init_dummy_netdev() leaves its netdev_ops pointer zeroed. This leads to a NULL pointer dereference when sk_busy_loop fires against an iwlwifi wireless adapter and checks napi->dev->netdev_ops->ndo_busy_poll. Avoid this by ensuring napi->dev->netdev_ops is valid before following the pointer, avoiding the following panic when busy polling on a dummy netdev: BUG: unable to handle kernel NULL pointer dereference at 00000000000000c8 IP: [<ffffffff817b4b72>] sk_busy_loop+0x92/0x2f0 Call Trace: [<ffffffff815a3134>] ? uart_write_room+0x74/0xf0 [<ffffffff817964a9>] sock_poll+0x99/0xa0 [<ffffffff81223142>] do_sys_poll+0x2e2/0x520 [<ffffffff8118d3fc>] ? get_page_from_freelist+0x3bc/0xa30 [<ffffffff810ada22>] ? update_curr+0x62/0x140 [<ffffffff811ea671>] ? __slab_free+0xa1/0x2a0 [<ffffffff811ea671>] ? __slab_free+0xa1/0x2a0 [<ffffffff8179dbb1>] ? skb_free_head+0x21/0x30 [<ffffffff81221bd0>] ? poll_initwait+0x50/0x50 [<ffffffff811eaa36>] ? kmem_cache_free+0x1c6/0x1e0 [<ffffffff815a4884>] ? uart_write+0x124/0x1d0 [<ffffffff810bd1cd>] ? remove_wait_queue+0x4d/0x60 [<ffffffff810bd224>] ? __wake_up+0x44/0x50 [<ffffffff81582731>] ? tty_write_unlock+0x31/0x40 [<ffffffff8158c5c6>] ? tty_ldisc_deref+0x16/0x20 [<ffffffff81584820>] ? tty_write+0x1e0/0x2f0 [<ffffffff81587e50>] ? process_echoes+0x80/0x80 [<ffffffff8120c17b>] ? __vfs_write+0x2b/0x130 [<ffffffff8120d09a>] ? vfs_write+0x15a/0x1a0 [<ffffffff81223455>] SyS_poll+0x75/0x100 [<ffffffff819a6524>] entry_SYSCALL_64_fastpath+0x24/0xcf Commit 79e7fff47b7b ("net: remove support for per driver ndo_busy_poll()") indirectly fixed this upstream in linux-4.11 by removing the offending pointer usage. No other users of napi->dev touch its netdev_ops. Fixes: 8b80cda536ea ("net: rename include/net/ll_poll.h to include/net/busy_poll.h") # 4.4.y Signed-off-by: Josh Elsasser <jelsasser@appneta.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
/*
 * net busy poll support
 * Copyright(c) 2013 Intel Corporation.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms and conditions of the GNU General Public License,
 * version 2, as published by the Free Software Foundation.
 *
 * This program is distributed in the hope it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for
 * more details.
 *
 * You should have received a copy of the GNU General Public License along with
 * this program; if not, write to the Free Software Foundation, Inc.,
 * 51 Franklin St - Fifth Floor, Boston, MA 02110-1301 USA.
 *
 * Author: Eliezer Tamir
 *
 * Contact Information:
 * e1000-devel Mailing List <e1000-devel@lists.sourceforge.net>
 */
#ifndef _LINUX_NET_BUSY_POLL_H
#define _LINUX_NET_BUSY_POLL_H
#include <linux/netdevice.h>
#include <net/ip.h>
#ifdef CONFIG_NET_RX_BUSY_POLL
/* Forward declaration of the NAPI context type used by the helpers below. */
struct napi_struct;
/* Busy-poll tunable; declared here but not referenced elsewhere in this header. */
extern unsigned int sysctl_net_busy_read __read_mostly;
/*
 * Global busy-poll budget: net_busy_loop_on() tests it for non-zero and
 * busy_loop_end_time() adds it to the busy-poll clock to form a deadline.
 */
extern unsigned int sysctl_net_busy_poll __read_mostly;
/*
 * Negative status codes a driver's busy-poll callback may return (the
 * callback is invoked as ndo_busy_poll in sk_busy_loop()).
 * sk_busy_loop() stops polling on LL_FLUSH_FAILED, treating it as a
 * permanent failure; LL_FLUSH_BUSY is not tested explicitly in this header.
 */
#define LL_FLUSH_FAILED -1
#define LL_FLUSH_BUSY -2
/*
 * Report whether global busy polling is enabled, i.e. whether the
 * sysctl_net_busy_poll tunable is non-zero.
 */
static inline bool net_busy_loop_on(void)
{
	return sysctl_net_busy_poll != 0;
}
/*
 * Coarse clock used for busy-poll deadlines.
 *
 * The local_clock() reading is shifted right by 10 bits, i.e. divided by
 * 1024.  NOTE(review): presumably local_clock() is in nanoseconds, which
 * would make this a cheap approximation of microseconds -- confirm against
 * its definition.
 */
static inline u64 busy_loop_us_clock(void)
{
	u64 raw = local_clock();

	return raw >> 10;
}
/*
 * Deadline for a blocking busy poll on @sk: the current busy-poll clock
 * plus the socket's own budget, sk->sk_ll_usec.  The budget is read through
 * ACCESS_ONCE().
 */
static inline unsigned long sk_busy_loop_end_time(struct sock *sk)
{
	u64 start = busy_loop_us_clock();

	return start + ACCESS_ONCE(sk->sk_ll_usec);
}
/*
 * Deadline for busy polling from poll/select: the global
 * sysctl_net_busy_poll value is the budget added to the current busy-poll
 * clock.
 */
static inline unsigned long busy_loop_end_time(void)
{
	u64 start = busy_loop_us_clock();

	return start + ACCESS_ONCE(sysctl_net_busy_poll);
}
/*
 * Decide whether busy polling is currently worthwhile for @sk.
 *
 * Returns true only when the socket has a non-zero busy-poll budget
 * (sk_ll_usec) and a recorded NAPI id, and the current task neither needs
 * to reschedule nor has a signal pending.
 */
static inline bool sk_can_busy_loop(struct sock *sk)
{
	/* Both a per-socket budget and a recorded NAPI id are required. */
	if (!sk->sk_ll_usec || !sk->sk_napi_id)
		return false;

	/* Do not spin when the task should yield or has a signal to handle. */
	return !need_resched() && !signal_pending(current);
}
/*
 * Return true once the busy-poll clock has moved past @end_time.
 *
 * The clock value is first narrowed into an unsigned long local so that
 * both operands handed to time_after() have the same type.
 */
static inline bool busy_loop_timeout(unsigned long end_time)
{
	unsigned long cur_us = busy_loop_us_clock();

	if (time_after(cur_us, end_time))
		return true;

	return false;
}
/*
 * Busy poll the NAPI context recorded on @sk until data arrives.
 *
 * @sk:       socket whose sk_napi_id selects the NAPI instance to poll
 * @nonblock: when non-zero the driver callback is invoked once only and no
 *            deadline is computed; when zero, polling repeats until the
 *            receive queue is non-empty, a reschedule is needed or the
 *            socket's busy-poll deadline passes
 *
 * Returns true if sk->sk_receive_queue holds data after polling; false if
 * it is empty, if no NAPI instance matches the id, or if the device offers
 * no ndo_busy_poll callback.
 *
 * When used in sock_poll() @nonblock is known at compile time to be true,
 * so the loop and end_time will be optimized out.
 */
static inline bool sk_busy_loop(struct sock *sk, int nonblock)
{
	unsigned long end_time = nonblock ? 0 : sk_busy_loop_end_time(sk);
	const struct net_device_ops *ops;
	struct napi_struct *napi;
	bool ready = false;
	int polled;

	/*
	 * The RCU read lock covers the napi hash lookup; the _bh variant is
	 * used so we don't race with net_rx_action.
	 */
	rcu_read_lock_bh();

	napi = napi_by_id(sk->sk_napi_id);
	if (!napi)
		goto out;

	/*
	 * netdev_ops may be NULL: init_dummy_netdev() leaves it zeroed, so
	 * the table pointer must be validated before ndo_busy_poll is read
	 * through it.  The pointer is copied into a local, and both the
	 * checks and the calls below go through that copy.
	 */
	ops = napi->dev->netdev_ops;
	if (!ops)
		goto out;
	if (!ops->ndo_busy_poll)
		goto out;

	do {
		polled = ops->ndo_busy_poll(napi);

		if (polled == LL_FLUSH_FAILED)
			break; /* permanent failure */

		if (polled > 0) {
			/* local bh are disabled so it is ok to use _BH */
			NET_ADD_STATS_BH(sock_net(sk),
					 LINUX_MIB_BUSYPOLLRXPACKETS, polled);
		}
		cpu_relax();

	} while (!nonblock && skb_queue_empty(&sk->sk_receive_queue) &&
		 !need_resched() && !busy_loop_timeout(end_time));

	/* Whatever the callback returned, report only whether data is queued. */
	ready = !skb_queue_empty(&sk->sk_receive_queue);
out:
	rcu_read_unlock_bh();
	return ready;
}
/*
 * Called from the NIC receive handler: copy the NAPI context's id
 * (napi->napi_id) into skb->napi_id.
 */
static inline void skb_mark_napi_id(struct sk_buff *skb,
				    struct napi_struct *napi)
{
	skb->napi_id = napi->napi_id;
}
/*
 * Called from the protocol handler: propagate the NAPI id carried by @skb
 * to the socket, where sk_busy_loop() later uses it to look up the NAPI
 * instance to poll.
 */
static inline void sk_mark_napi_id(struct sock *sk, struct sk_buff *skb)
{
	sk->sk_napi_id = skb->napi_id;
}
#else /* CONFIG_NET_RX_BUSY_POLL */
/*
 * Stub for kernels built without CONFIG_NET_RX_BUSY_POLL: busy polling is
 * never on, so this always yields 0.
 */
static inline unsigned long net_busy_loop_on(void)
{
	return 0UL;
}
/*
 * Stub for kernels built without CONFIG_NET_RX_BUSY_POLL: there is no
 * deadline to compute, so the end time is always 0.
 */
static inline unsigned long busy_loop_end_time(void)
{
	return 0UL;
}
/*
 * Stub for kernels built without CONFIG_NET_RX_BUSY_POLL: no socket is
 * ever eligible for busy polling; @sk is not examined.
 */
static inline bool sk_can_busy_loop(struct sock *sk)
{
	/* Busy polling is compiled out. */
	return false;
}
/*
 * Stub for kernels built without CONFIG_NET_RX_BUSY_POLL: the receive
 * handler may still call this, but nothing is written to @skb.
 */
static inline void skb_mark_napi_id(struct sk_buff *skb,
				    struct napi_struct *napi)
{
	/* intentionally empty: busy polling is compiled out */
}
/*
 * Stub for kernels built without CONFIG_NET_RX_BUSY_POLL: the protocol
 * handler may still call this, but nothing is written to @sk.
 */
static inline void sk_mark_napi_id(struct sock *sk, struct sk_buff *skb)
{
	/* intentionally empty: busy polling is compiled out */
}
/*
 * Stub for kernels built without CONFIG_NET_RX_BUSY_POLL: every deadline
 * counts as already expired, whatever @end_time is.
 */
static inline bool busy_loop_timeout(unsigned long end_time)
{
	/* Busy polling is compiled out, so report "timed out" unconditionally. */
	return true;
}
/*
 * Stub for kernels built without CONFIG_NET_RX_BUSY_POLL: no polling is
 * performed and no data is reported; @sk and @nonblock are ignored.
 */
static inline bool sk_busy_loop(struct sock *sk, int nonblock)
{
	/* Busy polling is compiled out. */
	return false;
}
#endif /* CONFIG_NET_RX_BUSY_POLL */
#endif /* _LINUX_NET_BUSY_POLL_H */