@@ -1292,24 +1292,27 @@ static int netlink_release(struct socket *sock)
static int netlink_autobind(struct socket *sock)
{
struct sock *sk = sock->sk;
+ struct sock *sk2;
struct net *net = sock_net(sk);
struct netlink_table *table = &nl_table[sk->sk_protocol];
s32 portid = task_tgid_vnr(current);
int err;
- static s32 rover = -4097;
+ static atomic_t rover = ATOMIC_INIT(-4096);
retry:
cond_resched();
rcu_read_lock();
- if (__netlink_lookup(table, portid, net)) {
+ sk2 = __netlink_lookup(table, portid, net);
+ rcu_read_unlock();
+ if (sk2) {
/* Bind collision, search negative portid values. */
- portid = rover--;
- if (rover > -4097)
- rover = -4097;
- rcu_read_unlock();
+ portid = atomic_dec_return(&rover);
+ if (unlikely(portid > -4097)) {
+ atomic_set(&rover, -4097);
+ portid = -4097;
+ }
goto retry;
}
- rcu_read_unlock();
err = netlink_insert(sk, portid);
if (err == -EADDRINUSE)
The commit 21e4902aea80ef35afc00ee8d2abdea4f519b7f7 ("netlink: Lockless lookup with RCU grace period in socket release") removed the locks around the autobind rover without making the rover itself safe for use by multiple threads. This patch converts rover to an atomic_t to make it at least somewhat safe to use locklessly. The tricky bit is when the rover wraps around. This patch simply deals with it by blindly doing an atomic_set. So if many threads encounter the wraparound simultaneously then they'll all step on each other's toes and all try to bind to -4097. But this should eventually sort itself out as they loop around and try the atomic_dec_return after the last thread does an atomic_set. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>