[PATCH net] 6lowpan: add missing fragment list spinlock

[PATCH net] 6lowpan: add missing fragment list spinlock

[Alexander Aring]

This patch adds a missing spinlock hold in the timer expire function.
The timer expire function will occur after specific timeout for
fragmented 6lowpan packets which are still in the fragment list.

Signed-off-by: Alexander Aring <alex.aring@gmail.com>
---
Some little note:

Currently I working on patches for net-next to use the inet_frag api
for 6lowpan fragmentation. This api is also used in ipv4 and ipv6.
The upcomming patch series fix also some other in the current 6lowpan
fragmentation handling, I will send them soon.

This patch is for net and fix one of the main race condition in the
current fragmentation api of 6lowpan. Maybe there are some 6lowpan users
which use some older kernels.

 net/ieee802154/6lowpan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/ieee802154/6lowpan.c b/net/ieee802154/6lowpan.c
index 48b25c0..757079d 100644
--- a/net/ieee802154/6lowpan.c
+++ b/net/ieee802154/6lowpan.c
@@ -197,7 +197,9 @@ static void lowpan_fragment_timer_expired(unsigned long entry_addr)
 
 	pr_debug("timer expired for frame with tag %d\n", entry->tag);
 
+	spin_lock_bh(&flist_lock);
 	list_del(&entry->list);
+	spin_unlock_bh(&flist_lock);
 	dev_kfree_skb(entry->skb);
 	kfree(entry);
 }
-- 
1.8.5.3

Re: [PATCH net] 6lowpan: add missing fragment list spinlock

[David Miller]

From: Alexander Aring <alex.aring@gmail.com>
Date: Tue,  4 Feb 2014 11:57:53 +0100

> @@ -197,7 +197,9 @@ static void lowpan_fragment_timer_expired(unsigned long entry_addr)
>  
>  	pr_debug("timer expired for frame with tag %d\n", entry->tag);
>  
> +	spin_lock_bh(&flist_lock);
>  	list_del(&entry->list);
> +	spin_unlock_bh(&flist_lock);
>  	dev_kfree_skb(entry->skb);
>  	kfree(entry);
>  }

This will deadlock, because the other code path holding flist_lock calls
del_timer_sync() to wait for this timer to return.

The synchornization in this code is really a big mess.

Re: [PATCH net] 6lowpan: add missing fragment list spinlock

[Alexander Aring]

Hi David,

thanks for your reply.

On Tue, Feb 04, 2014 at 08:32:03PM -0800, David Miller wrote:
> From: Alexander Aring <alex.aring-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
> Date: Tue,  4 Feb 2014 11:57:53 +0100
> 
> > @@ -197,7 +197,9 @@ static void lowpan_fragment_timer_expired(unsigned long entry_addr)
> >  
> >  	pr_debug("timer expired for frame with tag %d\n", entry->tag);
> >  
> > +	spin_lock_bh(&flist_lock);
> >  	list_del(&entry->list);
> > +	spin_unlock_bh(&flist_lock);
> >  	dev_kfree_skb(entry->skb);
> >  	kfree(entry);
> >  }
> 
> This will deadlock, because the other code path holding flist_lock calls
> del_timer_sync() to wait for this timer to return.
> 
ok. I detected this some months ago and I talked with Werner Almesberger
about that. He talked something about del_timer_sync too and other
issues, but I didn't understand that I open a new deadlock case. Now I
learned something new things, thanks. :-)

> The synchornization in this code is really a big mess.

That is one thing which I also detected so I decide to make a new
implementation based on net/ipv6/reassembly.c which also used the
inet_frag api.

I will bring these patches mainline and I hope it will remove the most
of the race condigition. But then it's only solved in net-next branch.

- Alex

------------------------------------------------------------------------------
Managing the Performance of Cloud-Based Applications
Take advantage of what the Cloud has to offer - Avoid Common Pitfalls.
Read the Whitepaper.
http://pubads.g.doubleclick.net/gampad/clk?id=121051231&iu=/4140/ostg.clktrk