1. 24 3月, 2015 3 次提交
  2. 21 3月, 2015 4 次提交
  3. 20 3月, 2015 1 次提交
  4. 19 3月, 2015 4 次提交
  5. 17 3月, 2015 2 次提交
  6. 16 3月, 2015 2 次提交
    • H
      rhashtable: Fix rhashtable_remove failures · 565e8640
      Herbert Xu 提交于
      The commit 9d901bc0 ("rhashtable:
      Free bucket tables asynchronously after rehash") causes gratuitous
      failures in rhashtable_remove.
      
      The reason is that it inadvertently introduced multiple rehashing
      from the perspective of readers.  IOW it is now possible to see
      more than two tables during a single RCU critical section.
      
      Fortunately the other reader rhashtable_lookup already deals with
      this correctly thanks to c4db8848
      ("rhashtable: rhashtable: Move future_tbl into struct bucket_table")
      so only rhashtable_remove is broken by this change.
      
      This patch fixes this by looping over every table from the first
      one to the last or until we find the element that we were trying
      to delete.
      
      Incidentally the simple test for detecting rehashing to prevent
      starting another shrinking no longer works.  Since it isn't needed
      anyway (the work queue and the mutex serves as a natural barrier
      to unnecessary rehashes) I've simply killed the test.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      565e8640
    • H
      rhashtable: Fix use-after-free in rhashtable_walk_stop · 963ecbd4
      Herbert Xu 提交于
      The commit c4db8848 ("rhashtable:
      Move future_tbl into struct bucket_table") introduced a use-after-
      free bug in rhashtable_walk_stop because it dereferences tbl after
      droping the RCU read lock.
      
      This patch fixes it by moving the RCU read unlock down to the bottom
      of rhashtable_walk_stop.  In fact this was how I had it originally
      but it got dropped while rearranging patches because this one
      depended on the async freeing of bucket_table.
      Signed-off-by: NHerbert Xu <herbert@gondor.apana.org.au>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      963ecbd4
  7. 15 3月, 2015 6 次提交
  8. 13 3月, 2015 7 次提交
  9. 12 3月, 2015 3 次提交
  10. 05 3月, 2015 1 次提交
    • S
      seq_buf: Fix seq_buf_bprintf() truncation · 4d4eb4d4
      Steven Rostedt (Red Hat) 提交于
      In seq_buf_bprintf(), bstr_printf() is used to copy the format into the
      buffer remaining in the seq_buf structure. The return of bstr_printf()
      is the amount of characters written to the buffer excluding the '\0',
      unless the line was truncated!
      
      If the line copied does not fit, it is truncated, and a '\0' is added
      to the end of the buffer. But in this case, '\0' is included in the length
      of the line written. To know if the buffer had overflowed, the return
      length will be the same or greater than the length of the buffer passed in.
      
      The check in seq_buf_bprintf() only checked if the length returned from
      bstr_printf() would fit in the buffer, as the seq_buf_bprintf() is only
      to be an all or nothing command. It either writes all the string into
      the seq_buf, or none of it. If the string is truncated, the pointers
      inside the seq_buf must be reset to what they were when the function was
      called. This is not the case. On overflow, it copies only part of the string.
      
      The fix is to change the overflow check to see if the length returned from
      bstr_printf() is less than the length remaining in the seq_buf buffer, and not
      if it is less than or equal to as it currently does. Then seq_buf_bprintf()
      will know if the write from bstr_printf() was truncated or not.
      
      Link: http://lkml.kernel.org/r/1425500481.2712.27.camel@perches.com
      
      Cc: stable@vger.kernel.org
      Reported-by: NJoe Perches <joe@perches.com>
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      4d4eb4d4
  11. 04 3月, 2015 1 次提交
    • S
      seq_buf: Fix seq_buf_vprintf() truncation · 4a8fe4e1
      Steven Rostedt (Red Hat) 提交于
      In seq_buf_vprintf(), vsnprintf() is used to copy the format into the
      buffer remaining in the seq_buf structure. The return of vsnprintf()
      is the amount of characters written to the buffer excluding the '\0',
      unless the line was truncated!
      
      If the line copied does not fit, it is truncated, and a '\0' is added
      to the end of the buffer. But in this case, '\0' is included in the length
      of the line written. To know if the buffer had overflowed, the return
      length will be the same as the length of the buffer passed in.
      
      The check in seq_buf_vprintf() only checked if the length returned from
      vsnprintf() would fit in the buffer, as the seq_buf_vprintf() is only
      to be an all or nothing command. It either writes all the string into
      the seq_buf, or none of it. If the string is truncated, the pointers
      inside the seq_buf must be reset to what they were when the function was
      called. This is not the case. On overflow, it copies only part of the string.
      
      The fix is to change the overflow check to see if the length returned from
      vsnprintf() is less than the length remaining in the seq_buf buffer, and not
      if it is less than or equal to as it currently does. Then seq_buf_vprintf()
      will know if the write from vsnpritnf() was truncated or not.
      
      Cc: stable@vger.kernel.org
      Signed-off-by: NSteven Rostedt <rostedt@goodmis.org>
      4a8fe4e1
  12. 28 2月, 2015 3 次提交
    • E
      rhashtable: use cond_resched() · 5beb5c90
      Eric Dumazet 提交于
      If a hash table has 128 slots and 16384 elems, expand to 256 slots
      takes more than one second. For larger sets, a soft lockup is detected.
      
      Holding cpu for that long, even in a work queue is a show stopper
      for non preemptable kernels.
      
      cond_resched() at strategic points to allow process scheduler
      to reschedule us.
      Signed-off-by: NEric Dumazet <edumazet@google.com>
      Acked-by: NDaniel Borkmann <daniel@iogearbox.net>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      5beb5c90
    • D
      rhashtable: remove indirection for grow/shrink decision functions · 4c4b52d9
      Daniel Borkmann 提交于
      Currently, all real users of rhashtable default their grow and shrink
      decision functions to rht_grow_above_75() and rht_shrink_below_30(),
      so that there's currently no need to have this explicitly selectable.
      
      It can/should be generic and private inside rhashtable until a real
      use case pops up. Since we can make this private, we'll save us this
      additional indirection layer and can improve insertion/deletion time
      as well.
      
      Reference: http://patchwork.ozlabs.org/patch/443040/Suggested-by: NDavid S. Miller <davem@davemloft.net>
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Acked-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      4c4b52d9
    • D
      rhashtable: unconditionally grow when max_shift is not specified · 8331de75
      Daniel Borkmann 提交于
      While commit c0c09bfd ("rhashtable: avoid unnecessary wakeup for
      worker queue") rightfully moved part of the decision making of
      whether we should expand or shrink from the expand/shrink functions
      themselves into insert/delete functions in order to avoid unnecessary
      worker wake-ups, it however introduced a regression by doing so.
      
      Before that change, if no max_shift was specified (= 0) on rhashtable
      initialization, rhashtable_expand() would just grow unconditionally
      and lets the available memory be the limiting factor. After that
      change, if no max_shift was specified, there would be _no_ expansion
      step at all.
      
      Given that netlink and tipc have a max_shift specified, it was not
      visible there, but Josh Hunt reported that if nft that starts out
      with a default element hint of 3 if not otherwise provided, would
      slow i.e. inserts down trememdously as it cannot grow larger to
      relax table occupancy.
      
      Given that the test case verifies shrinks/expands manually, we also
      must remove pointer to the helper functions to explicitly avoid
      parallel resizing on insertions/deletions. test_bucket_stats() and
      test_rht_lookup() could also be wrapped around rhashtable mutex to
      explicitly synchronize a walk from resizing, but I think that defeats
      the actual test case which intended to have explicit test steps,
      i.e. 1) inserts, 2) expands, 3) shrinks, 4) deletions, with object
      verification after each stage.
      Reported-by: NJosh Hunt <johunt@akamai.com>
      Fixes: c0c09bfd ("rhashtable: avoid unnecessary wakeup for worker queue")
      Signed-off-by: NDaniel Borkmann <daniel@iogearbox.net>
      Cc: Ying Xue <ying.xue@windriver.com>
      Cc: Josh Hunt <johunt@akamai.com>
      Acked-by: NThomas Graf <tgraf@suug.ch>
      Signed-off-by: NDavid S. Miller <davem@davemloft.net>
      8331de75
  13. 24 2月, 2015 1 次提交
  14. 21 2月, 2015 2 次提交