git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Thu, 23 Jul 2015 10:05:37 +0000 (12:05 +0200)
committer	David S. Miller <davem@davemloft.net>
	Mon, 27 Jul 2015 04:00:14 +0000 (21:00 -0700)
commit	ec5658d5ee2c7f7224865c8c6e189d700e141bfc
tree	d71cf0c7d0e7bd2ab28c68bb189e73826cbb0681	tree \| snapshot
parent	a7bbee67fb0235e79cd41a5031f0763e754ccec9	commit \| diff

inet: frag: don't re-use chainlist for evictor

commit a8126af801ca5 ("inet: frags: fix a race between inet_evict_bucket
and inet_frag_kill") describes the bug, but the fix doesn't work reliably.

Problem is that ->flags member can be set on other cpu without chainlock
being held by that task, i.e. the RMW-Cycle can clear INET_FRAG_EVICTED
bit after we put the element on the evictor private list.

We can crash when walking the 'private' evictor list since an element can
be deleted from list underneath the evictor.

Join work with Nikolay Alexandrov.

Fixes: 62b8ccb703e9 ("inet: frag: move eviction of queues to work queue")
Reported-by: Johan Schuijt <johan@transip.nl>
Tested-by: Frank Schreuder <fschreuder@transip.nl>
Signed-off-by: Nikolay Alexandrov <nikolay@cumulusnetworks.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/inet_frag.h		diff \| blob \| history
net/ipv4/inet_fragment.c		diff \| blob \| history