>> */
>> netlink_kernel_create();
>> sk_alloc();
>> get_net(net); /* refcnt = 1 */
>> /*
>> * now we drop the net refcount not to
>> * block the net namespace exit in the
>> * future (or this can be done on the
>> * error path)
>> */
>> put_net(sk->sk_net);
>> if (atomic_dec_and_test(&...))
>> /*
>> * true. BOOOM! The net is
>> * scheduled for release twice
>> */
>
> Surely the problem here is that the caller of netlink_kernel_create
> should hold a ref count on net, so why doesn't it?
>
I guess the main reason is because calling netlink_kernel_create() just happens
on the path of registering a network namespace subsystem. When
__register_pernet_operations() iterates the global list of net namespace(ie,
net_namespace_list) with for_each_net() to call each net's ops_init(ops, net),
it's supposed that it's safe to touch net instance without holding its refcount
as the net_namespace_list is being protected by net_mutex lock. More
importantly, even if the net refcount is decremented to 0 in putnet(), the net
is still in the global list of net namesapces(ie, net_namespace_list). This is
why the race happens.
Regards,
Ying
> Cheers,
>
next prev parent reply other threads:[~2015-05-05 2:26 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-05-04 9:22 [RFC PATCH net-next] netlink: avoid namespace change while creating socket Ying Xue
2015-05-05 1:52 ` Herbert Xu
2015-05-05 2:25 ` Ying Xue [this message]
2015-05-05 2:38 ` Ying Xue
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=55482A05.1020809@windriver.com \
--to=ying.xue@windriver.com \
--cc=avagin@gmail.com \
--cc=davem@davemloft.net \
--cc=den@openvz.org \
--cc=herbert@gondor.apana.org.au \
--cc=netdev@vger.kernel.org \
--cc=xemul@openvz.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.