af_packet: TPACKET_V3: fix fill status rwlock imbalance

stable inclusion from linux-4.19.140 commit ff00ef9aac0a8e17f52169c25f70e5c7e88c87c9 -------------------------------- [ Upstream commit 88fd1cb8 ] After @blk_fill_in_prog_lock is acquired there is an early out vnet situation that can occur. In that case, the rwlock needs to be released. Also, since @blk_fill_in_prog_lock is only acquired when @tp_version is exactly TPACKET_V3, only release it on that exact condition as well. And finally, add sparse annotation so that it is clearer that prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring and releasing @blk_fill_in_prog_lock, respectively. sparse is still unable to understand the balance, but the warnings are now on a higher level that make more sense. Fixes: 632ca50f ("af_packet: TPACKET_V3: replace busy-wait loop") Signed-off-by: N John Ogness <john.ogness@linutronix.de> Reported-by: N kernel test robot <lkp@intel.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Aichun Li <liaichun@huawei.com> Reviewed-by: N wangxiaopeng <wangxiaopeng7@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>

af_packet: TPACKET_V3: fix fill status rwlock imbalance
stable inclusion from linux-4.19.140 commit ff00ef9aac0a8e17f52169c25f70e5c7e88c87c9 -------------------------------- [ Upstream commit 88fd1cb8 ] After @blk_fill_in_prog_lock is acquired there is an early out vnet situation that can occur. In that case, the rwlock needs to be released. Also, since @blk_fill_in_prog_lock is only acquired when @tp_version is exactly TPACKET_V3, only release it on that exact condition as well. And finally, add sparse annotation so that it is clearer that prb_fill_curr_block() and prb_clear_blk_fill_status() are acquiring and releasing @blk_fill_in_prog_lock, respectively. sparse is still unable to understand the balance, but the warnings are now on a higher level that make more sense. Fixes: 632ca50f ("af_packet: TPACKET_V3: replace busy-wait loop") Signed-off-by: N John Ogness <john.ogness@linutronix.de> Reported-by: N kernel test robot <lkp@intel.com> Signed-off-by: N David S. Miller <davem@davemloft.net> Signed-off-by: N Greg Kroah-Hartman <gregkh@linuxfoundation.org> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com> Signed-off-by: N Aichun Li <liaichun@huawei.com> Reviewed-by: N wangxiaopeng <wangxiaopeng7@huawei.com> Signed-off-by: N Yang Yingliang <yangyingliang@huawei.com>
a05e9e93 · John Ogness · Yang Yingliang · 965e4895 · a05e9e93
隐藏空白更改
内联并排

Showing with 7 addition and 2 deletion

net/packet/af_packet.c net/packet/af_packet.c +7 -2

未找到文件。
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -949,6 +949,7 @@ static int prb_queue_frozen(struct tpacket_kbdq_core *pkc)
 }
 static void prb_clear_blk_fill_status(struct packet_ring_buffer *rb)
+	__releases(&pkc->blk_fill_in_prog_lock)
 {
 	struct tpacket_kbdq_core *pkc  = GET_PBDQC_FROM_RB(rb);
 	atomic_dec(&pkc->blk_fill_in_prog);
@@ -996,6 +997,7 @@ static void prb_fill_curr_block(char *curr,
 				struct tpacket_kbdq_core *pkc,
 				struct tpacket_block_desc *pbd,
 				unsigned int len)
+	__acquires(&pkc->blk_fill_in_prog_lock)
 {
 	struct tpacket3_hdr *ppd;
@@ -2275,8 +2277,11 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 	if (do_vnet &&
 	    virtio_net_hdr_from_skb(skb, h.raw + macoff -
 				    sizeof(struct virtio_net_hdr),
-				    vio_le(), true, 0))
+				    vio_le(), true, 0)) {
+		if (po->tp_version == TPACKET_V3)
+			prb_clear_blk_fill_status(&po->rx_ring);
 		goto drop_n_account;
+	}
 	if (po->tp_version <= TPACKET_V2) {
 		packet_increment_rx_head(po, &po->rx_ring);
@@ -2382,7 +2387,7 @@ static int tpacket_rcv(struct sk_buff *skb, struct net_device *dev,
 		__clear_bit(slot_id, po->rx_ring.rx_owner_map);
 		spin_unlock(&sk->sk_receive_queue.lock);
 		sk->sk_data_ready(sk);
-	} else {
+	} else if (po->tp_version == TPACKET_V3) {
 		prb_clear_blk_fill_status(&po->rx_ring);
 	}