xdp: fix bug in cpumap teardown code path
author Jesper Dangaard Brouer <brouer@redhat.com>
Wed, 8 Aug 2018 21:00:34 +0000 (23:00 +0200)
committer Daniel Borkmann <daniel@iogearbox.net>
Thu, 9 Aug 2018 19:50:44 +0000 (21:50 +0200)
commit ad0ab027fc6da08cbd34070d816ff3b7986c64ae
tree 36f75aa1790a438a29950b2ecd0dddf9baf0b107
parent bf9bae0ea6ec7013ef37b19fbbf29b62a35474fb
xdp: fix bug in cpumap teardown code path

When removing a cpumap entry, a number of synchronization steps happen.
Eventually the teardown code __cpu_map_entry_free is invoked from/via
call_rcu.

The teardown code __cpu_map_entry_free() flushes remaining xdp_frames,
by invoking bq_flush_to_queue, which calls xdp_return_frame_rx_napi().
The issue is that the teardown code is not running in the RX NAPI
code path.  Thus, it is not allowed to invoke the NAPI variant of
xdp_return_frame.

This bug was found and triggered by using the --stress-mode option to
the samples/bpf program xdp_redirect_cpu.  It is hard to trigger,
because the ptr_ring has to be full and cpumap bulk queue max
contains 8 packets, and a remote CPU is racing to empty the ptr_ring
queue.

Fixes: 389ab7f01af9 ("xdp: introduce xdp_return_frame_rx_napi")
Tested-by: Jean-Tsung Hsiao <jhsiao@redhat.com>
Signed-off-by: Jesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
kernel/bpf/cpumap.c