From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Maoyi Xie <maoyixie.tju@gmail.com>,
"David S . Miller" <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
Eric Dumazet <edumazet@google.com>,
David Ahern <dsahern@kernel.org>,
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>,
Willem de Bruijn <willemb@google.com>,
Willem de Bruijn <willemdebruijn.kernel@gmail.com>,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
stable@vger.kernel.org
Subject: Re: [PATCH net v7 1/2] ipv6: flowlabel: take ip6_fl_lock across mem_check and fl_intern
Date: Tue, 05 May 2026 12:11:34 -0400 [thread overview]
Message-ID: <willemdebruijn.kernel.2b6abb6aae1d8@gmail.com> (raw)
In-Reply-To: <20260505072015.1672730-2-maoyi.xie@ntu.edu.sg>
Maoyi Xie wrote:
> mem_check() in net/ipv6/ip6_flowlabel.c reads fl_size without
> holding ip6_fl_lock. fl_intern() takes the lock immediately
> afterwards. The two checks therefore race against concurrent
> fl_intern, ip6_fl_gc and ip6_fl_purge writers, which makes the
> mem_check budget check approximate.
>
> Move spin_lock_bh(&ip6_fl_lock) and the matching unlock from
> fl_intern() into its only caller ipv6_flowlabel_get(). The
> mem_check() call now runs under the same critical section as the
> fl_intern() insert, so the budget check is exact.
>
> With all writers and the read of fl_size under ip6_fl_lock,
> convert fl_size from atomic_t to plain int. The four sites that
> update or read fl_size are fl_intern (insert path), ip6_fl_gc
> (garbage collector, the !sched check and the per-entry decrement),
> ip6_fl_purge (per-netns purge), and mem_check (budget check), and
> all four now run under ip6_fl_lock.
>
> This is a prerequisite for adding a per-netns budget alongside
> fl_size. The follow-up patch adds netns_ipv6::flowlabel_count and
> folds it into mem_check().
>
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Suggested-by: Willem de Bruijn <willemb@google.com>
> Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Please update either your git config name or Signed-off-by to make
sure that the two are the same. Not sure whether that requires a
respin.
With those asides
Reviewed-by: Willem de Bruijn <willemb@google.com>
Thanks for fixing this along with your main fix.
> ---
> net/ipv6/ip6_flowlabel.c | 33 ++++++++++++++++++++-------------
> 1 file changed, 20 insertions(+), 13 deletions(-)
>
> diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
> index c92f98c6f..43b5e9ce9 100644
> --- a/net/ipv6/ip6_flowlabel.c
> +++ b/net/ipv6/ip6_flowlabel.c
> @@ -40,7 +40,7 @@
> #define FL_HASH_MASK 255
> #define FL_HASH(l) (ntohl(l)&FL_HASH_MASK)
>
> -static atomic_t fl_size = ATOMIC_INIT(0);
> +static int fl_size;
> static struct ip6_flowlabel __rcu *fl_ht[FL_HASH_MASK+1];
>
> static void ip6_fl_gc(struct timer_list *unused);
> @@ -163,7 +163,7 @@ static void ip6_fl_gc(struct timer_list *unused)
> if (time_after_eq(now, ttd)) {
> *flp = fl->next;
> fl_free(fl);
> - atomic_dec(&fl_size);
> + fl_size--;
> continue;
> }
> if (!sched || time_before(ttd, sched))
> @@ -172,7 +172,7 @@ static void ip6_fl_gc(struct timer_list *unused)
> flp = &fl->next;
> }
> }
> - if (!sched && atomic_read(&fl_size))
> + if (!sched && fl_size)
> sched = now + FL_MAX_LINGER;
> if (sched) {
> mod_timer(&ip6_fl_gc_timer, sched);
> @@ -196,7 +196,7 @@ static void __net_exit ip6_fl_purge(struct net *net)
> atomic_read(&fl->users) == 0) {
> *flp = fl->next;
> fl_free(fl);
> - atomic_dec(&fl_size);
> + fl_size--;
> continue;
> }
> flp = &fl->next;
> @@ -205,6 +205,7 @@ static void __net_exit ip6_fl_purge(struct net *net)
> spin_unlock_bh(&ip6_fl_lock);
> }
>
> +/* Caller must hold ip6_fl_lock. */
nit: lockdep_assert_held as used below is preferable over comments
> @@ -464,10 +459,14 @@ fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq,
>
> static int mem_check(struct sock *sk)
> {
> - int room = FL_MAX_SIZE - atomic_read(&fl_size);
> + int room;
> struct ipv6_fl_socklist *sfl;
> int count = 0;
>
> + lockdep_assert_held(&ip6_fl_lock);
> +
> + room = FL_MAX_SIZE - fl_size;
> +
> if (room > FL_MAX_SIZE - FL_MAX_PER_SOCK)
> return 0;
>
next prev parent reply other threads:[~2026-05-05 16:11 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-05-05 7:20 [PATCH net v7 0/2] ipv6: flowlabel: per-netns budget for unprivileged callers Maoyi Xie
2026-05-05 7:20 ` [PATCH net v7 1/2] ipv6: flowlabel: take ip6_fl_lock across mem_check and fl_intern Maoyi Xie
2026-05-05 16:11 ` Willem de Bruijn [this message]
2026-05-06 7:03 ` Maoyi Xie
2026-05-05 7:20 ` [PATCH net v7 2/2] ipv6: flowlabel: enforce per-netns limit for unprivileged callers Maoyi Xie
2026-05-05 15:58 ` Willem de Bruijn
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=willemdebruijn.kernel.2b6abb6aae1d8@gmail.com \
--to=willemdebruijn.kernel@gmail.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=kuznet@ms2.inr.ac.ru \
--cc=linux-kernel@vger.kernel.org \
--cc=maoyixie.tju@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=stable@vger.kernel.org \
--cc=willemb@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.