From: Wei Wang <weiwan@google.com>
Date: Sat, 17 Jun 2017 10:42:33 -0700
Subject: ipv6: take dst->__refcnt for insertion into fib6 tree
Patch-mainline: v4.13-rc1
Git-commit: 1cfb71eeb12047bcdbd3e6730ffed66e810a0855
References: bsc#1061739
In IPv6 routing code, struct rt6_info is created for each static route
and RTF_CACHE route and inserted into fib6 tree. In both cases, dst
ref count is not taken.
As explained in the previous patch, this leads to the need of the dst
garbage collector.
This patch holds ref count of dst before inserting the route into fib6
tree and properly releases the dst when deleting it from the fib6 tree
as a preparation in order to fully get rid of dst gc later.
Also, correct fib6_age() logic to check dst->__refcnt to be 1 to indicate
no user is referencing the dst.
And remove dst_hold() in vrf_rt6_create() as ip6_dst_alloc() already puts
dst->__refcnt to 1.
Signed-off-by: Wei Wang <weiwan@google.com>
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Acked-by: Michal Kubecek <mkubecek@suse.cz>
---
drivers/net/vrf.c | 4 ----
net/ipv6/ip6_fib.c | 8 +++++++-
net/ipv6/route.c | 55 ++++++++++++++++++++++++++++++++++++++----------------
3 files changed, 46 insertions(+), 21 deletions(-)
diff --git a/drivers/net/vrf.c b/drivers/net/vrf.c
index 9a90af4a67fd..e7d380b9dd65 100644
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -583,8 +583,6 @@ static int vrf_rt6_create(struct net_device *dev)
if (!rt6)
goto out;
- dst_hold(&rt6->dst);
-
rt6->rt6i_table = rt6i_table;
rt6->dst.output = vrf_output6;
@@ -597,8 +595,6 @@ static int vrf_rt6_create(struct net_device *dev)
goto out;
}
- dst_hold(&rt6_local->dst);
-
rt6_local->rt6i_idev = in6_dev_get(dev);
rt6_local->rt6i_flags = RTF_UP | RTF_NONEXTHOP | RTF_LOCAL;
rt6_local->rt6i_table = rt6i_table;
diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c
index fa03fa469f92..4bc6272eb12a 100644
--- a/net/ipv6/ip6_fib.c
+++ b/net/ipv6/ip6_fib.c
@@ -184,6 +184,7 @@ static void rt6_free_pcpu(struct rt6_info *non_pcpu_rt)
ppcpu_rt = per_cpu_ptr(non_pcpu_rt->rt6i_pcpu, cpu);
pcpu_rt = *ppcpu_rt;
if (pcpu_rt) {
+ dst_release(&pcpu_rt->dst);
rt6_rcu_free(pcpu_rt);
*ppcpu_rt = NULL;
}
@@ -197,6 +198,7 @@ static void rt6_release(struct rt6_info *rt)
{
if (atomic_dec_and_test(&rt->rt6i_ref)) {
rt6_free_pcpu(rt);
+ dst_release(&rt->dst);
rt6_rcu_free(rt);
}
}
@@ -1124,6 +1126,10 @@ int fib6_add(struct fib6_node *root, struct rt6_info *rt,
*/
if (fn && !(fn->fn_flags & (RTN_RTINFO|RTN_ROOT)))
fib6_repair_tree(info->nl_net, fn);
+ /* Always release dst as dst->__refcnt is guaranteed
+ * to be taken before entering this function
+ */
+ dst_release(&rt->dst);
if (!(rt->dst.flags & DST_NOCACHE))
dst_free(&rt->dst);
return err;
@@ -1798,7 +1804,7 @@ static int fib6_age(struct rt6_info *rt, void *arg)
} else if (rt->rt6i_flags & RTF_CACHE) {
if (time_after_eq(now, rt->dst.lastuse + gc_args->timeout))
rt->dst.obsolete = DST_OBSOLETE_KILL;
- if (atomic_read(&rt->dst.__refcnt) == 0 &&
+ if (atomic_read(&rt->dst.__refcnt) == 1 &&
rt->dst.obsolete == DST_OBSOLETE_KILL) {
RT6_TRACE("aging clone %p\n", rt);
return -1;
diff --git a/net/ipv6/route.c b/net/ipv6/route.c
index 98f44f5bad99..cb40ec109363 100644
--- a/net/ipv6/route.c
+++ b/net/ipv6/route.c
@@ -354,7 +354,7 @@ static struct rt6_info *__ip6_dst_alloc(struct net *net,
int flags)
{
struct rt6_info *rt = dst_alloc(&net->ipv6.ip6_dst_ops, dev,
- 0, DST_OBSOLETE_FORCE_CHK, flags);
+ 1, DST_OBSOLETE_FORCE_CHK, flags);
if (rt)
rt6_info_init(rt);
@@ -381,7 +381,9 @@ struct rt6_info *ip6_dst_alloc(struct net *net,
*p = NULL;
}
} else {
- dst_destroy((struct dst_entry *)rt);
+ dst_release(&rt->dst);
+ if (!(flags & DST_NOCACHE))
+ dst_destroy((struct dst_entry *)rt);
return NULL;
}
}
@@ -933,9 +935,9 @@ struct rt6_info *rt6_lookup(struct net *net, const struct in6_addr *daddr,
EXPORT_SYMBOL(rt6_lookup);
/* ip6_ins_rt is called with FREE table->tb6_lock.
- It takes new route entry, the addition fails by any reason the
- route is freed. In any case, if caller does not hold it, it may
- be destroyed.
+ * It takes new route entry, the addition fails by any reason the
+ * route is released.
+ * Caller must hold dst before calling it.
*/
static int __ip6_ins_rt(struct rt6_info *rt, struct nl_info *info,
@@ -957,6 +959,8 @@ int ip6_ins_rt(struct rt6_info *rt)
struct nl_info info = { .nl_net = dev_net(rt->dst.dev), };
struct mx6_config mxc = { .mx = NULL, };
+ /* Hold dst to account for the reference from the fib6 tree */
+ dst_hold(&rt->dst);
return __ip6_ins_rt(rt, &info, &mxc);
}
@@ -1049,6 +1053,7 @@ static struct rt6_info *rt6_make_pcpu_route(struct rt6_info *rt)
prev = cmpxchg(p, NULL, pcpu_rt);
if (prev) {
/* If someone did it before us, return prev instead */
+ dst_release(&pcpu_rt->dst);
dst_destroy(&pcpu_rt->dst);
pcpu_rt = prev;
}
@@ -1059,6 +1064,7 @@ static struct rt6_info *rt6_make_pcpu_route(struct rt6_info *rt)
* since rt is going away anyway. The next
* dst_check() will trigger a re-lookup.
*/
+ dst_release(&pcpu_rt->dst);
dst_destroy(&pcpu_rt->dst);
pcpu_rt = rt;
}
@@ -1129,12 +1135,15 @@ struct rt6_info *ip6_pol_route(struct net *net, struct fib6_table *table,
uncached_rt = ip6_rt_cache_alloc(rt, &fl6->daddr, NULL);
dst_release(&rt->dst);
- if (uncached_rt)
+ if (uncached_rt) {
+ /* Uncached_rt's refcnt is taken during ip6_rt_cache_alloc()
+ * No need for another dst_hold()
+ */
rt6_uncached_list_add(uncached_rt);
- else
+ } else {
uncached_rt = net->ipv6.ip6_null_entry;
-
- dst_hold(&uncached_rt->dst);
+ dst_hold(&uncached_rt->dst);
+ }
trace_fib6_table_lookup(net, uncached_rt, table->tb6_id, fl6);
return uncached_rt;
@@ -1431,6 +1440,10 @@ static void __ip6_rt_update_pmtu(struct dst_entry *dst, const struct sock *sk,
* invalidate the sk->sk_dst_cache.
*/
ip6_ins_rt(nrt6);
+ /* Release the reference taken in
+ * ip6_rt_cache_alloc()
+ */
+ dst_release(&nrt6->dst);
}
}
}
@@ -1682,7 +1695,6 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev,
rt->dst.flags |= DST_HOST;
rt->dst.output = ip6_output;
- atomic_set(&rt->dst.__refcnt, 1);
rt->rt6i_gateway = fl6->daddr;
rt->rt6i_dst.addr = fl6->daddr;
rt->rt6i_dst.plen = 128;
@@ -2116,8 +2128,10 @@ static struct rt6_info *ip6_route_info_create(struct fib6_config *cfg)
dev_put(dev);
if (idev)
in6_dev_put(idev);
- if (rt)
+ if (rt) {
+ dst_release(&rt->dst);
dst_free(&rt->dst);
+ }
return ERR_PTR(err);
}
@@ -2145,8 +2159,10 @@ int ip6_route_add(struct fib6_config *cfg)
return err;
out:
- if (rt)
+ if (rt) {
+ dst_release(&rt->dst);
dst_free(&rt->dst);
+ }
return err;
}
@@ -2381,7 +2397,7 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
nrt->rt6i_gateway = *(struct in6_addr *)neigh->primary_key;
if (ip6_ins_rt(nrt))
- goto out;
+ goto out_release;
netevent.old = &rt->dst;
netevent.new = &nrt->dst;
@@ -2394,6 +2410,12 @@ static void rt6_do_redirect(struct dst_entry *dst, struct sock *sk, struct sk_bu
ip6_del_rt(rt);
}
+out_release:
+ /* Release the reference taken in
+ * ip6_rt_cache_alloc()
+ */
+ dst_release(&nrt->dst);
+
out:
neigh_release(neigh);
}
@@ -2745,8 +2767,6 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev,
rt->rt6i_table = fib6_get_table(net, tb_id);
rt->dst.flags |= DST_NOCACHE;
- atomic_set(&rt->dst.__refcnt, 1);
-
return rt;
}
@@ -3163,6 +3183,7 @@ static int ip6_route_multipath_add(struct fib6_config *cfg)
err = ip6_route_info_append(&rt6_nh_list, rt, &r_cfg);
if (err) {
+ dst_release(&rt->dst);
dst_free(&rt->dst);
goto cleanup;
}
@@ -3226,8 +3247,10 @@ static int ip6_route_multipath_add(struct fib6_config *cfg)
cleanup:
list_for_each_entry_safe(nh, nh_safe, &rt6_nh_list, next) {
- if (nh->rt6_info)
+ if (nh->rt6_info) {
+ dst_release(&nh->rt6_info->dst);
dst_free(&nh->rt6_info->dst);
+ }
kfree(nh->mxc.mx);
list_del(&nh->next);
kfree(nh);
--
2.14.2