[PATCH net] decnet: always not take dst->__refcnt when inserting dst into hash table

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] decnet: always not take dst->__refcnt when inserting dst into hash table
@ 2017-06-16 17:46 Wei Wang
  2017-06-16 19:00 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Wei Wang @ 2017-06-16 17:46 UTC (permalink / raw)
  To: David Miller, netdev; +Cc: Eric Dumazet, Martin KaFai Lau, Wei Wang

From: Wei Wang <weiwan@google.com>

In the existing dn_route.c code, dn_route_output_slow() takes
dst->__refcnt before calling dn_insert_route() while dn_route_input_slow()
does not take dst->__refcnt before calling dn_insert_route().
This makes the whole routing code very buggy.
In dn_dst_check_expire(), dnrt_free() is called when rt expires. This
makes the routes inserted by dn_route_output_slow() not able to be
freed as the refcnt is not released.
In dn_dst_gc(), dnrt_drop() is called to release rt which could
potentially cause the dst->__refcnt to be dropped to -1.
In dn_run_flush(), dst_free() is called to release all the dst. Again,
it makes the dst inserted by dn_route_output_slow() not able to be
released and also, it does not wait on the rcu and could potentially
cause crash in the path where other users still refer to this dst.

This patch makes sure both input and output path do not take
dst->__refcnt before calling dn_insert_route() and also makes sure
dnrt_free()/dst_free() is called when removing dst from the hash table.
The only difference between those 2 calls is that dnrt_free() waits on
the rcu while dst_free() does not.

Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
---
 net/decnet/dn_route.c | 14 ++++----------
 1 file changed, 4 insertions(+), 10 deletions(-)

diff --git a/net/decnet/dn_route.c b/net/decnet/dn_route.c
index 4b9518a0d248..6f95612b4d32 100644
--- a/net/decnet/dn_route.c
+++ b/net/decnet/dn_route.c
@@ -188,12 +188,6 @@ static inline void dnrt_free(struct dn_route *rt)
 	call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
 }

-static inline void dnrt_drop(struct dn_route *rt)
-{
-	dst_release(&rt->dst);
-	call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);
-}
-
 static void dn_dst_check_expire(unsigned long dummy)
 {
 	int i;
@@ -248,7 +242,7 @@ static int dn_dst_gc(struct dst_ops *ops)
 			}
 			*rtp = rt->dst.dn_next;
 			rt->dst.dn_next = NULL;
-			dnrt_drop(rt);
+			dnrt_free(rt);
 			break;
 		}
 		spin_unlock_bh(&dn_rt_hash_table[i].lock);
@@ -350,7 +344,7 @@ static int dn_insert_route(struct dn_route *rt, unsigned int hash, struct dn_rou
 			dst_use(&rth->dst, now);
 			spin_unlock_bh(&dn_rt_hash_table[hash].lock);

-			dnrt_drop(rt);
+			dst_free(&rt->dst);
 			*rp = rth;
 			return 0;
 		}
@@ -380,7 +374,7 @@ static void dn_run_flush(unsigned long dummy)
 		for(; rt; rt = next) {
 			next = rcu_dereference_raw(rt->dst.dn_next);
 			RCU_INIT_POINTER(rt->dst.dn_next, NULL);
-			dst_free((struct dst_entry *)rt);
+			dnrt_free(rt);
 		}

 nothing_to_declare:
@@ -1187,7 +1181,7 @@ static int dn_route_output_slow(struct dst_entry **pprt, const struct flowidn *o
 	if (dev_out->flags & IFF_LOOPBACK)
 		flags |= RTCF_LOCAL;

-	rt = dst_alloc(&dn_dst_ops, dev_out, 1, DST_OBSOLETE_NONE, DST_HOST);
+	rt = dst_alloc(&dn_dst_ops, dev_out, 0, DST_OBSOLETE_NONE, DST_HOST);
 	if (rt == NULL)
 		goto e_nobufs;

-- 
2.13.1.518.g3df882009-goog

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net] decnet: always not take dst->__refcnt when inserting dst into hash table
  2017-06-16 17:46 [PATCH net] decnet: always not take dst->__refcnt when inserting dst into hash table Wei Wang
@ 2017-06-16 19:00 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2017-06-16 19:00 UTC (permalink / raw)
  To: tracywwnj; +Cc: netdev, edumazet, kafai, weiwan

From: Wei Wang <tracywwnj@gmail.com>
Date: Fri, 16 Jun 2017 10:46:37 -0700

> From: Wei Wang <weiwan@google.com>
> 
> In the existing dn_route.c code, dn_route_output_slow() takes
> dst->__refcnt before calling dn_insert_route() while dn_route_input_slow()
> does not take dst->__refcnt before calling dn_insert_route().
> This makes the whole routing code very buggy.
> In dn_dst_check_expire(), dnrt_free() is called when rt expires. This
> makes the routes inserted by dn_route_output_slow() not able to be
> freed as the refcnt is not released.
> In dn_dst_gc(), dnrt_drop() is called to release rt which could
> potentially cause the dst->__refcnt to be dropped to -1.
> In dn_run_flush(), dst_free() is called to release all the dst. Again,
> it makes the dst inserted by dn_route_output_slow() not able to be
> released and also, it does not wait on the rcu and could potentially
> cause crash in the path where other users still refer to this dst.
> 
> This patch makes sure both input and output path do not take
> dst->__refcnt before calling dn_insert_route() and also makes sure
> dnrt_free()/dst_free() is called when removing dst from the hash table.
> The only difference between those 2 calls is that dnrt_free() waits on
> the rcu while dst_free() does not.
> 
> Signed-off-by: Wei Wang <weiwan@google.com>
> Acked-by: Martin KaFai Lau <kafai@fb.com>

Applied and queued up for -stable, thanks.

I've also applied it to net-next for the sake of your dst gc removal
series.

Thanks again.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2017-06-16 19:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-16 17:46 [PATCH net] decnet: always not take dst->__refcnt when inserting dst into hash table Wei Wang
2017-06-16 19:00 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).