net: ipv4: fix RCU races on dst refcounts (404e0a8b) · Commits · e / devices / android_kernel_teracube_emerald

include/net/dst.h

+1 −6

Original line number	Diff line number	Diff line
		@@ -61,6 +61,7 @@ struct dst_entry {
		#define DST_NOPEER 0x0040
		#define DST_FAKE_RTABLE 0x0080
		#define DST_XFRM_TUNNEL 0x0100
		#define DST_RCU_FREE 0x0200

		unsigned short pending_confirm;

		@@ -382,12 +383,6 @@ static inline void dst_free(struct dst_entry *dst)
		__dst_free(dst);
		}

		static inline void dst_rcu_free(struct rcu_head *head)
		{
		struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);
		dst_free(dst);
		}

		static inline void dst_confirm(struct dst_entry *dst)
		{
		dst->pending_confirm = 1;

+13 −0

Original line number	Diff line number	Diff line
		@@ -249,4 +249,17 @@ static inline __u8 inet_sk_flowi_flags(const struct sock *sk)
		return flags;
		}

		static inline void inet_sk_rx_dst_set(struct sock sk, const struct sk_buff skb)
		{
		struct dst_entry *dst = skb_dst(skb);

		if (atomic_inc_not_zero(&dst->__refcnt)) {
		if (!(dst->flags & DST_RCU_FREE))
		dst->flags \|= DST_RCU_FREE;

		sk->sk_rx_dst = dst;
		inet_sk(sk)->rx_dst_ifindex = skb->skb_iif;
		}
		}

		#endif /* _INET_SOCK_H */

+21 −5

Original line number	Diff line number	Diff line
		@@ -258,6 +258,15 @@ struct dst_entry dst_destroy(struct dst_entry dst)
		}
		EXPORT_SYMBOL(dst_destroy);

		static void dst_rcu_destroy(struct rcu_head *head)
		{
		struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);

		dst = dst_destroy(dst);
		if (dst)
		__dst_free(dst);
		}

		void dst_release(struct dst_entry *dst)
		{
		if (dst) {
		@@ -265,13 +274,17 @@ void dst_release(struct dst_entry *dst)

		newrefcnt = atomic_dec_return(&dst->__refcnt);
		WARN_ON(newrefcnt < 0);
		if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) {
		if (unlikely(dst->flags & (DST_NOCACHE \| DST_RCU_FREE)) && !newrefcnt) {
		if (dst->flags & DST_RCU_FREE) {
		call_rcu_bh(&dst->rcu_head, dst_rcu_destroy);
		} else {
		dst = dst_destroy(dst);
		if (dst)
		__dst_free(dst);
		}
		}
		}
		}
		EXPORT_SYMBOL(dst_release);

		u32 dst_cow_metrics_generic(struct dst_entry dst, unsigned long old)
		@@ -320,11 +333,14 @@ EXPORT_SYMBOL(__dst_destroy_metrics_generic);
		*/
		void skb_dst_set_noref(struct sk_buff skb, struct dst_entry dst)
		{
		bool hold;

		WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
		/* If dst not in cache, we must take a reference, because
		* dst_release() will destroy dst as soon as its refcount becomes zero
		*/
		if (unlikely(dst->flags & DST_NOCACHE)) {
		hold = (dst->flags & (DST_NOCACHE \| DST_RCU_FREE)) == DST_NOCACHE;
		if (unlikely(hold)) {
		dst_hold(dst);
		skb_dst_set(skb, dst);
		} else {

+6 −0

Original line number	Diff line number	Diff line
		@@ -184,6 +184,12 @@ static __inline__ unsigned int dn_hash(__le16 src, __le16 dst)
		return dn_rt_hash_mask & (unsigned int)tmp;
		}

		static inline void dst_rcu_free(struct rcu_head *head)
		{
		struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);
		dst_free(dst);
		}

		static inline void dnrt_free(struct dn_route *rt)
		{
		call_rcu_bh(&rt->dst.rcu_head, dst_rcu_free);

+2 −2

Original line number	Diff line number	Diff line
		@@ -172,9 +172,9 @@ static void free_fib_info_rcu(struct rcu_head *head)
		if (nexthop_nh->nh_exceptions)
		free_nh_exceptions(nexthop_nh);
		if (nexthop_nh->nh_rth_output)
		dst_free(&nexthop_nh->nh_rth_output->dst);
		dst_release(&nexthop_nh->nh_rth_output->dst);
		if (nexthop_nh->nh_rth_input)
		dst_free(&nexthop_nh->nh_rth_input->dst);
		dst_release(&nexthop_nh->nh_rth_input->dst);
		} endfor_nexthops(fi);

		release_net(fi->fib_net);