Received: by 10.213.65.68 with SMTP id h4csp1810760imn;
        Thu, 29 Mar 2018 11:27:49 -0700 (PDT)
X-Google-Smtp-Source: AIpwx4/H27h0thegq7wRBynbfqbW+OupYCy1PgT17kb1EXoU6PC+HLbM8L3abr4er+pjSRuR4juo
X-Received: by 10.98.52.133 with SMTP id b127mr7309196pfa.17.1522348069463;
        Thu, 29 Mar 2018 11:27:49 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1522348069; cv=none;
        d=google.com; s=arc-20160816;
        b=TwDsfeoAuzcEX/gkyLTcr0pnaoyu1uKG02KXsPhtoLdO7kNl1UbB5dyXMWG3iRB3So
         3BQYi0w0PJZydilV5Ym5NyZgVvLQjmUNNLO1g5cDBIoTuDcpNh/gS20ZcWr5o7xSE5vY
         MByPHpYgToUGrc89xc1EXogh8Xz4V3rK7bWJmBgVR7tw6rVTktSrSEt1aNqpE0dkZRcA
         U9mnQhac93sUse/Wf8JoZRIBNnpbs+MhYB/QPuL+f3qU0IoYx/enXuWKfxBzpN4Z+/Fl
         yHlmel8W9wvuuR2TsJVNXDlgtsRmb/h/NkXbVSltDFY0z8+QfMbcP2ZhC+PYlrGFJy0C
         LmZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:mime-version:user-agent:references
         :in-reply-to:message-id:date:subject:cc:to:from
         :arc-authentication-results;
        bh=IG8HK9JD9vw/X1orCcOh3EbuP5rqPsRdWLyAfeFNHd4=;
        b=AB+ce6TmuJ5uH9htuqV9sbzdFWjVTa0szCiR9fTjWKC9j4mL4Ksv9fkHBmoN07VhrC
         UB5R4iDYeJx2FipwHTV79SNjhD2AQRVXG+M+gtgPI2ZdbV9iHn672FCHq0f0IkBZk9w5
         UusmRF4QLxGy0jC2jC4BXd5BpovRImjZpJunYYQsALQPepCcnauwrKwozDzYffufHx4E
         6NH3e71jlmj+AESw2q6Jb4WtmHFNVIDlZtIH9jBQYkqovOG9sQHDTlbdl+S1NQhuGCRs
         A4UpU7dSVbSZa2WtHY4IGZPGKZndUa5I7RmhbNeHiUQnvhizuTdTnGaNv0+9dFMtAd9c
         5lyw==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id t16-v6si6113434plo.358.2018.03.29.11.27.35;
        Thu, 29 Mar 2018 11:27:49 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1753456AbeC2S0S (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Thu, 29 Mar 2018 14:26:18 -0400
Received: from mail.linuxfoundation.org ([140.211.169.12]:59004 "EHLO
        mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1752762AbeC2SFE (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Thu, 29 Mar 2018 14:05:04 -0400
Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202])
        by mail.linuxfoundation.org (Postfix) with ESMTPSA id 90A1FCAA;
        Thu, 29 Mar 2018 18:05:03 +0000 (UTC)
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Kirill Tkhai <ktkhai@virtuozzo.com>,
        "David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.14 21/43] net: Fix hlist corruptions in inet_evict_bucket()
Date:   Thu, 29 Mar 2018 20:00:16 +0200
Message-Id: <20180329175732.339446788@linuxfoundation.org>
X-Mailer: git-send-email 2.16.3
In-Reply-To: <20180329175730.190353692@linuxfoundation.org>
References: <20180329175730.190353692@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Kirill Tkhai <ktkhai@virtuozzo.com>


[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ]

inet_evict_bucket() iterates global list, and
several tasks may call it in parallel. All of
them hash the same fq->list_evictor to different
lists, which leads to list corruption.

This patch makes fq be hashed to expired list
only if this has not been made yet by another
task. Since inet_frag_alloc() allocates fq
using kmem_cache_zalloc(), we may rely on
list_evictor is initially unhashed.

The problem seems to exist before async
pernet_operations, as there was possible to have
exit method to be executed in parallel with
inet_frags::frags_work, so I add two Fixes tags.
This also may go to stable.

Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/inet_fragment.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/net/ipv4/inet_fragment.c
+++ b/net/ipv4/inet_fragment.c
@@ -119,6 +119,9 @@ out:
 
 static bool inet_fragq_should_evict(const struct inet_frag_queue *q)
 {
+	if (!hlist_unhashed(&q->list_evictor))
+		return false;
+
 	return q->net->low_thresh == 0 ||
 	       frag_mem_limit(q->net) >= q->net->low_thresh;
 }