Commit 9df16efa authored by Wei Wang's avatar Wei Wang Committed by David S. Miller

ipv4: call dst_hold_safe() properly

This patch checks all the calls to
dst_hold()/skb_dst_force()/dst_clone()/dst_use() to see if
dst_hold_safe() is needed to avoid double free issue if dst
gc is removed and dst_release() directly destroys dst when
dst->__refcnt drops to 0.

In tx path, TCP hold sk->sk_rx_dst ref count and also hold sock_lock().
UDP and other similar protocols always hold refcount for
skb->_skb_refdst. So both paths seem to be safe.

In rx path, as it is lockless and skb_dst_set_noref() is likely to be
used, dst_hold_safe() should always be used when trying to hold dst.

In the routing code, if dst is held during an rcu protected session, it
is necessary to call dst_hold_safe() as the current dst might be in its
rcu grace period.
Signed-off-by: default avatarWei Wang <weiwan@google.com>
Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 95c47f9c
...@@ -190,7 +190,9 @@ static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src, ...@@ -190,7 +190,9 @@ static inline int ip_route_input(struct sk_buff *skb, __be32 dst, __be32 src,
rcu_read_lock(); rcu_read_lock();
err = ip_route_input_noref(skb, dst, src, tos, devin); err = ip_route_input_noref(skb, dst, src, tos, devin);
if (!err) if (!err)
skb_dst_force(skb); skb_dst_force_safe(skb);
if (!skb_dst(skb))
err = -EINVAL;
rcu_read_unlock(); rcu_read_unlock();
return err; return err;
......
...@@ -2234,10 +2234,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res, ...@@ -2234,10 +2234,8 @@ static struct rtable *__mkroute_output(const struct fib_result *res,
rth = rcu_dereference(*prth); rth = rcu_dereference(*prth);
rt_cache: rt_cache:
if (rt_cache_valid(rth)) { if (rt_cache_valid(rth) && dst_hold_safe(&rth->dst))
dst_hold(&rth->dst);
return rth; return rth;
}
} }
add: add:
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment