[Top] [All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Xen-devel] [PATCHv1 2/2] xen-netback: unref frags when handling a from-guest skb with a frag list

On Tue, 2015-03-03 at 16:26 +0000, David Vrabel wrote:
> Every time a VIF is destroyed up-to 256 pages may be leaked if packets
> with more than MAX_SKB_FRAGS frags where transmitted from the guest.
> Even worse, if another user of ballooned pages allocated one of these
> ballooned pages it would not handle the the unexpectedly non-zero page
> count (e.g., gntdev would deadlock when unmapping a grant because the
> page count would never reach 1).
> 
> When handling a from-guest skb with a frag list, unref the frags
> before releasing them so they are freed correctly when the VIF is
> destroyed.

Am I right that the majority of the first 2 hunks (and various bits of
the 3rd) are just switching the outer loop to nr_frags instead of i, to
free up i for use in the new code below? And also to switch j to the now
available i in the inner loop.

> Also swap over to the new (local) frags /after/ calling the skb
> destructor.  This isn't strictly necessary but it's less confusing.

My only concern would be that this now means there is a period where the
frags list is invalid. However I think the calling context is such that
nobody else can have a reference to an skb which has the same shinfo as
the one in our hand. Is that right?

(If not then I think the old code was also buggy/racy, but with a
smaller window)

> 
> Signed-off-by: David Vrabel <david.vrabel@xxxxxxxxxx>
> ---
>  drivers/net/xen-netback/netback.c |   43 
> +++++++++++++++++++------------------
>  1 file changed, 22 insertions(+), 21 deletions(-)
> 
> diff --git a/drivers/net/xen-netback/netback.c 
> b/drivers/net/xen-netback/netback.c
> index f7a31d2..3d06eeb 100644
> --- a/drivers/net/xen-netback/netback.c
> +++ b/drivers/net/xen-netback/netback.c
> @@ -1343,7 +1343,7 @@ static int xenvif_handle_frag_list(struct xenvif_queue 
> *queue, struct sk_buff *s
>  {
>       unsigned int offset = skb_headlen(skb);
>       skb_frag_t frags[MAX_SKB_FRAGS];
> -     int i;
> +     int i, nr_frags;
>       struct ubuf_info *uarg;
>       struct sk_buff *nskb = skb_shinfo(skb)->frag_list;
>  
> @@ -1357,17 +1357,16 @@ static int xenvif_handle_frag_list(struct 
> xenvif_queue *queue, struct sk_buff *s
>       skb->data_len += nskb->len;
>  
>       /* create a brand new frags array and coalesce there */
> -     for (i = 0; offset < skb->len; i++) {
> +     for (nr_frags = 0; offset < skb->len; nr_frags++) {
>               struct page *page;
>               unsigned int len;
>  
> -             BUG_ON(i >= MAX_SKB_FRAGS);
> +             BUG_ON(nr_frags >= MAX_SKB_FRAGS);
>               page = alloc_page(GFP_ATOMIC);
>               if (!page) {
> -                     int j;
>                       skb->truesize += skb->data_len;
> -                     for (j = 0; j < i; j++)
> -                             put_page(frags[j].page.p);
> +                     for (i = 0; i < nr_frags; i++)
> +                             put_page(frags[i].page.p);
>                       return -ENOMEM;
>               }
>  
> @@ -1379,27 +1378,29 @@ static int xenvif_handle_frag_list(struct 
> xenvif_queue *queue, struct sk_buff *s
>                       BUG();
>  
>               offset += len;
> -             frags[i].page.p = page;
> -             frags[i].page_offset = 0;
> -             skb_frag_size_set(&frags[i], len);
> +             frags[nr_frags].page.p = page;
> +             frags[nr_frags].page_offset = 0;
> +             skb_frag_size_set(&frags[nr_frags], len);
>       }
> -     /* swap out with old one */
> -     memcpy(skb_shinfo(skb)->frags,
> -            frags,
> -            i * sizeof(skb_frag_t));
> -     skb_shinfo(skb)->nr_frags = i;
> -     skb->truesize += i * PAGE_SIZE;
> -
> -     /* remove traces of mapped pages and frag_list */
> +
> +     /* Copied all the bits from the frag list -- free it. */
>       skb_frag_list_init(skb);
> -     uarg = skb_shinfo(skb)->destructor_arg;
> -     /* increase inflight counter to offset decrement in callback */
> +     xenvif_skb_zerocopy_prepare(queue, nskb);
> +     kfree_skb(nskb);
> +
> +     /* Release all the original (foreign) frags. */
> +     for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
> +             skb_frag_unref(skb, i);
>       atomic_inc(&queue->inflight_packets);
> +     uarg = skb_shinfo(skb)->destructor_arg;
>       uarg->callback(uarg, true);
>       skb_shinfo(skb)->destructor_arg = NULL;
>  
> -     xenvif_skb_zerocopy_prepare(queue, nskb);
> -     kfree_skb(nskb);
> +     /* Fill the skb with the new (local) frags. */
> +     memcpy(skb_shinfo(skb)->frags, frags,
> +            nr_frags * sizeof(skb_frag_t));
> +     skb_shinfo(skb)->nr_frags = nr_frags;
> +     skb->truesize += nr_frags * PAGE_SIZE;
>  
>       return 0;
>  }



_______________________________________________
Xen-devel mailing list
Xen-devel@xxxxxxxxxxxxx
http://lists.xen.org/xen-devel

 

©2013 Xen Project, A Linux Foundation Collaborative Project. All Rights Reserved.
Linux Foundation is a registered trademark of The Linux Foundation.
Xen Project is a trademark of The Linux Foundation.

Rackspace

Lists.xenproject.org is hosted with RackSpace, monitoring our
servers 24x7x365 and backed by RackSpace's Fanatical Support®.