diff options
| author | David S. Miller <davem@davemloft.net> | 2014-10-10 15:37:36 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2014-10-10 15:37:36 -0400 |
| commit | 35b7a1915aa33da812074744647db0d9262a555c (patch) | |
| tree | 85ca97083049de5acf67f1a1b467b1db209e7cdc | |
| parent | 1fadee0c364572f2b2e098b34001fbaa82ee2e00 (diff) | |
| parent | 4c450583d9d0a8241f0f62b80038ac47b43ff843 (diff) | |
Merge branch 'net-drivers-pgcnt'
Eric Dumazet says:
====================
net: fix races accessing page->_count
This is illegal to use atomic_set(&page->_count, ...) even if we 'own'
the page. Other entities in the kernel need to use get_page_unless_zero()
to get a reference to the page before testing page properties, so we could
loose a refcount increment.
The only case it is valid is when page->_count is 0, we can use this in
__netdev_alloc_frag()
Note that I never seen crashes caused by these races, the issue was reported
by Andres Lagar-Cavilla and Hugh Dickins.
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | drivers/net/ethernet/intel/fm10k/fm10k_main.c | 7 | ||||
| -rw-r--r-- | drivers/net/ethernet/intel/igb/igb_main.c | 7 | ||||
| -rw-r--r-- | drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | 8 | ||||
| -rw-r--r-- | drivers/net/ethernet/mellanox/mlx4/en_rx.c | 6 | ||||
| -rw-r--r-- | net/core/skbuff.c | 25 |
5 files changed, 30 insertions, 23 deletions
diff --git a/drivers/net/ethernet/intel/fm10k/fm10k_main.c b/drivers/net/ethernet/intel/fm10k/fm10k_main.c index 6c800a330d66..9d7118a0d67a 100644 --- a/drivers/net/ethernet/intel/fm10k/fm10k_main.c +++ b/drivers/net/ethernet/intel/fm10k/fm10k_main.c | |||
| @@ -219,11 +219,10 @@ static bool fm10k_can_reuse_rx_page(struct fm10k_rx_buffer *rx_buffer, | |||
| 219 | /* flip page offset to other buffer */ | 219 | /* flip page offset to other buffer */ |
| 220 | rx_buffer->page_offset ^= FM10K_RX_BUFSZ; | 220 | rx_buffer->page_offset ^= FM10K_RX_BUFSZ; |
| 221 | 221 | ||
| 222 | /* since we are the only owner of the page and we need to | 222 | /* Even if we own the page, we are not allowed to use atomic_set() |
| 223 | * increment it, just set the value to 2 in order to avoid | 223 | * This would break get_page_unless_zero() users. |
| 224 | * an unnecessary locked operation | ||
| 225 | */ | 224 | */ |
| 226 | atomic_set(&page->_count, 2); | 225 | atomic_inc(&page->_count); |
| 227 | #else | 226 | #else |
| 228 | /* move offset up to the next cache line */ | 227 | /* move offset up to the next cache line */ |
| 229 | rx_buffer->page_offset += truesize; | 228 | rx_buffer->page_offset += truesize; |
diff --git a/drivers/net/ethernet/intel/igb/igb_main.c b/drivers/net/ethernet/intel/igb/igb_main.c index ae59c0b108c5..a21b14495ebd 100644 --- a/drivers/net/ethernet/intel/igb/igb_main.c +++ b/drivers/net/ethernet/intel/igb/igb_main.c | |||
| @@ -6545,11 +6545,10 @@ static bool igb_can_reuse_rx_page(struct igb_rx_buffer *rx_buffer, | |||
| 6545 | /* flip page offset to other buffer */ | 6545 | /* flip page offset to other buffer */ |
| 6546 | rx_buffer->page_offset ^= IGB_RX_BUFSZ; | 6546 | rx_buffer->page_offset ^= IGB_RX_BUFSZ; |
| 6547 | 6547 | ||
| 6548 | /* since we are the only owner of the page and we need to | 6548 | /* Even if we own the page, we are not allowed to use atomic_set() |
| 6549 | * increment it, just set the value to 2 in order to avoid | 6549 | * This would break get_page_unless_zero() users. |
| 6550 | * an unnecessary locked operation | ||
| 6551 | */ | 6550 | */ |
| 6552 | atomic_set(&page->_count, 2); | 6551 | atomic_inc(&page->_count); |
| 6553 | #else | 6552 | #else |
| 6554 | /* move offset up to the next cache line */ | 6553 | /* move offset up to the next cache line */ |
| 6555 | rx_buffer->page_offset += truesize; | 6554 | rx_buffer->page_offset += truesize; |
diff --git a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c index d677b5a23b58..fec5212d4337 100644 --- a/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c +++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_main.c | |||
| @@ -1865,12 +1865,10 @@ static bool ixgbe_add_rx_frag(struct ixgbe_ring *rx_ring, | |||
| 1865 | /* flip page offset to other buffer */ | 1865 | /* flip page offset to other buffer */ |
| 1866 | rx_buffer->page_offset ^= truesize; | 1866 | rx_buffer->page_offset ^= truesize; |
| 1867 | 1867 | ||
| 1868 | /* | 1868 | /* Even if we own the page, we are not allowed to use atomic_set() |
| 1869 | * since we are the only owner of the page and we need to | 1869 | * This would break get_page_unless_zero() users. |
| 1870 | * increment it, just set the value to 2 in order to avoid | ||
| 1871 | * an unecessary locked operation | ||
| 1872 | */ | 1870 | */ |
| 1873 | atomic_set(&page->_count, 2); | 1871 | atomic_inc(&page->_count); |
| 1874 | #else | 1872 | #else |
| 1875 | /* move offset up to the next cache line */ | 1873 | /* move offset up to the next cache line */ |
| 1876 | rx_buffer->page_offset += truesize; | 1874 | rx_buffer->page_offset += truesize; |
diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c index a33048ee9621..01660c595f5c 100644 --- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c +++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c | |||
| @@ -76,10 +76,10 @@ static int mlx4_alloc_pages(struct mlx4_en_priv *priv, | |||
| 76 | page_alloc->dma = dma; | 76 | page_alloc->dma = dma; |
| 77 | page_alloc->page_offset = frag_info->frag_align; | 77 | page_alloc->page_offset = frag_info->frag_align; |
| 78 | /* Not doing get_page() for each frag is a big win | 78 | /* Not doing get_page() for each frag is a big win |
| 79 | * on asymetric workloads. | 79 | * on asymetric workloads. Note we can not use atomic_set(). |
| 80 | */ | 80 | */ |
| 81 | atomic_set(&page->_count, | 81 | atomic_add(page_alloc->page_size / frag_info->frag_stride - 1, |
| 82 | page_alloc->page_size / frag_info->frag_stride); | 82 | &page->_count); |
| 83 | return 0; | 83 | return 0; |
| 84 | } | 84 | } |
| 85 | 85 | ||
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index a30d750647e7..829d013745ab 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -360,18 +360,29 @@ refill: | |||
| 360 | goto end; | 360 | goto end; |
| 361 | } | 361 | } |
| 362 | nc->frag.size = PAGE_SIZE << order; | 362 | nc->frag.size = PAGE_SIZE << order; |
| 363 | recycle: | 363 | /* Even if we own the page, we do not use atomic_set(). |
| 364 | atomic_set(&nc->frag.page->_count, NETDEV_PAGECNT_MAX_BIAS); | 364 | * This would break get_page_unless_zero() users. |
| 365 | */ | ||
| 366 | atomic_add(NETDEV_PAGECNT_MAX_BIAS - 1, | ||
| 367 | &nc->frag.page->_count); | ||
| 365 | nc->pagecnt_bias = NETDEV_PAGECNT_MAX_BIAS; | 368 | nc->pagecnt_bias = NETDEV_PAGECNT_MAX_BIAS; |
| 366 | nc->frag.offset = 0; | 369 | nc->frag.offset = 0; |
| 367 | } | 370 | } |
| 368 | 371 | ||
| 369 | if (nc->frag.offset + fragsz > nc->frag.size) { | 372 | if (nc->frag.offset + fragsz > nc->frag.size) { |
| 370 | /* avoid unnecessary locked operations if possible */ | 373 | if (atomic_read(&nc->frag.page->_count) != nc->pagecnt_bias) { |
| 371 | if ((atomic_read(&nc->frag.page->_count) == nc->pagecnt_bias) || | 374 | if (!atomic_sub_and_test(nc->pagecnt_bias, |
| 372 | atomic_sub_and_test(nc->pagecnt_bias, &nc->frag.page->_count)) | 375 | &nc->frag.page->_count)) |
| 373 | goto recycle; | 376 | goto refill; |
| 374 | goto refill; | 377 | /* OK, page count is 0, we can safely set it */ |
| 378 | atomic_set(&nc->frag.page->_count, | ||
| 379 | NETDEV_PAGECNT_MAX_BIAS); | ||
| 380 | } else { | ||
| 381 | atomic_add(NETDEV_PAGECNT_MAX_BIAS - nc->pagecnt_bias, | ||
| 382 | &nc->frag.page->_count); | ||
| 383 | } | ||
| 384 | nc->pagecnt_bias = NETDEV_PAGECNT_MAX_BIAS; | ||
| 385 | nc->frag.offset = 0; | ||
| 375 | } | 386 | } |
| 376 | 387 | ||
| 377 | data = page_address(nc->frag.page) + nc->frag.offset; | 388 | data = page_address(nc->frag.page) + nc->frag.offset; |