From: Dominic Curran Date: Wed, 22 Jan 2014 03:03:23 +0000 (+0000) Subject: tuntap: Fix for a race in accessing numqueues X-Git-Tag: firefly_0821_release~176^2~4570^2~32 X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=fa35864e0bb7f7c13b9c6d6751ddac9b42d4810f;p=firefly-linux-kernel-4.4.55.git tuntap: Fix for a race in accessing numqueues A patch for fixing a race between queue selection and changing queues was introduced in commit 92bb73ea2("tuntap: fix a possible race between queue selection and changing queues"). The fix was to prevent the driver from re-reading the tun->numqueues more than once within tun_select_queue() using ACCESS_ONCE(). We have been experiancing 'Divide-by-zero' errors in tun_net_xmit() since we moved from 3.6 to 3.10, and believe that they come from a simular source where the value of tun->numqueues changes to zero between the first and a subsequent read of tun->numqueues. The fix is a simular use of ACCESS_ONCE(), as well as a multiply instead of a divide in the if statement. Signed-off-by: Dominic Curran Cc: Jason Wang Cc: Maxim Krasnyansky Acked-by: Jason Wang Acked-by: Max Krasnyansky Signed-off-by: David S. Miller --- diff --git a/drivers/net/tun.c b/drivers/net/tun.c index 34cca74c99ed..bcf01af4b879 100644 --- a/drivers/net/tun.c +++ b/drivers/net/tun.c @@ -738,15 +738,17 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev) struct tun_struct *tun = netdev_priv(dev); int txq = skb->queue_mapping; struct tun_file *tfile; + u32 numqueues = 0; rcu_read_lock(); tfile = rcu_dereference(tun->tfiles[txq]); + numqueues = ACCESS_ONCE(tun->numqueues); /* Drop packet if interface is not attached */ - if (txq >= tun->numqueues) + if (txq >= numqueues) goto drop; - if (tun->numqueues == 1) { + if (numqueues == 1) { /* Select queue was not called for the skbuff, so we extract the * RPS hash and save it into the flow_table here. */ @@ -779,8 +781,8 @@ static netdev_tx_t tun_net_xmit(struct sk_buff *skb, struct net_device *dev) /* Limit the number of packets queued by dividing txq length with the * number of queues. */ - if (skb_queue_len(&tfile->socket.sk->sk_receive_queue) - >= dev->tx_queue_len / tun->numqueues) + if (skb_queue_len(&tfile->socket.sk->sk_receive_queue) * numqueues + >= dev->tx_queue_len) goto drop; if (unlikely(skb_orphan_frags(skb, GFP_ATOMIC)))