/* * Copyright (c) 2006, 2007, 2008, 2009, 2010 QLogic Corporation. * All rights reserved. * Copyright (c) 2005, 2006 PathScale, Inc. All rights reserved. * * This software is available to you under a choice of one of two * licenses. You may choose to be licensed under the terms of the GNU * General Public License (GPL) Version 2, available from the file * COPYING in the main directory of this source tree, or the * OpenIB.org BSD license below: * * Redistribution and use in source and binary forms, with or * without modification, are permitted provided that the following * conditions are met: * * - Redistributions of source code must retain the above * copyright notice, this list of conditions and the following * disclaimer. * * - Redistributions in binary form must reproduce the above * copyright notice, this list of conditions and the following * disclaimer in the documentation and/or other materials * provided with the distribution. * * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE * SOFTWARE. */ #if !defined(IB_PMA_H) #define IB_PMA_H #include /* * PMA class portinfo capability mask bits */ #define IB_PMA_CLASS_CAP_ALLPORTSELECT cpu_to_be16(1 << 8) #define IB_PMA_CLASS_CAP_EXT_WIDTH cpu_to_be16(1 << 9) #define IB_PMA_CLASS_CAP_EXT_WIDTH_NOIETF cpu_to_be16(1 << 10) #define IB_PMA_CLASS_CAP_XMIT_WAIT cpu_to_be16(1 << 12) #define IB_PMA_CLASS_PORT_INFO cpu_to_be16(0x0001) #define IB_PMA_PORT_SAMPLES_CONTROL cpu_to_be16(0x0010) #define IB_PMA_PORT_SAMPLES_RESULT cpu_to_be16(0x0011) #define IB_PMA_PORT_COUNTERS cpu_to_be16(0x0012) #define IB_PMA_PORT_COUNTERS_EXT cpu_to_be16(0x001D) #define IB_PMA_PORT_SAMPLES_RESULT_EXT cpu_to_be16(0x001E) struct ib_pma_mad { struct ib_mad_hdr mad_hdr; u8 reserved[40]; u8 data[192]; } __packed; struct ib_pma_portsamplescontrol { u8 opcode; u8 port_select; u8 tick; u8 counter_width; /* resv: 7:3, counter width: 2:0 */ __be32 counter_mask0_9; /* 2, 10 3-bit fields */ __be16 counter_mask10_14; /* 1, 5 3-bit fields */ u8 sample_mechanisms; u8 sample_status; /* only lower 2 bits */ __be64 option_mask; __be64 vendor_mask; __be32 sample_start; __be32 sample_interval; __be16 tag; __be16 counter_select[15]; __be32 reserved1; __be64 samples_only_option_mask; __be32 reserved2[28]; }; struct ib_pma_portsamplesresult { __be16 tag; __be16 sample_status; /* only lower 2 bits */ __be32 counter[15]; }; struct ib_pma_portsamplesresult_ext { __be16 tag; __be16 sample_status; /* only lower 2 bits */ __be32 extended_width; /* only upper 2 bits */ __be64 counter[15]; }; struct ib_pma_portcounters { u8 reserved; u8 port_select; __be16 counter_select; __be16 symbol_error_counter; u8 link_error_recovery_counter; u8 link_downed_counter; __be16 port_rcv_errors; __be16 port_rcv_remphys_errors; __be16 port_rcv_switch_relay_errors; __be16 port_xmit_discards; u8 port_xmit_constraint_errors; u8 port_rcv_constraint_errors; u8 reserved1; u8 link_overrun_errors; /* LocalLink: 7:4, BufferOverrun: 3:0 */ __be16 reserved2; __be16 vl15_dropped; __be32 port_xmit_data; __be32 port_rcv_data; __be32 port_xmit_packets; __be32 port_rcv_packets; __be32 port_xmit_wait; } __packed; #define IB_PMA_SEL_SYMBOL_ERROR cpu_to_be16(0x0001) #define IB_PMA_SEL_LINK_ERROR_RECOVERY cpu_to_be16(0x0002) #define IB_PMA_SEL_LINK_DOWNED cpu_to_be16(0x0004) #define IB_PMA_SEL_PORT_RCV_ERRORS cpu_to_be16(0x0008) #define IB_PMA_SEL_PORT_RCV_REMPHYS_ERRORS cpu_to_be16(0x0010) #define IB_PMA_SEL_PORT_XMIT_DISCARDS cpu_to_be16(0x0040) #define IB_PMA_SEL_LOCAL_LINK_INTEGRITY_ERRORS cpu_to_be16(0x0200) #define IB_PMA_SEL_EXCESSIVE_BUFFER_OVERRUNS cpu_to_be16(0x0400) #define IB_PMA_SEL_PORT_VL15_DROPPED cpu_to_be16(0x0800) #define IB_PMA_SEL_PORT_XMIT_DATA cpu_to_be16(0x1000) #define IB_PMA_SEL_PORT_RCV_DATA cpu_to_be16(0x2000) #define IB_PMA_SEL_PORT_XMIT_PACKETS cpu_to_be16(0x4000) #define IB_PMA_SEL_PORT_RCV_PACKETS cpu_to_be16(0x8000) struct ib_pma_portcounters_ext { u8 reserved; u8 port_select; __be16 counter_select; __be32 reserved1; __be64 port_xmit_data; __be64 port_rcv_data; __be64 port_xmit_packets; __be64 port_rcv_packets; __be64 port_unicast_xmit_packets; __be64 port_unicast_rcv_packets; __be64 port_multicast_xmit_packets; __be64 port_multicast_rcv_packets; } __packed; #define IB_PMA_SELX_PORT_XMIT_DATA cpu_to_be16(0x0001) #define IB_PMA_SELX_PORT_RCV_DATA cpu_to_be16(0x0002) #define IB_PMA_SELX_PORT_XMIT_PACKETS cpu_to_be16(0x0004) #define IB_PMA_SELX_PORT_RCV_PACKETS cpu_to_be16(0x0008) #define IB_PMA_SELX_PORT_UNI_XMIT_PACKETS cpu_to_be16(0x0010) #define IB_PMA_SELX_PORT_UNI_RCV_PACKETS cpu_to_be16(0x0020) #define IB_PMA_SELX_PORT_MULTI_XMIT_PACKETS cpu_to_be16(0x0040) #define IB_PMA_SELX_PORT_MULTI_RCV_PACKETS cpu_to_be16(0x0080) #endif /* IB_PMA_H */ b04e070bc040319aaebfec09e0144dc3341'>net/bluetooth/rfcomm/tty.c parent1b1bc42c1692e9b62756323c675a44cb1a1f9dbd (diff)
percpu-refcount: fix reference leak during percpu-atomic transition
percpu_ref_tryget() and percpu_ref_tryget_live() should return "true" IFF they acquire a reference. But the return value from atomic_long_inc_not_zero() is a long and may have high bits set, e.g. PERCPU_COUNT_BIAS, and the return value of the tryget routines is bool so the reference may actually be acquired but the routines return "false" which results in a reference leak since the caller assumes it does not need to do a corresponding percpu_ref_put(). This was seen when performing CPU hotplug during I/O, as hangs in blk_mq_freeze_queue_wait where percpu_ref_kill (blk_mq_freeze_queue_start) raced with percpu_ref_tryget (blk_mq_timeout_work). Sample stack trace: __switch_to+0x2c0/0x450 __schedule+0x2f8/0x970 schedule+0x48/0xc0 blk_mq_freeze_queue_wait+0x94/0x120 blk_mq_queue_reinit_work+0xb8/0x180 blk_mq_queue_reinit_prepare+0x84/0xa0 cpuhp_invoke_callback+0x17c/0x600 cpuhp_up_callbacks+0x58/0x150 _cpu_up+0xf0/0x1c0 do_cpu_up+0x120/0x150 cpu_subsys_online+0x64/0xe0 device_online+0xb4/0x120 online_store+0xb4/0xc0 dev_attr_store+0x68/0xa0 sysfs_kf_write+0x80/0xb0 kernfs_fop_write+0x17c/0x250 __vfs_write+0x6c/0x1e0 vfs_write+0xd0/0x270 SyS_write+0x6c/0x110 system_call+0x38/0xe0 Examination of the queue showed a single reference (no PERCPU_COUNT_BIAS, and __PERCPU_REF_DEAD, __PERCPU_REF_ATOMIC set) and no requests. However, conditions at the time of the race are count of PERCPU_COUNT_BIAS + 0 and __PERCPU_REF_DEAD and __PERCPU_REF_ATOMIC set. The fix is to make the tryget routines use an actual boolean internally instead of the atomic long result truncated to a int. Fixes: e625305b3907 percpu-refcount: make percpu_ref based on longs instead of ints Link: https://bugzilla.kernel.org/show_bug.cgi?id=190751 Signed-off-by: Douglas Miller <dougmill@linux.vnet.ibm.com> Reviewed-by: Jens Axboe <axboe@fb.com> Signed-off-by: Tejun Heo <tj@kernel.org> Fixes: e625305b3907 ("percpu-refcount: make percpu_ref based on longs instead of ints") Cc: stable@vger.kernel.org # v3.18+
Diffstat (limited to 'net/bluetooth/rfcomm/tty.c')