diff options
| author | Eric Dumazet <edumazet@google.com> | 2022-05-16 06:24:53 +0200 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2022-05-16 12:33:59 +0200 |
| commit | 97e719a82b43c6c2bb5eebdb3c5d479a332ac2ac (patch) | |
| tree | 7e38c6a88703169d84365cb91c9aaab5aabe0adb /net/ipv6/mip6.c | |
| parent | net: tulip: convert to devres (diff) | |
| download | linux-97e719a82b43c6c2bb5eebdb3c5d479a332ac2ac.tar.xz linux-97e719a82b43c6c2bb5eebdb3c5d479a332ac2ac.zip | |
net: fix possible race in skb_attempt_defer_free()
A cpu can observe sd->defer_count reaching 128,
and call smp_call_function_single_async()
Problem is that the remote CPU can clear sd->defer_count
before the IPI is run/acknowledged.
Other cpus can queue more packets and also decide
to call smp_call_function_single_async() while the pending
IPI was not yet delivered.
This is a common issue with smp_call_function_single_async().
Callers must ensure correct synchronization and serialization.
I triggered this issue while experimenting smaller threshold.
Performing the call to smp_call_function_single_async()
under sd->defer_lock protection did not solve the problem.
Commit 5a18ceca6350 ("smp: Allow smp_call_function_single_async()
to insert locked csd") replaced an informative WARN_ON_ONCE()
with a return of -EBUSY, which is often ignored.
Test of CSD_FLAG_LOCK presence is racy anyway.
Fixes: 68822bdf76f1 ("net: generalize skb freeing deferral to per-cpu lists")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv6/mip6.c')
0 files changed, 0 insertions, 0 deletions