[Devel] [PATCH rh7] net: Use {get, put}_net() in inet_twsk_{alloc, free}()
Andrew Vagin
avagin at odin.com
Thu May 28 08:56:12 PDT 2015
On Wed, May 27, 2015 at 02:32:22PM +0300, Kirill Tkhai wrote:
> hold_net() doesn't increment net refcounter if NETNS_REFCNT_DEBUG
> is not defined. In this case inet_twdr_do_twkill_work() may happen
> after network is destoyed and lead to memory corruption like this
> happened in https://jira.sw.ru/browse/PSBM-33755.
>
> The patch replaces {hold,release}_net with {get,put}_net, which
> makes refcounters be incremented always.
In this case a netns will not be destroyed while it has time wait
sockets. It isn't expected behaviour.
I don't understand why do we need tcp_v4_kill_ve_sockets().
>
> Such object changes, which extends its lifetime, should be checked
> for safety of refcouter waiters, who wait for 0 refcounter. I mean
> the sequence of net device shutdown for example, see
> netdev_wait_allrefs() for details.
>
> Luckily, we don't have the same issues with struct net, because nobody
> waits for it.
>
> PCS6 also needs the same patch.
>
> Signed-off-by: Kirill Tkhai <ktkhai at odin.com>
> ---
> net/ipv4/inet_timewait_sock.c | 4 ++--
> 1 file changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/net/ipv4/inet_timewait_sock.c b/net/ipv4/inet_timewait_sock.c
> index e2bda07..526e3b5 100644
> --- a/net/ipv4/inet_timewait_sock.c
> +++ b/net/ipv4/inet_timewait_sock.c
> @@ -103,7 +103,7 @@ void inet_twsk_free(struct inet_timewait_sock *tw)
> #ifdef CONFIG_BEANCOUNTERS
> put_beancounter(tw->tw_ub);
> #endif
> - release_net(twsk_net(tw));
> + put_net(twsk_net(tw));
> kmem_cache_free(tw->tw_prot->twsk_prot->twsk_slab, tw);
> module_put(owner);
> }
> @@ -202,7 +202,7 @@ struct inet_timewait_sock *inet_twsk_alloc(const struct sock *sk, const int stat
> tw->tw_ipv6only = 0;
> tw->tw_transparent = inet->transparent;
> tw->tw_prot = sk->sk_prot_creator;
> - twsk_net_set(tw, hold_net(sock_net(sk)));
> + twsk_net_set(tw, get_net(sock_net(sk)));
> /*
> * Because we use RCU lookups, we should not set tw_refcnt
> * to a non null value before everything is setup for this
>
More information about the Devel
mailing list