AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
5fb8642a17
kernel_optimize_test/net/smc
History
Ursula Braun 5fb8642a17 net/smc: fix sock refcounting in case of termination 
When an ISM device is removed, all its linkgroups are terminated,
i.e. all the corresponding connections are killed.
Connection killing invokes smc_close_active_abort(), which decreases
the sock refcount for certain states to simulate passive closing.
And it cancels the close worker and has to give up the sock lock for
this timeframe. This opens the door for a passive close worker or a
socket close to run in between. In this case smc_close_active_abort() and
passive close worker resp. smc_release() might do a sock_put for passive
closing. This causes:

[ 1323.315943] refcount_t: underflow; use-after-free.
[ 1323.316055] WARNING: CPU: 3 PID: 54469 at lib/refcount.c:28 refcount_warn_saturate+0xe8/0x130
[ 1323.316069] Kernel panic - not syncing: panic_on_warn set ...
[ 1323.316084] CPU: 3 PID: 54469 Comm: uperf Not tainted 5.9.0-20200826.rc2.git0.46328853ed20.300.fc32.s390x+debug #1
[ 1323.316096] Hardware name: IBM 2964 NC9 702 (z/VM 6.4.0)
[ 1323.316108] Call Trace:
[ 1323.316125]  [<00000000c0d4aae8>] show_stack+0x90/0xf8
[ 1323.316143]  [<00000000c15989b0>] dump_stack+0xa8/0xe8
[ 1323.316158]  [<00000000c0d8344e>] panic+0x11e/0x288
[ 1323.316173]  [<00000000c0d83144>] __warn+0xac/0x158
[ 1323.316187]  [<00000000c1597a7a>] report_bug+0xb2/0x130
[ 1323.316201]  [<00000000c0d36424>] monitor_event_exception+0x44/0xc0
[ 1323.316219]  [<00000000c195c716>] pgm_check_handler+0x1da/0x238
[ 1323.316234]  [<00000000c151844c>] refcount_warn_saturate+0xec/0x130
[ 1323.316280] ([<00000000c1518448>] refcount_warn_saturate+0xe8/0x130)
[ 1323.316310]  [<000003ff801f2e2a>] smc_release+0x192/0x1c8 [smc]
[ 1323.316323]  [<00000000c169f1fa>] __sock_release+0x5a/0xe0
[ 1323.316334]  [<00000000c169f2ac>] sock_close+0x2c/0x40
[ 1323.316350]  [<00000000c1086de0>] __fput+0xb8/0x278
[ 1323.316362]  [<00000000c0db1e0e>] task_work_run+0x76/0xb8
[ 1323.316393]  [<00000000c0d8ab84>] do_exit+0x26c/0x520
[ 1323.316408]  [<00000000c0d8af08>] do_group_exit+0x48/0xc0
[ 1323.316421]  [<00000000c0d8afa8>] __s390x_sys_exit_group+0x28/0x38
[ 1323.316433]  [<00000000c195c32c>] system_call+0xe0/0x2b4
[ 1323.316446] 1 lock held by uperf/54469:
[ 1323.316456]  #0: 0000000044125e60 (&sb->s_type->i_mutex_key#9){+.+.}-{3:3}, at: __sock_release+0x44/0xe0

The patch rechecks sock state in smc_close_active_abort() after
smc_close_cancel_work() to avoid duplicate decrease of sock
refcount for the same purpose.

Fixes: 611b63a127 ("net/smc: cancel tx worker in case of socket aborts")
Reviewed-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: Ursula Braun <ubraun@linux.ibm.com>
Signed-off-by: Karsten Graul <kgraul@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-09-03 16:52:33 -07:00
..
af_smc.c net/smc: unique reason code for exceeded max dmb count 2020-07-27 10:30:01 -07:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
smc_cdc.c net/smc: put slot when connection is killed 2020-07-20 17:52:25 -07:00
smc_cdc.h net/smc: pre-fetch send buffer outside of send_lock 2020-05-30 18:12:25 -07:00
smc_clc.c net/smc: tolerate future SMCD versions 2020-07-08 12:35:15 -07:00
smc_clc.h net/smc: unique reason code for exceeded max dmb count 2020-07-27 10:30:01 -07:00
smc_close.c net/smc: fix sock refcounting in case of termination 2020-09-03 16:52:33 -07:00
smc_close.h net/smc: remove close abort worker 2019-10-22 11:23:44 -07:00
smc_core.c net/smc: reset sndbuf_desc if freed 2020-09-03 16:52:33 -07:00
smc_core.h net/smc: do not call dma sync for unmapped memory 2020-07-19 15:30:22 -07:00
smc_diag.c net/smc: Prevent kernel-infoleak in __smc_diag_dump() 2020-08-20 12:07:31 -07:00
smc_ib.c net/smc: protect smc ib device initialization 2020-07-19 15:30:22 -07:00
smc_ib.h net/smc: protect smc ib device initialization 2020-07-19 15:30:22 -07:00
smc_ism.c net/smc: switch smcd_dev_list spinlock to mutex 2020-07-08 12:35:15 -07:00
smc_ism.h net/smc: switch smcd_dev_list spinlock to mutex 2020-07-08 12:35:15 -07:00
smc_llc.c net/smc: fix toleration of fake add_link messages 2020-09-03 16:52:33 -07:00
smc_llc.h net/smc: move add link processing for new device into llc layer 2020-07-19 15:30:22 -07:00
smc_netns.h net/smc: add pnet table namespace support 2019-02-21 10:34:37 -08:00
smc_pnet.c net/smc: switch smcd_dev_list spinlock to mutex 2020-07-08 12:35:15 -07:00
smc_pnet.h net/smc: introduce smc_pnet_find_alt_roce() 2020-05-01 16:20:05 -07:00
smc_rx.c fs: make the pipe_buf_operations ->confirm operation optional 2020-05-20 12:11:26 -04:00
smc_rx.h smc: add support for splice() 2018-05-04 11:45:06 -04:00
smc_tx.c net/smc: switch connections to alternate link 2020-05-04 10:54:39 -07:00
smc_tx.h net/smc: eliminate cursor read and write calls 2018-07-23 10:57:14 -07:00
smc_wr.c net/smc: fix work request handling 2020-07-08 12:35:15 -07:00
smc_wr.h net/smc: wait for departure of an IB message 2020-05-04 10:54:39 -07:00
smc.h net/smc: handle incoming CDC validation message 2020-05-04 10:54:39 -07:00