On 07/16/2013 12:25 PM, Wei Liu wrote: > On Tue, Jul 16, 2013 at 10:46:01AM +0100, Jan Beulich wrote: >> Due to commit 3683243b ("xen-netfront: use __pskb_pull_tail to ensure >> linear area is big enough on RX") xennet_fill_frags() may end up >> filling MAX_SKB_FRAGS + 1 fragments in a receive skb, and only reduce >> the fragment count subsequently via __pskb_pull_tail(). That's a >> result of xennet_get_responses() allowing a maximum of one more slot to >> be consumed (and intermediately transformed into a fragment) if the >> head slot has a size less than or equal to RX_COPY_THRESHOLD. >> >> Hence we need to adjust xennet_fill_frags() to pull earlier if we >> reached the maximum fragment count - due to the described behavior of >> xennet_get_responses() this guarantees that at least the first fragment >> will get completely consumed, and hence the fragment count reduced. >> >> In order to not needlessly call __pskb_pull_tail() twice, make the >> original call conditional upon the pull target not having been reached >> yet, and defer the newly added one as much as possible (an alternative >> would have been to always call the function right before the call to >> xennet_fill_frags(), but that would imply more frequent cases of >> needing to call it twice). >> >> Signed-off-by: Jan Beulich <jbeulich@xxxxxxxx> >> Cc: Wei Liu <wei.liu2@xxxxxxxxxx> >> Cc: Ian Campbell <ian.campbell@xxxxxxxxxx> >> Cc: stable@xxxxxxxxxxxxxxx (3.6 onwards) >> --- >> v2: Use skb_add_rx_frag() to keep all accounting fields up to date as >> we go (skb->len needing intermediate updating was pointed out by >> Wei Liu and David Miller, shinfo->nr_frags needing updating before >> calling __pskb_pull_tail() was spotted out by Dion Kant). > Jan and Dion, is this a confirmed fix for SuSE kernel? Dear Wei, I did thorough testing on the system which revealed the original problem and I can confirm that it does fix the issue. Dion > > I complied and tested it, at least it didn't break things for me. The > tests I ran were 1) scp large_file to domU; 2) iperf from Dom0 to DomU; > 3) netperf from Dom0 to DomU. > > On the basis that this patch 1) fixes the bug for SuSE kernel (to be > confirmed with Jan); 2) doesn't break upstream (tested by me). > > Acked-by: Wei Liu <wei.liu2@xxxxxxxxxx> > >> --- >> drivers/net/xen-netfront.c | 32 +++++++++++++------------------- >> 1 file changed, 13 insertions(+), 19 deletions(-) >> >> --- 3.11-rc1/drivers/net/xen-netfront.c >> +++ 3.11-rc1-xen-netfront-pull-earlier/drivers/net/xen-netfront.c >> @@ -286,8 +286,7 @@ no_skb: >> break; >> } >> >> - __skb_fill_page_desc(skb, 0, page, 0, 0); >> - skb_shinfo(skb)->nr_frags = 1; >> + skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); >> __skb_queue_tail(&np->rx_batch, skb); >> } >> >> @@ -831,7 +830,6 @@ static RING_IDX xennet_fill_frags(struct >> struct sk_buff_head *list) >> { >> struct skb_shared_info *shinfo = skb_shinfo(skb); >> - int nr_frags = shinfo->nr_frags; >> RING_IDX cons = np->rx.rsp_cons; >> struct sk_buff *nskb; >> >> @@ -840,19 +838,21 @@ static RING_IDX xennet_fill_frags(struct >> RING_GET_RESPONSE(&np->rx, ++cons); >> skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; >> >> - __skb_fill_page_desc(skb, nr_frags, >> - skb_frag_page(nfrag), >> - rx->offset, rx->status); >> + if (shinfo->nr_frags == MAX_SKB_FRAGS) { >> + unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; >> >> - skb->data_len += rx->status; >> + BUG_ON(pull_to <= skb_headlen(skb)); >> + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); >> + } >> + BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS); >> + >> + skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag), >> + rx->offset, rx->status, PAGE_SIZE); >> >> skb_shinfo(nskb)->nr_frags = 0; >> kfree_skb(nskb); >> - >> - nr_frags++; >> } >> >> - shinfo->nr_frags = nr_frags; >> return cons; >> } >> >> @@ -933,7 +933,8 @@ static int handle_incoming_queue(struct >> while ((skb = __skb_dequeue(rxq)) != NULL) { >> int pull_to = NETFRONT_SKB_CB(skb)->pull_to; >> >> - __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); >> + if (pull_to > skb_headlen(skb)) >> + __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); >> >> /* Ethernet work: Delayed to here as it peeks the header. */ >> skb->protocol = eth_type_trans(skb, dev); >> @@ -1018,17 +1019,10 @@ err: >> >> skb_shinfo(skb)->frags[0].page_offset = rx->offset; >> skb_frag_size_set(&skb_shinfo(skb)->frags[0], rx->status); >> - skb->data_len = rx->status; >> + skb->len += skb->data_len = rx->status; >> >> i = xennet_fill_frags(np, skb, &tmpq); >> >> - /* >> - * Truesize is the actual allocation size, even if the >> - * allocation is only partially used. >> - */ >> - skb->truesize += PAGE_SIZE * skb_shinfo(skb)->nr_frags; >> - skb->len += skb->data_len; >> - >> if (rx->flags & XEN_NETRXF_csum_blank) >> skb->ip_summed = CHECKSUM_PARTIAL; >> else if (rx->flags & XEN_NETRXF_data_validated) >> -- To unsubscribe from this list: send the line "unsubscribe stable" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html