aboutsummaryrefslogtreecommitdiffstats
path: root/net/sunrpc
diff options
context:
space:
mode:
authorNeilBrown <neilb@suse.de>2013-10-31 01:14:36 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2013-10-31 09:14:50 -0400
commit93dc41bdc5c853916610576c6b48a1704959c70d (patch)
tree893c971fc8538c8872938c56a442be0abe7db437 /net/sunrpc
parent09c3e54635c85b3da44d3bc156619c1f1af3bb43 (diff)
SUNRPC: close a rare race in xs_tcp_setup_socket.
We have one report of a crash in xs_tcp_setup_socket. The call path to the crash is: xs_tcp_setup_socket -> inet_stream_connect -> lock_sock_nested. The 'sock' passed to that last function is NULL. The only way I can see this happening is a concurrent call to xs_close: xs_close -> xs_reset_transport -> sock_release -> inet_release inet_release sets: sock->sk = NULL; inet_stream_connect calls lock_sock(sock->sk); which gets NULL. All calls to xs_close are protected by XPRT_LOCKED as are most activations of the workqueue which runs xs_tcp_setup_socket. The exception is xs_tcp_schedule_linger_timeout. So presumably the timeout queued by the later fires exactly when some other code runs xs_close(). To protect against this we can move the cancel_delayed_work_sync() call from xs_destory() to xs_close(). As xs_close is never called from the worker scheduled on ->connect_worker, this can never deadlock. Signed-off-by: NeilBrown <neilb@suse.de> [Trond: Make it safe to call cancel_delayed_work_sync() on AF_LOCAL sockets] Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'net/sunrpc')
-rw-r--r--net/sunrpc/xprtsock.c13
1 files changed, 9 insertions, 4 deletions
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 9deed17fd3e4..a4709bbf8e5e 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -835,6 +835,8 @@ static void xs_close(struct rpc_xprt *xprt)
835 835
836 dprintk("RPC: xs_close xprt %p\n", xprt); 836 dprintk("RPC: xs_close xprt %p\n", xprt);
837 837
838 cancel_delayed_work_sync(&transport->connect_worker);
839
838 xs_reset_transport(transport); 840 xs_reset_transport(transport);
839 xprt->reestablish_timeout = 0; 841 xprt->reestablish_timeout = 0;
840 842
@@ -869,12 +871,8 @@ static void xs_local_destroy(struct rpc_xprt *xprt)
869 */ 871 */
870static void xs_destroy(struct rpc_xprt *xprt) 872static void xs_destroy(struct rpc_xprt *xprt)
871{ 873{
872 struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt);
873
874 dprintk("RPC: xs_destroy xprt %p\n", xprt); 874 dprintk("RPC: xs_destroy xprt %p\n", xprt);
875 875
876 cancel_delayed_work_sync(&transport->connect_worker);
877
878 xs_local_destroy(xprt); 876 xs_local_destroy(xprt);
879} 877}
880 878
@@ -1817,6 +1815,10 @@ static inline void xs_reclassify_socket(int family, struct socket *sock)
1817} 1815}
1818#endif 1816#endif
1819 1817
1818static void xs_dummy_setup_socket(struct work_struct *work)
1819{
1820}
1821
1820static struct socket *xs_create_sock(struct rpc_xprt *xprt, 1822static struct socket *xs_create_sock(struct rpc_xprt *xprt,
1821 struct sock_xprt *transport, int family, int type, int protocol) 1823 struct sock_xprt *transport, int family, int type, int protocol)
1822{ 1824{
@@ -2668,6 +2670,9 @@ static struct rpc_xprt *xs_setup_local(struct xprt_create *args)
2668 xprt->ops = &xs_local_ops; 2670 xprt->ops = &xs_local_ops;
2669 xprt->timeout = &xs_local_default_timeout; 2671 xprt->timeout = &xs_local_default_timeout;
2670 2672
2673 INIT_DELAYED_WORK(&transport->connect_worker,
2674 xs_dummy_setup_socket);
2675
2671 switch (sun->sun_family) { 2676 switch (sun->sun_family) {
2672 case AF_LOCAL: 2677 case AF_LOCAL:
2673 if (sun->sun_path[0] != '/') { 2678 if (sun->sun_path[0] != '/') {
generated by cgit v1.2.2 (git 2.25.0) at 2024-12-20 09:52:39 -0500