diff mbox

[RFC,v1] tun: Cleanup error handling in tun_set_iff()

Message ID 20090803161242.12947.14620.stgit@flek.lan
State RFC, archived
Delegated to: David Miller
Headers show

Commit Message

Paul Moore Aug. 3, 2009, 4:12 p.m. UTC 
Convert some pointless gotos into returns and ensure tun_attach() errors are
handled correctly.

Signed-off-by: Paul Moore <paul.moore@hp.com>

--

I'm sending this as an RFC patch because I'm not entirely certain that the
changes to the tun_attach() error handling code are 100% correct, although I
strongly suspect that the current behavor of simply returning an error code
without any cleanup is broken.  Can anyone comment on this?
---

 drivers/net/tun.c |   19 ++++++++++---------
 1 files changed, 10 insertions(+), 9 deletions(-)


--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

David Miller Aug. 4, 2009, 4:16 a.m. UTC | #1 
From: Paul Moore <paul.moore@hp.com>
Date: Mon, 03 Aug 2009 12:12:43 -0400

> Convert some pointless gotos into returns and ensure tun_attach() errors are
> handled correctly.
> 
> Signed-off-by: Paul Moore <paul.moore@hp.com>
> 
> --
> 
> I'm sending this as an RFC patch because I'm not entirely certain that the
> changes to the tun_attach() error handling code are 100% correct, although I
> strongly suspect that the current behavor of simply returning an error code
> without any cleanup is broken.  Can anyone comment on this?

It looks good to me.

But I've been wrong about this code before, so it would be nice
to get some other eyes on it :-)
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Eric W. Biederman Aug. 5, 2009, 5:32 a.m. UTC | #2 
Paul Moore <paul.moore@hp.com> writes:

> Convert some pointless gotos into returns and ensure tun_attach() errors are
> handled correctly.
>
> Signed-off-by: Paul Moore <paul.moore@hp.com>

This patch appears slightly wrong.  Comments inline.

> I'm sending this as an RFC patch because I'm not entirely certain that the
> changes to the tun_attach() error handling code are 100% correct, although I
> strongly suspect that the current behavor of simply returning an error code
> without any cleanup is broken.  Can anyone comment on this?
> ---
>
>  drivers/net/tun.c |   19 ++++++++++---------
>  1 files changed, 10 insertions(+), 9 deletions(-)
>
> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 4a0db7a..b6d06fd 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -938,13 +938,10 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>  		err = tun_attach(tun, file);
>  		if (err < 0)
>  			return err;
> -	}
> -	else {
> +	} else {
>  		char *name;
>  		unsigned long flags = 0;
>  
> -		err = -EINVAL;
> -
>  		if (!capable(CAP_NET_ADMIN))
>  			return -EPERM;
>  
> @@ -958,7 +955,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>  			flags |= TUN_TAP_DEV;
>  			name = "tap%d";
>  		} else
> -			goto failed;
> +			return -EINVAL;

Trivially correct.

>  
>  		if (*ifr->ifr_name)
>  			name = ifr->ifr_name;
> @@ -976,10 +973,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>  		tun->flags = flags;
>  		tun->txflt.count = 0;
>  
> -		err = -ENOMEM;
>  		sk = sk_alloc(net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
> -		if (!sk)
> +		if (!sk) {
> +			err = -ENOMEM;
>  			goto err_free_dev;
> +		}

Trivially correct but I would argue uglier.

>  
>  		init_waitqueue_head(&tun->socket.wait);
>  		sock_init_data(&tun->socket, sk);
> @@ -1010,7 +1008,7 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>  
>  		err = tun_attach(tun, file);
>  		if (err < 0)
> -			goto failed;
> +			goto err_unreg_dev;
>  	}

This is the interesting one.  And several problems with it.  When
Herbert reworked the reference counting here he introduced the goto
failed; Instead of err_free_dev.

I think there were more possible races when I introduced the check
of the return code of tun_attach, the only case I can see currently
is if the file was attached to another tun device before we grabbed the
rtnl_lock.


>  	DBG(KERN_INFO "%s: tun_set_iff\n", tun->dev->name);
> @@ -1039,11 +1037,14 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
>  	strcpy(ifr->ifr_name, tun->dev->name);
>  	return 0;
>  
> + err_unreg_dev:
> +	rtnl_lock();
> +	unregister_netdevice(tun->dev);
> +	rtnl_unlock();

This is a guaranteed deadlock.  We already hold the rtnl_lock here.
Furthermore all I should need to do in this case is to call
unregister_netdevice(...).    As all of the rest of the pieces should
happen in the cleanup routines called from unregister_netdevice.

The current behavior of returning an error code is a little bit off
as it creates a persistent tun device without setting tun->flags | TUN_PERSIST.
And it leaves a tun device for someone else to clean up.

At the same time it should be perfectly legitimate for someone else to
come along and attach to the tun device and delete it or to call
ip link del <tun>

Eric

>   err_free_sk:
>  	sock_put(sk);
>   err_free_dev:
>  	free_netdev(dev);
> - failed:
>  	return err;
>  }
>  
>
> --
> To unsubscribe from this list: send the line "unsubscribe netdev" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Paul Moore Aug. 5, 2009, 9:38 p.m. UTC | #3 
On Wednesday 05 August 2009 01:32:49 am Eric W. Biederman wrote:
> Paul Moore <paul.moore@hp.com> writes:
> > Convert some pointless gotos into returns and ensure tun_attach() errors
> > are handled correctly.
> >
> > Signed-off-by: Paul Moore <paul.moore@hp.com>
>
> This patch appears slightly wrong.  Comments inline.

Thanks for taking a look ...

> > I'm sending this as an RFC patch because I'm not entirely certain that
> > the changes to the tun_attach() error handling code are 100% correct,
> > although I strongly suspect that the current behavor of simply returning
> > an error code without any cleanup is broken.  Can anyone comment on this?
> > ---
> >
> >  drivers/net/tun.c |   19 ++++++++++---------
> >  1 files changed, 10 insertions(+), 9 deletions(-)
> >
> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> > index 4a0db7a..b6d06fd 100644
> > --- a/drivers/net/tun.c
> > +++ b/drivers/net/tun.c
> > @@ -976,10 +973,11 @@ static int tun_set_iff(struct net *net, struct file
> > *file, struct ifreq *ifr) tun->flags = flags;
> >  		tun->txflt.count = 0;
> >
> > -		err = -ENOMEM;
> >  		sk = sk_alloc(net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
> > -		if (!sk)
> > +		if (!sk) {
> > +			err = -ENOMEM;
> >  			goto err_free_dev;
> > +		}
>
> Trivially correct but I would argue uglier.

My reasoning behind the change was that code related to the error handling 
should be moved outside the common path as much as possible similar to what we 
do now with the gotos.

> > @@ -1010,7 +1008,7 @@ static int tun_set_iff(struct net *net, struct file
> > *file, struct ifreq *ifr)
> >
> >  		err = tun_attach(tun, file);
> >  		if (err < 0)
> > -			goto failed;
> > +			goto err_unreg_dev;
> >  	}
>
> This is the interesting one.  And several problems with it.  When
> Herbert reworked the reference counting here he introduced the goto
> failed; Instead of err_free_dev.
>
> I think there were more possible races when I introduced the check
> of the return code of tun_attach, the only case I can see currently
> is if the file was attached to another tun device before we grabbed the
> rtnl_lock.

...

> > @@ -1039,11 +1037,14 @@ static int tun_set_iff(struct net *net, struct
> > file *file, struct ifreq *ifr) strcpy(ifr->ifr_name, tun->dev->name);
> >  	return 0;
> >
> > + err_unreg_dev:
> > +	rtnl_lock();
> > +	unregister_netdevice(tun->dev);
> > +	rtnl_unlock();
>
> This is a guaranteed deadlock.  We already hold the rtnl_lock here.
> Furthermore all I should need to do in this case is to call
> unregister_netdevice(...).    As all of the rest of the pieces should
> happen in the cleanup routines called from unregister_netdevice.

Okay, so at the very least the rtnl_[un]lock() calls need to be removed and we 
can safely return after calling unregister_netdevice() without having to 
free/release anything else.  The thing that concerns me the most are the 
potential races you talked about.

I'll admit there are many dark places here that I still don't understand but 
looking at the code it appears that the only way to get into tun_set_iff() is 
if the file is not currently attached to a TUN device which is further checked 
in tun_attach().  Also, I'm not sure what refcounting you are talking about - 
do you mean the tun_file->count refcount?  I think we should be okay in this 
regard as the only way we would end up changing tun_file->count is if 
tun_attach() completed successfully; if tun_attach() fails there is not change 
in the refcount.  I could be way off here but it _seems_ safe ... :)

> The current behavior of returning an error code is a little bit off
> as it creates a persistent tun device without setting tun->flags |
> TUN_PERSIST. And it leaves a tun device for someone else to clean up.
>
> At the same time it should be perfectly legitimate for someone else to
> come along and attach to the tun device and delete it or to call
> ip link del <tun>

My concern is that I believe that if the kernel fails at an operation it 
should do all it can to unwind any actions it took in the course of attempting 
to perform the requested operation.  Leaving a TUN device around in the case 
of a tun_attach() failure seems like the kernel is being lazy, sure a user can 
cleanup the device but why should they have to?
Eric W. Biederman Aug. 5, 2009, 11:14 p.m. UTC | #4 
Paul Moore <paul.moore@hp.com> writes:

> On Wednesday 05 August 2009 01:32:49 am Eric W. Biederman wrote:
>> Paul Moore <paul.moore@hp.com> writes:
>> > Convert some pointless gotos into returns and ensure tun_attach() errors
>> > are handled correctly.
>> >
>> > Signed-off-by: Paul Moore <paul.moore@hp.com>
>>
>> This patch appears slightly wrong.  Comments inline.
>
> Thanks for taking a look ...
>
>> > I'm sending this as an RFC patch because I'm not entirely certain that
>> > the changes to the tun_attach() error handling code are 100% correct,
>> > although I strongly suspect that the current behavor of simply returning
>> > an error code without any cleanup is broken.  Can anyone comment on this?
>> > ---
>> >
>> >  drivers/net/tun.c |   19 ++++++++++---------
>> >  1 files changed, 10 insertions(+), 9 deletions(-)
>> >
>> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
>> > index 4a0db7a..b6d06fd 100644
>> > --- a/drivers/net/tun.c
>> > +++ b/drivers/net/tun.c
>> > @@ -976,10 +973,11 @@ static int tun_set_iff(struct net *net, struct file
>> > *file, struct ifreq *ifr) tun->flags = flags;
>> >  		tun->txflt.count = 0;
>> >
>> > -		err = -ENOMEM;
>> >  		sk = sk_alloc(net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
>> > -		if (!sk)
>> > +		if (!sk) {
>> > +			err = -ENOMEM;
>> >  			goto err_free_dev;
>> > +		}
>>
>> Trivially correct but I would argue uglier.
>
> My reasoning behind the change was that code related to the error handling 
> should be moved outside the common path as much as possible similar to what we 
> do now with the gotos.

I don't understand.  Generating less readable and less efficient code is
preferable?

>> > @@ -1010,7 +1008,7 @@ static int tun_set_iff(struct net *net, struct file
>> > *file, struct ifreq *ifr)
>> >
>> >  		err = tun_attach(tun, file);
>> >  		if (err < 0)
>> > -			goto failed;
>> > +			goto err_unreg_dev;
>> >  	}
>>
>> This is the interesting one.  And several problems with it.  When
>> Herbert reworked the reference counting here he introduced the goto
>> failed; Instead of err_free_dev.
>>
>> I think there were more possible races when I introduced the check
>> of the return code of tun_attach, the only case I can see currently
>> is if the file was attached to another tun device before we grabbed the
>> rtnl_lock.
>
> ...
>
>> > @@ -1039,11 +1037,14 @@ static int tun_set_iff(struct net *net, struct
>> > file *file, struct ifreq *ifr) strcpy(ifr->ifr_name, tun->dev->name);
>> >  	return 0;
>> >
>> > + err_unreg_dev:
>> > +	rtnl_lock();
>> > +	unregister_netdevice(tun->dev);
>> > +	rtnl_unlock();
>>
>> This is a guaranteed deadlock.  We already hold the rtnl_lock here.
>> Furthermore all I should need to do in this case is to call
>> unregister_netdevice(...).    As all of the rest of the pieces should
>> happen in the cleanup routines called from unregister_netdevice.
>
> Okay, so at the very least the rtnl_[un]lock() calls need to be removed and we 
> can safely return after calling unregister_netdevice() without having to 
> free/release anything else.  The thing that concerns me the most are the 
> potential races you talked about.
>
> I'll admit there are many dark places here that I still don't understand but 
> looking at the code it appears that the only way to get into tun_set_iff() is 
> if the file is not currently attached to a TUN device which is further checked 
> in tun_attach().  

Yes.  But how many times can you come into tun_set_iff on the same file?
Think multiple threads trying to do the same thing at the same time.

> Also, I'm not sure what refcounting you are talking about - 
> do you mean the tun_file->count refcount?  I think we should be okay in this 
> regard as the only way we would end up changing tun_file->count is if 
> tun_attach() completed successfully; if tun_attach() fails there is not change 
> in the refcount.  I could be way off here but it _seems_ safe ... :)

I totally agree that things are not as obvious as they should be.  I made
things more complex when I added support for ip link del.  Then Herbert's
patches collided and broke things when he added the socket support.
Herbert change the refcount scheme that made things simpler and easier
to get correct.

Things are mostly good now, but think the tun code could use good audit,
cleanup, simplification.  Which takes advantage of everything that Herbert
did.  All of which requires someone to spend enough time looking at the
code to understand what is going on.  Not hard but a bit time consuming.

>> The current behavior of returning an error code is a little bit off
>> as it creates a persistent tun device without setting tun->flags |
>> TUN_PERSIST. And it leaves a tun device for someone else to clean up.
>>
>> At the same time it should be perfectly legitimate for someone else to
>> come along and attach to the tun device and delete it or to call
>> ip link del <tun>
>
> My concern is that I believe that if the kernel fails at an operation it 
> should do all it can to unwind any actions it took in the course of attempting 
> to perform the requested operation.  Leaving a TUN device around in the case 
> of a tun_attach() failure seems like the kernel is being lazy, sure a user can 
> cleanup the device but why should they have to?

Sure.  I am all for that and that is how I originally coded it.
My point is that this is not harmful and that it can really only be triggered
by a buggy or hostile user.   So it isn't critical to get fixed.  It is an
imperfect so a fix is desirable.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Herbert Xu Aug. 6, 2009, 10:10 a.m. UTC | #5 
On Wed, Aug 05, 2009 at 05:38:42PM -0400, Paul Moore wrote:
>
> My concern is that I believe that if the kernel fails at an operation it 
> should do all it can to unwind any actions it took in the course of attempting 
> to perform the requested operation.  Leaving a TUN device around in the case 
> of a tun_attach() failure seems like the kernel is being lazy, sure a user can 
> cleanup the device but why should they have to?

That particular tun_attach should never fail.  Perhaps you can
just add a WARN_ON.

Cheers,
Eric W. Biederman Aug. 6, 2009, 10:21 a.m. UTC | #6 
Herbert Xu <herbert@gondor.apana.org.au> writes:

> On Wed, Aug 05, 2009 at 05:38:42PM -0400, Paul Moore wrote:
>>
>> My concern is that I believe that if the kernel fails at an operation it 
>> should do all it can to unwind any actions it took in the course of attempting 
>> to perform the requested operation.  Leaving a TUN device around in the case 
>> of a tun_attach() failure seems like the kernel is being lazy, sure a user can 
>> cleanup the device but why should they have to?
>
> That particular tun_attach should never fail.  Perhaps you can
> just add a WARN_ON.

Two threads one file descriptor.  Both simultaneously attempt to 
attach to a tun device.  One will fail, the other succeed.

At least that is how I read the locking.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Herbert Xu Aug. 6, 2009, 1:37 p.m. UTC | #7 
On Thu, Aug 06, 2009 at 03:21:41AM -0700, Eric W. Biederman wrote:
>
> Two threads one file descriptor.  Both simultaneously attempt to 
> attach to a tun device.  One will fail, the other succeed.
> 
> At least that is how I read the locking.

Yes but the "race" fixed by this patch is centred on the tun_attach
call for a newly created network device.  As tun_set_iff occurs
under RTNL, the second thread cannot start attaching until the
creation thread has completed.  IOW the thread that creates the
net device should always succeed in attaching.

If two threads try to attach to the same device that was already
created then yes one will fail and the other succeed.  However,
AFAICS that case has nothing to do with this patch.

Cheers,
Eric W. Biederman Aug. 6, 2009, 2:27 p.m. UTC | #8 
Herbert Xu <herbert@gondor.apana.org.au> writes:

> On Thu, Aug 06, 2009 at 03:21:41AM -0700, Eric W. Biederman wrote:
>>
>> Two threads one file descriptor.  Both simultaneously attempt to 
>> attach to a tun device.  One will fail, the other succeed.
>> 
>> At least that is how I read the locking.
>
> Yes but the "race" fixed by this patch is centred on the tun_attach
> call for a newly created network device.  As tun_set_iff occurs
> under RTNL, the second thread cannot start attaching until the
> creation thread has completed.  IOW the thread that creates the
> net device should always succeed in attaching.

>
> If two threads try to attach to the same device that was already
> created then yes one will fail and the other succeed.  However,
> AFAICS that case has nothing to do with this patch.

Summarizing:

tun = __tun_get(tfile);
if (!tun) { // No tun we are not attached.
	 < -------------------- race opportunity
	rtnl_lock();
        tun_set_iff();
        rtnl_unlock();
}
...

We don't test if we are attached under the rtnl
until we get to tun_attach();

So two threads can both do:

tun = __tun_get(tfile);
if (!tun) {
	rtnl_lock();
        tun_set_iff();
            dev = __dev_get_by_name(net, "not_an_interface_name");
            if (!dev) {
               dev = alloc_netdev(....);
               ...;
               register_netdev(dev);
               ...;
               err = tun_attach(..);
            }


Only one thread is in tun_set_iff() at a time, but the other thread
could have attached the file to a device before the one in tun_attach().

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Herbert Xu Aug. 6, 2009, 2:39 p.m. UTC | #9 
On Thu, Aug 06, 2009 at 07:27:13AM -0700, Eric W. Biederman wrote:
>
> Summarizing:
> 
> tun = __tun_get(tfile);
> if (!tun) { // No tun we are not attached.
> 	 < -------------------- race opportunity
> 	rtnl_lock();
>         tun_set_iff();
>         rtnl_unlock();
> }
> ...
> 
> We don't test if we are attached under the rtnl
> until we get to tun_attach();
> 
> So two threads can both do:
> 
> tun = __tun_get(tfile);
> if (!tun) {
> 	rtnl_lock();
>         tun_set_iff();
>             dev = __dev_get_by_name(net, "not_an_interface_name");
>             if (!dev) {
>                dev = alloc_netdev(....);
>                ...;
>                register_netdev(dev);
>                ...;
>                err = tun_attach(..);
>             }
> 
> 
> Only one thread is in tun_set_iff() at a time, but the other thread
> could have attached the file to a device before the one in tun_attach().

Right, I see what you mean.  However I don't think this is possible
because the ioctl runs under the big kernel lock.

Cheers,
Eric W. Biederman Aug. 6, 2009, 3:02 p.m. UTC | #10 
Herbert Xu <herbert@gondor.apana.org.au> writes:

> On Thu, Aug 06, 2009 at 07:27:13AM -0700, Eric W. Biederman wrote:
>>
>> Summarizing:
>> 
>> tun = __tun_get(tfile);
>> if (!tun) { // No tun we are not attached.
>> 	 < -------------------- race opportunity
>> 	rtnl_lock();
>>         tun_set_iff();
>>         rtnl_unlock();
>> }
>> ...
>> 
>> We don't test if we are attached under the rtnl
>> until we get to tun_attach();
>> 
>> So two threads can both do:
>> 
>> tun = __tun_get(tfile);
>> if (!tun) {
>> 	rtnl_lock();
>>         tun_set_iff();
>>             dev = __dev_get_by_name(net, "not_an_interface_name");
>>             if (!dev) {
>>                dev = alloc_netdev(....);
>>                ...;
>>                register_netdev(dev);
>>                ...;
>>                err = tun_attach(..);
>>             }
>> 
>> 
>> Only one thread is in tun_set_iff() at a time, but the other thread
>> could have attached the file to a device before the one in tun_attach().
>
> Right, I see what you mean.  However I don't think this is possible
> because the ioctl runs under the big kernel lock.

Why not?  We can sleep on that code path.
Although now that you mention it we should use unlocked_ioctl unless
we actually need the BKL.

Eric
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Paul Moore Aug. 6, 2009, 6:09 p.m. UTC | #11 
On Thursday 06 August 2009 11:02:22 am Eric W. Biederman wrote:
> Herbert Xu <herbert@gondor.apana.org.au> writes:
> > On Thu, Aug 06, 2009 at 07:27:13AM -0700, Eric W. Biederman wrote:
> >> Summarizing:
> >>
> >> tun = __tun_get(tfile);
> >> if (!tun) { // No tun we are not attached.
> >> 	 < -------------------- race opportunity
> >> 	rtnl_lock();
> >>         tun_set_iff();
> >>         rtnl_unlock();
> >> }
> >> ...
> >>
> >> We don't test if we are attached under the rtnl
> >> until we get to tun_attach();
> >>
> >> So two threads can both do:
> >>
> >> tun = __tun_get(tfile);
> >> if (!tun) {
> >> 	rtnl_lock();
> >>         tun_set_iff();
> >>             dev = __dev_get_by_name(net, "not_an_interface_name");
> >>             if (!dev) {
> >>                dev = alloc_netdev(....);
> >>                ...;
> >>                register_netdev(dev);
> >>                ...;
> >>                err = tun_attach(..);
> >>             }
> >>
> >>
> >> Only one thread is in tun_set_iff() at a time, but the other thread
> >> could have attached the file to a device before the one in tun_attach().
> >
> > Right, I see what you mean.  However I don't think this is possible
> > because the ioctl runs under the big kernel lock.
>
> Why not?  We can sleep on that code path.
> Although now that you mention it we should use unlocked_ioctl unless
> we actually need the BKL.

Dave, if you haven't already, it is probably a good idea to just forget about 
this patch.  Prior to this discussion I suspected that the TUN driver could 
use a closer look, after reading the comments from Eric and Herbert there 
isn't much suspicion left.  I'll put this on my rainy day todo list to try and 
tackle but I won't be upset if somebody beats me to it.
Paul Moore Aug. 6, 2009, 6:20 p.m. UTC | #12 
On Wednesday 05 August 2009 07:14:06 pm Eric W. Biederman wrote:
> Paul Moore <paul.moore@hp.com> writes:
> > On Wednesday 05 August 2009 01:32:49 am Eric W. Biederman wrote:
> >> Paul Moore <paul.moore@hp.com> writes:
> >> > diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> >> > index 4a0db7a..b6d06fd 100644
> >> > --- a/drivers/net/tun.c
> >> > +++ b/drivers/net/tun.c
> >> > @@ -976,10 +973,11 @@ static int tun_set_iff(struct net *net, struct
> >> > file *file, struct ifreq *ifr) tun->flags = flags;
> >> >  		tun->txflt.count = 0;
> >> >
> >> > -		err = -ENOMEM;
> >> >  		sk = sk_alloc(net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
> >> > -		if (!sk)
> >> > +		if (!sk) {
> >> > +			err = -ENOMEM;
> >> >  			goto err_free_dev;
> >> > +		}
> >>
> >> Trivially correct but I would argue uglier.
> >
> > My reasoning behind the change was that code related to the error
> > handling should be moved outside the common path as much as possible
> > similar to what we do now with the gotos.
>
> I don't understand.  Generating less readable and less efficient code is
> preferable?

While we can probably debate the "readability" of code all day long and get no 
where (anyone care to argue about the color of the bikeshed?) the concept of 
code efficiency should be a bit easier to quantify.  I'll admit that I'm far 
from a performance expert but here is my reasoning ...

The code currently looks something like this:

	err = -ENOMEM;
	buf = alloc(...);
	if (!buf)
		goto label;

This means that in the common case where 'alloc()' completes without error we 
are doing an extra, unnecessary assignment where we set the value in 'err'.  
Now, if we change this slightly to match what I proposed in the patch:

	buf = alloc(...);
	if (!buf) {
		err = -ENOMEM;
		goto label;
	}

We eliminate that extra assignment in the case where 'alloc()' completes 
without error, which should result in more efficient code (less instructions 
in the common case).  Am I wrong?  If that is the case I would appreciate an 
explanation ...
David Miller Aug. 6, 2009, 6:41 p.m. UTC | #13 
From: Paul Moore <paul.moore@hp.com>
Date: Thu, 6 Aug 2009 14:09:19 -0400

> Dave, if you haven't already, it is probably a good idea to just
> forget about this patch.

ok.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Herbert Xu Aug. 7, 2009, midnight UTC | #14 
On Thu, Aug 06, 2009 at 02:20:20PM -0400, Paul Moore wrote:
>
> The code currently looks something like this:
> 
> 	err = -ENOMEM;
> 	buf = alloc(...);
> 	if (!buf)
> 		goto label;
> 
> This means that in the common case where 'alloc()' completes without error we 
> are doing an extra, unnecessary assignment where we set the value in 'err'.  
> Now, if we change this slightly to match what I proposed in the patch:
> 
> 	buf = alloc(...);
> 	if (!buf) {
> 		err = -ENOMEM;
> 		goto label;
> 	}
> 
> We eliminate that extra assignment in the case where 'alloc()' completes 
> without error, which should result in more efficient code (less instructions 
> in the common case).  Am I wrong?  If that is the case I would appreciate an 
> explanation ...

Your style potentially introduces a second jump which may end
up being worse compared to the extra work on a modern CPU.


Cheers,
Paul Moore Aug. 7, 2009, 12:23 p.m. UTC | #15 
On Thursday 06 August 2009 08:00:21 pm Herbert Xu wrote:
> On Thu, Aug 06, 2009 at 02:20:20PM -0400, Paul Moore wrote:
> > The code currently looks something like this:
> >
> > 	err = -ENOMEM;
> > 	buf = alloc(...);
> > 	if (!buf)
> > 		goto label;
> >
> > This means that in the common case where 'alloc()' completes without
> > error we are doing an extra, unnecessary assignment where we set the
> > value in 'err'. Now, if we change this slightly to match what I proposed
> > in the patch:
> >
> > 	buf = alloc(...);
> > 	if (!buf) {
> > 		err = -ENOMEM;
> > 		goto label;
> > 	}
> >
> > We eliminate that extra assignment in the case where 'alloc()' completes
> > without error, which should result in more efficient code (less
> > instructions in the common case).  Am I wrong?  If that is the case I
> > would appreciate an explanation ...
>
> Your style potentially introduces a second jump which may end
> up being worse compared to the extra work on a modern CPU.

Thanks, I hadn't thought of that possibility.  I suppose the impact of a 
second jump is going to depend quite a bit on the hardware it runs on 
(pipeline depth, branch prediction, etc.) and isn't as easy to quantify as I 
had hoped.  Oh well, I appreciate the explanation anyway :)
diff mbox

Patch

diff --git a/drivers/net/tun.c b/drivers/net/tun.c
index 4a0db7a..b6d06fd 100644
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -938,13 +938,10 @@  static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 		err = tun_attach(tun, file);
 		if (err < 0)
 			return err;
-	}
-	else {
+	} else {
 		char *name;
 		unsigned long flags = 0;
 
-		err = -EINVAL;
-
 		if (!capable(CAP_NET_ADMIN))
 			return -EPERM;
 
@@ -958,7 +955,7 @@  static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 			flags |= TUN_TAP_DEV;
 			name = "tap%d";
 		} else
-			goto failed;
+			return -EINVAL;
 
 		if (*ifr->ifr_name)
 			name = ifr->ifr_name;
@@ -976,10 +973,11 @@  static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 		tun->flags = flags;
 		tun->txflt.count = 0;
 
-		err = -ENOMEM;
 		sk = sk_alloc(net, AF_UNSPEC, GFP_KERNEL, &tun_proto);
-		if (!sk)
+		if (!sk) {
+			err = -ENOMEM;
 			goto err_free_dev;
+		}
 
 		init_waitqueue_head(&tun->socket.wait);
 		sock_init_data(&tun->socket, sk);
@@ -1010,7 +1008,7 @@  static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 
 		err = tun_attach(tun, file);
 		if (err < 0)
-			goto failed;
+			goto err_unreg_dev;
 	}
 
 	DBG(KERN_INFO "%s: tun_set_iff\n", tun->dev->name);
@@ -1039,11 +1037,14 @@  static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr)
 	strcpy(ifr->ifr_name, tun->dev->name);
 	return 0;
 
+ err_unreg_dev:
+	rtnl_lock();
+	unregister_netdevice(tun->dev);
+	rtnl_unlock();
  err_free_sk:
 	sock_put(sk);
  err_free_dev:
 	free_netdev(dev);
- failed:
 	return err;
 }