From mboxrd@z Thu Jan 1 00:00:00 1970
From: Jason Wang
Subject: Re: [PATCH net v2] tuntap: Fix for a race in accessing numqueues
Date: Tue, 21 Jan 2014 10:41:07 +0800
Message-ID: <52DDDE43.7060009@redhat.com>
References: <1390255158-9058-1-git-send-email-dominic.curran@citrix.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: Maxim Krasnyansky
To: Dominic Curran , netdev@vger.kernel.org
Return-path:
Received: from mx1.redhat.com ([209.132.183.28]:30286 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751859AbaAUCld (ORCPT ); Mon, 20 Jan 2014 21:41:33 -0500
In-Reply-To: <1390255158-9058-1-git-send-email-dominic.curran@citrix.com>
Sender: netdev-owner@vger.kernel.org
List-ID:

On 01/21/2014 05:59 AM, Dominic Curran wrote:
> A patch for fixing a race between queue selection and changing queues
> was introduced in commit 92bb73ea2("tuntap: fix a possible race between
> queue selection and changing queues").
>
> The fix was to prevent the driver from re-reading the tun->numqueues
> more than once within tun_select_queue() using ACCESS_ONCE().
>
> We have been experiencing 'Divide-by-zero' errors in tun_net_xmit()
> since we moved from 3.6 to 3.10, and believe that they come from a
> similar source where the value of tun->numqueues changes to zero
> between the first and a subsequent read of tun->numqueues.
>
> The fix is a similar use of ACCESS_ONCE(), as well as a multiply
> instead of a divide in the if statement.
> > Signed-off-by: Dominic Curran > Cc: Jason Wang > Cc: Maxim Krasnyansky > --- > V2: Use multiply instead of divide. Suggested by Eric Dumazet. > Fixed email address for maxk. Rebase against net tree. > --- > drivers/net/tun.c | 8 +++++--- > 1 file changed, 5 insertions(+), 3 deletions(-) > > Index: net/drivers/net/tun.c > =================================================================== > --- net.orig/drivers/net/tun.c 2014-01-20 20:22:06.000000000 +0000 > +++ net/drivers/net/tun.c 2014-01-20 20:54:54.000000000 +0000 > @@ -721,12 +721,14 @@ static netdev_tx_t tun_net_xmit(struct s > struct tun_struct *tun = netdev_priv(dev); > int txq = skb->queue_mapping; > struct tun_file *tfile; > + u32 numqueues = 0; > > rcu_read_lock(); > tfile = rcu_dereference(tun->tfiles[txq]); > + numqueues = ACCESS_ONCE(tun->numqueues); > > /* Drop packet if interface is not attached */ > - if (txq >= tun->numqueues) > + if (txq >= numqueues) > goto drop; > > tun_debug(KERN_INFO, tun, "tun_net_xmit %d\n", skb->len); > @@ -746,8 +748,8 @@ static netdev_tx_t tun_net_xmit(struct s > /* Limit the number of packets queued by dividing txq length with the > * number of queues. > */ > - if (skb_queue_len(&tfile->socket.sk->sk_receive_queue) > - >= dev->tx_queue_len / tun->numqueues) > + if (skb_queue_len(&tfile->socket.sk->sk_receive_queue) * numqueues > + >= dev->tx_queue_len) > goto drop; > > if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC))) Acked-by: Jason Wang
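Review bot: in the @@ -721,12 +721,14 @@ hunk the "= 0" initializer on "u32 numqueues" is dead, because the variable is unconditionally overwritten by "numqueues = ACCESS_ONCE(tun->numqueues);" before its first use. Suggest dropping the initializer, and adding a one-line comment at the ACCESS_ONCE() saying that tun->numqueues can change concurrently and must be read only once per call, so a later cleanup does not reintroduce a second read. Separately, txq is declared "int" while the snapshot is u32, so "txq >= numqueues" is now a mixed-sign comparison; declaring txq unsigned would make the intent explicit.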
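Review bot: in the @@ -746,8 +748,8 @@ hunk the comment above the check still says the limit is obtained "by dividing txq length with the number of queues", which no longer matches the code now that the test multiplies the receive-queue length by numqueues; please update the comment. The two forms are also not strictly equivalent: the old test dropped once the queue length reached dev->tx_queue_len / numqueues rounded down, while "skb_queue_len(...) * numqueues >= dev->tx_queue_len" drops one packet later per queue whenever tx_queue_len is not a multiple of numqueues. That small change in the per-queue limit deserves a sentence in the changelog.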