#include #include #include #include #include #include #include #include #include #include "xenfs.h" #define XEN_KSYM_NAME_LEN 127 /* Hypervisor may have different name length */ struct xensyms { struct xen_platform_op op; char *name; uint32_t namelen; }; /* Grab next output page from the hypervisor */ static int xensyms_next_sym(struct xensyms *xs) { int ret; struct xenpf_symdata *symdata = &xs->op.u.symdata; uint64_t symnum; memset(xs->name, 0, xs->namelen); symdata->namelen = xs->namelen; symnum = symdata->symnum; ret = HYPERVISOR_platform_op(&xs->op); if (ret < 0) return ret; /* * If hypervisor's symbol didn't fit into the buffer then allocate * a larger buffer and try again. */ if (unlikely(symdata->namelen > xs->namelen)) { kfree(xs->name); xs->namelen = symdata->namelen; xs->name = kzalloc(xs->namelen, GFP_KERNEL); if (!xs->name) return -ENOMEM; set_xen_guest_handle(symdata->name, xs->name); symdata->symnum--; /* Rewind */ ret = HYPERVISOR_platform_op(&xs->op); if (ret < 0) return ret; } if (symdata->symnum == symnum) /* End of symbols */ return 1; return 0; } static void *xensyms_start(struct seq_file *m, loff_t *pos) { struct xensyms *xs = (struct xensyms *)m->private; xs->op.u.symdata.symnum = *pos; if (xensyms_next_sym(xs)) return NULL; return m->private; } static void *xensyms_next(struct seq_file *m, void *p, loff_t *pos) { struct xensyms *xs = (struct xensyms *)m->private; xs->op.u.symdata.symnum = ++(*pos); if (xensyms_next_sym(xs)) return NULL; return p; } static int xensyms_show(struct seq_file *m, void *p) { struct xensyms *xs = (struct xensyms *)m->private; struct xenpf_symdata *symdata = &xs->op.u.symdata; seq_printf(m, "%016llx %c %s\n", symdata->address, symdata->type, xs->name); return 0; } static void xensyms_stop(struct seq_file *m, void *p) { } static const struct seq_operations xensyms_seq_ops = { .start = xensyms_start, .next = xensyms_next, .show = xensyms_show, .stop = xensyms_stop, }; static int xensyms_open(struct inode *inode, struct file *file) { struct seq_file *m; struct xensyms *xs; int ret; ret = seq_open_private(file, &xensyms_seq_ops, sizeof(struct xensyms)); if (ret) return ret; m = file->private_data; xs = (struct xensyms *)m->private; xs->namelen = XEN_KSYM_NAME_LEN + 1; xs->name = kzalloc(xs->namelen, GFP_KERNEL); if (!xs->name) { seq_release_private(inode, file); return -ENOMEM; } set_xen_guest_handle(xs->op.u.symdata.name, xs->name); xs->op.cmd = XENPF_get_symbol; xs->op.u.symdata.namelen = xs->namelen; return 0; } static int xensyms_release(struct inode *inode, struct file *file) { struct seq_file *m = file->private_data; struct xensyms *xs = (struct xensyms *)m->private; kfree(xs->name); return seq_release_private(inode, file); } const struct file_operations xensyms_ops = { .open = xensyms_open, .read = seq_read, .llseek = seq_lseek, .release = xensyms_release }; move&id=966d2b04e070bc040319aaebfec09e0144dc3341'>rds/tcp.c
diff options
context:
space:
mode:
authorDouglas Miller <dougmill@linux.vnet.ibm.com>2017-01-28 06:42:20 -0600
committerTejun Heo <tj@kernel.org>2017-01-28 07:49:42 -0500
commit966d2b04e070bc040319aaebfec09e0144dc3341 (patch)
tree4b96156e3d1dd4dfd6039b7c219c9dc4616da52d /net/rds/tcp.c
parent1b1bc42c1692e9b62756323c675a44cb1a1f9dbd (diff)
percpu-refcount: fix reference leak during percpu-atomic transition
percpu_ref_tryget() and percpu_ref_tryget_live() should return "true" IFF they acquire a reference. But the return value from atomic_long_inc_not_zero() is a long and may have high bits set, e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines is bool so the reference may actually be acquired but the routines return "false" which results in a reference leak since the caller assumes it does not need to do a corresponding percpu_ref_put(). This was seen when performing CPU hotplug during I/O, as hangs in blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) raced with percpu_ref_tryget (blk_mq_timeout_work). Sample stack trace: __switch_to+0x2c0/0x450 __schedule+0x2f8/0x970 schedule+0x48/0xc0 blk_mq_freeze_queue_wait+0x94/0x120 blk_mq_queue_reinit_work+0xb8/0x180 blk_mq_queue_reinit_prepare+0x84/0xa0 cpuhp_invoke_callback+0x17c/0x600 cpuhp_up_callbacks+0x58/0x150 _cpu_up+0xf0/0x1c0 do_cpu_up+0x120/0x150 cpu_subsys_online+0x64/0xe0 device_online+0xb4/0x120 online_store+0xb4/0xc0 dev_attr_store+0x68/0xa0 sysfs_kf_write+0x80/0xb0 kernfs_fop_write+0x17c/0x250 __vfs_write+0x6c/0x1e0 vfs_write+0xd0/0x270 SyS_write+0x6c/0x110 system_call+0x38/0xe0 Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. The fix is to make the tryget routines use an actual boolean internally instead of the atomic long result truncated to a int. Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com> Reviewed-by: Jens Axboe <axboe@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") Cc: stable@vger.kernel.org # v3.18+
Diffstat (limited to 'net/rds/tcp.c')