net: ipv4: fix RCU races on dst refcounts
commit c6cffba4ff (ipv4: Fix input route performance regression.)
added various fatal races with dst refcounts.
crashes happen on tcp workloads if routes are added/deleted at the same
time.
The dst_free() calls from free_fib_info_rcu() are clearly racy.
We need instead regular dst refcounting (dst_release()) and make
sure dst_release() is aware of RCU grace periods :
Add DST_RCU_FREE flag so that dst_release() respects an RCU grace period
before dst destruction for cached dst
Introduce a new inet_sk_rx_dst_set() helper, using atomic_inc_not_zero()
to make sure we dont increase a zero refcount (On a dst currently
waiting an rcu grace period before destruction)
rt_cache_route() must take a reference on the new cached route, and
release it if was not able to install it.
With this patch, my machines survive various benchmarks.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Eric Dumazet
David S. Miller
parent
cca32e4bf9
commit
404e0a8b6a
9 changed files with 55 additions and 35 deletions
|
|
@ -258,6 +258,15 @@ again:
|
|||
}
|
||||
EXPORT_SYMBOL(dst_destroy);
|
||||
|
||||
static void dst_rcu_destroy(struct rcu_head *head)
|
||||
{
|
||||
struct dst_entry *dst = container_of(head, struct dst_entry, rcu_head);
|
||||
|
||||
dst = dst_destroy(dst);
|
||||
if (dst)
|
||||
__dst_free(dst);
|
||||
}
|
||||
|
||||
void dst_release(struct dst_entry *dst)
|
||||
{
|
||||
if (dst) {
|
||||
|
|
@ -265,10 +274,14 @@ void dst_release(struct dst_entry *dst)
|
|||
|
||||
newrefcnt = atomic_dec_return(&dst->__refcnt);
|
||||
WARN_ON(newrefcnt < 0);
|
||||
if (unlikely(dst->flags & DST_NOCACHE) && !newrefcnt) {
|
||||
dst = dst_destroy(dst);
|
||||
if (dst)
|
||||
__dst_free(dst);
|
||||
if (unlikely(dst->flags & (DST_NOCACHE | DST_RCU_FREE)) && !newrefcnt) {
|
||||
if (dst->flags & DST_RCU_FREE) {
|
||||
call_rcu_bh(&dst->rcu_head, dst_rcu_destroy);
|
||||
} else {
|
||||
dst = dst_destroy(dst);
|
||||
if (dst)
|
||||
__dst_free(dst);
|
||||
}
|
||||
}
|
||||
}
|
||||
}
|
||||
|
|
@ -320,11 +333,14 @@ EXPORT_SYMBOL(__dst_destroy_metrics_generic);
|
|||
*/
|
||||
void skb_dst_set_noref(struct sk_buff *skb, struct dst_entry *dst)
|
||||
{
|
||||
bool hold;
|
||||
|
||||
WARN_ON(!rcu_read_lock_held() && !rcu_read_lock_bh_held());
|
||||
/* If dst not in cache, we must take a reference, because
|
||||
* dst_release() will destroy dst as soon as its refcount becomes zero
|
||||
*/
|
||||
if (unlikely(dst->flags & DST_NOCACHE)) {
|
||||
hold = (dst->flags & (DST_NOCACHE | DST_RCU_FREE)) == DST_NOCACHE;
|
||||
if (unlikely(hold)) {
|
||||
dst_hold(dst);
|
||||
skb_dst_set(skb, dst);
|
||||
} else {
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue