1. 25 9月, 2014 1 次提交
  2. 11 9月, 2014 1 次提交
    • C
      rpc: xs_bind - do not bind when requesting a random ephemeral port · 0f7a622c
      Chris Perl 提交于
      When attempting to establish a local ephemeral endpoint for a TCP or UDP
      socket, do not explicitly call bind, instead let it happen implicilty when the
      socket is first used.
      
      The main motivating factor for this change is when TCP runs out of unique
      ephemeral ports (i.e.  cannot find any ephemeral ports which are not a part of
      *any* TCP connection).  In this situation if you explicitly call bind, then the
      call will fail with EADDRINUSE.  However, if you allow the allocation of an
      ephemeral port to happen implicitly as part of connect (or other functions),
      then ephemeral ports can be reused, so long as the combination of (local_ip,
      local_port, remote_ip, remote_port) is unique for TCP sockets on the system.
      
      This doesn't matter for UDP sockets, but it seemed easiest to treat TCP and UDP
      sockets the same.
      
      This can allow mount.nfs(8) to continue to function successfully, even in the
      face of misbehaving applications which are creating a large number of TCP
      connections.
      Signed-off-by: NChris Perl <chris.perl@gmail.com>
      Signed-off-by: NTrond Myklebust <trond.myklebust@primarydata.com>
      0f7a622c
  3. 13 7月, 2014 1 次提交
  4. 01 7月, 2014 1 次提交
  5. 24 5月, 2014 1 次提交
  6. 18 4月, 2014 1 次提交
  7. 12 4月, 2014 1 次提交
    • D
      net: Fix use after free by removing length arg from sk_data_ready callbacks. · 676d2369
      David S. Miller 提交于
      Several spots in the kernel perform a sequence like:
      
      	skb_queue_tail(&sk->s_receive_queue, skb);
      	sk->sk_data_ready(sk, skb->len);
      
      But at the moment we place the SKB onto the socket receive queue it
      can be consumed and freed up.  So this skb->len access is potentially
      to freed up memory.
      
      Furthermore, the skb->len can be modified by the consumer so it is
      possible that the value isn't accurate.
      
      And finally, no actual implementation of this callback actually uses
      the length argument.  And since nobody actually cared about it's
      value, lots of call sites pass arbitrary values in such as '0' and
      even '1'.
      
      So just remove the length argument from the callback, that way there
      is no confusion whatsoever and all of these use-after-free cases get
      fixed as a side effect.
      
      Based upon a patch by Eric Dumazet and his suggestion to audit this
      issue tree-wide.
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      676d2369
  8. 30 3月, 2014 3 次提交
  9. 29 3月, 2014 1 次提交
  10. 12 2月, 2014 1 次提交
  11. 11 2月, 2014 1 次提交
  12. 15 1月, 2014 1 次提交
  13. 01 1月, 2014 2 次提交
  14. 11 12月, 2013 1 次提交
  15. 13 11月, 2013 1 次提交
  16. 09 11月, 2013 1 次提交
    • T
      SUNRPC: Fix a data corruption issue when retransmitting RPC calls · a6b31d18
      Trond Myklebust 提交于
      The following scenario can cause silent data corruption when doing
      NFS writes. It has mainly been observed when doing database writes
      using O_DIRECT.
      
      1) The RPC client uses sendpage() to do zero-copy of the page data.
      2) Due to networking issues, the reply from the server is delayed,
         and so the RPC client times out.
      
      3) The client issues a second sendpage of the page data as part of
         an RPC call retransmission.
      
      4) The reply to the first transmission arrives from the server
         _before_ the client hardware has emptied the TCP socket send
         buffer.
      5) After processing the reply, the RPC state machine rules that
         the call to be done, and triggers the completion callbacks.
      6) The application notices the RPC call is done, and reuses the
         pages to store something else (e.g. a new write).
      
      7) The client NIC drains the TCP socket send buffer. Since the
         page data has now changed, it reads a corrupted version of the
         initial RPC call, and puts it on the wire.
      
      This patch fixes the problem in the following manner:
      
      The ordering guarantees of TCP ensure that when the server sends a
      reply, then we know that the _first_ transmission has completed. Using
      zero-copy in that situation is therefore safe.
      If a time out occurs, we then send the retransmission using sendmsg()
      (i.e. no zero-copy), We then know that the socket contains a full copy of
      the data, and so it will retransmit a faithful reproduction even if the
      RPC call completes, and the application reuses the O_DIRECT buffer in
      the meantime.
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      Cc: stable@vger.kernel.org
      a6b31d18
  17. 31 10月, 2013 2 次提交
    • T
      SUNRPC: Cleanup xs_destroy() · a1311d87
      Trond Myklebust 提交于
      There is no longer any need for a separate xs_local_destroy() helper.
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      a1311d87
    • N
      SUNRPC: close a rare race in xs_tcp_setup_socket. · 93dc41bd
      NeilBrown 提交于
      We have one report of a crash in xs_tcp_setup_socket.
      The call path to the crash is:
      
        xs_tcp_setup_socket -> inet_stream_connect -> lock_sock_nested.
      
      The 'sock' passed to that last function is NULL.
      
      The only way I can see this happening is a concurrent call to
      xs_close:
      
        xs_close -> xs_reset_transport -> sock_release -> inet_release
      
      inet_release sets:
         sock->sk = NULL;
      inet_stream_connect calls
         lock_sock(sock->sk);
      which gets NULL.
      
      All calls to xs_close are protected by XPRT_LOCKED as are most
      activations of the workqueue which runs xs_tcp_setup_socket.
      The exception is xs_tcp_schedule_linger_timeout.
      
      So presumably the timeout queued by the later fires exactly when some
      other code runs xs_close().
      
      To protect against this we can move the cancel_delayed_work_sync()
      call from xs_destory() to xs_close().
      
      As xs_close is never called from the worker scheduled on
      ->connect_worker, this can never deadlock.
      Signed-off-by: NNeilBrown <neilb@suse.de>
      [Trond: Make it safe to call cancel_delayed_work_sync() on AF_LOCAL sockets]
      Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
      93dc41bd
  18. 29 10月, 2013 1 次提交
  19. 02 10月, 2013 2 次提交
  20. 05 9月, 2013 1 次提交
  21. 25 7月, 2013 1 次提交
  22. 13 6月, 2013 1 次提交
  23. 15 5月, 2013 1 次提交
  24. 26 4月, 2013 1 次提交
  25. 15 4月, 2013 1 次提交
  26. 26 3月, 2013 1 次提交
  27. 10 3月, 2013 1 次提交
    • J
      sunrpc: don't attempt to cancel unitialized work · 190b1ecf
      J. Bruce Fields 提交于
      As of dc107402 "SUNRPC: make AF_LOCAL connect synchronous", we no longer initialize connect_worker in the
      AF_LOCAL case, resulting in warnings like:
      
          WARNING: at lib/debugobjects.c:261 debug_print_object+0x8c/0xb0() Hardware name: Bochs
          ODEBUG: assert_init not available (active state 0) object type: timer_list hint: stub_timer+0x0/0x20
          Modules linked in: iscsi_tcp libiscsi_tcp libiscsi scsi_transport_iscsi nfsd auth_rpcgss nfs_acl lockd sunrpc
          Pid: 4816, comm: nfsd Tainted: G        W    3.8.0-rc2-00049-gdc107402 #801
          Call Trace:
           [<ffffffff8156ec00>] ? free_obj_work+0x60/0xa0
           [<ffffffff81046aaf>] warn_slowpath_common+0x7f/0xc0
           [<ffffffff81046ba6>] warn_slowpath_fmt+0x46/0x50
           [<ffffffff8156eccc>] debug_print_object+0x8c/0xb0
           [<ffffffff81055030>] ? timer_debug_hint+0x10/0x10
           [<ffffffff8156f7e3>] debug_object_assert_init+0xe3/0x120
           [<ffffffff81057ebb>] del_timer+0x2b/0x80
           [<ffffffff8109c4e6>] ? mark_held_locks+0x86/0x110
           [<ffffffff81065a29>] try_to_grab_pending+0xd9/0x150
           [<ffffffff81065b57>] __cancel_work_timer+0x27/0xc0
           [<ffffffff81065c03>] cancel_delayed_work_sync+0x13/0x20
           [<ffffffffa0007067>] xs_destroy+0x27/0x80 [sunrpc]
           [<ffffffffa00040d8>] xprt_destroy+0x78/0xa0 [sunrpc]
           [<ffffffffa0006241>] xprt_put+0x21/0x30 [sunrpc]
           [<ffffffffa00030cf>] rpc_free_client+0x10f/0x1a0 [sunrpc]
           [<ffffffffa0002ff3>] ? rpc_free_client+0x33/0x1a0 [sunrpc]
           [<ffffffffa0002f7e>] rpc_release_client+0x6e/0xb0 [sunrpc]
           [<ffffffffa000325d>] rpc_shutdown_client+0xfd/0x1b0 [sunrpc]
           [<ffffffffa0017196>] rpcb_put_local+0x106/0x130 [sunrpc]
          ...
      Acked-by: N"Myklebust, Trond" <Trond.Myklebust@netapp.com>
      Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
      190b1ecf
  28. 01 3月, 2013 1 次提交
  29. 05 2月, 2013 1 次提交
  30. 01 2月, 2013 4 次提交
  31. 16 12月, 2012 2 次提交