/* * linux/fs/nfs/cache_lib.c * * Helper routines for the NFS client caches * * Copyright (c) 2009 Trond Myklebust */ #include #include #include #include #include #include #include #include #include #include "cache_lib.h" #define NFS_CACHE_UPCALL_PATHLEN 256 #define NFS_CACHE_UPCALL_TIMEOUT 15 static char nfs_cache_getent_prog[NFS_CACHE_UPCALL_PATHLEN] = "/sbin/nfs_cache_getent"; static unsigned long nfs_cache_getent_timeout = NFS_CACHE_UPCALL_TIMEOUT; module_param_string(cache_getent, nfs_cache_getent_prog, sizeof(nfs_cache_getent_prog), 0600); MODULE_PARM_DESC(cache_getent, "Path to the client cache upcall program"); module_param_named(cache_getent_timeout, nfs_cache_getent_timeout, ulong, 0600); MODULE_PARM_DESC(cache_getent_timeout, "Timeout (in seconds) after which " "the cache upcall is assumed to have failed"); int nfs_cache_upcall(struct cache_detail *cd, char *entry_name) { static char *envp[] = { "HOME=/", "TERM=linux", "PATH=/sbin:/usr/sbin:/bin:/usr/bin", NULL }; char *argv[] = { nfs_cache_getent_prog, cd->name, entry_name, NULL }; int ret = -EACCES; if (nfs_cache_getent_prog[0] == '\0') goto out; ret = call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC); /* * Disable the upcall mechanism if we're getting an ENOENT or * EACCES error. The admin can re-enable it on the fly by using * sysfs to set the 'cache_getent' parameter once the problem * has been fixed. */ if (ret == -ENOENT || ret == -EACCES) nfs_cache_getent_prog[0] = '\0'; out: return ret > 0 ? 0 : ret; } /* * Deferred request handling */ void nfs_cache_defer_req_put(struct nfs_cache_defer_req *dreq) { if (atomic_dec_and_test(&dreq->count)) kfree(dreq); } static void nfs_dns_cache_revisit(struct cache_deferred_req *d, int toomany) { struct nfs_cache_defer_req *dreq; dreq = container_of(d, struct nfs_cache_defer_req, deferred_req); complete(&dreq->completion); nfs_cache_defer_req_put(dreq); } static struct cache_deferred_req *nfs_dns_cache_defer(struct cache_req *req) { struct nfs_cache_defer_req *dreq; dreq = container_of(req, struct nfs_cache_defer_req, req); dreq->deferred_req.revisit = nfs_dns_cache_revisit; atomic_inc(&dreq->count); return &dreq->deferred_req; } struct nfs_cache_defer_req *nfs_cache_defer_req_alloc(void) { struct nfs_cache_defer_req *dreq; dreq = kzalloc(sizeof(*dreq), GFP_KERNEL); if (dreq) { init_completion(&dreq->completion); atomic_set(&dreq->count, 1); dreq->req.defer = nfs_dns_cache_defer; } return dreq; } int nfs_cache_wait_for_upcall(struct nfs_cache_defer_req *dreq) { if (wait_for_completion_timeout(&dreq->completion, nfs_cache_getent_timeout * HZ) == 0) return -ETIMEDOUT; return 0; } int nfs_cache_register_sb(struct super_block *sb, struct cache_detail *cd) { int ret; struct dentry *dir; dir = rpc_d_lookup_sb(sb, "cache"); ret = sunrpc_cache_register_pipefs(dir, cd->name, 0600, cd); dput(dir); return ret; } int nfs_cache_register_net(struct net *net, struct cache_detail *cd) { struct super_block *pipefs_sb; int ret = 0; sunrpc_init_cache_detail(cd); pipefs_sb = rpc_get_sb_net(net); if (pipefs_sb) { ret = nfs_cache_register_sb(pipefs_sb, cd); rpc_put_sb_net(net); if (ret) sunrpc_destroy_cache_detail(cd); } return ret; } void nfs_cache_unregister_sb(struct super_block *sb, struct cache_detail *cd) { if (cd->u.pipefs.dir) sunrpc_cache_unregister_pipefs(cd); } void nfs_cache_unregister_net(struct net *net, struct cache_detail *cd) { struct super_block *pipefs_sb; pipefs_sb = rpc_get_sb_net(net); if (pipefs_sb) { nfs_cache_unregister_sb(pipefs_sb, cd); rpc_put_sb_net(net); } sunrpc_destroy_cache_detail(cd); } n value='40'>40space:mode:
authorDouglas Miller <dougmill@linux.vnet.ibm.com>2017-01-28 06:42:20 -0600
committerTejun Heo <tj@kernel.org>2017-01-28 07:49:42 -0500
commit966d2b04e070bc040319aaebfec09e0144dc3341 (patch)
tree4b96156e3d1dd4dfd6039b7c219c9dc4616da52d /include/crypto/b128ops.h
parent1b1bc42c1692e9b62756323c675a44cb1a1f9dbd (diff)
percpu-refcount: fix reference leak during percpu-atomic transition
percpu_ref_tryget() and percpu_ref_tryget_live() should return "true" IFF they acquire a reference. But the return value from atomic_long_inc_not_zero() is a long and may have high bits set, e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines is bool so the reference may actually be acquired but the routines return "false" which results in a reference leak since the caller assumes it does not need to do a corresponding percpu_ref_put(). This was seen when performing CPU hotplug during I/O, as hangs in blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) raced with percpu_ref_tryget (blk_mq_timeout_work). Sample stack trace: __switch_to+0x2c0/0x450 __schedule+0x2f8/0x970 schedule+0x48/0xc0 blk_mq_freeze_queue_wait+0x94/0x120 blk_mq_queue_reinit_work+0xb8/0x180 blk_mq_queue_reinit_prepare+0x84/0xa0 cpuhp_invoke_callback+0x17c/0x600 cpuhp_up_callbacks+0x58/0x150 _cpu_up+0xf0/0x1c0 do_cpu_up+0x120/0x150 cpu_subsys_online+0x64/0xe0 device_online+0xb4/0x120 online_store+0xb4/0xc0 dev_attr_store+0x68/0xa0 sysfs_kf_write+0x80/0xb0 kernfs_fop_write+0x17c/0x250 __vfs_write+0x6c/0x1e0 vfs_write+0xd0/0x270 SyS_write+0x6c/0x110 system_call+0x38/0xe0 Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. The fix is to make the tryget routines use an actual boolean internally instead of the atomic long result truncated to a int. Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com> Reviewed-by: Jens Axboe <axboe@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") Cc: stable@vger.kernel.org # v3.18+
Diffstat (limited to 'include/crypto/b128ops.h')