diff options
| author | Michal Kubeček <mkubecek@suse.cz> | 2017-06-29 05:13:36 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2017-06-29 15:54:13 -0400 |
| commit | e44699d2c28067f69698ccb68dd3ddeacfebc434 (patch) | |
| tree | 100559d942c9c465ed1362127051c89b16bcdfa6 | |
| parent | 6bdf6abc56b53103324dfd270a86580306e1a232 (diff) | |
net: handle NAPI_GRO_FREE_STOLEN_HEAD case also in napi_frags_finish()
Recently I started seeing warnings about pages with refcount -1. The
problem was traced to packets being reused after their head was merged into
a GRO packet by skb_gro_receive(). While bisecting the issue pointed to
commit c21b48cc1bbf ("net: adjust skb->truesize in ___pskb_trim()") and
I have never seen it on a kernel with it reverted, I believe the real
problem appeared earlier when the option to merge head frag in GRO was
implemented.
Handling NAPI_GRO_FREE_STOLEN_HEAD state was only added to GRO_MERGED_FREE
branch of napi_skb_finish() so that if the driver uses napi_gro_frags()
and head is merged (which in my case happens after the skb_condense()
call added by the commit mentioned above), the skb is reused including the
head that has been merged. As a result, we release the page reference
twice and eventually end up with negative page refcount.
To fix the problem, handle NAPI_GRO_FREE_STOLEN_HEAD in napi_frags_finish()
the same way it's done in napi_skb_finish().
Fixes: d7e8883cfcf4 ("net: make GRO aware of skb->head_frag")
Signed-off-by: Michal Kubecek <mkubecek@suse.cz>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/core/dev.c | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/net/core/dev.c b/net/core/dev.c index 91bb55070533..416137c64bf8 100644 --- a/net/core/dev.c +++ b/net/core/dev.c | |||
| @@ -4767,6 +4767,13 @@ struct packet_offload *gro_find_complete_by_type(__be16 type) | |||
| 4767 | } | 4767 | } |
| 4768 | EXPORT_SYMBOL(gro_find_complete_by_type); | 4768 | EXPORT_SYMBOL(gro_find_complete_by_type); |
| 4769 | 4769 | ||
| 4770 | static void napi_skb_free_stolen_head(struct sk_buff *skb) | ||
| 4771 | { | ||
| 4772 | skb_dst_drop(skb); | ||
| 4773 | secpath_reset(skb); | ||
| 4774 | kmem_cache_free(skbuff_head_cache, skb); | ||
| 4775 | } | ||
| 4776 | |||
| 4770 | static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb) | 4777 | static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb) |
| 4771 | { | 4778 | { |
| 4772 | switch (ret) { | 4779 | switch (ret) { |
| @@ -4780,13 +4787,10 @@ static gro_result_t napi_skb_finish(gro_result_t ret, struct sk_buff *skb) | |||
| 4780 | break; | 4787 | break; |
| 4781 | 4788 | ||
| 4782 | case GRO_MERGED_FREE: | 4789 | case GRO_MERGED_FREE: |
| 4783 | if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD) { | 4790 | if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD) |
| 4784 | skb_dst_drop(skb); | 4791 | napi_skb_free_stolen_head(skb); |
| 4785 | secpath_reset(skb); | 4792 | else |
| 4786 | kmem_cache_free(skbuff_head_cache, skb); | ||
| 4787 | } else { | ||
| 4788 | __kfree_skb(skb); | 4793 | __kfree_skb(skb); |
| 4789 | } | ||
| 4790 | break; | 4794 | break; |
| 4791 | 4795 | ||
| 4792 | case GRO_HELD: | 4796 | case GRO_HELD: |
| @@ -4858,10 +4862,16 @@ static gro_result_t napi_frags_finish(struct napi_struct *napi, | |||
| 4858 | break; | 4862 | break; |
| 4859 | 4863 | ||
| 4860 | case GRO_DROP: | 4864 | case GRO_DROP: |
| 4861 | case GRO_MERGED_FREE: | ||
| 4862 | napi_reuse_skb(napi, skb); | 4865 | napi_reuse_skb(napi, skb); |
| 4863 | break; | 4866 | break; |
| 4864 | 4867 | ||
| 4868 | case GRO_MERGED_FREE: | ||
| 4869 | if (NAPI_GRO_CB(skb)->free == NAPI_GRO_FREE_STOLEN_HEAD) | ||
| 4870 | napi_skb_free_stolen_head(skb); | ||
| 4871 | else | ||
| 4872 | napi_reuse_skb(napi, skb); | ||
| 4873 | break; | ||
| 4874 | |||
| 4865 | case GRO_MERGED: | 4875 | case GRO_MERGED: |
| 4866 | case GRO_CONSUMED: | 4876 | case GRO_CONSUMED: |
| 4867 | break; | 4877 | break; |