linux/include
Neil Horman 2d8bff1269 netpoll: Close race condition between poll_one_napi and napi_disable
Drivers might call napi_disable while not holding the napi instance poll_lock.
In those instances, its possible for a race condition to exist between
poll_one_napi and napi_disable.  That is to say, poll_one_napi only tests the
NAPI_STATE_SCHED bit to see if there is work to do during a poll, and as such
the following may happen:

CPU0				CPU1
ndo_tx_timeout			napi_poll_dev
 napi_disable			 poll_one_napi
  test_and_set_bit (ret 0)
				  test_bit (ret 1)
   reset adapter		   napi_poll_routine

If the adapter gets a tx timeout without a napi instance scheduled, its possible
for the adapter to think it has exclusive access to the hardware  (as the napi
instance is now scheduled via the napi_disable call), while the netpoll code
thinks there is simply work to do.  The result is parallel hardware access
leading to corrupt data structures in the driver, and a crash.

Additionaly, there is another, more critical race between netpoll and
napi_disable.  The disabled napi state is actually identical to the scheduled
state for a given napi instance.  The implication being that, if a napi instance
is disabled, a netconsole instance would see the napi state of the device as
having been scheduled, and poll it, likely while the driver was dong something
requiring exclusive access.  In the case above, its fairly clear that not having
the rings in a state ready to be polled will cause any number of crashes.

The fix should be pretty easy.  netpoll uses its own bit to indicate that that
the napi instance is in a state of being serviced by netpoll (NAPI_STATE_NPSVC).
We can just gate disabling on that bit as well as the sched bit.  That should
prevent netpoll from conducting a napi poll if we convert its set bit to a
test_and_set_bit operation to provide mutual exclusion

Change notes:
V2)
	Remove a trailing whtiespace
	Resubmit with proper subject prefix

V3)
	Clean up spacing nits

Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: jmaxwell@redhat.com
Tested-by: jmaxwell@redhat.com
Signed-off-by: David S. Miller <davem@davemloft.net>
2015-09-23 14:32:50 -07:00
..
acpi Merge branch 'pm-cpufreq' 2015-09-01 15:52:35 +02:00
asm-generic dma-mapping: consolidate dma_set_mask 2015-09-10 13:29:01 -07:00
clocksource
crypto Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2015-09-08 12:41:25 -07:00
drm Merge branch 'drm-next' of git://people.freedesktop.org/~airlied/linux 2015-09-04 15:49:32 -07:00
dt-bindings Merge branch 'drivers/reset' into next/late 2015-09-09 15:42:45 -07:00
keys
kvm
linux netpoll: Close race condition between poll_one_napi and napi_disable 2015-09-23 14:32:50 -07:00
math-emu
media media updates for v4.3-rc1 2015-09-05 18:21:14 -07:00
memory
misc
net tcp/dccp: fix timewait races in timer handling 2015-09-21 16:32:29 -07:00
pcmcia
ras
rdma Changes for 4.3 2015-09-09 08:33:31 -07:00
rxrpc
scsi SCSI misc on 20150901 2015-09-02 12:22:54 -07:00
soc IOMMU Updates for Linux v4.3 2015-09-08 17:22:35 -07:00
sound ALSA: hda - Fix missing inline for dummy snd_hdac_set_codec_wakeup() 2015-09-02 12:24:55 +02:00
target
trace Merge branch 'for-4.3/blkcg' of git://git.kernel.dk/linux-block 2015-09-10 18:56:14 -07:00
uapi Merge branch 'drm-fixes' of git://people.freedesktop.org/~airlied/linux 2015-09-11 09:35:56 -07:00
video libnvdimm for 4.3: 2015-09-08 14:35:59 -07:00
xen xen: MFN/GFN/BFN terminology changes for 4.3-rc0 2015-09-10 16:21:11 -07:00
Kbuild