From: Jesper Dangaard Brouer <brouer@redhat.com>
To: Konstantin Khlebnikov <khlebnikov@openvz.org>
Cc: netdev@vger.kernel.org, Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>,
Florian Westphal <fw@strlen.de>,
linux-kernel@vger.kernel.org,
Jesper Dangaard Brouer <brouer@redhat.com>
Subject: Re: [PATCH] net: frag, fix race conditions in LRU list maintenance
Date: Mon, 6 May 2013 09:33:18 +0200 [thread overview]
Message-ID: <20130506093318.679f5557@redhat.com> (raw)
In-Reply-To: <20130505145622.9351.86587.stgit@zurg>
On Sun, 05 May 2013 18:56:22 +0400
Konstantin Khlebnikov <khlebnikov@openvz.org> wrote:
> This patch fixes race between inet_frag_lru_move() and
> inet_frag_lru_add() which was introduced in commit
> 3ef0eb0db4bf92c6d2510fe5c4dc51852746f206 ("net: frag, move LRU list
> maintenance outside of rwlock")
>
> One cpu already added new fragment queue into hash but not into LRU.
> Other cpu found it in hash and tries to move it to the end of LRU.
> This leads to NULL pointer dereference inside of list_move_tail().
I tried to address this in:
http://article.gmane.org/gmane.linux.network/266324 But it was never
applied, as we disagreed on other parts of the patchset and didn't think
this would happen with curr LRU scheme (which you have shown it can)
> Another possible race condition is between inet_frag_lru_move() and
> inet_frag_lru_del(): move can happens after deletion.
This should be very difficult to hit, because its protected with
the INET_FRAG_COMPLETE bit (checked in ip_frag_queue() before the LRU
move), which is set after removing it from LRU (all while protected
under the q->lock).
> This patch initializes LRU list head before adding fragment into hash
> and inet_frag_lru_move() doesn't touches it if it's empty.
This a good fix, and better than my earlier attempt at fixing this.
Thanks!
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
next prev parent reply other threads:[~2013-05-06 7:33 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-05-05 14:56 [PATCH] net: frag, fix race conditions in LRU list maintenance Konstantin Khlebnikov
2013-05-05 17:36 ` David Miller
2013-05-05 18:30 ` Florian Westphal
2013-05-06 7:33 ` Jesper Dangaard Brouer [this message]
2013-05-06 15:08 ` David Miller
2013-05-07 5:22 ` Konstantin Khlebnikov
2013-05-07 9:13 ` David Miller
2013-05-08 15:32 ` Jesper Dangaard Brouer
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20130506093318.679f5557@redhat.com \
--to=brouer@redhat.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=khlebnikov@openvz.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).