[Patch net] net_sched: close another race condition in tcf_mirred

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [Patch net] net_sched: close another race condition in tcf_mirred_release()
@ 2016-05-16 22:11 Cong Wang
  2016-05-17 12:08 ` Jamal Hadi Salim
  2016-05-17 18:22 ` David Miller
  0 siblings, 2 replies; 3+ messages in thread
From: Cong Wang @ 2016-05-16 22:11 UTC (permalink / raw)
  To: netdev; +Cc: Cong Wang, Jamal Hadi Salim

We saw the following extra refcount release on veth device:

  kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1

Since we heavily use mirred action to redirect packets to veth, I think
this is caused by the following race condition:

CPU0:
tcf_mirred_release(): (in RCU callback)
	struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);

CPU1:
mirred_device_event():
        spin_lock_bh(&mirred_list_lock);
        list_for_each_entry(m, &mirred_list, tcfm_list) {
                if (rcu_access_pointer(m->tcfm_dev) == dev) {
                        dev_put(dev);
                        /* Note : no rcu grace period necessary, as
                         * net_device are already rcu protected.
                         */
                        RCU_INIT_POINTER(m->tcfm_dev, NULL);
                }
        }
        spin_unlock_bh(&mirred_list_lock);

CPU0:
tcf_mirred_release():
        spin_lock_bh(&mirred_list_lock);
        list_del(&m->tcfm_list);
        spin_unlock_bh(&mirred_list_lock);
        if (dev)               // <======== Stil refers to the old m->tcfm_dev
                dev_put(dev);  // <======== dev_put() is called on it again

The action init code path is good because it is impossible to modify
an action that is being removed.

So, fix this by moving everything under the spinlock.

Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path")
Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list")
Cc: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
---
 net/sched/act_mirred.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c
index 8f3948d..78db6d4 100644
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -36,14 +36,15 @@ static DEFINE_SPINLOCK(mirred_list_lock);
 static void tcf_mirred_release(struct tc_action *a, int bind)
 {
 	struct tcf_mirred *m = to_mirred(a);
-	struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);
+	struct net_device *dev;
 
 	/* We could be called either in a RCU callback or with RTNL lock held. */
 	spin_lock_bh(&mirred_list_lock);
 	list_del(&m->tcfm_list);
-	spin_unlock_bh(&mirred_list_lock);
+	dev = rcu_dereference_protected(m->tcfm_dev, 1);
 	if (dev)
 		dev_put(dev);
+	spin_unlock_bh(&mirred_list_lock);
 }
 
 static const struct nla_policy mirred_policy[TCA_MIRRED_MAX + 1] = {
-- 
2.1.0

^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [Patch net] net_sched: close another race condition in tcf_mirred_release()
  2016-05-16 22:11 [Patch net] net_sched: close another race condition in tcf_mirred_release() Cong Wang
@ 2016-05-17 12:08 ` Jamal Hadi Salim
  2016-05-17 18:22 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: Jamal Hadi Salim @ 2016-05-17 12:08 UTC (permalink / raw)
  To: Cong Wang, netdev

On 16-05-16 06:11 PM, Cong Wang wrote:
> We saw the following extra refcount release on veth device:
>
>    kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1
>
> Since we heavily use mirred action to redirect packets to veth, I think
> this is caused by the following race condition:
>
> CPU0:
> tcf_mirred_release(): (in RCU callback)
> 	struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);
>
> CPU1:
> mirred_device_event():
>          spin_lock_bh(&mirred_list_lock);
>          list_for_each_entry(m, &mirred_list, tcfm_list) {
>                  if (rcu_access_pointer(m->tcfm_dev) == dev) {
>                          dev_put(dev);
>                          /* Note : no rcu grace period necessary, as
>                           * net_device are already rcu protected.
>                           */
>                          RCU_INIT_POINTER(m->tcfm_dev, NULL);
>                  }
>          }
>          spin_unlock_bh(&mirred_list_lock);
>
> CPU0:
> tcf_mirred_release():
>          spin_lock_bh(&mirred_list_lock);
>          list_del(&m->tcfm_list);
>          spin_unlock_bh(&mirred_list_lock);
>          if (dev)               // <======== Stil refers to the old m->tcfm_dev
>                  dev_put(dev);  // <======== dev_put() is called on it again
>
> The action init code path is good because it is impossible to modify
> an action that is being removed.
>
> So, fix this by moving everything under the spinlock.
>
> Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path")
> Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list")
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

LGTM.
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>


cheers,
jamal

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [Patch net] net_sched: close another race condition in tcf_mirred_release()
  2016-05-16 22:11 [Patch net] net_sched: close another race condition in tcf_mirred_release() Cong Wang
  2016-05-17 12:08 ` Jamal Hadi Salim
@ 2016-05-17 18:22 ` David Miller
  1 sibling, 0 replies; 3+ messages in thread
From: David Miller @ 2016-05-17 18:22 UTC (permalink / raw)
  To: xiyou.wangcong; +Cc: netdev, jhs

From: Cong Wang <xiyou.wangcong@gmail.com>
Date: Mon, 16 May 2016 15:11:18 -0700

> We saw the following extra refcount release on veth device:
> 
>   kernel: [7957821.463992] unregister_netdevice: waiting for mesos50284 to become free. Usage count = -1
> 
> Since we heavily use mirred action to redirect packets to veth, I think
> this is caused by the following race condition:
> 
> CPU0:
> tcf_mirred_release(): (in RCU callback)
> 	struct net_device *dev = rcu_dereference_protected(m->tcfm_dev, 1);
> 
> CPU1:
> mirred_device_event():
>         spin_lock_bh(&mirred_list_lock);
>         list_for_each_entry(m, &mirred_list, tcfm_list) {
>                 if (rcu_access_pointer(m->tcfm_dev) == dev) {
>                         dev_put(dev);
>                         /* Note : no rcu grace period necessary, as
>                          * net_device are already rcu protected.
>                          */
>                         RCU_INIT_POINTER(m->tcfm_dev, NULL);
>                 }
>         }
>         spin_unlock_bh(&mirred_list_lock);
> 
> CPU0:
> tcf_mirred_release():
>         spin_lock_bh(&mirred_list_lock);
>         list_del(&m->tcfm_list);
>         spin_unlock_bh(&mirred_list_lock);
>         if (dev)               // <======== Stil refers to the old m->tcfm_dev
>                 dev_put(dev);  // <======== dev_put() is called on it again
> 
> The action init code path is good because it is impossible to modify
> an action that is being removed.
> 
> So, fix this by moving everything under the spinlock.
> 
> Fixes: 2ee22a90c7af ("net_sched: act_mirred: remove spinlock in fast path")
> Fixes: 6bd00b850635 ("act_mirred: fix a race condition on mirred_list")
> Cc: Jamal Hadi Salim <jhs@mojatatu.com>
> Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>

Applied.

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2016-05-17 18:22 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-05-16 22:11 [Patch net] net_sched: close another race condition in tcf_mirred_release() Cong Wang
2016-05-17 12:08 ` Jamal Hadi Salim
2016-05-17 18:22 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).