From: Greg KH <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Yanmin Zhang <yanmin_zhang@linux.intel.com>,
Kun Jiang <kunx.jiang@intel.com>,
Eric Dumazet <edumazet@google.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [ 31/47] ipv4: fix the rcu race between free_fib_info and ip_route_output_slow
Date: Thu, 07 Jun 2012 13:14:29 +0900 [thread overview]
Message-ID: <20120607041402.633194282@linuxfoundation.org> (raw)
In-Reply-To: <20120607041504.GA13819@kroah.com>
3.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yanmin Zhang <yanmin_zhang@linux.intel.com>
[ Upstream commit e49cc0da7283088c5e03d475ffe2fdcb24a6d5b1 ]
We hit a kernel OOPS.
<3>[23898.789643] BUG: sleeping function called from invalid context at
/data/buildbot/workdir/ics/hardware/intel/linux-2.6/arch/x86/mm/fault.c:1103
<3>[23898.862215] in_atomic(): 0, irqs_disabled(): 0, pid: 10526, name:
Thread-6683
<4>[23898.967805] HSU serial 0000:00:05.1: 0000:00:05.2:HSU serial prevented me
to suspend...
<4>[23899.258526] Pid: 10526, comm: Thread-6683 Tainted: G W
3.0.8-137685-ge7742f9 #1
<4>[23899.357404] HSU serial 0000:00:05.1: 0000:00:05.2:HSU serial prevented me
to suspend...
<4>[23899.904225] Call Trace:
<4>[23899.989209] [<c1227f50>] ? pgtable_bad+0x130/0x130
<4>[23900.000416] [<c1238c2a>] __might_sleep+0x10a/0x110
<4>[23900.007357] [<c1228021>] do_page_fault+0xd1/0x3c0
<4>[23900.013764] [<c18e9ba9>] ? restore_all+0xf/0xf
<4>[23900.024024] [<c17c007b>] ? napi_complete+0x8b/0x690
<4>[23900.029297] [<c1227f50>] ? pgtable_bad+0x130/0x130
<4>[23900.123739] [<c1227f50>] ? pgtable_bad+0x130/0x130
<4>[23900.128955] [<c18ea0c3>] error_code+0x5f/0x64
<4>[23900.133466] [<c1227f50>] ? pgtable_bad+0x130/0x130
<4>[23900.138450] [<c17f6298>] ? __ip_route_output_key+0x698/0x7c0
<4>[23900.144312] [<c17f5f8d>] ? __ip_route_output_key+0x38d/0x7c0
<4>[23900.150730] [<c17f63df>] ip_route_output_flow+0x1f/0x60
<4>[23900.156261] [<c181de58>] ip4_datagram_connect+0x188/0x2b0
<4>[23900.161960] [<c18e981f>] ? _raw_spin_unlock_bh+0x1f/0x30
<4>[23900.167834] [<c18298d6>] inet_dgram_connect+0x36/0x80
<4>[23900.173224] [<c14f9e88>] ? _copy_from_user+0x48/0x140
<4>[23900.178817] [<c17ab9da>] sys_connect+0x9a/0xd0
<4>[23900.183538] [<c132e93c>] ? alloc_file+0xdc/0x240
<4>[23900.189111] [<c123925d>] ? sub_preempt_count+0x3d/0x50
Function free_fib_info resets nexthop_nh->nh_dev to NULL before releasing
fi. Other cpu might be accessing fi. Fixing it by delaying the releasing.
With the patch, we ran MTBF testing on Android mobile for 12 hours
and didn't trigger the issue.
Thank Eric for very detailed review/checking the issue.
Signed-off-by: Yanmin Zhang <yanmin_zhang@linux.intel.com>
Signed-off-by: Kun Jiang <kunx.jiang@intel.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/fib_semantics.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -142,6 +142,18 @@ const struct fib_prop fib_props[RTN_MAX
};
/* Release a nexthop info record */
+static void free_fib_info_rcu(struct rcu_head *head)
+{
+ struct fib_info *fi = container_of(head, struct fib_info, rcu);
+
+ change_nexthops(fi) {
+ if (nexthop_nh->nh_dev)
+ dev_put(nexthop_nh->nh_dev);
+ } endfor_nexthops(fi);
+
+ release_net(fi->fib_net);
+ kfree(fi);
+}
void free_fib_info(struct fib_info *fi)
{
@@ -149,14 +161,8 @@ void free_fib_info(struct fib_info *fi)
pr_warning("Freeing alive fib_info %p\n", fi);
return;
}
- change_nexthops(fi) {
- if (nexthop_nh->nh_dev)
- dev_put(nexthop_nh->nh_dev);
- nexthop_nh->nh_dev = NULL;
- } endfor_nexthops(fi);
fib_info_cnt--;
- release_net(fi->fib_net);
- kfree_rcu(fi, rcu);
+ call_rcu(&fi->rcu, free_fib_info_rcu);
}
void fib_release_info(struct fib_info *fi)
next prev parent reply other threads:[~2012-06-07 4:14 UTC|newest]
Thread overview: 48+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-06-07 4:15 [ 00/47] 3.0.34-stable review Greg KH
2012-06-07 4:13 ` [ 01/47] SCSI: fix scsi_wait_scan Greg KH
2012-06-07 4:14 ` [ 02/47] SCSI: Fix dm-multipath starvation when scsi host is busy Greg KH
2012-06-07 4:14 ` [ 03/47] mm: consider all swapped back pages in used-once logic Greg KH
2012-06-07 4:14 ` [ 04/47] mm: pmd_read_atomic: fix 32bit PAE pmd walk vs pmd_populate SMP race condition Greg KH
2012-06-07 4:14 ` [ 05/47] iwlwifi: update BT traffic load states correctly Greg KH
2012-06-07 4:14 ` [ 06/47] cifs: fix oops while traversing open file list (try #4) Greg KH
2012-06-07 4:14 ` [ 07/47] PARISC: fix boot failure on 32-bit systems caused by branch stubs placed before .text Greg KH
2012-06-07 4:14 ` [ 08/47] PARISC: fix TLB fault path on PA2.0 narrow systems Greg KH
2012-06-07 4:14 ` [ 09/47] solos-pci: Fix DMA support Greg KH
2012-06-07 4:14 ` [ 10/47] mac80211: fix ADDBA declined after suspend with wowlan Greg KH
2012-06-07 4:14 ` [ 11/47] NFSv4: Map NFS4ERR_SHARE_DENIED into an EACCES error instead of EIO Greg KH
2012-06-07 4:14 ` [ 12/47] drm/radeon: fix XFX quirk Greg KH
2012-06-07 4:14 ` [ 13/47] drm/i915: properly handle interlaced bit for sdvo dtd conversion Greg KH
2012-06-07 4:14 ` [ 14/47] drm/i915: wait for a vblank to pass after tv detect Greg KH
2012-06-07 4:14 ` [ 15/47] Bluetooth: Add support for Broadcom BCM20702A0 Greg KH
2012-06-07 4:14 ` [ 16/47] Bluetooth: Add support for BCM20702A0 [0a5c:21e3] Greg KH
2012-06-07 4:14 ` [ 17/47] Bluetooth: btusb: Add vendor specific ID (0a5c 21f3) for BCM20702A0 Greg KH
2012-06-07 4:14 ` [ 18/47] Bluetooth: btusb: add support for BCM20702A0 [0a5c:21e6] Greg KH
2012-06-07 4:14 ` [ 19/47] Bluetooth: btusb: Add USB device ID "0a5c 21e8" Greg KH
2012-06-07 4:14 ` [ 20/47] Bluetooth: btusb: Add vendor specific ID (0489 e042) for BCM20702A0 Greg KH
2012-06-07 4:14 ` [ 21/47] Bluetooth: btusb: typo in Broadcom SoftSailing id Greg KH
2012-06-07 4:14 ` [ 22/47] Add Foxconn / Hon Hai IDs for btusb module Greg KH
2012-06-07 4:14 ` [ 23/47] Bluetooth: Add support for Foxconn/Hon Hai AR5BBU22 0489:E03C Greg KH
2012-06-07 4:14 ` [ 24/47] ALSA: usb-audio: fix rate_list memory leak Greg KH
2012-06-07 4:14 ` [ 25/47] vfs: umount_tree() might be called on subtree that had never made it Greg KH
2012-06-07 4:14 ` [ 26/47] mtd: nand: fix scan_read_raw_oob Greg KH
2012-06-07 4:14 ` [ 27/47] drm/radeon: properly program gart on rv740, juniper, cypress, barts, hemlock Greg KH
2012-06-07 4:14 ` [ 28/47] drm/radeon: fix HD6790, HD6570 backend programming Greg KH
2012-06-07 4:14 ` [ 29/47] drm/ttm: Fix spinlock imbalance Greg KH
2012-06-07 4:14 ` [ 30/47] ipv4: Do not use dead fib_info entries Greg KH
2012-06-07 4:14 ` Greg KH [this message]
2012-06-07 4:14 ` [ 32/47] ipv6: fix incorrect ipsec fragment Greg KH
2012-06-07 4:14 ` [ 33/47] l2tp: fix oops in L2TP IP sockets for connect() AF_UNSPEC case Greg KH
2012-06-07 4:14 ` [ 34/47] pktgen: fix crash at module unload Greg KH
2012-06-07 4:14 ` [ 35/47] pktgen: fix module unload for good Greg KH
2012-06-07 4:14 ` [ 36/47] Revert "net: maintain namespace isolation between vlan and real device" Greg KH
2012-06-07 4:14 ` [ 37/47] sctp: check cached dst before using it Greg KH
2012-06-07 4:14 ` [ 38/47] skb: avoid unnecessary reallocations in __skb_cow Greg KH
2012-06-07 4:14 ` [ 39/47] xfrm: take net hdr len into account for esp payload size calculation Greg KH
2012-06-07 4:14 ` [ 40/47] ext4: force ro mount if ext4_setup_super() fails Greg KH
2012-06-07 4:14 ` [ 41/47] ext4: add missing save_error_info() to ext4_error() Greg KH
2012-06-07 4:14 ` [ 42/47] ext4: dont trash state flags in EXT4_IOC_SETFLAGS Greg KH
2012-06-07 4:14 ` [ 43/47] ext4: add ext4_mb_unload_buddy in the error path Greg KH
2012-06-07 4:14 ` [ 44/47] ext4: remove mb_groups before tearing down the buddy_cache Greg KH
2012-06-07 4:14 ` [ 45/47] drm/radeon/kms: add new BTC PCI ids Greg KH
2012-06-07 4:14 ` [ 46/47] ACPI battery: only refresh the sysfs files when pertinent information changes Greg KH
2012-06-07 4:14 ` [ 47/47] wl1251: fix oops on early interrupt Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20120607041402.633194282@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kunx.jiang@intel.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=yanmin_zhang@linux.intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).