Thread (12 messages) 12 messages, 4 authors, 2015-08-12

RE: [PATCH net] udp: fix dst races with multicast early demux

From: Gregory Hoggarth <hidden>
Date: 2015-08-03 22:44:00
Subsystem: networking [general], the rest, user datagram protocol (udp) · Maintainers: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni, Linus Torvalds, Willem de Bruijn 

Hi,

I have included this patch into my code and re-run our tests overnight, out of 644 iterations we did not see the kernel crash. Previous reproduction rate we would have expected 4-6 crashes in this time.

So I think this fixes the issue we are seeing.

Thanks,
Greg

________________________________________
From: netdev-owner@vger.kernel.org <redacted> on behalf of Eric Dumazet <redacted>
Sent: Saturday, 1 August 2015 10:14 p.m.
To: Gregory Hoggarth
Cc: Shawn Bohrer; netdev@vger.kernel.org; alexgartrell@gmail.com; Michal Kubeček
Subject: [PATCH net] udp: fix dst races with multicast early demux

From: Eric Dumazet <edumazet@google.com>

Multicast dst are not cached. They carry DST_NOCACHE.

As mentioned in commit f8864972126899 ("ipv4: fix dst race in
sk_dst_get()"), these dst need special care before caching them
into a socket.

Caching them is allowed only if their refcnt was not 0, ie we
must use atomic_inc_not_zero()

Also, we must use READ_ONCE() to fetch sk->sk_rx_dst, as mentioned
in commit d0c294c53a771 ("tcp: prevent fetching dst twice in early demux
code")

Fixes: 421b3885bf6d ("udp: ipv4: Add udp early demux")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: Gregory Hoggarth <redacted>
Reported-by: Alex Gartrell <redacted>
Cc: Michal Kubeček <redacted>
---
David : I will be on vacation for following 7 days, no internet access.
Please wait for tests done by Gregory & Alex before merging this ?
Thanks !

 net/ipv4/udp.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 83aa604f9273..1b8c5ba7d5f7 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1995,12 +1995,19 @@ void udp_v4_early_demux(struct sk_buff *skb)

        skb->sk = sk;
        skb->destructor = sock_efree;
-       dst = sk->sk_rx_dst;
+       dst = READ_ONCE(sk->sk_rx_dst);

        if (dst)
                dst = dst_check(dst, 0);
-       if (dst)
-               skb_dst_set_noref(skb, dst);
+       if (dst) {
+               /* DST_NOCACHE can not be used without taking a reference */
+               if (dst->flags & DST_NOCACHE) {
+                       if (likely(atomic_inc_not_zero(&dst->__refcnt)))
+                               skb_dst_set(skb, dst);
+               } else {
+                       skb_dst_set_noref(skb, dst);
+               }
+       }
 }

 int udp_rcv(struct sk_buff *skb)
Other recent patches touching these files
Keyboard shortcuts
hback out one level
jnext message in thread
kprevious message in thread
ldrill in
Escclose help / fold thread tree
?toggle this help