Commit 00ca9c5b authored by Christoph Paasch's avatar Christoph Paasch Committed by David S. Miller

tcp: metrics: Fix rcu-race when deleting multiple entries

In bbf852b9 I introduced the tmlist, which allows to delete
multiple entries from the cache that match a specified destination if no
source-IP is specified.

However, as the cache is an RCU-list, we should not create this tmlist, as
it will change the tcpm_next pointer of the element that will be deleted
and so a thread iterating over the cache's entries while holding the
RCU-lock might get "redirected" to this tmlist.

This patch fixes this, by reverting back to the old behavior prior to
bbf852b9, which means that we simply change the tcpm_next
pointer of the previous element (pp) to jump over the one we are
deleting.
The difference is that we call kfree_rcu() directly on the cache entry,
which allows us to delete multiple entries from the list.

Fixes: bbf852b9 (tcp: metrics: Delete all entries matching a certain destination)
Signed-off-by: default avatarChristoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 7705b104
...@@ -1019,13 +1019,13 @@ static int tcp_metrics_flush_all(struct net *net) ...@@ -1019,13 +1019,13 @@ static int tcp_metrics_flush_all(struct net *net)
static int tcp_metrics_nl_cmd_del(struct sk_buff *skb, struct genl_info *info) static int tcp_metrics_nl_cmd_del(struct sk_buff *skb, struct genl_info *info)
{ {
struct tcpm_hash_bucket *hb; struct tcpm_hash_bucket *hb;
struct tcp_metrics_block *tm, *tmlist = NULL; struct tcp_metrics_block *tm;
struct tcp_metrics_block __rcu **pp; struct tcp_metrics_block __rcu **pp;
struct inetpeer_addr saddr, daddr; struct inetpeer_addr saddr, daddr;
unsigned int hash; unsigned int hash;
struct net *net = genl_info_net(info); struct net *net = genl_info_net(info);
int ret; int ret;
bool src = true; bool src = true, found = false;
ret = parse_nl_addr(info, &daddr, &hash, 1); ret = parse_nl_addr(info, &daddr, &hash, 1);
if (ret < 0) if (ret < 0)
...@@ -1044,19 +1044,15 @@ static int tcp_metrics_nl_cmd_del(struct sk_buff *skb, struct genl_info *info) ...@@ -1044,19 +1044,15 @@ static int tcp_metrics_nl_cmd_del(struct sk_buff *skb, struct genl_info *info)
if (addr_same(&tm->tcpm_daddr, &daddr) && if (addr_same(&tm->tcpm_daddr, &daddr) &&
(!src || addr_same(&tm->tcpm_saddr, &saddr))) { (!src || addr_same(&tm->tcpm_saddr, &saddr))) {
*pp = tm->tcpm_next; *pp = tm->tcpm_next;
tm->tcpm_next = tmlist; kfree_rcu(tm, rcu_head);
tmlist = tm; found = true;
} else { } else {
pp = &tm->tcpm_next; pp = &tm->tcpm_next;
} }
} }
spin_unlock_bh(&tcp_metrics_lock); spin_unlock_bh(&tcp_metrics_lock);
if (!tmlist) if (!found)
return -ESRCH; return -ESRCH;
for (tm = tmlist; tm; tm = tmlist) {
tmlist = tm->tcpm_next;
kfree_rcu(tm, rcu_head);
}
return 0; return 0;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment