net: Fix hlist corruptions in inet_evict_bucket()
authorKirill Tkhai <ktkhai@virtuozzo.com>
Tue, 6 Mar 2018 15:46:39 +0000 (18:46 +0300)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sat, 31 Mar 2018 16:10:40 +0000 (18:10 +0200)
[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ]

inet_evict_bucket() iterates global list, and
several tasks may call it in parallel. All of
them hash the same fq->list_evictor to different
lists, which leads to list corruption.

This patch makes fq be hashed to expired list
only if this has not been made yet by another
task. Since inet_frag_alloc() allocates fq
using kmem_cache_zalloc(), we may rely on
list_evictor is initially unhashed.

The problem seems to exist before async
pernet_operations, as there was possible to have
exit method to be executed in parallel with
inet_frags::frags_work, so I add two Fixes tags.
This also may go to stable.

Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
net/ipv4/inet_fragment.c

index af74d0433453d9751e1b6e26bcbe251d173bee4b..e691705f0a85a1a43a331063bb4ff571651af759 100644 (file)
@@ -119,6 +119,9 @@ out:
 
 static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
 {
+       if (!hlist_unhashed(&q->list_evictor))
+               return false;
+
        return q->net->low_thresh == 0 ||
               frag_mem_limit(q->net) >= q->net->low_thresh;
 }