From: David Miller <davem@davemloft.net>
To: eric.dumazet@gmail.com
Cc: pstaszewski@itcare.pl, weiwan@google.com,
xiyou.wangcong@gmail.com, netdev@vger.kernel.org,
edumazet@google.com
Subject: Re: [PATCH net] net: prevent dst uses after free
Date: Thu, 21 Sep 2017 20:42:48 -0700 (PDT) [thread overview]
Message-ID: <20170921.204248.634064806877379720.davem@davemloft.net> (raw)
In-Reply-To: <1506010546.29839.148.camel@edumazet-glaptop3.roam.corp.google.com>
From: Eric Dumazet <eric.dumazet@gmail.com>
Date: Thu, 21 Sep 2017 09:15:46 -0700
> From: Eric Dumazet <edumazet@google.com>
>
> In linux-4.13, Wei worked hard to convert dst to a traditional
> refcounted model, removing GC.
>
> We now want to make sure a dst refcount can not transition from 0 back
> to 1.
>
> The problem here is that input path attached a not refcounted dst to an
> skb. Then later, because packet is forwarded and hits skb_dst_force()
> before exiting RCU section, we might try to take a refcount on one dst
> that is about to be freed, if another cpu saw 1 -> 0 transition in
> dst_release() and queued the dst for freeing after one RCU grace period.
>
> Lets unify skb_dst_force() and skb_dst_force_safe(), since we should
> always perform the complete check against dst refcount, and not assume
> it is not zero.
>
> Bugzilla : https://bugzilla.kernel.org/show_bug.cgi?id=197005
...
> Similarly dst_clone() can use dst_hold() helper to have additional
> debugging, as a follow up to commit 44ebe79149ff ("net: add debug
> atomic_inc_not_zero() in dst_hold()")
>
> In net-next we will convert dst atomic_t to refcount_t for peace of
> mind.
>
> Fixes: a4c2fd7f7891 ("net: remove DST_NOCACHE flag")
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Wei Wang <weiwan@google.com>
> Reported-by: Paweł Staszewski <pstaszewski@itcare.pl>
> Bisected-by: Paweł Staszewski <pstaszewski@itcare.pl>
Applied and queued up for -stable, thanks Eric.
prev parent reply other threads:[~2017-09-22 3:42 UTC|newest]
Thread overview: 52+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <4745525f-18e4-7f69-fe21-8e507e407b33@itcare.pl>
2017-09-19 22:35 ` Latest net-next from GIT panic Paweł Staszewski
2017-09-19 23:45 ` Paweł Staszewski
2017-09-20 0:01 ` Paweł Staszewski
2017-09-20 0:06 ` Paweł Staszewski
2017-09-20 0:26 ` Paweł Staszewski
2017-09-20 3:24 ` Eric Dumazet
2017-09-20 7:58 ` Paweł Staszewski
2017-09-20 8:44 ` Paweł Staszewski
2017-09-20 9:45 ` Paweł Staszewski
2017-09-20 10:21 ` Paweł Staszewski
2017-09-20 10:22 ` Paweł Staszewski
2017-09-20 11:02 ` Paweł Staszewski
2017-09-20 12:23 ` Paweł Staszewski
2017-09-20 12:49 ` Paweł Staszewski
2017-09-20 13:05 ` Paweł Staszewski
2017-09-20 13:09 ` Paweł Staszewski
2017-09-20 13:11 ` Eric Dumazet
2017-09-20 13:16 ` Paweł Staszewski
2017-09-20 13:34 ` Eric Dumazet
2017-09-20 13:37 ` Eric Dumazet
2017-09-20 13:39 ` Paweł Staszewski
2017-09-20 13:44 ` Eric Dumazet
2017-09-20 14:03 ` Paweł Staszewski
2017-09-20 14:40 ` Eric Dumazet
2017-09-20 15:05 ` Paweł Staszewski
2017-09-20 17:46 ` Wei Wang
2017-09-20 17:58 ` Paweł Staszewski
2017-09-20 17:50 ` Cong Wang
2017-09-20 17:59 ` Eric Dumazet
[not found] ` <3c227be7-a954-a406-1987-24e908cf214c@itcare.pl>
2017-09-20 18:22 ` Cong Wang
2017-09-20 18:30 ` Eric Dumazet
2017-09-20 18:36 ` Cong Wang
2017-09-20 19:13 ` Paweł Staszewski
2017-09-20 19:23 ` Paweł Staszewski
2017-09-20 21:10 ` Paweł Staszewski
2017-09-20 21:24 ` Paweł Staszewski
2017-09-20 21:25 ` Paweł Staszewski
2017-09-20 21:27 ` Paweł Staszewski
2017-09-20 22:09 ` Wei Wang
2017-09-21 1:09 ` Wei Wang
2017-09-21 1:17 ` Eric Dumazet
2017-09-21 9:06 ` Paweł Staszewski
2017-09-21 11:03 ` Eric Dumazet
2017-09-21 11:12 ` Paweł Staszewski
2017-09-21 11:14 ` Paweł Staszewski
2017-09-21 11:31 ` Paweł Staszewski
2017-09-21 13:18 ` Paweł Staszewski
2017-09-21 14:56 ` Eric Dumazet
2017-09-21 16:15 ` [PATCH net] net: prevent dst uses after free Eric Dumazet
2017-09-21 16:49 ` Wei Wang
2017-09-21 17:12 ` Martin KaFai Lau
2017-09-22 3:42 ` David Miller [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170921.204248.634064806877379720.davem@davemloft.net \
--to=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=pstaszewski@itcare.pl \
--cc=weiwan@google.com \
--cc=xiyou.wangcong@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).