1. 18 Jun, 2016 2 commits
    • tipc: fix socket timer deadlock · f1d048f2
      Jon Paul Maloy committed
      We sometimes observe a 'deadly embrace' type deadlock occurring
      between mutually connected sockets on the same node. This happens
      when the one-hour peer supervision timers happen to expire
      simultaneously in both sockets.
      
      The scenario is as follows:
      
      CPU 1:                          CPU 2:
      --------                        --------
      tipc_sk_timeout(sk1)            tipc_sk_timeout(sk2)
        lock(sk1.slock)                 lock(sk2.slock)
        msg_create(probe)               msg_create(probe)
        unlock(sk1.slock)               unlock(sk2.slock)
        tipc_node_xmit_skb()            tipc_node_xmit_skb()
          tipc_node_xmit()                tipc_node_xmit()
            tipc_sk_rcv(sk2)                tipc_sk_rcv(sk1)
              lock(sk2.slock)                 lock(sk1.slock)
              filter_rcv()                    filter_rcv()
                tipc_sk_proto_rcv()             tipc_sk_proto_rcv()
                  msg_create(probe_rsp)           msg_create(probe_rsp)
                  tipc_sk_respond()               tipc_sk_respond()
                    tipc_node_xmit_skb()            tipc_node_xmit_skb()
                      tipc_node_xmit()                tipc_node_xmit()
                        tipc_sk_rcv(sk1)                tipc_sk_rcv(sk2)
                          lock(sk1.slock)                 lock(sk2.slock)
                          ===> DEADLOCK                   ===> DEADLOCK
      
      Further analysis reveals that there are three different locations in the
      socket code where tipc_sk_respond() is called within the context of the
      socket lock, with ensuing risk of similar deadlocks.
      
      We now solve this by passing a buffer queue along with all upcalls where
      sk_lock.slock may potentially be held. Response or rejected message
      buffers are accumulated into this queue instead of being sent out
      directly, and only sent once we know we are safely outside the slock
      context.
      Reported-by: GUNA <gbalasun@gmail.com>
      Acked-by: Ying Xue <ying.xue@windriver.com>
      Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
      Signed-off-by: David S. Miller <davem@davemloft.net>
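
The deferred-transmit pattern described in the commit message above, as an added user-space C model (not the kernel patch or TIPC code; `sk_rcv`, `node_xmit`, `run_pair` and the counters are hypothetical simplifications). It counts transmits attempted while a socket lock is held, with and without the response queue:

```c
/* Added user-space model, not kernel code; all names are hypothetical. */
#include <stddef.h>

struct sock  { struct sock *peer; int answered; };
struct msg   { struct sock *dst; int is_rsp; };
struct queue { struct msg m[4]; int n; };

static int locks_held;       /* slocks held by the current call chain */
static int xmit_under_lock;  /* transmits attempted while a slock is held */

static void sk_rcv(struct sock *sk, struct msg m, int deferred);

static void node_xmit(struct msg m, int deferred)
{
    if (locks_held)
        xmit_under_lock++;   /* the pattern that can deadlock on two CPUs */
    sk_rcv(m.dst, m, deferred);
}

static void sk_rcv(struct sock *sk, struct msg m, int deferred)
{
    struct queue xmitq = { .n = 0 };
    struct msg rsp = { sk->peer, 1 };

    locks_held++;                            /* lock(sk.slock) */
    if (m.is_rsp)
        sk->answered++;
    else if (deferred)
        xmitq.m[xmitq.n++] = rsp;            /* fix: accumulate only */
    else
        node_xmit(rsp, deferred);            /* before: respond under lock */
    locks_held--;                            /* unlock(sk.slock) */
    for (int i = 0; i < xmitq.n; i++)        /* send outside the lock */
        node_xmit(xmitq.m[i], deferred);
}

/* Both supervision timers fire; returns transmits made under a lock. */
static int run_pair(int deferred, int *answered)
{
    struct sock a = { NULL, 0 }, b = { &a, 0 };
    struct msg pa = { &b, 0 }, pb = { &a, 0 };

    a.peer = &b;
    locks_held = xmit_under_lock = 0;
    node_xmit(pa, deferred);   /* probes are built under the lock, sent after */
    node_xmit(pb, deferred);
    *answered = a.answered + b.answered;
    return xmit_under_lock;
}
```
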
    • Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf · 695ef16c
      David S. Miller committed
      Pablo Neira Ayuso says:
      
      ====================
      Netfilter fixes for net
      
      The following patchset contains Netfilter fixes for your net tree,
      they are rather small patches but fixing several outstanding bugs in
      nf_conntrack and nf_tables, as well as minor problems with missing
      SYNPROXY header uapi installation:
      
      1) Oneliner not to leak conntrack kmemcache on module removal, this
         problem was introduced in the previous merge window, patch from
         Florian Westphal.
      
      2) Two fixes for insufficient ruleset loop validation, one due to
         incorrect flag check in nf_tables_bind_set() and another related to
         silly wrong generation mask logic from the walk path, from Liping
         Zhang.
      
      3) Fix double-free of anonymous sets on error, this fix simplifies the
         code to let the abort path take care of releasing the set object,
         also from Liping Zhang.
      
      4) The introduction of helper function for transactions broke the skip
         inactive rules logic from the nft_do_chain(), again from Liping
         Zhang.
      
      5) Two patches to install uapi xt_SYNPROXY.h header and calm down
         kbuild robot due to missing #include <linux/types.h>.
      ====================
      Signed-off-by: David S. Miller <davem@davemloft.net>
  2. 17 Jun, 2016 6 commits
  3. 16 Jun, 2016 21 commits
  4. 15 Jun, 2016 11 commits