From: Daniel Drake <dsd@gentoo.org>
To: netdev@vger.kernel.org
Cc: David Brownell <david-b@pacbell.net>
Subject: netif_tx_disable vs netif_stop_queue (possible races?)
Date: Fri, 09 Jun 2006 00:14:05 +0100 [thread overview]
Message-ID: <4488AF3D.2040601@gentoo.org> (raw)
Hi,
In order to avoid disconnect races in ZD1211, I'm trying to convince
myself that other USB network drivers are race-free (and why).
I brought up a possible issue in usbnet with David Brownell, but it
appears neither of us are 100% clear on the details, so it would be good
to get some extra clarification.
USB devices can be yanked out by the user at *any* time, and typically
free_netdev is called in the disconnect handler, which frees all
device-specific structures.
The issue I brought up is that code using these structures may be
running concurrently on another CPU when the disconnect handler is
invoked, resulting in access to freed data.
More specifically, we're talking about drivers/usb/net/usbnet.c and the
usbnet_disconnect() function. The race I am highlighting is that
usbnet's hard_start_xmit handler (usbnet_start_xmit) may be running when
the disconnect happens.
Is this a possible scenario?
My thoughts on avoiding this are to ensure that the TX queue is stopped
and all current transmissions in usbnet_stop (the netdev->stop hook). I
understand that the stop function is called during disconnect, because
usbnet_disconnect() calls unregister_netdev(). The stop function already
has a call to netif_stop_queue but (based on my knowledge from LDD3)
this is not enough.
My understanding is that netif_stop_queue() should be used only inside a
hard_start_xmit function, when it wants to make sure that no more
transmissions are started until the queue is reopened.
I suggested that we use netif_tx_disable here, which is effectively the
same but because it takes the lock, it guarantees that no
hard_start_xmit transmissions are running on any CPU when it returns.
David pointed out that netif_tx_disable is rarely used, and a large
number of drivers call netif_stop_queue in their stop function, so if
what I suggest is true, there may be many such potential races
elsewhere. Am I missing something simple?
Thanks,
Daniel
next reply other threads:[~2006-06-08 23:13 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-06-08 23:14 Daniel Drake [this message]
2006-06-09 4:41 ` netif_tx_disable vs netif_stop_queue (possible races?) Herbert Xu
2006-06-09 15:29 ` Daniel Drake
2006-06-09 23:35 ` Herbert Xu
2006-06-10 12:42 ` Daniel Drake
2006-06-10 12:59 ` Evgeniy Polyakov
2006-06-10 16:40 ` Daniel Drake
2006-06-10 17:15 ` Evgeniy Polyakov
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4488AF3D.2040601@gentoo.org \
--to=dsd@gentoo.org \
--cc=david-b@pacbell.net \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).