From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: David Howells <dhowells@redhat.com>,
Sasha Levin <sashal@kernel.org>,
linux-afs@lists.infradead.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.19 12/59] rxrpc: Fix trace-after-put looking at the put connection record
Date: Sat, 26 Oct 2019 09:18:23 -0400 [thread overview]
Message-ID: <20191026131910.3435-12-sashal@kernel.org> (raw)
In-Reply-To: <20191026131910.3435-1-sashal@kernel.org>
From: David Howells <dhowells@redhat.com>
[ Upstream commit 4c1295dccc0afe0905b6ca4c62ade7f2406f2cfb ]
rxrpc_put_*conn() calls trace_rxrpc_conn() after they have done the
decrement of the refcount - which looks at the debug_id in the connection
record. But unless the refcount was reduced to zero, we no longer have the
right to look in the record and, indeed, it may be deleted by some other
thread.
Fix this by getting the debug_id out before decrementing the refcount and
then passing that into the tracepoint.
Fixes: 363deeab6d0f ("rxrpc: Add connection tracepoint and client conn state tracepoint")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/trace/events/rxrpc.h | 6 +++---
net/rxrpc/call_accept.c | 2 +-
net/rxrpc/conn_client.c | 6 ++++--
net/rxrpc/conn_object.c | 13 +++++++------
net/rxrpc/conn_service.c | 2 +-
5 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/include/trace/events/rxrpc.h b/include/trace/events/rxrpc.h
index a08916eb76152..0924119bcfa40 100644
--- a/include/trace/events/rxrpc.h
+++ b/include/trace/events/rxrpc.h
@@ -554,10 +554,10 @@ TRACE_EVENT(rxrpc_peer,
);
TRACE_EVENT(rxrpc_conn,
- TP_PROTO(struct rxrpc_connection *conn, enum rxrpc_conn_trace op,
+ TP_PROTO(unsigned int conn_debug_id, enum rxrpc_conn_trace op,
int usage, const void *where),
- TP_ARGS(conn, op, usage, where),
+ TP_ARGS(conn_debug_id, op, usage, where),
TP_STRUCT__entry(
__field(unsigned int, conn )
@@ -567,7 +567,7 @@ TRACE_EVENT(rxrpc_conn,
),
TP_fast_assign(
- __entry->conn = conn->debug_id;
+ __entry->conn = conn_debug_id;
__entry->op = op;
__entry->usage = usage;
__entry->where = where;
diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c
index 8079aacaecace..c5566bc4aaca3 100644
--- a/net/rxrpc/call_accept.c
+++ b/net/rxrpc/call_accept.c
@@ -88,7 +88,7 @@ static int rxrpc_service_prealloc_one(struct rxrpc_sock *rx,
smp_store_release(&b->conn_backlog_head,
(head + 1) & (size - 1));
- trace_rxrpc_conn(conn, rxrpc_conn_new_service,
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_new_service,
atomic_read(&conn->usage), here);
}
diff --git a/net/rxrpc/conn_client.c b/net/rxrpc/conn_client.c
index c979a56faaef0..f16c7e913f50b 100644
--- a/net/rxrpc/conn_client.c
+++ b/net/rxrpc/conn_client.c
@@ -217,7 +217,8 @@ rxrpc_alloc_client_connection(struct rxrpc_conn_parameters *cp, gfp_t gfp)
rxrpc_get_local(conn->params.local);
key_get(conn->params.key);
- trace_rxrpc_conn(conn, rxrpc_conn_new_client, atomic_read(&conn->usage),
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_new_client,
+ atomic_read(&conn->usage),
__builtin_return_address(0));
trace_rxrpc_client(conn, -1, rxrpc_client_alloc);
_leave(" = %p", conn);
@@ -989,11 +990,12 @@ rxrpc_put_one_client_conn(struct rxrpc_connection *conn)
void rxrpc_put_client_conn(struct rxrpc_connection *conn)
{
const void *here = __builtin_return_address(0);
+ unsigned int debug_id = conn->debug_id;
int n;
do {
n = atomic_dec_return(&conn->usage);
- trace_rxrpc_conn(conn, rxrpc_conn_put_client, n, here);
+ trace_rxrpc_conn(debug_id, rxrpc_conn_put_client, n, here);
if (n > 0)
return;
ASSERTCMP(n, >=, 0);
diff --git a/net/rxrpc/conn_object.c b/net/rxrpc/conn_object.c
index 885dae829f4a1..3d02636b8f856 100644
--- a/net/rxrpc/conn_object.c
+++ b/net/rxrpc/conn_object.c
@@ -272,7 +272,7 @@ bool rxrpc_queue_conn(struct rxrpc_connection *conn)
if (n == 0)
return false;
if (rxrpc_queue_work(&conn->processor))
- trace_rxrpc_conn(conn, rxrpc_conn_queued, n + 1, here);
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_queued, n + 1, here);
else
rxrpc_put_connection(conn);
return true;
@@ -287,7 +287,7 @@ void rxrpc_see_connection(struct rxrpc_connection *conn)
if (conn) {
int n = atomic_read(&conn->usage);
- trace_rxrpc_conn(conn, rxrpc_conn_seen, n, here);
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_seen, n, here);
}
}
@@ -299,7 +299,7 @@ void rxrpc_get_connection(struct rxrpc_connection *conn)
const void *here = __builtin_return_address(0);
int n = atomic_inc_return(&conn->usage);
- trace_rxrpc_conn(conn, rxrpc_conn_got, n, here);
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_got, n, here);
}
/*
@@ -313,7 +313,7 @@ rxrpc_get_connection_maybe(struct rxrpc_connection *conn)
if (conn) {
int n = atomic_fetch_add_unless(&conn->usage, 1, 0);
if (n > 0)
- trace_rxrpc_conn(conn, rxrpc_conn_got, n + 1, here);
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_got, n + 1, here);
else
conn = NULL;
}
@@ -336,10 +336,11 @@ static void rxrpc_set_service_reap_timer(struct rxrpc_net *rxnet,
void rxrpc_put_service_conn(struct rxrpc_connection *conn)
{
const void *here = __builtin_return_address(0);
+ unsigned int debug_id = conn->debug_id;
int n;
n = atomic_dec_return(&conn->usage);
- trace_rxrpc_conn(conn, rxrpc_conn_put_service, n, here);
+ trace_rxrpc_conn(debug_id, rxrpc_conn_put_service, n, here);
ASSERTCMP(n, >=, 0);
if (n == 1)
rxrpc_set_service_reap_timer(conn->params.local->rxnet,
@@ -423,7 +424,7 @@ void rxrpc_service_connection_reaper(struct work_struct *work)
*/
if (atomic_cmpxchg(&conn->usage, 1, 0) != 1)
continue;
- trace_rxrpc_conn(conn, rxrpc_conn_reap_service, 0, NULL);
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_reap_service, 0, NULL);
if (rxrpc_conn_is_client(conn))
BUG();
diff --git a/net/rxrpc/conn_service.c b/net/rxrpc/conn_service.c
index 80773a50c7551..6da7c4bf15e88 100644
--- a/net/rxrpc/conn_service.c
+++ b/net/rxrpc/conn_service.c
@@ -138,7 +138,7 @@ struct rxrpc_connection *rxrpc_prealloc_service_connection(struct rxrpc_net *rxn
list_add_tail(&conn->proc_link, &rxnet->conn_proc_list);
write_unlock(&rxnet->conn_lock);
- trace_rxrpc_conn(conn, rxrpc_conn_new_service,
+ trace_rxrpc_conn(conn->debug_id, rxrpc_conn_new_service,
atomic_read(&conn->usage),
__builtin_return_address(0));
}
--
2.20.1
next prev parent reply other threads:[~2019-10-26 13:31 UTC|newest]
Thread overview: 38+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-26 13:18 [PATCH AUTOSEL 4.19 01/59] tools: bpf: Use !building_out_of_srctree to determine srctree Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 03/59] mac80211_hwsim: fix incorrect dev_alloc_name failure goto Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 06/59] net: dsa: b53: Do not clear existing mirrored port mask Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 07/59] net: stmmac: gmac4+: Not all Unicast addresses may be available Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 10/59] rxrpc: Fix call ref leak Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 11/59] rxrpc: Fix trace-after-put looking at the put peer record Sasha Levin
2019-10-26 13:18 ` Sasha Levin [this message]
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 13/59] rxrpc: Fix trace-after-put looking at the put call record Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 14/59] rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 15/59] mac80211: accept deauth frames in IBSS mode Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 16/59] mac80211: fix scan when operating on DFS channels in ETSI domains Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 17/59] llc: fix sk_buff leak in llc_sap_state_process() Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 18/59] llc: fix sk_buff leak in llc_conn_service() Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 19/59] llc: fix another potential sk_buff leak in llc_ui_sendmsg() Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 20/59] llc: fix sk_buff refcounting in llc_conn_state_process() Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 21/59] NFC: pn533: fix use-after-free and memleaks Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 22/59] ip6erspan: remove the incorrect mtu limit for ip6erspan Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 23/59] iwlwifi: dbg_ini: fix memory leak in alloc_sgtable Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 24/59] iwlwifi: pcie: fix memory leaks in iwl_pcie_ctxt_info_gen3_init Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 25/59] iwlwifi: exclude GEO SAR support for 3168 Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 27/59] net: stmmac: fix length of PTP clock's name string Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 28/59] net: stmmac: fix disabling flexible PPS output Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 29/59] bonding: fix potential NULL deref in bond_update_slave_arr Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 32/59] act_mirred: Fix mirred_init_module error handling Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 33/59] net: usb: qmi_wwan: add Telit 0x1050 composition Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 34/59] net: avoid possible false sharing in sk_leave_memory_pressure() Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 35/59] net: add {READ|WRITE}_ONCE() annotations on ->rskq_accept_head Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 36/59] net/smc: receive returns without data Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 37/59] net/smc: receive pending data after RCV_SHUTDOWN Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 39/59] vhost/test: stop device before reset Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 40/59] net/ibmvnic: Fix EOI when running in XIVE mode Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 47/59] net: i82596: fix dma_alloc_attr for sni_82596 Sasha Levin
2019-10-26 13:18 ` [PATCH AUTOSEL 4.19 48/59] net: bcmgenet: Fix RGMII_MODE_EN value for GENET v1/2/3 Sasha Levin
2019-10-26 13:19 ` [PATCH AUTOSEL 4.19 49/59] net: usb: sr9800: fix uninitialized local variable Sasha Levin
2019-10-26 13:19 ` [PATCH AUTOSEL 4.19 51/59] net: stmmac: disable/enable ptp_ref_clk in suspend/resume flow Sasha Levin
2019-10-26 13:19 ` [PATCH AUTOSEL 4.19 52/59] usb: hso: obey DMA rules in tiocmget Sasha Levin
2019-10-26 13:19 ` [PATCH AUTOSEL 4.19 54/59] net: stmmac: fix argument to stmmac_pcs_ctrl_ane() Sasha Levin
2019-10-26 13:19 ` [PATCH AUTOSEL 4.19 56/59] net: usb: lan78xx: Connect PHY before registering MAC Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191026131910.3435-12-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=dhowells@redhat.com \
--cc=linux-afs@lists.infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).