e1000: fix data race between tx_ring->next_to_clean
authorDmitriy Vyukov <dvyukov@google.com>
Tue, 8 Sep 2015 08:52:44 +0000 (10:52 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 15 Sep 2016 06:27:38 +0000 (08:27 +0200)
[ Upstream commit 9eab46b7cb8d0b0dcf014bf7b25e0e72b9e4d929 ]

e1000_clean_tx_irq cleans buffers and sets tx_ring->next_to_clean,
then e1000_xmit_frame reuses the cleaned buffers. But there are no
memory barriers when buffers gets recycled, so the recycled buffers
can be corrupted.

Use smp_store_release to update tx_ring->next_to_clean and
smp_load_acquire to read tx_ring->next_to_clean to properly
hand off buffers from e1000_clean_tx_irq to e1000_xmit_frame.

The data race was found with KernelThreadSanitizer (KTSAN).

Signed-off-by: Dmitry Vyukov <dvyukov@google.com>
Tested-by: Aaron Brown <aaron.f.brown@intel.com>
Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com>
Signed-off-by: Sasha Levin <alexander.levin@verizon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
drivers/net/ethernet/intel/e1000/e1000.h
drivers/net/ethernet/intel/e1000/e1000_main.c

index 69707108d23cdeb57bda5c6dd5e3e1aa29faa2b6..98fe5a2cd6e3e1020ac1c346c63e6a21a5a6832a 100644 (file)
@@ -213,8 +213,11 @@ struct e1000_rx_ring {
 };
 
 #define E1000_DESC_UNUSED(R)                                           \
-       ((((R)->next_to_clean > (R)->next_to_use)                       \
-         ? 0 : (R)->count) + (R)->next_to_clean - (R)->next_to_use - 1)
+({                                                                     \
+       unsigned int clean = smp_load_acquire(&(R)->next_to_clean);     \
+       unsigned int use = READ_ONCE((R)->next_to_use);                 \
+       (clean > use ? 0 : (R)->count) + clean - use - 1;               \
+})
 
 #define E1000_RX_DESC_EXT(R, i)                                                \
        (&(((union e1000_rx_desc_extended *)((R).desc))[i]))
index fd7be860c20131e7db9a557dcdd40db348d9edf5..068023595d8439c5b1264a105828ba80d3a54309 100644 (file)
@@ -3876,7 +3876,10 @@ static bool e1000_clean_tx_irq(struct e1000_adapter *adapter,
                eop_desc = E1000_TX_DESC(*tx_ring, eop);
        }
 
-       tx_ring->next_to_clean = i;
+       /* Synchronize with E1000_DESC_UNUSED called from e1000_xmit_frame,
+        * which will reuse the cleaned buffers.
+        */
+       smp_store_release(&tx_ring->next_to_clean, i);
 
        netdev_completed_queue(netdev, pkts_compl, bytes_compl);