From: Chris Wright <chrisw@sous-sol.org>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: Justin Forbes <jmforbes@linuxtx.org>,
Zwane Mwaikambo <zwane@arm.linux.org.uk>,
"Theodore Ts'o" <tytso@mit.edu>,
Randy Dunlap <rdunlap@xenotime.net>,
Dave Jones <davej@redhat.com>,
Chuck Wolber <chuckw@quantumlinux.com>,
Chris Wedgwood <reviews@ml.cw.f00f.org>,
Michael Krufky <mkrufky@linuxtv.org>,
Chuck Ebbert <cebbert@redhat.com>,
Domenico Andreoli <cavokz@gmail.com>, Willy Tarreau <w@1wt.eu>,
Rodrigo Rubira Branco <rbranco@la.checkpoint.com>,
Jake Edge <jake@lwn.net>, Eugene Teo <eteo@redhat.com>,
torvalds@linux-foundation.org, akpm@linux-foundation.org,
alan@lxorguk.ukuu.org.uk,
Vitaly Mayatskikh <v.mayatskih@gmail.com>
Subject: [patch 02/45] udp: Wrong locking code in udp seq_file infrastructure
Date: Tue, 31 Mar 2009 16:10:47 -0700 [thread overview]
Message-ID: <20090331231334.644225443@sous-sol.org> (raw)
In-Reply-To: 20090331231045.719396245@sous-sol.org
[-- Attachment #1: udp-wrong-locking-code-in-udp-seq_file-infrastructure.patch --]
[-- Type: text/plain, Size: 3971 bytes --]
-stable review patch. If anyone has any objections, please let us know.
---------------------
From: Vitaly Mayatskikh <v.mayatskih@gmail.com>
[ Upstream commit 30842f2989aacfaba3ccb39829b3417be9313dbe ]
Reading zero bytes from /proc/net/udp or other similar files which use
the same seq_file udp infrastructure panics kernel in that way:
=====================================
[ BUG: bad unlock balance detected! ]
-------------------------------------
read/1985 is trying to release lock (&table->hash[i].lock) at:
[<ffffffff81321d83>] udp_seq_stop+0x27/0x29
but there are no more locks to release!
other info that might help us debug this:
1 lock held by read/1985:
#0: (&p->lock){--..}, at: [<ffffffff810eefb6>] seq_read+0x38/0x348
stack backtrace:
Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9
Call Trace:
[<ffffffff81321d83>] ? udp_seq_stop+0x27/0x29
[<ffffffff8106dab9>] print_unlock_inbalance_bug+0xd6/0xe1
[<ffffffff8106db62>] lock_release_non_nested+0x9e/0x1c6
[<ffffffff810ef030>] ? seq_read+0xb2/0x348
[<ffffffff8106bdba>] ? mark_held_locks+0x68/0x86
[<ffffffff81321d83>] ? udp_seq_stop+0x27/0x29
[<ffffffff8106dde7>] lock_release+0x15d/0x189
[<ffffffff8137163c>] _spin_unlock_bh+0x1e/0x34
[<ffffffff81321d83>] udp_seq_stop+0x27/0x29
[<ffffffff810ef239>] seq_read+0x2bb/0x348
[<ffffffff810eef7e>] ? seq_read+0x0/0x348
[<ffffffff8111aedd>] proc_reg_read+0x90/0xaf
[<ffffffff810d878f>] vfs_read+0xa6/0x103
[<ffffffff8106bfac>] ? trace_hardirqs_on_caller+0x12f/0x153
[<ffffffff810d88a2>] sys_read+0x45/0x69
[<ffffffff8101123a>] system_call_fastpath+0x16/0x1b
BUG: scheduling while atomic: read/1985/0xffffff00
INFO: lockdep is turned off.
Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table dm_multipath kvm ppdev snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq_dummy snd_seq_oss snd_seq_midi_event arc4 snd_s
eq ecb thinkpad_acpi snd_seq_device iwl3945 hwmon sdhci_pci snd_pcm_oss sdhci rfkill mmc_core snd_mixer_oss i2c_i801 mac80211 yenta_socket ricoh_mmc i2c_core iTCO_wdt snd_pcm iTCO_vendor_support rs
rc_nonstatic snd_timer snd lib80211 cfg80211 soundcore snd_page_alloc video parport_pc output parport e1000e [last unloaded: scsi_wait_scan]
Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9
Call Trace:
[<ffffffff8106b456>] ? __debug_show_held_locks+0x1b/0x24
[<ffffffff81043660>] __schedule_bug+0x7e/0x83
[<ffffffff8136ede9>] schedule+0xce/0x838
[<ffffffff810d7972>] ? fsnotify_access+0x5f/0x67
[<ffffffff810112d0>] ? sysret_careful+0xb/0x37
[<ffffffff8106be9c>] ? trace_hardirqs_on_caller+0x1f/0x153
[<ffffffff8137127b>] ? trace_hardirqs_on_thunk+0x3a/0x3f
[<ffffffff810112f6>] sysret_careful+0x31/0x37
read[1985]: segfault at 7fffc479bfe8 ip 0000003e7420a180 sp 00007fffc479bfa0 error 6
Kernel panic - not syncing: Aiee, killing interrupt handler!
udp_seq_stop() tries to unlock not yet locked spinlock. The lock was lost
during splitting global udp_hash_lock to subsequent spinlocks.
Signed-off by: Vitaly Mayatskikh <v.mayatskih@gmail.com>
Acked-by: Eric Dumazet <dada1@cosmosbay.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Chris Wright <chrisw@sous-sol.org>
---
net/ipv4/udp.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -1614,7 +1614,8 @@ static struct sock *udp_get_next(struct
} while (sk && (!net_eq(sock_net(sk), net) || sk->sk_family != state->family));
if (!sk) {
- spin_unlock_bh(&state->udp_table->hash[state->bucket].lock);
+ if (state->bucket < UDP_HTABLE_SIZE)
+ spin_unlock_bh(&state->udp_table->hash[state->bucket].lock);
return udp_get_first(seq, state->bucket + 1);
}
return sk;
@@ -1632,6 +1633,9 @@ static struct sock *udp_get_idx(struct s
static void *udp_seq_start(struct seq_file *seq, loff_t *pos)
{
+ struct udp_iter_state *state = seq->private;
+ state->bucket = UDP_HTABLE_SIZE;
+
return *pos ? udp_get_idx(seq, *pos-1) : SEQ_START_TOKEN;
}
next prev parent reply other threads:[~2009-03-31 23:26 UTC|newest]
Thread overview: 59+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-03-31 23:10 [patch 00/45] 2.6.29.1 -stable review Chris Wright
2009-03-31 23:10 ` [patch 01/45] netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack Chris Wright
2009-03-31 23:10 ` Chris Wright [this message]
2009-03-31 23:10 ` [patch 03/45] dnet: drivers/net/dnet.c needs <linux/io.h> Chris Wright
2009-03-31 23:10 ` [patch 04/45] bridge: bad error handling when adding invalid ether address Chris Wright
2009-03-31 23:10 ` [patch 05/45] GRO: Disable GRO on legacy netif_rx path Chris Wright
2009-03-31 23:10 ` [patch 06/45] ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c) Chris Wright
2009-03-31 23:10 ` [patch 07/45] xfrm: spin_lock() should be spin_unlock() in xfrm_state.c Chris Wright
2009-03-31 23:10 ` [patch 08/45] USB: EHCI: add software retry for transaction errors Chris Wright
2009-03-31 23:10 ` [patch 09/45] USB: fix USB_STORAGE_CYPRESS_ATACB Chris Wright
2009-03-31 23:10 ` [patch 10/45] USB: usb-storage: increase max_sectors for tape drives Chris Wright
2009-03-31 23:10 ` [patch 11/45] USB: gadget: fix rndis regression Chris Wright
2009-03-31 23:10 ` [patch 12/45] USB: add quirk to avoid config and interface strings Chris Wright
2009-03-31 23:10 ` [patch 13/45] KVM: VMX: Dont allow uninhibited access to EFER on i386 Chris Wright
2009-03-31 23:10 ` [patch 14/45] KVM: SVM: set accessed bit for VMCB segment selectors Chris Wright
2009-03-31 23:11 ` [patch 15/45] ath9k: downgrade xmit queue full message to xmit debug Chris Wright
2009-03-31 23:11 ` [patch 16/45] cifs: fix buffer format byte on NT Rename/hardlink Chris Wright
2009-03-31 23:11 ` [patch 17/45] ath5k: use spin_lock_irqsave for beacon lock Chris Wright
2009-03-31 23:11 ` [patch 18/45] ath9k: fix dma mapping leak of rx buffer upon rmmod Chris Wright
2009-03-31 23:11 ` [patch 19/45] b43: fix b43_plcp_get_bitrate_idx_ofdm return type Chris Wright
2009-03-31 23:11 ` [patch 20/45] ath5k: disable MIB interrupts Chris Wright
2009-03-31 23:11 ` [patch 21/45] ath5k: warn and correct rate for unknown hw rate indexes Chris Wright
2009-03-31 23:11 ` [patch 22/45] CIFS: Fix memory overwrite when saving nativeFileSystem field during mount Chris Wright
2009-03-31 23:11 ` [patch 23/45] cfg80211: force last_request to be set for OLD_REG if regdom is EU Chris Wright
2009-03-31 23:11 ` [patch 24/45] DVB: firedtv: FireDTV S2 problems with tuning solved Chris Wright
2009-03-31 23:11 ` [patch 25/45] SCSI: sg: fix races during device removal Chris Wright
2009-03-31 23:31 ` Linus Torvalds
2009-04-01 0:10 ` James Bottomley
2009-04-01 0:18 ` Linus Torvalds
2009-04-01 1:15 ` Chris Wright
2009-04-01 1:54 ` FUJITA Tomonori
2009-04-01 15:18 ` Tony Battersby
2009-03-31 23:11 ` [patch 26/45] SCSI: sg: fix races with ioctl(SG_IO) Chris Wright
2009-03-31 23:11 ` [patch 27/45] SCSI: sg: avoid blk_put_request/blk_rq_unmap_user in interrupt Chris Wright
2009-03-31 23:11 ` [patch 28/45] ARM: pxa: fix overlay being un-necessarily initialized on pxa25x Chris Wright
2009-03-31 23:11 ` [patch 29/45] ARM: 5428/1: Module relocation update for R_ARM_V4BX Chris Wright
2009-03-31 23:11 ` [patch 30/45] ARM: cumana: Fix a long standing bogon Chris Wright
2009-03-31 23:11 ` [patch 31/45] ARM: fix leak in iop13xx/pci Chris Wright
2009-03-31 23:11 ` [patch 32/45] ARM: twl4030 - leak fix Chris Wright
2009-03-31 23:11 ` [patch 33/45] ARM: 5435/1: fix compile warning in sanity_check_meminfo() Chris Wright
2009-03-31 23:11 ` [patch 34/45] fuse: fix fuse_file_lseek returning with lock held Chris Wright
2009-03-31 23:11 ` [patch 35/45] Add a missing unlock_kernel() in raw_open() Chris Wright
2009-03-31 23:11 ` [patch 36/45] x86, PAT, PCI: Change vma prot in pci_mmap to reflect inherited prot Chris Wright
2009-03-31 23:11 ` [patch 37/45] x86, uv: fix cpumask iterator in uv_bau_init() Chris Wright
2009-03-31 23:11 ` [patch 38/45] x86: fix 64k corruption-check Chris Wright
2009-03-31 23:11 ` [patch 39/45] x86: ptrace, bts: fix an unreachable statement Chris Wright
2009-03-31 23:11 ` [patch 40/45] x86: mtrr: dont modify RdDram/WrDram bits of fixed MTRRs Chris Wright
2009-03-31 23:11 ` [patch 41/45] VM, x86, PAT: Change is_linear_pfn_mapping to not use vm_pgoff Chris Wright
2009-03-31 23:11 ` [patch 42/45] lguest: wire up pte_update/pte_update_defer Chris Wright
2009-03-31 23:11 ` [patch 43/45] lguest: fix spurious BUG_ON() on invalid guest stack Chris Wright
2009-03-31 23:11 ` [patch 44/45] cfg80211: fix incorrect assumption on last_request for 11d Chris Wright
2009-03-31 23:11 ` [patch 45/45] KVM: MMU: Fix another largepage memory leak Chris Wright
2009-04-01 3:47 ` [patch 00/45] 2.6.29.1 -stable review David Miller
2009-04-01 4:42 ` Michael Krufky
2009-04-02 6:57 ` Chris Wright
2009-04-02 6:57 ` [PATCH 46/45] sparc64: Fix MM refcount check in smp_flush_tlb_pending() Chris Wright
2009-04-02 6:57 ` [PATCH 47/45] sparc64: Flush TLB before releasing pages Chris Wright
2009-04-02 6:58 ` [PATCH 48/45] sparc64: Fix reset hangs on Niagara systems Chris Wright
2009-04-02 6:58 ` [PATCH 49/45] V4L: v4l2-common: remove incorrect MODULE test Chris Wright
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20090331231334.644225443@sous-sol.org \
--to=chrisw@sous-sol.org \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=cavokz@gmail.com \
--cc=cebbert@redhat.com \
--cc=chuckw@quantumlinux.com \
--cc=davej@redhat.com \
--cc=eteo@redhat.com \
--cc=jake@lwn.net \
--cc=jmforbes@linuxtx.org \
--cc=linux-kernel@vger.kernel.org \
--cc=mkrufky@linuxtv.org \
--cc=rbranco@la.checkpoint.com \
--cc=rdunlap@xenotime.net \
--cc=reviews@ml.cw.f00f.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
--cc=tytso@mit.edu \
--cc=v.mayatskih@gmail.com \
--cc=w@1wt.eu \
--cc=zwane@arm.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).