Commit 2e56571d authored by David S. Miller's avatar David S. Miller

Merge branch 'inet-frags-followup'

Eric Dumazet says:

====================
inet: frags: followup to 'inet-frags-avoid-possible-races-at-netns-dismantle'

Latest patch series ('inet-frags-avoid-possible-races-at-netns-dismantle')
brought another syzbot report shown in the third patch changelog.

While fixing the issue, I had to call inet_frags_fini() later
in IPv6 and ilowpan.

Also I believe a completion is needed to ensure proper dismantle
at module removal.
====================
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parents 3fb321fd dc93f46b
...@@ -3,6 +3,7 @@ ...@@ -3,6 +3,7 @@
#define __NET_FRAG_H__ #define __NET_FRAG_H__
#include <linux/rhashtable-types.h> #include <linux/rhashtable-types.h>
#include <linux/completion.h>
/* Per netns frag queues directory */ /* Per netns frag queues directory */
struct fqdir { struct fqdir {
...@@ -104,30 +105,14 @@ struct inet_frags { ...@@ -104,30 +105,14 @@ struct inet_frags {
struct kmem_cache *frags_cachep; struct kmem_cache *frags_cachep;
const char *frags_cache_name; const char *frags_cache_name;
struct rhashtable_params rhash_params; struct rhashtable_params rhash_params;
refcount_t refcnt;
struct completion completion;
}; };
int inet_frags_init(struct inet_frags *); int inet_frags_init(struct inet_frags *);
void inet_frags_fini(struct inet_frags *); void inet_frags_fini(struct inet_frags *);
static inline int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net);
struct net *net)
{
struct fqdir *fqdir = kzalloc(sizeof(*fqdir), GFP_KERNEL);
int res;
if (!fqdir)
return -ENOMEM;
fqdir->f = f;
fqdir->net = net;
res = rhashtable_init(&fqdir->rhashtable, &fqdir->f->rhash_params);
if (res < 0) {
kfree(fqdir);
return res;
}
*fqdirp = fqdir;
return 0;
}
void fqdir_exit(struct fqdir *fqdir); void fqdir_exit(struct fqdir *fqdir);
void inet_frag_kill(struct inet_frag_queue *q); void inet_frag_kill(struct inet_frag_queue *q);
......
...@@ -540,7 +540,7 @@ int __init lowpan_net_frag_init(void) ...@@ -540,7 +540,7 @@ int __init lowpan_net_frag_init(void)
void lowpan_net_frag_exit(void) void lowpan_net_frag_exit(void)
{ {
inet_frags_fini(&lowpan_frags);
lowpan_frags_sysctl_unregister(); lowpan_frags_sysctl_unregister();
unregister_pernet_subsys(&lowpan_frags_ops); unregister_pernet_subsys(&lowpan_frags_ops);
inet_frags_fini(&lowpan_frags);
} }
...@@ -110,14 +110,18 @@ int inet_frags_init(struct inet_frags *f) ...@@ -110,14 +110,18 @@ int inet_frags_init(struct inet_frags *f)
if (!f->frags_cachep) if (!f->frags_cachep)
return -ENOMEM; return -ENOMEM;
refcount_set(&f->refcnt, 1);
init_completion(&f->completion);
return 0; return 0;
} }
EXPORT_SYMBOL(inet_frags_init); EXPORT_SYMBOL(inet_frags_init);
void inet_frags_fini(struct inet_frags *f) void inet_frags_fini(struct inet_frags *f)
{ {
/* We must wait that all inet_frag_destroy_rcu() have completed. */ if (refcount_dec_and_test(&f->refcnt))
rcu_barrier(); complete(&f->completion);
wait_for_completion(&f->completion);
kmem_cache_destroy(f->frags_cachep); kmem_cache_destroy(f->frags_cachep);
f->frags_cachep = NULL; f->frags_cachep = NULL;
...@@ -149,11 +153,42 @@ static void fqdir_rwork_fn(struct work_struct *work) ...@@ -149,11 +153,42 @@ static void fqdir_rwork_fn(struct work_struct *work)
{ {
struct fqdir *fqdir = container_of(to_rcu_work(work), struct fqdir *fqdir = container_of(to_rcu_work(work),
struct fqdir, destroy_rwork); struct fqdir, destroy_rwork);
struct inet_frags *f = fqdir->f;
rhashtable_free_and_destroy(&fqdir->rhashtable, inet_frags_free_cb, NULL); rhashtable_free_and_destroy(&fqdir->rhashtable, inet_frags_free_cb, NULL);
/* We need to make sure all ongoing call_rcu(..., inet_frag_destroy_rcu)
* have completed, since they need to dereference fqdir.
* Would it not be nice to have kfree_rcu_barrier() ? :)
*/
rcu_barrier();
if (refcount_dec_and_test(&f->refcnt))
complete(&f->completion);
kfree(fqdir); kfree(fqdir);
} }
int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net)
{
struct fqdir *fqdir = kzalloc(sizeof(*fqdir), GFP_KERNEL);
int res;
if (!fqdir)
return -ENOMEM;
fqdir->f = f;
fqdir->net = net;
res = rhashtable_init(&fqdir->rhashtable, &fqdir->f->rhash_params);
if (res < 0) {
kfree(fqdir);
return res;
}
refcount_inc(&f->refcnt);
*fqdirp = fqdir;
return 0;
}
EXPORT_SYMBOL(fqdir_init);
void fqdir_exit(struct fqdir *fqdir) void fqdir_exit(struct fqdir *fqdir)
{ {
fqdir->high_thresh = 0; /* prevent creation of new frags */ fqdir->high_thresh = 0; /* prevent creation of new frags */
......
...@@ -583,8 +583,8 @@ int __init ipv6_frag_init(void) ...@@ -583,8 +583,8 @@ int __init ipv6_frag_init(void)
void ipv6_frag_exit(void) void ipv6_frag_exit(void)
{ {
inet_frags_fini(&ip6_frags);
ip6_frags_sysctl_unregister(); ip6_frags_sysctl_unregister();
unregister_pernet_subsys(&ip6_frags_ops); unregister_pernet_subsys(&ip6_frags_ops);
inet6_del_protocol(&frag_protocol, IPPROTO_FRAGMENT); inet6_del_protocol(&frag_protocol, IPPROTO_FRAGMENT);
inet_frags_fini(&ip6_frags);
} }
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment