Thread: 10 messages, 3 authors, 2011-05-28

Re: [PATCH 1/2 v2] af-packet: Use existing netdev reference for bound sockets.

From: Ben Greear <hidden>
Date: 2011-05-28 17:01:16

On 05/27/2011 11:20 PM, Eric Dumazet wrote:
On Friday, 27 May 2011 at 13:18 -0700, Ben Greear wrote:
On 05/27/2011 01:15 PM, David Miller wrote:
From: Eric Dumazet <redacted>
Date: Fri, 27 May 2011 22:08:41 +0200
On Thursday, 26 May 2011 at 21:11 -0700, Ben Greear wrote:
On 05/26/2011 08:42 PM, Eric Dumazet wrote:
On Thursday, 26 May 2011 at 16:55 -0700, greearb@candelatech.com wrote:
    out_free:
    	kfree_skb(skb);
    out_unlock:
-	if (dev)
+	if (dev&&    need_rls_dev)
    		dev_put(dev);
    out:
    	return err;
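Review bot: when need_rls_dev is false this hunk skips the dev_put() at out_unlock, which is only safe if the device pointer reused from prot_hook.dev is itself protected by a reference, and the thread notes that prot_hook.dev is assigned without dev_hold() and is only ever used for pointer comparison; since this function can sleep, an unregister during that sleep would then free the device before dev_queue_xmit() dereferences it. Either dev_hold() the cached device at the point it is chosen (keeping the unconditional `if (dev) dev_put(dev);`), or take the reference when prot_hook.dev is assigned and drop it when it changes, so unregister blocks in netdev_wait_allrefs() instead of racing. Minor: `if (dev&&    need_rls_dev)` should be written `if (dev && need_rls_dev)` per kernel style.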
Hmmm, I wonder why you want this, Ben.

IMHO this is buggy, because we can sleep in this function.

We must take a ref on device (it's really cheap these days, now we have a
percpu device refcnt)
Why must you take the reference?  And if we must, why isn't the
current code that assigns the prot_hook.dev without taking a
reference OK?
If we sleep, device can disappear under us.

The only way to not take a reference is to hold rcu_read_lock(), but
you're not allowed to sleep under rcu_read_lock().
You still have not addressed Ben's point.

Why is it ok for the po->prot_hook.dev handling to not take a
reference?  It's been doing this forever.  Ben is just borrowing this
behavior for his uses.

After some more research I think it happens to be OK because
->prot_hook.dev is used _only_ for pointer comparisons, it is never
actually dereferenced or used in any other way.  Probably, we should
just use ->ifindex for this.
It's easy enough to add a dev_hold() when I assign the skb instead
of looking it up in my patch, but perhaps it would be cleaner over all to
just hold a ref on the prot_hook.dev when it is originally assigned?

Problem is: if packet_notifier(NETDEV_DOWN|UNREGISTER) is run while we
sleep, what happens then?

Normally, if we sleep a long time in tpacket_snd() after device ref
increment, and before dev_queue_xmit(), the unregister process can enter
the infamous msleep(250) loop in netdev_wait_allrefs(), but at least we
don't crash.

But if you don't take the reference, we can crash in dev_queue_xmit()
when dereferencing the freed netdev structure.

Please check commit 1a35ca80c1db7 (packet: dont call sleeping functions
while holding rcu_read_lock()) for reference on possible problems.
I'll create a new patch to hold ref on the prot_hook.dev when it's assigned,
and then layer the 'existing netdev reference' patch on top of that.  Might
be a day or two...

Thanks,
Ben
Thanks!


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Ben Greear [off-list ref]
Candela Technologies Inc  http://www.candelatech.com
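A small userspace model of the race argued over in this thread, added here as an illustration; it is not kernel code and not part of Ben's patch. `struct netdev`, `netdev_unregister()` and `simulated_tpacket_snd()` are constructed stand-ins for the real net_device refcount, the netdev_wait_allrefs() loop, and the sleeping transmit path.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed stand-in for struct net_device: a refcount plus a "freed" flag
 * so a use-after-free is detected instead of crashing the process. */
struct netdev {
    int refcnt;
    bool freed;
};

/* Analogues of dev_hold() / dev_put(). */
static void dev_hold(struct netdev *d) { d->refcnt++; }
static void dev_put(struct netdev *d) { d->refcnt--; }

/* Analogue of the unregister path: netdev_wait_allrefs() loops (msleep(250))
 * while references remain, and the device is only freed once refcnt is 0.
 * Returns true if the device was freed now. */
static bool netdev_unregister(struct netdev *d)
{
    if (d->refcnt > 0)
        return false;   /* unregister waits; nothing is freed */
    d->freed = true;    /* memory gone: any later dereference is a UAF */
    return true;
}

/* Simulated tpacket_snd(): optionally takes a reference on the device,
 * sleeps (during which NETDEV_UNREGISTER may run), then "transmits".
 * Returns 0 on success, -1 if dev_queue_xmit() would touch freed memory. */
static int simulated_tpacket_snd(struct netdev *dev, bool take_ref,
                                 bool unregister_while_sleeping)
{
    if (take_ref)
        dev_hold(dev);
    if (unregister_while_sleeping)
        netdev_unregister(dev);         /* races with our sleep */
    int err = dev->freed ? -1 : 0;      /* dev_queue_xmit(dev) happens here */
    if (take_ref)
        dev_put(dev);                   /* now unregister can complete */
    return err;
}

int main(void)
{
    struct netdev a = {0}, b = {0};
    int e1 = simulated_tpacket_snd(&a, true, true);
    int e2 = simulated_tpacket_snd(&b, false, true);
    printf("with dev_hold: err=%d freed=%d\n", e1, a.freed);
    printf("without ref:   err=%d freed=%d\n", e2, b.freed);
    return 0;
}
```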