tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
1
fork

Configure Feed

Select the types of activity you want to include in your feed.

inet: frags: avoid theoretical race in ip_frag_reinit()

In ip_frag_reinit() we want to move the frag timeout timer into
the future. If the timer fires in the meantime we inadvertently
scheduled it again, and since the timer assumes a ref on frag_queue
we need to acquire one to balance things out.

This is technically racy, we should have acquired the reference
_before_ we touch the timer, it may fire again before we take the ref.
Avoid this entire dance by using mod_timer_pending() which only modifies
the timer if its pending (and which exists since Linux v2.6.30)

Note that this was the only place we ever took a ref on frag_queue
since Eric's conversion to RCU. So we could potentially replace
the whole refcnt field with an atomic flag and a bit more RCU.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20251207010942.1672972-2-kuba@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 8ef522c8 2f6e056e

+4 -4
+3 -1
net/ipv4/inet_fragment.c
··· 327 327 328 328 timer_setup(&q->timer, f->frag_expire, 0); 329 329 spin_lock_init(&q->lock); 330 - /* One reference for the timer, one for the hash table. */ 330 + /* One reference for the timer, one for the hash table. 331 + * We never take any extra references, only decrement this field. 332 + */ 331 333 refcount_set(&q->refcnt, 2); 332 334 333 335 return q;
+1 -3
net/ipv4/ip_fragment.c
··· 242 242 { 243 243 unsigned int sum_truesize = 0; 244 244 245 - if (!mod_timer(&qp->q.timer, jiffies + qp->q.fqdir->timeout)) { 246 - refcount_inc(&qp->q.refcnt); 245 + if (!mod_timer_pending(&qp->q.timer, jiffies + qp->q.fqdir->timeout)) 247 246 return -ETIMEDOUT; 248 - } 249 247 250 248 sum_truesize = inet_frag_rbtree_purge(&qp->q.rb_fragments, 251 249 SKB_DROP_REASON_FRAG_TOO_FAR);