net: rfs: fix crash in get_rps_cpus()

Commit 567e4b79731c ("net: rfs: add hash collision detection") had one mistake : RPS_NO_CPU is no longer the marker for invalid cpu in set_rps_cpu() and get_rps_cpu(), as @next_cpu was the result of an AND with rps_cpu_mask This bug showed up on a host with 72 cpus : next_cpu was 0x7f, and the code was trying to access percpu data of an non existent cpu. In a follow up patch, we might get rid of compares against nr_cpu_ids, if we init the tables with 0. This is silly to test for a very unlikely condition that exists only shortly after table initialization, as we got rid of rps_reset_sock_flow() and similar functions that were writing this RPS_NO_CPU magic value at flow dismantle : When table is old enough, it never contains this value anymore. Fixes: 567e4b79731c ("net: rfs: add hash collision detection") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Tom Herbert <tom@herbertland.com> Cc: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Eric Dumazet <edumazet@google.com> 2015-04-25 12:35:24 -0400
committer: David S. Miller <davem@davemloft.net> 2015-04-26 16:07:57 -0400
commit: a31196b07f8034eba6a3487a1ad1bb5ec5cd58a5 (patch)
tree: 7f870304863599f718850712a8c02e51359f0897 /net/core/dev.c
parent: 7cdbc6f74f8e6c06304b69b4e944fbd669581c7c (diff)
1 files changed, 6 insertions, 6 deletions
diff --git a/net/core/dev.c b/net/core/dev.c
index 1796cef55ab5..c7ba0388f1be 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3079,7 +3079,7 @@ static struct rps_dev_flow *
 set_rps_cpu(struct net_device *dev, struct sk_buff *skb,
            struct rps_dev_flow *rflow, u16 next_cpu)
 {
-        if (next_cpu != RPS_NO_CPU) {
+        if (next_cpu < nr_cpu_ids) {
 #ifdef CONFIG_RFS_ACCEL
                struct netdev_rx_queue *rxqueue;
                struct rps_dev_flow_table *flow_table;
@@ -3184,7 +3184,7 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                 * If the desired CPU (where last recvmsg was done) is
                 * different from current CPU (one in the rx-queue flow
                 * table entry), switch if one of the following holds:
-                 *   - Current CPU is unset (equal to RPS_NO_CPU).
+                 *   - Current CPU is unset (>= nr_cpu_ids).
                 *   - Current CPU is offline.
                 *   - The current CPU's queue tail has advanced beyond the
                 *     last packet that was enqueued using this table entry.
@@ -3192,14 +3192,14 @@ static int get_rps_cpu(struct net_device *dev, struct sk_buff *skb,
                 *     have been dequeued, thus preserving in order delivery.
                 */
                if (unlikely(tcpu != next_cpu) &&
-                    (tcpu == RPS_NO_CPU || !cpu_online(tcpu) ||
+                    (tcpu >= nr_cpu_ids || !cpu_online(tcpu) ||
                     ((int)(per_cpu(softnet_data, tcpu).input_queue_head -
                      rflow->last_qtail)) >= 0)) {
                        tcpu = next_cpu;
                        rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
                }
-                if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {
+                if (tcpu < nr_cpu_ids && cpu_online(tcpu)) {
                        *rflowp = rflow;
                        cpu = tcpu;
                        goto done;
@@ -3240,14 +3240,14 @@ bool rps_may_expire_flow(struct net_device *dev, u16 rxq_index,
        struct rps_dev_flow_table *flow_table;
        struct rps_dev_flow *rflow;
        bool expire = true;
-        int cpu;
+        unsigned int cpu;
        rcu_read_lock();
        flow_table = rcu_dereference(rxqueue->rps_flow_table);
        if (flow_table && flow_id <= flow_table->mask) {
                rflow = &flow_table->flows[flow_id];
                cpu = ACCESS_ONCE(rflow->cpu);
-                if (rflow->filter == filter_id && cpu != RPS_NO_CPU &&
+                if (rflow->filter == filter_id && cpu < nr_cpu_ids &&
                    ((int)(per_cpu(softnet_data, cpu).input_queue_head -
                           rflow->last_qtail) <
                     (int)(10 * flow_table->mask)))
author	Eric Dumazet <edumazet@google.com>	2015-04-25 12:35:24 -0400
committer	David S. Miller <davem@davemloft.net>	2015-04-26 16:07:57 -0400
commit	a31196b07f8034eba6a3487a1ad1bb5ec5cd58a5 (patch)
tree	7f870304863599f718850712a8c02e51359f0897 /net/core/dev.c
parent	7cdbc6f74f8e6c06304b69b4e944fbd669581c7c (diff)

diff --git a/net/core/dev.c b/net/core/dev.c index 1796cef55ab5..c7ba0388f1be 100644 --- a/net/core/dev.c +++ b/net/core/dev.c
@@ -3079,7 +3079,7 @@ static struct rps_dev_flow *
3079	set_rps_cpu(struct net_device dev, struct sk_buff skb,	3079	set_rps_cpu(struct net_device dev, struct sk_buff skb,
3080	struct rps_dev_flow *rflow, u16 next_cpu)	3080	struct rps_dev_flow *rflow, u16 next_cpu)
3081	{	3081	{
3082	if (next_cpu != RPS_NO_CPU) {	3082	if (next_cpu < nr_cpu_ids) {
3083	#ifdef CONFIG_RFS_ACCEL	3083	#ifdef CONFIG_RFS_ACCEL
3084	struct netdev_rx_queue *rxqueue;	3084	struct netdev_rx_queue *rxqueue;
3085	struct rps_dev_flow_table *flow_table;	3085	struct rps_dev_flow_table *flow_table;
@@ -3184,7 +3184,7 @@ static int get_rps_cpu(struct net_device dev, struct sk_buff skb,
3184	* If the desired CPU (where last recvmsg was done) is	3184	* If the desired CPU (where last recvmsg was done) is
3185	* different from current CPU (one in the rx-queue flow	3185	* different from current CPU (one in the rx-queue flow
3186	* table entry), switch if one of the following holds:	3186	* table entry), switch if one of the following holds:
3187	* - Current CPU is unset (equal to RPS_NO_CPU).	3187	* - Current CPU is unset (>= nr_cpu_ids).
3188	* - Current CPU is offline.	3188	* - Current CPU is offline.
3189	* - The current CPU's queue tail has advanced beyond the	3189	* - The current CPU's queue tail has advanced beyond the
3190	* last packet that was enqueued using this table entry.	3190	* last packet that was enqueued using this table entry.
@@ -3192,14 +3192,14 @@ static int get_rps_cpu(struct net_device dev, struct sk_buff skb,
3192	* have been dequeued, thus preserving in order delivery.	3192	* have been dequeued, thus preserving in order delivery.
3193	*/	3193	*/
3194	if (unlikely(tcpu != next_cpu) &&	3194	if (unlikely(tcpu != next_cpu) &&
3195	(tcpu == RPS_NO_CPU \|\| !cpu_online(tcpu) \|\|	3195	(tcpu >= nr_cpu_ids \|\| !cpu_online(tcpu) \|\|
3196	((int)(per_cpu(softnet_data, tcpu).input_queue_head -	3196	((int)(per_cpu(softnet_data, tcpu).input_queue_head -
3197	rflow->last_qtail)) >= 0)) {	3197	rflow->last_qtail)) >= 0)) {
3198	tcpu = next_cpu;	3198	tcpu = next_cpu;
3199	rflow = set_rps_cpu(dev, skb, rflow, next_cpu);	3199	rflow = set_rps_cpu(dev, skb, rflow, next_cpu);
3200	}	3200	}
3201		3201
3202	if (tcpu != RPS_NO_CPU && cpu_online(tcpu)) {	3202	if (tcpu < nr_cpu_ids && cpu_online(tcpu)) {
3203	*rflowp = rflow;	3203	*rflowp = rflow;
3204	cpu = tcpu;	3204	cpu = tcpu;
3205	goto done;	3205	goto done;
@@ -3240,14 +3240,14 @@ bool rps_may_expire_flow(struct net_device *dev, u16 rxq_index,
3240	struct rps_dev_flow_table *flow_table;	3240	struct rps_dev_flow_table *flow_table;
3241	struct rps_dev_flow *rflow;	3241	struct rps_dev_flow *rflow;
3242	bool expire = true;	3242	bool expire = true;
3243	int cpu;	3243	unsigned int cpu;
3244		3244
3245	rcu_read_lock();	3245	rcu_read_lock();
3246	flow_table = rcu_dereference(rxqueue->rps_flow_table);	3246	flow_table = rcu_dereference(rxqueue->rps_flow_table);
3247	if (flow_table && flow_id <= flow_table->mask) {	3247	if (flow_table && flow_id <= flow_table->mask) {
3248	rflow = &flow_table->flows[flow_id];	3248	rflow = &flow_table->flows[flow_id];
3249	cpu = ACCESS_ONCE(rflow->cpu);	3249	cpu = ACCESS_ONCE(rflow->cpu);
3250	if (rflow->filter == filter_id && cpu != RPS_NO_CPU &&	3250	if (rflow->filter == filter_id && cpu < nr_cpu_ids &&
3251	((int)(per_cpu(softnet_data, cpu).input_queue_head -	3251	((int)(per_cpu(softnet_data, cpu).input_queue_head -
3252	rflow->last_qtail) <	3252	rflow->last_qtail) <
3253	(int)(10 * flow_table->mask)))	3253	(int)(10 * flow_table->mask)))