/* * fs/nfs/nfs4session.h * * Copyright (c) 2012 Trond Myklebust * */ #ifndef __LINUX_FS_NFS_NFS4SESSION_H #define __LINUX_FS_NFS_NFS4SESSION_H /* maximum number of slots to use */ #define NFS4_DEF_SLOT_TABLE_SIZE (64U) #define NFS4_DEF_CB_SLOT_TABLE_SIZE (1U) #define NFS4_MAX_SLOT_TABLE (1024U) #define NFS4_NO_SLOT ((u32)-1) #if IS_ENABLED(CONFIG_NFS_V4) /* Sessions slot seqid */ struct nfs4_slot { struct nfs4_slot_table *table; struct nfs4_slot *next; unsigned long generation; u32 slot_nr; u32 seq_nr; unsigned int interrupted : 1, privileged : 1, seq_done : 1; }; /* Sessions */ enum nfs4_slot_tbl_state { NFS4_SLOT_TBL_DRAINING, }; #define SLOT_TABLE_SZ DIV_ROUND_UP(NFS4_MAX_SLOT_TABLE, 8*sizeof(long)) struct nfs4_slot_table { struct nfs4_session *session; /* Parent session */ struct nfs4_slot *slots; /* seqid per slot */ unsigned long used_slots[SLOT_TABLE_SZ]; /* used/unused bitmap */ spinlock_t slot_tbl_lock; struct rpc_wait_queue slot_tbl_waitq; /* allocators may wait here */ wait_queue_head_t slot_waitq; /* Completion wait on slot */ u32 max_slots; /* # slots in table */ u32 max_slotid; /* Max allowed slotid value */ u32 highest_used_slotid; /* sent to server on each SEQ. * op for dynamic resizing */ u32 target_highest_slotid; /* Server max_slot target */ u32 server_highest_slotid; /* Server highest slotid */ s32 d_target_highest_slotid; /* Derivative */ s32 d2_target_highest_slotid; /* 2nd derivative */ unsigned long generation; /* Generation counter for target_highest_slotid */ struct completion complete; unsigned long slot_tbl_state; }; /* * Session related parameters */ struct nfs4_session { struct nfs4_sessionid sess_id; u32 flags; unsigned long session_state; u32 hash_alg; u32 ssv_len; /* The fore and back channel */ struct nfs4_channel_attrs fc_attrs; struct nfs4_slot_table fc_slot_table; struct nfs4_channel_attrs bc_attrs; struct nfs4_slot_table bc_slot_table; struct nfs_client *clp; }; enum nfs4_session_state { NFS4_SESSION_INITING, NFS4_SESSION_ESTABLISHED, }; extern int nfs4_setup_slot_table(struct nfs4_slot_table *tbl, unsigned int max_reqs, const char *queue); extern void nfs4_shutdown_slot_table(struct nfs4_slot_table *tbl); extern struct nfs4_slot *nfs4_alloc_slot(struct nfs4_slot_table *tbl); extern struct nfs4_slot *nfs4_lookup_slot(struct nfs4_slot_table *tbl, u32 slotid); extern int nfs4_slot_wait_on_seqid(struct nfs4_slot_table *tbl, u32 slotid, u32 seq_nr, unsigned long timeout); extern bool nfs4_try_to_lock_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot); extern void nfs4_free_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot); extern void nfs4_slot_tbl_drain_complete(struct nfs4_slot_table *tbl); bool nfs41_wake_and_assign_slot(struct nfs4_slot_table *tbl, struct nfs4_slot *slot); void nfs41_wake_slot_table(struct nfs4_slot_table *tbl); static inline bool nfs4_slot_tbl_draining(struct nfs4_slot_table *tbl) { return !!test_bit(NFS4_SLOT_TBL_DRAINING, &tbl->slot_tbl_state); } static inline bool nfs4_test_locked_slot(const struct nfs4_slot_table *tbl, u32 slotid) { return !!test_bit(slotid, tbl->used_slots); } #if defined(CONFIG_NFS_V4_1) extern void nfs41_set_target_slotid(struct nfs4_slot_table *tbl, u32 target_highest_slotid); extern void nfs41_update_target_slotid(struct nfs4_slot_table *tbl, struct nfs4_slot *slot, struct nfs4_sequence_res *res); extern int nfs4_setup_session_slot_tables(struct nfs4_session *ses); extern struct nfs4_session *nfs4_alloc_session(struct nfs_client *clp); extern void nfs4_destroy_session(struct nfs4_session *session); extern int nfs4_init_session(struct nfs_client *clp); extern int nfs4_init_ds_session(struct nfs_client *, unsigned long); /* * Determine if sessions are in use. */ static inline int nfs4_has_session(const struct nfs_client *clp) { if (clp->cl_session) return 1; return 0; } static inline int nfs4_has_persistent_session(const struct nfs_client *clp) { if (nfs4_has_session(clp)) return (clp->cl_session->flags & SESSION4_PERSIST); return 0; } static inline void nfs4_copy_sessionid(struct nfs4_sessionid *dst, const struct nfs4_sessionid *src) { memcpy(dst->data, src->data, NFS4_MAX_SESSIONID_LEN); } #ifdef CONFIG_CRC32 /* * nfs_session_id_hash - calculate the crc32 hash for the session id * @session - pointer to session */ #define nfs_session_id_hash(sess_id) \ (~crc32_le(0xFFFFFFFF, &(sess_id)->data[0], sizeof((sess_id)->data))) #else #define nfs_session_id_hash(session) (0) #endif #else /* defined(CONFIG_NFS_V4_1) */ static inline int nfs4_init_session(struct nfs_client *clp) { return 0; } /* * Determine if sessions are in use. */ static inline int nfs4_has_session(const struct nfs_client *clp) { return 0; } static inline int nfs4_has_persistent_session(const struct nfs_client *clp) { return 0; } #endif /* defined(CONFIG_NFS_V4_1) */ #endif /* IS_ENABLED(CONFIG_NFS_V4) */ #endif /* __LINUX_FS_NFS_NFS4SESSION_H */ xt.git/patch/include/net/timewait_sock.h?id=966d2b04e070bc040319aaebfec09e0144dc3341'>patch) tree4b96156e3d1dd4dfd6039b7c219c9dc4616da52d /include/net/timewait_sock.h parent1b1bc42c1692e9b62756323c675a44cb1a1f9dbd (diff)
percpu-refcount: fix reference leak during percpu-atomic transition
percpu_ref_tryget() and percpu_ref_tryget_live() should return "true" IFF they acquire a reference. But the return value from atomic_long_inc_not_zero() is a long and may have high bits set, e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines is bool so the reference may actually be acquired but the routines return "false" which results in a reference leak since the caller assumes it does not need to do a corresponding percpu_ref_put(). This was seen when performing CPU hotplug during I/O, as hangs in blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) raced with percpu_ref_tryget (blk_mq_timeout_work). Sample stack trace: __switch_to+0x2c0/0x450 __schedule+0x2f8/0x970 schedule+0x48/0xc0 blk_mq_freeze_queue_wait+0x94/0x120 blk_mq_queue_reinit_work+0xb8/0x180 blk_mq_queue_reinit_prepare+0x84/0xa0 cpuhp_invoke_callback+0x17c/0x600 cpuhp_up_callbacks+0x58/0x150 _cpu_up+0xf0/0x1c0 do_cpu_up+0x120/0x150 cpu_subsys_online+0x64/0xe0 device_online+0xb4/0x120 online_store+0xb4/0xc0 dev_attr_store+0x68/0xa0 sysfs_kf_write+0x80/0xb0 kernfs_fop_write+0x17c/0x250 __vfs_write+0x6c/0x1e0 vfs_write+0xd0/0x270 SyS_write+0x6c/0x110 system_call+0x38/0xe0 Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. The fix is to make the tryget routines use an actual boolean internally instead of the atomic long result truncated to a int. Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com> Reviewed-by: Jens Axboe <axboe@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") Cc: stable@vger.kernel.org # v3.18+
Diffstat (limited to 'include/net/timewait_sock.h')