From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Kirill Tkhai, "David S. Miller"
Subject: [PATCH 4.15 25/47] net: Fix hlist corruptions in inet_evict_bucket()
Date: Thu, 29 Mar 2018 20:00:06 +0200
Message-Id: <20180329175731.120226973@linuxfoundation.org>
In-Reply-To: <20180329175729.225211114@linuxfoundation.org>

4.15-stable review patch. If anyone has any objections, please let me know.

------------------

From: Kirill Tkhai

[ Upstream commit a560002437d3646dafccecb1bf32d1685112ddda ]

inet_evict_bucket() iterates global list, and several tasks may call it in parallel. All of them hash the same fq->list_evictor to different lists, which leads to list corruption.

This patch makes fq be hashed to expired list only if this has not been made yet by another task. Since inet_frag_alloc() allocates fq using kmem_cache_zalloc(), we may rely on list_evictor being initially unhashed.

The problem seems to exist before async pernet_operations, as it was possible to have exit method to be executed in parallel with inet_frags::frags_work, so I add two Fixes tags. This also may go to stable.

Fixes: d1fe19444d82 "inet: frag: don't re-use chainlist for evictor"
Fixes: f84c6821aa54 "net: Convert pernet_subsys, registered from inet_init()"
Signed-off-by: Kirill Tkhai
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman
---
 net/ipv4/inet_fragment.c | 3 +++
 1 file changed, 3 insertions(+)

--- a/net/ipv4/inet_fragment.c +++ b/net/ipv4/inet_fragment.c @@ -119,6 +119,9 @@ out: static bool inet_fragq_should_evict(const struct inet_frag_queue *q) { + if (!hlist_unhashed(&q->list_evictor)) + return false; + return q->net->low_thresh == 0 || frag_mem_limit(q->net) >= q->net->low_thresh; }
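
Review bot: the new early return at the top of inet_fragq_should_evict() carries no comment, and its correctness rests on two things the hunk does not show. First, the `hlist_unhashed(&q->list_evictor)` test only prevents the double hashing described in the commit message if it runs under the same lock as the later add to the expired list in inet_evict_bucket(); otherwise two tasks can both see the node unhashed and both add it. Second, the test depends on list_evictor starting out zeroed, which the commit message attributes to kmem_cache_zalloc() in inet_frag_alloc(). Please add a short comment above the check stating that a hashed list_evictor means another evictor has already claimed this queue, and naming the lock that serializes the check with the hashing, so a later change to the allocation or the locking does not silently reintroduce the corruption.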