[PATCH net] net: Fix hlist corruptions in inet_evict

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH net] net: Fix hlist corruptions in inet_evict_bucket()
@ 2018-03-06 15:46 Kirill Tkhai
  2018-03-07 18:29 ` David Miller
  0 siblings, 1 reply; 2+ messages in thread
From: Kirill Tkhai @ 2018-03-06 15:46 UTC (permalink / raw)
  To: fw, davem, yoshfuji, netdev, ktkhai

inet_evict_bucket() iterates global list, and
several tasks may call it in parallel. All of
them hash the same fq->list_evictor to different
lists, which leads to list corruption.

This patch makes fq be hashed to expired list
only if this has not been made yet by another
task. Since inet_frag_alloc() allocates fq
using kmem_cache_zalloc(), we may rely on
list_evictor is initially unhashed.

The problem seems to exist before async
pernet_operations, as there was possible to have
exit method to be executed in parallel with
inet_frags::frags_work, so I add two Fixes tags.
This also may go to stable.

Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
---
 net/ipv4/inet_fragment.c |    3 +++
 1 file changed, 3 insertions(+)

diff --git a/net/ipv4/inet_fragment.c b/net/ipv4/inet_fragment.c
index 26a3d0315728..e8ec28999f5c 100644
--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -119,6 +119,9 @@ static void inet_frag_secret_rebuild(struct inet_frags *f)

 static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
 {
+	if (!hlist_unhashed(&q->list_evictor))
+		return false;
+
 	return q->net->low_thresh == 0 ||
 	       frag_mem_limit(q->net) >= q->net->low_thresh;
 }

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* Re: [PATCH net] net: Fix hlist corruptions in inet_evict_bucket()
  2018-03-06 15:46 [PATCH net] net: Fix hlist corruptions in inet_evict_bucket() Kirill Tkhai
@ 2018-03-07 18:29 ` David Miller
  0 siblings, 0 replies; 2+ messages in thread
From: David Miller @ 2018-03-07 18:29 UTC (permalink / raw)
  To: ktkhai; +Cc: fw, yoshfuji, netdev

From: Kirill Tkhai <ktkhai@virtuozzo.com>
Date: Tue, 06 Mar 2018 18:46:39 +0300

> inet_evict_bucket() iterates global list, and
> several tasks may call it in parallel. All of
> them hash the same fq->list_evictor to different
> lists, which leads to list corruption.
> 
> This patch makes fq be hashed to expired list
> only if this has not been made yet by another
> task. Since inet_frag_alloc() allocates fq
> using kmem_cache_zalloc(), we may rely on
> list_evictor is initially unhashed.
> 
> The problem seems to exist before async
> pernet_operations, as there was possible to have
> exit method to be executed in parallel with
> inet_frags::frags_work, so I add two Fixes tags.
> This also may go to stable.
> 
> Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
> Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>

Applied and queued up for -stable, thank you.

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2018-03-07 18:29 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2018-03-06 15:46 [PATCH net] net: Fix hlist corruptions in inet_evict_bucket() Kirill Tkhai
2018-03-07 18:29 ` David Miller

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).