于 2012年06月05日 16:57, Eric Dumazet 写道:
> On Tue, 2012-06-05 at 15:52 +0800, Gao feng wrote:
>
>> +static void __net_exit inetpeer_net_exit(struct net *net)
>> +{
>> + inetpeer_invalidate_tree(net, AF_INET);
>> + kfree(net->ipv4.peers);
>> +
>> + inetpeer_invalidate_tree(net, AF_INET6);
>> + kfree(net->ipv6.peers);
>> +}
>> +
>
> Are we 1000% sure no code ever run in inetpeer land after this call ?
I am not sure,I need more time to research it.
I just do kfree peers here without set NULL pointer is
beacuse there is the same code with fib6_main_tbl in fib6_net_exit
and it seems work well.
Anyway, I will research it.
>
> I would add
> net->ipv4.peers = NULL;
> net->ipv6.peers = NULL;
>
> to catch NULL deref instead of strange errors, just in case.
>
> By the way, I think we have a bug in inetpeer_gc_worker()
>
> Steffen ?
>
> We have no rcu grace period to make sure the following is safe :
>
> if (!atomic_read(&p->refcnt)) {
> list_del(&p->gc_list);
> kmem_cache_free(peer_cachep, p);
> }
>
> I'll post a fix like :
>
> diff --git a/net/ipv4/inetpeer.c b/net/ipv4/inetpeer.c
> index d4d61b6..07731b5 100644
> --- a/net/ipv4/inetpeer.c
> +++ b/net/ipv4/inetpeer.c
> @@ -137,7 +137,7 @@ static void inetpeer_gc_worker(struct work_struct *work)
>
> n = list_entry(p->gc_list.next, struct inet_peer, gc_list);
>
> - if (!atomic_read(&p->refcnt)) {
> + if (atomic_cmpxchg(&p->refcnt, 0, -1) == 0) {
> list_del(&p->gc_list);
> kmem_cache_free(peer_cachep, p);
> }
>
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html
>
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
