From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk, James Chapman <jchapman@katalix.com>,
David S Miller <davem@davemloft.net>
Subject: PPPOL2TP: Make locking calls softirq-safe
Date: Wed, 16 Apr 2008 18:01:56 -0700 [thread overview]
Message-ID: <20080417010343.187171409@sous-sol.org> (raw)
In-Reply-To: 20080417010122.148289106@sous-sol.org
[-- Attachment #1: pppol2tp-make-locking-calls-softirq-safe.patch --]
[-- Type: text/plain, Size: 7923 bytes --]
-stable review patch. If anyone has any objections, please let us know.
---------------------
From: James Chapman <jchapman@katalix.com>
Upstream commit: cf3752e2d203bbbfc88d29e362e6938cef4339b3
Fix locking issues in the pppol2tp driver which can cause a kernel
crash on SMP boxes. There were two problems:-
1. The driver was violating read_lock() and write_lock() scheduling
rules because it wasn't using softirq-safe locks in softirq
contexts. So we now consistently use the _bh variants of the lock
functions.
2. The driver was calling sk_dst_get() in pppol2tp_xmit() which was
taking sk_dst_lock in softirq context. We now call __sk_dst_get().
Signed-off-by: James Chapman <jchapman@katalix.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
drivers/net/pppol2tp.c | 58 ++++++++++++++++++++++++------------------------
1 files changed, 29 insertions(+), 29 deletions(-)
diff --git a/drivers/net/pppol2tp.c b/drivers/net/pppol2tp.c
index a7556cd..ff4a94b 100644
--- a/drivers/net/pppol2tp.c
+++ b/drivers/net/pppol2tp.c
@@ -302,14 +302,14 @@ pppol2tp_session_find(struct pppol2tp_tunnel *tunnel, u16 session_id)
struct pppol2tp_session *session;
struct hlist_node *walk;
- read_lock(&tunnel->hlist_lock);
+ read_lock_bh(&tunnel->hlist_lock);
hlist_for_each_entry(session, walk, session_list, hlist) {
if (session->tunnel_addr.s_session == session_id) {
- read_unlock(&tunnel->hlist_lock);
+ read_unlock_bh(&tunnel->hlist_lock);
return session;
}
}
- read_unlock(&tunnel->hlist_lock);
+ read_unlock_bh(&tunnel->hlist_lock);
return NULL;
}
@@ -320,14 +320,14 @@ static struct pppol2tp_tunnel *pppol2tp_tunnel_find(u16 tunnel_id)
{
struct pppol2tp_tunnel *tunnel = NULL;
- read_lock(&pppol2tp_tunnel_list_lock);
+ read_lock_bh(&pppol2tp_tunnel_list_lock);
list_for_each_entry(tunnel, &pppol2tp_tunnel_list, list) {
if (tunnel->stats.tunnel_id == tunnel_id) {
- read_unlock(&pppol2tp_tunnel_list_lock);
+ read_unlock_bh(&pppol2tp_tunnel_list_lock);
return tunnel;
}
}
- read_unlock(&pppol2tp_tunnel_list_lock);
+ read_unlock_bh(&pppol2tp_tunnel_list_lock);
return NULL;
}
@@ -344,7 +344,7 @@ static void pppol2tp_recv_queue_skb(struct pppol2tp_session *session, struct sk_
struct sk_buff *skbp;
u16 ns = PPPOL2TP_SKB_CB(skb)->ns;
- spin_lock(&session->reorder_q.lock);
+ spin_lock_bh(&session->reorder_q.lock);
skb_queue_walk(&session->reorder_q, skbp) {
if (PPPOL2TP_SKB_CB(skbp)->ns > ns) {
__skb_insert(skb, skbp->prev, skbp, &session->reorder_q);
@@ -360,7 +360,7 @@ static void pppol2tp_recv_queue_skb(struct pppol2tp_session *session, struct sk_
__skb_queue_tail(&session->reorder_q, skb);
out:
- spin_unlock(&session->reorder_q.lock);
+ spin_unlock_bh(&session->reorder_q.lock);
}
/* Dequeue a single skb.
@@ -442,7 +442,7 @@ static void pppol2tp_recv_dequeue(struct pppol2tp_session *session)
* expect to send up next, dequeue it and any other
* in-sequence packets behind it.
*/
- spin_lock(&session->reorder_q.lock);
+ spin_lock_bh(&session->reorder_q.lock);
skb_queue_walk_safe(&session->reorder_q, skb, tmp) {
if (time_after(jiffies, PPPOL2TP_SKB_CB(skb)->expires)) {
session->stats.rx_seq_discards++;
@@ -469,13 +469,13 @@ static void pppol2tp_recv_dequeue(struct pppol2tp_session *session)
goto out;
}
}
- spin_unlock(&session->reorder_q.lock);
+ spin_unlock_bh(&session->reorder_q.lock);
pppol2tp_recv_dequeue_skb(session, skb);
- spin_lock(&session->reorder_q.lock);
+ spin_lock_bh(&session->reorder_q.lock);
}
out:
- spin_unlock(&session->reorder_q.lock);
+ spin_unlock_bh(&session->reorder_q.lock);
}
/* Internal receive frame. Do the real work of receiving an L2TP data frame
@@ -1058,7 +1058,7 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb)
/* Get routing info from the tunnel socket */
dst_release(skb->dst);
- skb->dst = sk_dst_get(sk_tun);
+ skb->dst = dst_clone(__sk_dst_get(sk_tun));
skb_orphan(skb);
skb->sk = sk_tun;
@@ -1106,7 +1106,7 @@ static void pppol2tp_tunnel_closeall(struct pppol2tp_tunnel *tunnel)
PRINTK(tunnel->debug, PPPOL2TP_MSG_CONTROL, KERN_INFO,
"%s: closing all sessions...\n", tunnel->name);
- write_lock(&tunnel->hlist_lock);
+ write_lock_bh(&tunnel->hlist_lock);
for (hash = 0; hash < PPPOL2TP_HASH_SIZE; hash++) {
again:
hlist_for_each_safe(walk, tmp, &tunnel->session_hlist[hash]) {
@@ -1126,7 +1126,7 @@ again:
* disappear as we're jumping between locks.
*/
sock_hold(sk);
- write_unlock(&tunnel->hlist_lock);
+ write_unlock_bh(&tunnel->hlist_lock);
lock_sock(sk);
if (sk->sk_state & (PPPOX_CONNECTED | PPPOX_BOUND)) {
@@ -1148,11 +1148,11 @@ again:
* list so we are guaranteed to make forward
* progress.
*/
- write_lock(&tunnel->hlist_lock);
+ write_lock_bh(&tunnel->hlist_lock);
goto again;
}
}
- write_unlock(&tunnel->hlist_lock);
+ write_unlock_bh(&tunnel->hlist_lock);
}
/* Really kill the tunnel.
@@ -1161,9 +1161,9 @@ again:
static void pppol2tp_tunnel_free(struct pppol2tp_tunnel *tunnel)
{
/* Remove from socket list */
- write_lock(&pppol2tp_tunnel_list_lock);
+ write_lock_bh(&pppol2tp_tunnel_list_lock);
list_del_init(&tunnel->list);
- write_unlock(&pppol2tp_tunnel_list_lock);
+ write_unlock_bh(&pppol2tp_tunnel_list_lock);
atomic_dec(&pppol2tp_tunnel_count);
kfree(tunnel);
@@ -1239,9 +1239,9 @@ static void pppol2tp_session_destruct(struct sock *sk)
/* Delete the session socket from the
* hash
*/
- write_lock(&tunnel->hlist_lock);
+ write_lock_bh(&tunnel->hlist_lock);
hlist_del_init(&session->hlist);
- write_unlock(&tunnel->hlist_lock);
+ write_unlock_bh(&tunnel->hlist_lock);
atomic_dec(&pppol2tp_session_count);
}
@@ -1386,9 +1386,9 @@ static struct sock *pppol2tp_prepare_tunnel_socket(int fd, u16 tunnel_id,
/* Add tunnel to our list */
INIT_LIST_HEAD(&tunnel->list);
- write_lock(&pppol2tp_tunnel_list_lock);
+ write_lock_bh(&pppol2tp_tunnel_list_lock);
list_add(&tunnel->list, &pppol2tp_tunnel_list);
- write_unlock(&pppol2tp_tunnel_list_lock);
+ write_unlock_bh(&pppol2tp_tunnel_list_lock);
atomic_inc(&pppol2tp_tunnel_count);
/* Bump the reference count. The tunnel context is deleted
@@ -1593,11 +1593,11 @@ static int pppol2tp_connect(struct socket *sock, struct sockaddr *uservaddr,
sk->sk_user_data = session;
/* Add session to the tunnel's hash list */
- write_lock(&tunnel->hlist_lock);
+ write_lock_bh(&tunnel->hlist_lock);
hlist_add_head(&session->hlist,
pppol2tp_session_id_hash(tunnel,
session->tunnel_addr.s_session));
- write_unlock(&tunnel->hlist_lock);
+ write_unlock_bh(&tunnel->hlist_lock);
atomic_inc(&pppol2tp_session_count);
@@ -2199,7 +2199,7 @@ static struct pppol2tp_session *next_session(struct pppol2tp_tunnel *tunnel, str
int next = 0;
int i;
- read_lock(&tunnel->hlist_lock);
+ read_lock_bh(&tunnel->hlist_lock);
for (i = 0; i < PPPOL2TP_HASH_SIZE; i++) {
hlist_for_each_entry(session, walk, &tunnel->session_hlist[i], hlist) {
if (curr == NULL) {
@@ -2217,7 +2217,7 @@ static struct pppol2tp_session *next_session(struct pppol2tp_tunnel *tunnel, str
}
}
out:
- read_unlock(&tunnel->hlist_lock);
+ read_unlock_bh(&tunnel->hlist_lock);
if (!found)
session = NULL;
@@ -2228,13 +2228,13 @@ static struct pppol2tp_tunnel *next_tunnel(struct pppol2tp_tunnel *curr)
{
struct pppol2tp_tunnel *tunnel = NULL;
- read_lock(&pppol2tp_tunnel_list_lock);
+ read_lock_bh(&pppol2tp_tunnel_list_lock);
if (list_is_last(&curr->list, &pppol2tp_tunnel_list)) {
goto out;
}
tunnel = list_entry(curr->list.next, struct pppol2tp_tunnel, list);
out:
- read_unlock(&pppol2tp_tunnel_list_lock);
+ read_unlock_bh(&pppol2tp_tunnel_list_lock);
return tunnel;
}
--
next prev parent reply other threads:[~2008-04-17 1:22 UTC|newest]
Thread overview: 86+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-04-17 1:01 [patch 00/66] 2.6.24-stable review Chris Wright
2008-04-17 1:01 ` time: prevent the loop in timespec_add_ns() from being optimised away Chris Wright
2008-04-17 1:01 ` kbuild: soften modpost checks when doing cross builds Chris Wright
2008-04-17 1:01 ` mtd: memory corruption in block2mtd.c Chris Wright
2008-04-17 1:01 ` md: remove the super sysfs attribute from devices in an md array Chris Wright
2008-04-17 1:01 ` V4L: ivtv: Add missing sg_init_table() Chris Wright
2008-04-17 1:01 ` UIO: add pgprot_noncached() to UIO mmap code Chris Wright
2008-04-17 1:01 ` USB: add support for Motorola ROKR Z6 cellphone in mass storage mode Chris Wright
2008-04-17 1:01 ` USB: new quirk flag to avoid Set-Interface Chris Wright
2008-04-17 1:01 ` inotify: fix race Chris Wright
2008-04-17 1:01 ` inotify: remove debug code Chris Wright
2008-04-17 1:01 ` NOHZ: reevaluate idle sleep length after add_timer_on() Chris Wright
2008-04-17 1:01 ` slab: fix cache_cache bootstrap in kmem_cache_init() Chris Wright
2008-04-17 1:01 ` xen: fix RMW when unmasking events Chris Wright
2008-04-17 1:01 ` xen: mask out SEP from CPUID Chris Wright
2008-04-17 1:01 ` xen: fix UP setup of shared_info Chris Wright
2008-04-17 1:01 ` PERCPU : __percpu_alloc_mask() can dynamically size percpu_data storage Chris Wright
2008-04-17 1:01 ` alloc_percpu() fails to allocate percpu data Chris Wright
2008-04-17 1:01 ` vfs: fix data leak in nobh_write_end() Chris Wright
2008-04-17 1:01 ` pci: revert SMBus unhide on HP Compaq nx6110 Chris Wright
2008-04-17 1:01 ` hwmon: (w83781d) Fix I/O resource conflict with PNP Chris Wright
2008-04-17 1:01 ` vmcoreinfo: add the symbol "phys_base" Chris Wright
2008-04-17 9:24 ` Eric W. Biederman
2008-04-17 17:16 ` Chris Wright
2008-04-17 17:29 ` Vivek Goyal
2008-04-18 10:17 ` Ken'ichi Ohmichi
2008-04-17 23:31 ` Eric W. Biederman
2008-04-17 1:01 ` USB: Allow initialization of broken keyspan serial adapters Chris Wright
2008-04-17 1:01 ` USB: serial: fix regression in Visor/Palm OS module for kernels >= 2.6.24 Chris Wright
2008-04-17 1:01 ` USB: serial: ti_usb_3410_5052: Correct TUSB3410 endpoint requirements Chris Wright
2008-04-17 8:01 ` Oliver Neukum
2008-04-17 17:02 ` Greg KH
2008-04-17 1:01 ` CRYPTO xcbc: Fix crash when ipsec uses xcbc-mac with big data chunk Chris Wright
2008-04-17 11:26 ` S.Çağlar Onur
2008-04-17 14:22 ` Herbert Xu
2008-04-17 23:33 ` Chris Wright
2008-04-17 1:01 ` mtd: fix broken state in CFI driver caused by FL_SHUTDOWN Chris Wright
2008-04-17 1:01 ` ipmi: change device node ordering to reflect probe order Chris Wright
2008-04-17 1:01 ` AX25 ax25_out: check skb for NULL in ax25_kick() Chris Wright
2008-04-17 1:01 ` NET: include <linux/types.h> into linux/ethtool.h for __u* typedef Chris Wright
2008-04-17 1:01 ` SUNGEM: Fix NAPI assertion failure Chris Wright
2008-04-17 1:01 ` INET: inet_frag_evictor() must run with BH disabled Chris Wright
2008-04-17 1:01 ` LLC: Restrict LLC sockets to root Chris Wright
2008-04-17 1:01 ` netpoll: zap_completion_queue: adjust skb->users counter Chris Wright
2008-04-17 1:01 ` Chris Wright [this message]
2008-04-17 1:01 ` PPPOL2TP: Fix SMP issues in skb reorder queue handling Chris Wright
2008-04-17 1:01 ` NET: Add preemption point in qdisc_run Chris Wright
2008-04-17 1:01 ` sch_htb: fix "too many events" situation Chris Wright
2008-04-17 1:02 ` SCTP: Fix local_addr deletions during list traversals Chris Wright
2008-04-17 1:02 ` NET: Fix multicast device ioctl checks Chris Wright
2008-04-17 1:02 ` TCP: Fix shrinking windows with window scaling Chris Wright
2008-04-17 1:02 ` TCP: Let skbs grow over a page on fast peers Chris Wright
2008-04-17 1:02 ` VLAN: Dont copy ALLMULTI/PROMISC flags from underlying device Chris Wright
2008-04-17 1:02 ` SPARC64: Fix atomic backoff limit Chris Wright
2008-04-17 1:02 ` SPARC64: Fix __get_cpu_var in preemption-enabled area Chris Wright
2008-04-17 1:02 ` SPARC64: flush_ptrace_access() needs preemption disable Chris Wright
2008-04-17 1:02 ` libata: assume no device is attached if both IDENTIFYs are aborted Chris Wright
2008-04-17 1:02 ` sis190: read the mac address from the eeprom first Chris Wright
2008-04-17 1:02 ` bluetooth: hci_core: defer hci_unregister_sysfs() Chris Wright
2008-04-17 1:02 ` SPARC64: Fix FPU saving in 64-bit signal handling Chris Wright
2008-04-17 1:02 ` DVB: tda10086: make the 22kHz tone for DISEQC a config option Chris Wright
2008-04-17 1:02 ` SUNRPC: Fix a memory leak in rpc_create() Chris Wright
2008-04-17 21:25 ` Stefan Lippers-Hollmann
2008-04-17 22:06 ` Trond Myklebust
2008-04-17 22:09 ` Chris Wright
2008-04-18 14:42 ` Chuck Lever
2008-04-17 1:02 ` HFS+: fix unlink of links Chris Wright
2008-04-17 1:02 ` acpi: fix "buggy BIOS check" when CPUs are hot removed Chris Wright
2008-04-17 1:02 ` plip: replace spin_lock_irq with spin_lock_irqsave in irq context Chris Wright
2008-04-17 1:02 ` signalfd: fix for incorrect SI_QUEUE user data reporting Chris Wright
2008-04-17 1:02 ` md: close a livelock window in handle_parity_checks5 Chris Wright
2008-04-17 1:02 ` POWERPC: Fix build of modular drivers/macintosh/apm_emu.c Chris Wright
2008-04-17 1:02 ` pnpacpi: reduce printk severity for "pnpacpi: exceeded the max number of ..." Chris Wright
2008-04-17 15:24 ` Nick Andrew
2008-04-17 17:09 ` Chris Wright
2008-04-18 21:48 ` Bjorn Helgaas
2008-04-23 4:09 ` [stable PATCH for 2.6.24.5 and 2.6.25] pnpacpi: fix potential corruption on "pnpacpi: exceeded the max number of IRQ resources 2" Len Brown
2008-04-17 1:02 ` PARISC futex: special case cmpxchg NULL in kernel space Chris Wright
2008-04-17 1:02 ` PARISC pdc_console: fix bizarre panic on boot Chris Wright
2008-04-17 1:02 ` PARISC fix signal trampoline cache flushing Chris Wright
2008-04-17 1:02 ` acpi: bus: check once more for an empty list after locking it Chris Wright
2008-04-17 1:02 ` fbdev: fix /proc/fb oops after module removal Chris Wright
2008-04-17 1:02 ` macb: Call phy_disconnect on removing Chris Wright
2008-04-17 1:02 ` file capabilities: remove cap_task_kill() Chris Wright
2008-04-17 1:02 ` locks: fix possible infinite loop in fcntl(F_SETLKW) over nfs Chris Wright
2008-04-18 7:50 ` [stable] [patch 00/66] 2.6.24-stable review Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20080417010343.187171409@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=davem@davemloft.net \
--cc=jchapman@katalix.com \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox