diff options
author | Christoph Paasch <christoph.paasch@uclouvain.be> | 2014-01-21 16:30:26 +0400 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2014-01-23 09:26:16 +0400 |
commit | 00ca9c5b2b11d44eaf20a4b647efc999734323ec (patch) | |
tree | fbcafcdcc52950691a0430ad377448216fbcfd84 /net/ipv4 | |
parent | 7705b10463622006dce368a47fa9d4dd7b6489ec (diff) | |
download | linux-00ca9c5b2b11d44eaf20a4b647efc999734323ec.tar.xz |
tcp: metrics: Fix rcu-race when deleting multiple entries
In bbf852b96ebdc6d1 I introduced the tmlist, which allows to delete
multiple entries from the cache that match a specified destination if no
source-IP is specified.
However, as the cache is an RCU-list, we should not create this tmlist, as
it will change the tcpm_next pointer of the element that will be deleted
and so a thread iterating over the cache's entries while holding the
RCU-lock might get "redirected" to this tmlist.
This patch fixes this, by reverting back to the old behavior prior to
bbf852b96ebdc6d1, which means that we simply change the tcpm_next
pointer of the previous element (pp) to jump over the one we are
deleting.
The difference is that we call kfree_rcu() directly on the cache entry,
which allows us to delete multiple entries from the list.
Fixes: bbf852b96ebdc6d1 (tcp: metrics: Delete all entries matching a certain destination)
Signed-off-by: Christoph Paasch <christoph.paasch@uclouvain.be>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r-- | net/ipv4/tcp_metrics.c | 14 |
1 files changed, 5 insertions, 9 deletions
diff --git a/net/ipv4/tcp_metrics.c b/net/ipv4/tcp_metrics.c index fa950941de65..9ae48b4a37d1 100644 --- a/net/ipv4/tcp_metrics.c +++ b/net/ipv4/tcp_metrics.c @@ -1019,13 +1019,13 @@ static int tcp_metrics_flush_all(struct net *net) static int tcp_metrics_nl_cmd_del(struct sk_buff *skb, struct genl_info *info) { struct tcpm_hash_bucket *hb; - struct tcp_metrics_block *tm, *tmlist = NULL; + struct tcp_metrics_block *tm; struct tcp_metrics_block __rcu **pp; struct inetpeer_addr saddr, daddr; unsigned int hash; struct net *net = genl_info_net(info); int ret; - bool src = true; + bool src = true, found = false; ret = parse_nl_addr(info, &daddr, &hash, 1); if (ret < 0) @@ -1044,19 +1044,15 @@ static int tcp_metrics_nl_cmd_del(struct sk_buff *skb, struct genl_info *info) if (addr_same(&tm->tcpm_daddr, &daddr) && (!src || addr_same(&tm->tcpm_saddr, &saddr))) { *pp = tm->tcpm_next; - tm->tcpm_next = tmlist; - tmlist = tm; + kfree_rcu(tm, rcu_head); + found = true; } else { pp = &tm->tcpm_next; } } spin_unlock_bh(&tcp_metrics_lock); - if (!tmlist) + if (!found) return -ESRCH; - for (tm = tmlist; tm; tm = tmlist) { - tmlist = tm->tcpm_next; - kfree_rcu(tm, rcu_head); - } return 0; } |