mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-12-27 14:41:22 -05:00
006a5035b4
We have been seeing occasional deadlocks on pernet_ops_rwsem since
September in NIPA. The stuck task was usually modprobe (often loading
a driver like ipvlan), trying to take the lock as a Writer.
lockdep does not track readers for rwsems so the read wasn't obvious
from the reports.
On closer inspection the Reader holding the lock was conntrack looping
forever in nf_conntrack_cleanup_net_list(). Based on past experience
with occasional NIPA crashes I looked thru the tests which run before
the crash and noticed that the crash follows ip_defrag.sh. An immediate
red flag. Scouring thru (de)fragmentation queues reveals skbs sitting
around, holding conntrack references.
The problem is that since conntrack depends on nf_defrag_ipv6,
nf_defrag_ipv6 will load first. Since nf_defrag_ipv6 loads first its
netns exit hooks run _after_ conntrack's netns exit hook.
Flush all fragment queue SKBs during fqdir_pre_exit() to release
conntrack references before conntrack cleanup runs. Also flush
the queues in timer expiry handlers when they discover fqdir->dead
is set, in case packet sneaks in while we're running the pre_exit
flush.
The commit under Fixes is not exactly the culprit, but I think
previously the timer firing would eventually unblock the spinning
conntrack.
Fixes: d5dd88794a ("inet: fix various use-after-free in defrags units")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251207010942.1672972-4-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
183 lines
4.9 KiB
C
183 lines
4.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0 */
|
|
#ifndef __NET_FRAG_H__
|
|
#define __NET_FRAG_H__
|
|
|
|
#include <linux/rhashtable-types.h>
|
|
#include <linux/completion.h>
|
|
#include <linux/in6.h>
|
|
#include <linux/rbtree_types.h>
|
|
#include <linux/refcount.h>
|
|
#include <net/dropreason-core.h>
|
|
|
|
/* Per netns frag queues directory */
|
|
struct fqdir {
|
|
/* sysctls */
|
|
long high_thresh;
|
|
long low_thresh;
|
|
int timeout;
|
|
int max_dist;
|
|
struct inet_frags *f;
|
|
struct net *net;
|
|
bool dead;
|
|
|
|
struct rhashtable rhashtable ____cacheline_aligned_in_smp;
|
|
|
|
/* Keep atomic mem on separate cachelines in structs that include it */
|
|
atomic_long_t mem ____cacheline_aligned_in_smp;
|
|
struct work_struct destroy_work;
|
|
struct llist_node free_list;
|
|
};
|
|
|
|
/**
|
|
* enum: fragment queue flags
|
|
*
|
|
* @INET_FRAG_FIRST_IN: first fragment has arrived
|
|
* @INET_FRAG_LAST_IN: final fragment has arrived
|
|
* @INET_FRAG_COMPLETE: frag queue has been processed and is due for destruction
|
|
* @INET_FRAG_HASH_DEAD: inet_frag_kill() has not removed fq from rhashtable
|
|
* @INET_FRAG_DROP: if skbs must be dropped (instead of being consumed)
|
|
*/
|
|
enum {
|
|
INET_FRAG_FIRST_IN = BIT(0),
|
|
INET_FRAG_LAST_IN = BIT(1),
|
|
INET_FRAG_COMPLETE = BIT(2),
|
|
INET_FRAG_HASH_DEAD = BIT(3),
|
|
INET_FRAG_DROP = BIT(4),
|
|
};
|
|
|
|
struct frag_v4_compare_key {
|
|
__be32 saddr;
|
|
__be32 daddr;
|
|
u32 user;
|
|
u32 vif;
|
|
__be16 id;
|
|
u16 protocol;
|
|
};
|
|
|
|
struct frag_v6_compare_key {
|
|
struct in6_addr saddr;
|
|
struct in6_addr daddr;
|
|
u32 user;
|
|
__be32 id;
|
|
u32 iif;
|
|
};
|
|
|
|
/**
|
|
* struct inet_frag_queue - fragment queue
|
|
*
|
|
* @node: rhash node
|
|
* @key: keys identifying this frag.
|
|
* @timer: queue expiration timer
|
|
* @lock: spinlock protecting this frag
|
|
* @refcnt: reference count of the queue
|
|
* @rb_fragments: received fragments rb-tree root
|
|
* @fragments_tail: received fragments tail
|
|
* @last_run_head: the head of the last "run". see ip_fragment.c
|
|
* @stamp: timestamp of the last received fragment
|
|
* @len: total length of the original datagram
|
|
* @meat: length of received fragments so far
|
|
* @tstamp_type: stamp has a mono delivery time (EDT)
|
|
* @flags: fragment queue flags
|
|
* @max_size: maximum received fragment size
|
|
* @fqdir: pointer to struct fqdir
|
|
* @rcu: rcu head for freeing deferall
|
|
*/
|
|
struct inet_frag_queue {
|
|
struct rhash_head node;
|
|
union {
|
|
struct frag_v4_compare_key v4;
|
|
struct frag_v6_compare_key v6;
|
|
} key;
|
|
struct timer_list timer;
|
|
spinlock_t lock;
|
|
refcount_t refcnt;
|
|
struct rb_root rb_fragments;
|
|
struct sk_buff *fragments_tail;
|
|
struct sk_buff *last_run_head;
|
|
ktime_t stamp;
|
|
int len;
|
|
int meat;
|
|
u8 tstamp_type;
|
|
__u8 flags;
|
|
u16 max_size;
|
|
struct fqdir *fqdir;
|
|
struct rcu_head rcu;
|
|
};
|
|
|
|
struct inet_frags {
|
|
unsigned int qsize;
|
|
|
|
void (*constructor)(struct inet_frag_queue *q,
|
|
const void *arg);
|
|
void (*destructor)(struct inet_frag_queue *);
|
|
void (*frag_expire)(struct timer_list *t);
|
|
struct kmem_cache *frags_cachep;
|
|
const char *frags_cache_name;
|
|
struct rhashtable_params rhash_params;
|
|
refcount_t refcnt;
|
|
struct completion completion;
|
|
};
|
|
|
|
int inet_frags_init(struct inet_frags *);
|
|
void inet_frags_fini(struct inet_frags *);
|
|
|
|
int fqdir_init(struct fqdir **fqdirp, struct inet_frags *f, struct net *net);
|
|
|
|
void fqdir_pre_exit(struct fqdir *fqdir);
|
|
void fqdir_exit(struct fqdir *fqdir);
|
|
|
|
void inet_frag_kill(struct inet_frag_queue *q, int *refs);
|
|
void inet_frag_destroy(struct inet_frag_queue *q);
|
|
struct inet_frag_queue *inet_frag_find(struct fqdir *fqdir, void *key);
|
|
|
|
void inet_frag_queue_flush(struct inet_frag_queue *q,
|
|
enum skb_drop_reason reason);
|
|
|
|
static inline void inet_frag_putn(struct inet_frag_queue *q, int refs)
|
|
{
|
|
if (refs && refcount_sub_and_test(refs, &q->refcnt))
|
|
inet_frag_destroy(q);
|
|
}
|
|
|
|
/* Memory Tracking Functions. */
|
|
|
|
static inline long frag_mem_limit(const struct fqdir *fqdir)
|
|
{
|
|
return atomic_long_read(&fqdir->mem);
|
|
}
|
|
|
|
static inline void sub_frag_mem_limit(struct fqdir *fqdir, long val)
|
|
{
|
|
atomic_long_sub(val, &fqdir->mem);
|
|
}
|
|
|
|
static inline void add_frag_mem_limit(struct fqdir *fqdir, long val)
|
|
{
|
|
atomic_long_add(val, &fqdir->mem);
|
|
}
|
|
|
|
/* RFC 3168 support :
|
|
* We want to check ECN values of all fragments, do detect invalid combinations.
|
|
* In ipq->ecn, we store the OR value of each ip4_frag_ecn() fragment value.
|
|
*/
|
|
#define IPFRAG_ECN_NOT_ECT 0x01 /* one frag had ECN_NOT_ECT */
|
|
#define IPFRAG_ECN_ECT_1 0x02 /* one frag had ECN_ECT_1 */
|
|
#define IPFRAG_ECN_ECT_0 0x04 /* one frag had ECN_ECT_0 */
|
|
#define IPFRAG_ECN_CE 0x08 /* one frag had ECN_CE */
|
|
|
|
extern const u8 ip_frag_ecn_table[16];
|
|
|
|
/* Return values of inet_frag_queue_insert() */
|
|
#define IPFRAG_OK 0
|
|
#define IPFRAG_DUP 1
|
|
#define IPFRAG_OVERLAP 2
|
|
int inet_frag_queue_insert(struct inet_frag_queue *q, struct sk_buff *skb,
|
|
int offset, int end);
|
|
void *inet_frag_reasm_prepare(struct inet_frag_queue *q, struct sk_buff *skb,
|
|
struct sk_buff *parent);
|
|
void inet_frag_reasm_finish(struct inet_frag_queue *q, struct sk_buff *head,
|
|
void *reasm_data, bool try_coalesce);
|
|
struct sk_buff *inet_frag_pull_head(struct inet_frag_queue *q);
|
|
|
|
#endif
|