2017-07-25 07:57:31 +00:00
|
|
|
From 0a9648f1293966c838dc570da73c15a76f4c89d6 Mon Sep 17 00:00:00 2001
|
|
|
|
From: Eric Dumazet <edumazet@google.com>
|
|
|
|
Date: Wed, 21 Dec 2016 05:42:43 -0800
|
|
|
|
Subject: [PATCH 09/10] tcp: add a missing barrier in tcp_tasklet_func()
|
|
|
|
|
|
|
|
Madalin reported crashes happening in tcp_tasklet_func() on powerpc64
|
|
|
|
|
|
|
|
Before TSQ_QUEUED bit is cleared, we must ensure the changes done
|
|
|
|
by list_del(&tp->tsq_node); are committed to memory, otherwise
|
|
|
|
corruption might happen, as an other cpu could catch TSQ_QUEUED
|
|
|
|
clearance too soon.
|
|
|
|
|
|
|
|
We can notice that old kernels were immune to this bug, because
|
|
|
|
TSQ_QUEUED was cleared after a bh_lock_sock(sk)/bh_unlock_sock(sk)
|
|
|
|
section, but they could have missed a kick to write additional bytes,
|
|
|
|
when NIC interrupts for a given flow are spread to multiple cpus.
|
|
|
|
|
|
|
|
Affected TCP flows would need an incoming ACK or RTO timer to add more
|
|
|
|
packets to the pipe. So overall situation should be better now.
|
|
|
|
|
|
|
|
Fixes: b223feb9de2a ("tcp: tsq: add shortcut in tcp_tasklet_func()")
|
|
|
|
Signed-off-by: Eric Dumazet <edumazet@google.com>
|
|
|
|
Reported-by: Madalin Bucur <madalin.bucur@nxp.com>
|
|
|
|
Tested-by: Madalin Bucur <madalin.bucur@nxp.com>
|
|
|
|
Tested-by: Xing Lei <xing.lei@nxp.com>
|
|
|
|
Signed-off-by: David S. Miller <davem@davemloft.net>
|
|
|
|
---
|
|
|
|
net/ipv4/tcp_output.c | 1 +
|
|
|
|
1 file changed, 1 insertion(+)
|
|
|
|
|
|
|
|
--- a/net/ipv4/tcp_output.c
|
|
|
|
+++ b/net/ipv4/tcp_output.c
|
2018-08-04 16:08:25 +00:00
|
|
|
@@ -774,6 +774,7 @@ static void tcp_tasklet_func(unsigned lo
|
2017-07-25 07:57:31 +00:00
|
|
|
list_del(&tp->tsq_node);
|
|
|
|
|
|
|
|
sk = (struct sock *)tp;
|
|
|
|
+ smp_mb__before_atomic();
|
|
|
|
clear_bit(TSQ_QUEUED, &sk->sk_tsq_flags);
|
|
|
|
|
|
|
|
if (!sk->sk_lock.owned &&
|