lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Sun, 28 Apr 2019 07:57:54 -0700 From: Eric Dumazet <eric.dumazet@...il.com> To: David Ahern <dsahern@...il.com>, Networking <netdev@...r.kernel.org> Subject: Re: About ip6_dst_destroy() On 4/27/19 8:22 PM, David Ahern wrote: > On 4/27/19 5:56 PM, Eric Dumazet wrote: >> David >> >> I am staring at ip6_dst_destroy() and the last part makes really no sense to me. >> >> How rcu_read_lock()/rcu_read_unnlock() can help in a writer side ??? >> >> Changlog of a68886a691804d3f6d479ebf6825480fbafb6a00 ("net/ipv6: Make from in rt6_info rcu protected") >> does not make sense either. >> >> <quote> >> There is a race window when a FIB entry is deleted and the 'from' on the >> pcpu route is dropped and the pcpu route hits a cookie check. Handle >> this race using rcu on from. >> </quote> >> > > A FIB entry (fib6_info) is deleted, but resources are not cleaned up as > there are outstanding references to the entry. Specifically, the > references are the 'from' on pcpu routes. Commit (93531c6743157) added > code to release those references as otherwise there is nothing that > forces it. Further testing hit the condition noted in a68886a69180. > > I presume you are asking about ip6_dst_destroy vs all of the other > 'from' references because of the fib6_info_release - which would result > in an underflow when it is released twice. I guess something like a > rmb() / wmb() pair is needed for this case. I do not see how rmb/wmb pair will help. Writers need to use a stronger synchronization between themselves. This can be some spinlock, a xchg() or cmpxchg() The problem here is that nothing prevent ip6_dst_destroy() being called concurrently with another writer like fib6_drop_pcpu_from() fib6_drop_pcpu_from() uses &table->tb6_lock, which is not held in ip6_dst_destroy() I will submit a patch switching all writers to xchg()
Powered by blists - more mailing lists