1. 01 Mar, 2017 5 commits
    • Xin Long's avatar
      sctp: call rcu_read_lock before checking for duplicate transport nodes · 5179b266
      Xin Long authored
      Commit cd2b7087 ("sctp: check duplicate node before inserting a
      new transport") called rhltable_lookup() to check for the duplicate
      transport node in transport rhashtable.
      
      But rhltable_lookup() doesn't call rcu_read_lock inside, it could cause
      a use-after-free issue if it tries to dereference the node that another
      cpu has freed it. Note that sock lock can not avoid this as it is per
      sock.
      
      This patch is to fix it by calling rcu_read_lock before checking for
      duplicate transport nodes.
      
      Fixes: cd2b7087 ("sctp: check duplicate node before inserting a new transport")
      Reported-by: default avatarAndrey Konovalov <andreyknvl@google.com>
      Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
      Acked-by: default avatarNeil Horman <nhorman@tuxdriver.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      5179b266
    • David Howells's avatar
      rxrpc: Fix deadlock between call creation and sendmsg/recvmsg · 540b1c48
      David Howells authored
      All the routines by which rxrpc is accessed from the outside are serialised
      by means of the socket lock (sendmsg, recvmsg, bind,
      rxrpc_kernel_begin_call(), ...) and this presents a problem:
      
       (1) If a number of calls on the same socket are in the process of
           connection to the same peer, a maximum of four concurrent live calls
           are permitted before further calls need to wait for a slot.
      
       (2) If a call is waiting for a slot, it is deep inside sendmsg() or
           rxrpc_kernel_begin_call() and the entry function is holding the socket
           lock.
      
       (3) sendmsg() and recvmsg() or the in-kernel equivalents are prevented
           from servicing the other calls as they need to take the socket lock to
           do so.
      
       (4) The socket is stuck until a call is aborted and makes its slot
           available to the waiter.
      
      Fix this by:
      
       (1) Provide each call with a mutex ('user_mutex') that arbitrates access
           by the users of rxrpc separately for each specific call.
      
       (2) Make rxrpc_sendmsg() and rxrpc_recvmsg() unlock the socket as soon as
           they've got a call and taken its mutex.
      
           Note that I'm returning EWOULDBLOCK from recvmsg() if MSG_DONTWAIT is
           set but someone else has the lock.  Should I instead only return
           EWOULDBLOCK if there's nothing currently to be done on a socket, and
           sleep in this particular instance because there is something to be
           done, but we appear to be blocked by the interrupt handler doing its
           ping?
      
       (3) Make rxrpc_new_client_call() unlock the socket after allocating a new
           call, locking its user mutex and adding it to the socket's call tree.
           The call is returned locked so that sendmsg() can add data to it
           immediately.
      
           From the moment the call is in the socket tree, it is subject to
           access by sendmsg() and recvmsg() - even if it isn't connected yet.
      
       (4) Lock new service calls in the UDP data_ready handler (in
           rxrpc_new_incoming_call()) because they may already be in the socket's
           tree and the data_ready handler makes them live immediately if a user
           ID has already been preassigned.
      
           Note that the new call is locked before any notifications are sent
           that it is live, so doing mutex_trylock() *ought* to always succeed.
           Userspace is prevented from doing sendmsg() on calls that are in a
           too-early state in rxrpc_do_sendmsg().
      
       (5) Make rxrpc_new_incoming_call() return the call with the user mutex
           held so that a ping can be scheduled immediately under it.
      
           Note that it might be worth moving the ping call into
           rxrpc_new_incoming_call() and then we can drop the mutex there.
      
       (6) Make rxrpc_accept_call() take the lock on the call it is accepting and
           release the socket after adding the call to the socket's tree.  This
           is slightly tricky as we've dequeued the call by that point and have
           to requeue it.
      
           Note that requeuing emits a trace event.
      
       (7) Make rxrpc_kernel_send_data() and rxrpc_kernel_recv_data() take the
           new mutex immediately and don't bother with the socket mutex at all.
      
      This patch has the nice bonus that calls on the same socket are now to some
      extent parallelisable.
      
      Note that we might want to move rxrpc_service_prealloc() calls out from the
      socket lock and give it its own lock, so that we don't hang progress in
      other calls because we're waiting for the allocator.
      
      We probably also want to avoid calling rxrpc_notify_socket() from within
      the socket lock (rxrpc_accept_call()).
      Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
      Tested-by: default avatarMarc Dionne <marc.c.dionne@auristor.com>
      Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
      540b1c48
    • Linus Torvalds's avatar
      Merge tag 'for-linus-4.11' of git://git.code.sf.net/p/openipmi/linux-ipmi · 2d6be4ab
      Linus Torvalds authored
      Pull IPMI updates from Corey Minyard:
       "This is a few small fixes to the main IPMI driver, make some things
        const, fix typos, etc.
      
        The last patch came in about a week ago, but IMHO it's best to go in
        now. It is not for the main driver, it's for the bt-bmc driver, which
        runs on the managment controller side, not on the host side, so the
        scope is limited and the change is necessary"
      
      * tag 'for-linus-4.11' of git://git.code.sf.net/p/openipmi/linux-ipmi:
        ipmi: bt-bmc: Use a regmap for register access
        char: ipmi: constify ipmi_smi_handlers structures
        acpi:ipmi: Make IPMI user handler const
        ipmi: make ipmi_usr_hndl const
        Documentation: Fix a typo in IPMI.txt.
      2d6be4ab
    • Linus Torvalds's avatar
      Merge branch 'idr-4.11' of git://git.infradead.org/users/willy/linux-dax · cf393195
      Linus Torvalds authored
      Pull IDR rewrite from Matthew Wilcox:
       "The most significant part of the following is the patch to rewrite the
        IDR & IDA to be clients of the radix tree. But there's much more,
        including an enhancement of the IDA to be significantly more space
        efficient, an IDR & IDA test suite, some improvements to the IDR API
        (and driver changes to take advantage of those improvements), several
        improvements to the radix tree test suite and RCU annotations.
      
        The IDR & IDA rewrite had a good spin in linux-next and Andrew's tree
        for most of the last cycle. Coupled with the IDR test suite, I feel
        pretty confident that any remaining bugs are quite hard to hit. 0-day
        did a great job of watching my git tree and pointing out problems; as
        it hit them, I added new test-cases to be sure not to be caught the
        same way twice"
      
      Willy goes on to expand a bit on the IDR rewrite rationale:
       "The radix tree and the IDR use very similar data structures.
      
        Merging the two codebases lets us share the memory allocation pools,
        and results in a net deletion of 500 lines of code. It also opens up
        the possibility of exposing more of the features of the radix tree to
        users of the IDR (and I have some interesting patches along those
        lines waiting for 4.12)
      
        It also shrinks the size of the 'struct idr' from 40 bytes to 24 which
        will shrink a fair few data structures that embed an IDR"
      
      * 'idr-4.11' of git://git.infradead.org/users/willy/linux-dax: (32 commits)
        radix tree test suite: Add config option for map shift
        idr: Add missing __rcu annotations
        radix-tree: Fix __rcu annotations
        radix-tree: Add rcu_dereference and rcu_assign_pointer calls
        radix tree test suite: Run iteration tests for longer
        radix tree test suite: Fix split/join memory leaks
        radix tree test suite: Fix leaks in regression2.c
        radix tree test suite: Fix leaky tests
        radix tree test suite: Enable address sanitizer
        radix_tree_iter_resume: Fix out of bounds error
        radix-tree: Store a pointer to the root in each node
        radix-tree: Chain preallocated nodes through ->parent
        radix tree test suite: Dial down verbosity with -v
        radix tree test suite: Introduce kmalloc_verbose
        idr: Return the deleted entry from idr_remove
        radix tree test suite: Build separate binaries for some tests
        ida: Use exceptional entries for small IDAs
        ida: Move ida_bitmap to a percpu variable
        Reimplement IDR and IDA using the radix tree
        radix-tree: Add radix_tree_iter_delete
        ...
      cf393195
    • Linus Torvalds's avatar
      Merge tag 'iommu-fix-v4.11-rc0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu · 5ecc5ac2
      Linus Torvalds authored
      Pull IOMMU fixes from Joerg Roedel:
       "Fix an issue introduced this merge window into the AMD and Intel IOMMU
        drivers that causes an oops when the vendor-specific sysfs-entries are
        accessed.
      
        The reason for this issue is that I forgot to update the sysfs code in
        the drivers when moving the iommu 'struct device' to the iommu-core"
      
      * tag 'iommu-fix-v4.11-rc0-2' of git://git.kernel.org/pub/scm/linux/kernel/git/joro/iommu:
        iommu/amd: Fix crash when accessing AMD-Vi sysfs entries
        iommu/vt-d: Fix crash when accessing VT-d sysfs entries
      5ecc5ac2
  2. 28 Feb, 2017 35 commits