The test implemented by some_qdisc_is_busy() is somewhat loosy for
NOLOCK qdisc, as we may hit the following scenario :
CPU1 CPU2
// in net_tx_action()
clear_bit(__QDISC_STATE_SCHED...);
// in some_qdisc_is_busy()
val = (qdisc_is_running(q) ||
test_bit(__QDISC_STATE_SCHED,
&q->state));
// here val is 0 but...
qdisc_run(q)
// ... CPU1 is going to run the qdisc next
As a conseguence qdisc_run() in net_tx_action() can race with
qdisc_reset() in dev_qdisc_reset(). Such race is not possible for !NOLOCK
qdisc as both the above bit operations are under the root qdisc lock().
After commit 021a17ed79 ("pfifo_fast: drop unneeded additional lock on
dequeue") the race can cause use after free and/or null ptr dereference,
but the root cause is likely older.
This patch addresses the issue explicitly checking for deactivation under
the seqlock for NOLOCK qdisc, so that the qdisc_run() in the critical
scenario becomes a no-op.
Note that the enqueue() op can still execute concurrently with
dev_qdisc_reset(), but that is safe due to the skb_array() locking, and
we can't avoid that for NOLOCK qdiscs.
Fixes: 021a17ed79 ("pfifo_fast: drop unneeded additional lock on
dequeue")
Reported-by: Li Shuang <shuali@redhat.com>
Reported-and-tested-by: Davide Caratti <dcaratti@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
(Backported from commit d518d2ed8640c1cbbbb6f63939e3e65471817367).
Git-Commit: d518d2ed8640c1cbbbb6f63939e3e65471817367
Git-repo: https://android.googlesource.com/kernel/common/
Change-Id: Id4e048bd00ea0d9be49f98958e648c74af965e12
Signed-off-by: Chinmay Agarwal <chinagar@codeaurora.org>
e786a31cce