• Wei Wang's avatar
    ipv4: call dst_hold_safe() properly · 9df16efa
    Wei Wang authored
    This patch checks all the calls to
    dst_hold()/skb_dst_force()/dst_clone()/dst_use() to see if
    dst_hold_safe() is needed to avoid double free issue if dst
    gc is removed and dst_release() directly destroys dst when
    dst->__refcnt drops to 0.
    
    In tx path, TCP hold sk->sk_rx_dst ref count and also hold sock_lock().
    UDP and other similar protocols always hold refcount for
    skb->_skb_refdst. So both paths seem to be safe.
    
    In rx path, as it is lockless and skb_dst_set_noref() is likely to be
    used, dst_hold_safe() should always be used when trying to hold dst.
    
    In the routing code, if dst is held during an rcu protected session, it
    is necessary to call dst_hold_safe() as the current dst might be in its
    rcu grace period.
    Signed-off-by: default avatarWei Wang <weiwan@google.com>
    Acked-by: default avatarMartin KaFai Lau <kafai@fb.com>
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    9df16efa
route.c 76 KB