From: Eric Dumazet <eric.duma...@gmail.com>
Date: Thu, 21 Sep 2017 09:15:46 -0700
> From: Eric Dumazet <eduma...@google.com>
>
> In linux-4.13, Wei worked hard to convert dst to a traditional
> refcounted model, removing GC.
>
> We now want to make sure a dst refcount can not transition from 0 back
> to 1.
>
> The problem here is that input path attached a not refcounted dst to an
> skb. Then later, because packet is forwarded and hits skb_dst_force()
> before exiting RCU section, we might try to take a refcount on one dst
> that is about to be freed, if another cpu saw 1 -> 0 transition in
> dst_release() and queued the dst for freeing after one RCU grace period.
>
> Let's unify skb_dst_force() and skb_dst_force_safe(), since we should
> always perform the complete check against dst refcount, and not assume
> it is not zero.
>
> Bugzilla : https://bugzilla.kernel.org/show_bug.cgi?id=197005
...
> Similarly dst_clone() can use dst_hold() helper to have additional
> debugging, as a follow up to commit 44ebe79149ff ("net: add debug
> atomic_inc_not_zero() in dst_hold()")
>
> In net-next we will convert dst atomic_t to refcount_t for peace of
> mind.
>
> Fixes: a4c2fd7f7891 ("net: remove DST_NOCACHE flag")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Cc: Wei Wang <wei...@google.com>
> Reported-by: Paweł Staszewski <pstaszew...@itcare.pl>
> Bisected-by: Paweł Staszewski <pstaszew...@itcare.pl>

Applied and queued up for -stable, thanks Eric.
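
The race in the quoted commit message comes down to taking a reference unconditionally versus taking it only while the count is still non-zero. The following is an added user-space C11 sketch, not the kernel patch or the author's code: the `demo_*` names are hypothetical, and returning NULL when the hold fails is this example's assumption.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Hypothetical stand-in for a dst entry; only the refcount matters. */
struct demo_dst { atomic_int refcnt; };

/* Unconditional take: if another CPU already saw 1 -> 0 and queued the
 * object for freeing, this moves the count 0 -> 1 on a dying object. */
static void demo_hold_unsafe(struct demo_dst *d)
{
    atomic_fetch_add(&d->refcnt, 1);
}

/* Take a reference only while the count is non-zero (the idea behind
 * atomic_inc_not_zero()). Returns false if the object is already dying. */
static bool demo_hold_safe(struct demo_dst *d)
{
    int old = atomic_load(&d->refcnt);
    while (old != 0) {
        /* On failure, old is refreshed with the current count. */
        if (atomic_compare_exchange_weak(&d->refcnt, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop a reference; returns true when this was the 1 -> 0 transition. */
static bool demo_release(struct demo_dst *d)
{
    return atomic_fetch_sub(&d->refcnt, 1) == 1;
}

/* Assumed caller pattern: keep the pointer only if the hold succeeded. */
static struct demo_dst *demo_force(struct demo_dst *d)
{
    return (d && demo_hold_safe(d)) ? d : NULL;
}

int main(void)
{
    struct demo_dst d;
    atomic_init(&d.refcnt, 1);
    demo_release(&d);                     /* last user drops: 1 -> 0 */
    printf("safe hold: %s\n", demo_force(&d) ? "taken" : "refused");
    demo_hold_unsafe(&d);                 /* resurrects the dying object */
    printf("unsafe hold left refcnt at %d\n", atomic_load(&d.refcnt));
    return 0;
}
```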