net: rfs: fix crash in get_rps_cpus()

Commit 567e4b79731c ("net: rfs: add hash collision detection") had one mistake : RPS_NO_CPU is no longer the marker for invalid cpu in set_rps_cpu() and get_rps_cpu(), as @next_cpu was the result of an AND with rps_cpu_mask This bug showed up on a host with 72 cpus : next_cpu was 0x7f, and the code was trying to access percpu data of an non existent cpu. In a follow up patch, we might get rid of compares against nr_cpu_ids, if we init the tables with 0. This is silly to test for a very unlikely condition that exists only shortly after table initialization, as we got rid of rps_reset_sock_flow() and similar functions that were writing this RPS_NO_CPU magic value at flow dismantle : When table is old enough, it never contains this value anymore. Fixes: 567e4b79731c ("net: rfs: add hash collision detection") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Tom Herbert <tom@herbertland.com> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2015-04-25 12:35:24 -0400
committer: David S. Miller <davem@davemloft.net> 2015-04-26 16:07:57 -0400
commit: a31196b07f8034eba6a3487a1ad1bb5ec5cd58a5 (patch)
tree: 7f870304863599f718850712a8c02e51359f0897
parent: 7cdbc6f74f8e6c06304b69b4e944fbd669581c7c (diff)
2 files changed, 7 insertions, 7 deletions
diff --git a/Documentation/networking/scaling.txt b/Documentation/networking/scaling.txt
index cbfac0949635..59f4db2a0c85 100644
--- a/Documentation/networking/scaling.txt
+++ b/Documentation/networking/scaling.txt
@@ -282,7 +282,7 @@ following is true:
 - The current CPU's queue head counter >= the recorded tail counter
  value in rps_dev_flow[i]
- The current CPU is unset (equal to RPS_NO_CPU)
+- The current CPU is unset (>= nr_cpu_ids)
 - The current CPU is offline
 After this check, the packet is sent to the (possibly updated) current
diff --git a/net/core/dev.c b/net/core/dev.c
index 1796cef55ab5..c7ba0388f1be 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3079,7 +3079,7 @@ static struct rps_dev_flow *
 set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
            struct rps_dev_flow *rflow, u16 next_cpu)
 {
-        if (next_cpu != RPS_NO_CPU) {
+        if (next_cpu < nr_cpu_ids) {
 #ifdef CONFIG_RFS_ACCEL
                struct netdev_rx_queue *rxqueue;
                struct rps_dev_flow_table *flow_table;
@@ -3184,7 +3184,7 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                 * If the desired CPU (where last recvmsg was done) is
                 * different from current CPU (one in the rx-queue flow
                 * table entry), switch if one of the following holds:
-                 *   - Current CPU is unset (equal to RPS_NO_CPU).
+                 *   - Current CPU is unset (>= nr_cpu_ids).
                 *   - Current CPU is offline.
                 *   - The current CPU's queue tail has advanced beyond the
                 *     last packet that was enqueued using this table entry.
@@ -3192,14 +3192,14 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                 *     have been dequeued, thus preserving in order delivery.
                 */
                if (unlikely(tcpu != next_cpu) &&
-                    (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
+                    (tcpu >= nr_cpu_ids || !cpu_online(tcpu) ||
                     ((int)(per_cpu(softnet_data, tcpu).input_queue_head -
                      rflow->last_qtail)) >= 0)) {
                        tcpu = next_cpu;
                        rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
                }
-                if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
+                if (tcpu < nr_cpu_ids && cpu_online(tcpu)) {
                        *rflowp = rflow;
                        cpu = tcpu;
                        goto done;
@@ -3240,14 +3240,14 @@ bool rps_may_expire_flow(struct net_device *dev, u16 rxq_index,
        struct rps_dev_flow_table *flow_table;
        struct rps_dev_flow *rflow;
        bool expire = true;
-        int cpu;
+        unsigned int cpu;
        rcu_read_lock();
        flow_table = rcu_dereference(rxqueue->rps_flow_table);
        if (flow_table && flow_id <= flow_table->mask) {
                rflow = &flow_table->flows[flow_id];
                cpu = ACCESS_ONCE(rflow->cpu);
-                if (rflow->filter == filter_id && cpu != RPS_NO_CPU &&
+                if (rflow->filter == filter_id && cpu < nr_cpu_ids &&
                    ((int)(per_cpu(softnet_data, cpu).input_queue_head -
                           rflow->last_qtail) <
                     (int)(10 * flow_table->mask)))
author	Eric Dumazet <edumazet@google.com>	2015-04-25 12:35:24 -0400
committer	David S. Miller <davem@davemloft.net>	2015-04-26 16:07:57 -0400
commit	a31196b07f8034eba6a3487a1ad1bb5ec5cd58a5 (patch)
tree	7f870304863599f718850712a8c02e51359f0897
parent	7cdbc6f74f8e6c06304b69b4e944fbd669581c7c (diff)

diff --git a/Documentation/networking/scaling.txt b/Documentation/networking/scaling.txt index cbfac0949635..59f4db2a0c85 100644 --- a/Documentation/networking/scaling.txt +++ b/Documentation/networking/scaling.txt
@@ -282,7 +282,7 @@ following is true:
282		282
283	- The current CPU's queue head counter >= the recorded tail counter	283	- The current CPU's queue head counter >= the recorded tail counter
284	value in rps_dev_flow[i]	284	value in rps_dev_flow[i]
285	- The current CPU is unset (equal to RPS_NO_CPU)	285	- The current CPU is unset (>= nr_cpu_ids)
286	- The current CPU is offline	286	- The current CPU is offline
287		287
288	After this check, the packet is sent to the (possibly updated) current	288	After this check, the packet is sent to the (possibly updated) current


diff --git a/net/core/dev.c b/net/core/dev.c index 1796cef55ab5..c7ba0388f1be 100644 --- a/net/core/dev.c +++ b/net/core/dev.c
@@ -3079,7 +3079,7 @@ static struct rps_dev_flow *
3079	set_rps_cpu(struct net_device dev, struct sk_buff skb,	3079	set_rps_cpu(struct net_device dev, struct sk_buff skb,
3080	struct rps_dev_flow *rflow, u16 next_cpu)	3080	struct rps_dev_flow *rflow, u16 next_cpu)
3081	{	3081	{
3082	if (next_cpu != RPS_NO_CPU) {	3082	if (next_cpu < nr_cpu_ids) {
3083	#ifdef CONFIG_RFS_ACCEL	3083	#ifdef CONFIG_RFS_ACCEL
3084	struct netdev_rx_queue *rxqueue;	3084	struct netdev_rx_queue *rxqueue;
3085	struct rps_dev_flow_table *flow_table;	3085	struct rps_dev_flow_table *flow_table;
@@ -3184,7 +3184,7 @@ static int get_rps_cpu(struct net_device dev, struct sk_buff skb,
3184	* If the desired CPU (where last recvmsg was done) is	3184	* If the desired CPU (where last recvmsg was done) is
3185	* different from current CPU (one in the rx-queue flow	3185	* different from current CPU (one in the rx-queue flow
3186	* table entry), switch if one of the following holds:	3186	* table entry), switch if one of the following holds:
3187	* - Current CPU is unset (equal to RPS_NO_CPU).	3187	* - Current CPU is unset (>= nr_cpu_ids).
3188	* - Current CPU is offline.	3188	* - Current CPU is offline.
3189	* - The current CPU's queue tail has advanced beyond the	3189	* - The current CPU's queue tail has advanced beyond the
3190	* last packet that was enqueued using this table entry.	3190	* last packet that was enqueued using this table entry.
@@ -3192,14 +3192,14 @@ static int get_rps_cpu(struct net_device dev, struct sk_buff skb,
3192	* have been dequeued, thus preserving in order delivery.	3192	* have been dequeued, thus preserving in order delivery.
3193	*/	3193	*/
3194	if (unlikely(tcpu != next_cpu) &&	3194	if (unlikely(tcpu != next_cpu) &&
3195	(tcpu == RPS_NO_CPU \|\| !cpu_online(tcpu) \|\|	3195	(tcpu >= nr_cpu_ids \|\| !cpu_online(tcpu) \|\|
3196	((int)(per_cpu(softnet_data, tcpu).input_queue_head -	3196	((int)(per_cpu(softnet_data, tcpu).input_queue_head -
3197	rflow->last_qtail)) >= 0)) {	3197	rflow->last_qtail)) >= 0)) {
3198	tcpu = next_cpu;	3198	tcpu = next_cpu;
3199	rflow = set_rps_cpu(dev, skb, rflow, next_cpu);	3199	rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
3200	}	3200	}
3201		3201
3202	if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {	3202	if (tcpu < nr_cpu_ids && cpu_online(tcpu)) {
3203	*rflowp = rflow;	3203	*rflowp = rflow;
3204	cpu = tcpu;	3204	cpu = tcpu;
3205	goto done;	3205	goto done;
@@ -3240,14 +3240,14 @@ bool rps_may_expire_flow(struct net_device *dev, u16 rxq_index,
3240	struct rps_dev_flow_table *flow_table;	3240	struct rps_dev_flow_table *flow_table;
3241	struct rps_dev_flow *rflow;	3241	struct rps_dev_flow *rflow;
3242	bool expire = true;	3242	bool expire = true;
3243	int cpu;	3243	unsigned int cpu;
3244		3244
3245	rcu_read_lock();	3245	rcu_read_lock();
3246	flow_table = rcu_dereference(rxqueue->rps_flow_table);	3246	flow_table = rcu_dereference(rxqueue->rps_flow_table);
3247	if (flow_table && flow_id <= flow_table->mask) {	3247	if (flow_table && flow_id <= flow_table->mask) {
3248	rflow = &flow_table->flows[flow_id];	3248	rflow = &flow_table->flows[flow_id];
3249	cpu = ACCESS_ONCE(rflow->cpu);	3249	cpu = ACCESS_ONCE(rflow->cpu);
3250	if (rflow->filter == filter_id && cpu != RPS_NO_CPU &&	3250	if (rflow->filter == filter_id && cpu < nr_cpu_ids &&
3251	((int)(per_cpu(softnet_data, cpu).input_queue_head -	3251	((int)(per_cpu(softnet_data, cpu).input_queue_head -
3252	rflow->last_qtail) <	3252	rflow->last_qtail) <
3253	(int)(10 * flow_table->mask)))	3253	(int)(10 * flow_table->mask)))