vxlan: Fix GRO cells race condition between receive and link delete
authorStefano Brivio <sbrivio@redhat.com>
Fri, 8 Mar 2019 15:40:57 +0000 (16:40 +0100)
committerDavid S. Miller <davem@davemloft.net>
Fri, 8 Mar 2019 19:27:21 +0000 (11:27 -0800)
If we receive a packet while deleting a VXLAN device, there's a chance
vxlan_rcv() is called at the same time as vxlan_dellink(). This is fine,
except that vxlan_dellink() should never ever touch stuff that's still in
use, such as the GRO cells list.

Otherwise, vxlan_rcv() crashes while queueing packets via
gro_cells_receive().

Move the gro_cells_destroy() to vxlan_uninit(), which runs after the RCU
grace period is elapsed and nothing needs the gro_cells anymore.

This is now done in the same way as commit 8e816df87997 ("geneve: Use GRO
cells infrastructure.") originally implemented for GENEVE.

Reported-by: Jianlin Shi <jishi@redhat.com>
Fixes: 58ce31cca1ff ("vxlan: GRO support at tunnel layer")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Reviewed-by: Sabrina Dubroca <sd@queasysnail.net>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
drivers/net/vxlan.c

index a3c46d78d216bf088545d7550170545c1771ab79..76abd31e8d56f0ae6567d86feaaac9f8a71c2893 100644 (file)
@@ -2767,6 +2767,8 @@ static void vxlan_uninit(struct net_device *dev)
 {
        struct vxlan_dev *vxlan = netdev_priv(dev);
 
+       gro_cells_destroy(&vxlan->gro_cells);
+
        vxlan_fdb_delete_default(vxlan, vxlan->cfg.vni);
 
        free_percpu(dev->tstats);
@@ -3942,7 +3944,6 @@ static void vxlan_dellink(struct net_device *dev, struct list_head *head)
 
        vxlan_flush(vxlan, true);
 
-       gro_cells_destroy(&vxlan->gro_cells);
        list_del(&vxlan->next);
        unregister_netdevice_queue(dev, head);
 }