• Jesper Dangaard Brouer's avatar
    xdp: fix bug in cpumap teardown code path · ad0ab027
    Jesper Dangaard Brouer authored
    When removing a cpumap entry, a number of syncronization steps happen.
    Eventually the teardown code __cpu_map_entry_free is invoked from/via
    call_rcu.
    
    The teardown code __cpu_map_entry_free() flushes remaining xdp_frames,
    by invoking bq_flush_to_queue, which calls xdp_return_frame_rx_napi().
    The issues is that the teardown code is not running in the RX NAPI
    code path.  Thus, it is not allowed to invoke the NAPI variant of
    xdp_return_frame.
    
    This bug was found and triggered by using the --stress-mode option to
    the samples/bpf program xdp_redirect_cpu.  It is hard to trigger,
    because the ptr_ring have to be full and cpumap bulk queue max
    contains 8 packets, and a remote CPU is racing to empty the ptr_ring
    queue.
    
    Fixes: 389ab7f0 ("xdp: introduce xdp_return_frame_rx_napi")
    Tested-by: 's avatarJean-Tsung Hsiao <jhsiao@redhat.com>
    Signed-off-by: 's avatarJesper Dangaard Brouer <brouer@redhat.com>
    Signed-off-by: 's avatarDaniel Borkmann <daniel@iogearbox.net>
    ad0ab027
cpumap.c 18.8 KB