8e1da73acd
Add napi_disable routine in gro_cells_destroy since starting from commit c42858eaf492 ("gro_cells: remove spinlock protecting receive queues") gro_cell_poll and gro_cells_destroy can run concurrently on napi_skbs list producing a kernel Oops if the tunnel interface is removed while gro_cell_poll is running. The following Oops has been triggered removing a vxlan device while the interface is receiving traffic [ 5628.948853] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 [ 5628.949981] PGD 0 P4D 0 [ 5628.950308] Oops: 0002 [#1] SMP PTI [ 5628.950748] CPU: 0 PID: 9 Comm: ksoftirqd/0 Not tainted 4.20.0-rc6+ #41 [ 5628.952940] RIP: 0010:gro_cell_poll+0x49/0x80 [ 5628.955615] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202 [ 5628.956250] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000 [ 5628.957102] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150 [ 5628.957940] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000 [ 5628.958803] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040 [ 5628.959661] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040 [ 5628.960682] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000 [ 5628.961616] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5628.962359] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0 [ 5628.963188] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 5628.964034] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 5628.964871] Call Trace: [ 5628.965179] net_rx_action+0xf0/0x380 [ 5628.965637] __do_softirq+0xc7/0x431 [ 5628.966510] run_ksoftirqd+0x24/0x30 [ 5628.966957] smpboot_thread_fn+0xc5/0x160 [ 5628.967436] kthread+0x113/0x130 [ 5628.968283] ret_from_fork+0x3a/0x50 [ 5628.968721] Modules linked in: [ 5628.969099] CR2: 0000000000000008 [ 5628.969510] ---[ end trace 9d9dedc7181661fe ]--- [ 5628.970073] RIP: 0010:gro_cell_poll+0x49/0x80 [ 5628.972965] RSP: 0018:ffffc9000004fdd8 EFLAGS: 00010202 [ 5628.973611] RAX: 0000000000000000 RBX: ffffe8ffffc08150 RCX: 0000000000000000 [ 5628.974504] RDX: 0000000000000000 RSI: ffff88802356bf00 RDI: ffffe8ffffc08150 [ 5628.975462] RBP: 0000000000000026 R08: 0000000000000000 R09: 0000000000000000 [ 5628.976413] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000040 [ 5628.977375] R13: ffffe8ffffc08100 R14: 0000000000000000 R15: 0000000000000040 [ 5628.978296] FS: 0000000000000000(0000) GS:ffff88803ea00000(0000) knlGS:0000000000000000 [ 5628.979327] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 [ 5628.980044] CR2: 0000000000000008 CR3: 000000000221c000 CR4: 00000000000006b0 [ 5628.980929] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 [ 5628.981736] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 [ 5628.982409] Kernel panic - not syncing: Fatal exception in interrupt [ 5628.983307] Kernel Offset: disabled Fixes: c42858eaf492 ("gro_cells: remove spinlock protecting receive queues") Signed-off-by: Lorenzo Bianconi <lorenzo.bianconi@redhat.com> Acked-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
95 lines
2.1 KiB
C
95 lines
2.1 KiB
C
// SPDX-License-Identifier: GPL-2.0
|
|
#include <linux/skbuff.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/netdevice.h>
|
|
#include <net/gro_cells.h>
|
|
|
|
struct gro_cell {
|
|
struct sk_buff_head napi_skbs;
|
|
struct napi_struct napi;
|
|
};
|
|
|
|
int gro_cells_receive(struct gro_cells *gcells, struct sk_buff *skb)
|
|
{
|
|
struct net_device *dev = skb->dev;
|
|
struct gro_cell *cell;
|
|
|
|
if (!gcells->cells || skb_cloned(skb) || netif_elide_gro(dev))
|
|
return netif_rx(skb);
|
|
|
|
cell = this_cpu_ptr(gcells->cells);
|
|
|
|
if (skb_queue_len(&cell->napi_skbs) > netdev_max_backlog) {
|
|
atomic_long_inc(&dev->rx_dropped);
|
|
kfree_skb(skb);
|
|
return NET_RX_DROP;
|
|
}
|
|
|
|
__skb_queue_tail(&cell->napi_skbs, skb);
|
|
if (skb_queue_len(&cell->napi_skbs) == 1)
|
|
napi_schedule(&cell->napi);
|
|
return NET_RX_SUCCESS;
|
|
}
|
|
EXPORT_SYMBOL(gro_cells_receive);
|
|
|
|
/* called under BH context */
|
|
static int gro_cell_poll(struct napi_struct *napi, int budget)
|
|
{
|
|
struct gro_cell *cell = container_of(napi, struct gro_cell, napi);
|
|
struct sk_buff *skb;
|
|
int work_done = 0;
|
|
|
|
while (work_done < budget) {
|
|
skb = __skb_dequeue(&cell->napi_skbs);
|
|
if (!skb)
|
|
break;
|
|
napi_gro_receive(napi, skb);
|
|
work_done++;
|
|
}
|
|
|
|
if (work_done < budget)
|
|
napi_complete_done(napi, work_done);
|
|
return work_done;
|
|
}
|
|
|
|
int gro_cells_init(struct gro_cells *gcells, struct net_device *dev)
|
|
{
|
|
int i;
|
|
|
|
gcells->cells = alloc_percpu(struct gro_cell);
|
|
if (!gcells->cells)
|
|
return -ENOMEM;
|
|
|
|
for_each_possible_cpu(i) {
|
|
struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
|
|
|
|
__skb_queue_head_init(&cell->napi_skbs);
|
|
|
|
set_bit(NAPI_STATE_NO_BUSY_POLL, &cell->napi.state);
|
|
|
|
netif_napi_add(dev, &cell->napi, gro_cell_poll,
|
|
NAPI_POLL_WEIGHT);
|
|
napi_enable(&cell->napi);
|
|
}
|
|
return 0;
|
|
}
|
|
EXPORT_SYMBOL(gro_cells_init);
|
|
|
|
void gro_cells_destroy(struct gro_cells *gcells)
|
|
{
|
|
int i;
|
|
|
|
if (!gcells->cells)
|
|
return;
|
|
for_each_possible_cpu(i) {
|
|
struct gro_cell *cell = per_cpu_ptr(gcells->cells, i);
|
|
|
|
napi_disable(&cell->napi);
|
|
netif_napi_del(&cell->napi);
|
|
__skb_queue_purge(&cell->napi_skbs);
|
|
}
|
|
free_percpu(gcells->cells);
|
|
gcells->cells = NULL;
|
|
}
|
|
EXPORT_SYMBOL(gro_cells_destroy);
|