packet: free packet_rollover after synchronize_net

Destruction of the po->rollover must be delayed until there are no
more packets in flight that can access it. The field is destroyed in
packet_release, before synchronize_net. Delay using rcu.

Fixes: 0648ab70afe6 ("packet: rollover prepare: per-socket state")
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Acked-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index fd5164139bf08358ba649505fb72c33b1f9411d7..20e8c40da90d6454d5a0d326337dc7d5c849dfc2 100644 (file)
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1634,7 +1634,8 @@ static void fanout_release(struct sock *sk)
        }
        mutex_unlock(&fanout_mutex);
 
-       kfree(po->rollover);
+       if (po->rollover)
+               kfree_rcu(po->rollover, rcu);
 }
 
 static const struct proto_ops packet_ops;

diff --git a/net/packet/internal.h b/net/packet/internal.h
index c035d263c1e8d119267633971920106b3bf627f3..e20b3e8829b8acac25b74d7bbc23636b089d1ff4 100644 (file)
--- a/net/packet/internal.h
+++ b/net/packet/internal.h
@@ -89,6 +89,7 @@ struct packet_fanout {
 
 struct packet_rollover {
        int                     sock;
+       struct rcu_head         rcu;
        atomic_long_t           num;
        atomic_long_t           num_huge;
        atomic_long_t           num_failed;