<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux.git/net/rxrpc/peer_object.c, branch v5.12</title>
<subtitle>Linux kernel source tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/'/>
<entry>
<title>rxrpc: Make rxrpc_kernel_get_srtt() indicate validity</title>
<updated>2020-08-20T17:21:28+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2020-08-20T14:13:00+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=1d4adfaf65746203861c72d9d78de349eb97d528'/>
<id>1d4adfaf65746203861c72d9d78de349eb97d528</id>
<content type='text'>
Fix rxrpc_kernel_get_srtt() to indicate the validity of the returned
smoothed RTT.  If we haven't had any valid samples yet, the SRTT isn't
useful.

Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix rxrpc_kernel_get_srtt() to indicate the validity of the returned
smoothed RTT.  If we haven't had any valid samples yet, the SRTT isn't
useful.

Fixes: c410bf01933e ("rxrpc: Fix the excessive initial retransmission timeout")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rxrpc: Fix the excessive initial retransmission timeout</title>
<updated>2020-05-11T15:42:28+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2020-05-11T13:54:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c410bf01933e5e09d142c66c3df9ad470a7eec13'/>
<id>c410bf01933e5e09d142c66c3df9ad470a7eec13</id>
<content type='text'>
rxrpc currently uses a fixed 4s retransmission timeout until the RTT is
sufficiently sampled.  This can cause problems with some fileservers with
calls to the cache manager in the afs filesystem being dropped from the
fileserver because a packet goes missing and the retransmission timeout is
greater than the call expiry timeout.

Fix this by:

 (1) Copying the RTT/RTO calculation code from Linux's TCP implementation
     and altering it to fit rxrpc.

 (2) Altering the various users of the RTT to make use of the new SRTT
     value.

 (3) Replacing the use of rxrpc_resend_timeout to use the calculated RTO
     value instead (which is needed in jiffies), along with a backoff.

Notes:

 (1) rxrpc provides RTT samples by matching the serial numbers on outgoing
     DATA packets that have the RXRPC_REQUEST_ACK set and PING ACK packets
     against the reference serial number in incoming REQUESTED ACK and
     PING-RESPONSE ACK packets.

 (2) Each packet that is transmitted on an rxrpc connection gets a new
     per-connection serial number, even for retransmissions, so an ACK can
     be cross-referenced to a specific trigger packet.  This allows RTT
     information to be drawn from retransmitted DATA packets also.

 (3) rxrpc maintains the RTT/RTO state on the rxrpc_peer record rather than
     on an rxrpc_call because many RPC calls won't live long enough to
     generate more than one sample.

 (4) The calculated SRTT value is in units of 8ths of a microsecond rather
     than nanoseconds.

The (S)RTT and RTO values are displayed in /proc/net/rxrpc/peers.

Fixes: 17926a79320a ([AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both"")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
rxrpc currently uses a fixed 4s retransmission timeout until the RTT is
sufficiently sampled.  This can cause problems with some fileservers with
calls to the cache manager in the afs filesystem being dropped from the
fileserver because a packet goes missing and the retransmission timeout is
greater than the call expiry timeout.

Fix this by:

 (1) Copying the RTT/RTO calculation code from Linux's TCP implementation
     and altering it to fit rxrpc.

 (2) Altering the various users of the RTT to make use of the new SRTT
     value.

 (3) Replacing the use of rxrpc_resend_timeout to use the calculated RTO
     value instead (which is needed in jiffies), along with a backoff.

Notes:

 (1) rxrpc provides RTT samples by matching the serial numbers on outgoing
     DATA packets that have the RXRPC_REQUEST_ACK set and PING ACK packets
     against the reference serial number in incoming REQUESTED ACK and
     PING-RESPONSE ACK packets.

 (2) Each packet that is transmitted on an rxrpc connection gets a new
     per-connection serial number, even for retransmissions, so an ACK can
     be cross-referenced to a specific trigger packet.  This allows RTT
     information to be drawn from retransmitted DATA packets also.

 (3) rxrpc maintains the RTT/RTO state on the rxrpc_peer record rather than
     on an rxrpc_call because many RPC calls won't live long enough to
     generate more than one sample.

 (4) The calculated SRTT value is in units of 8ths of a microsecond rather
     than nanoseconds.

The (S)RTT and RTO values are displayed in /proc/net/rxrpc/peers.

Fixes: 17926a79320a ([AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both"")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net</title>
<updated>2019-10-20T17:43:00+00:00</updated>
<author>
<name>David S. Miller</name>
<email>davem@davemloft.net</email>
</author>
<published>2019-10-20T05:51:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2f184393e0c2d409c62262f57f2a57efdf9370b8'/>
<id>2f184393e0c2d409c62262f57f2a57efdf9370b8</id>
<content type='text'>
Several cases of overlapping changes which were for the most
part trivially resolvable.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Several cases of overlapping changes which were for the most
part trivially resolvable.

Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rxrpc: rxrpc_peer needs to hold a ref on the rxrpc_local record</title>
<updated>2019-10-07T10:05:05+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2019-10-07T09:58:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=9ebeddef58c41bd700419cdcece24cf64ce32276'/>
<id>9ebeddef58c41bd700419cdcece24cf64ce32276</id>
<content type='text'>
The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points as the peer is used as a base to access information in the
rxrpc_local record.

This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:

    BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
    [inline]
    BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
    net/rxrpc/peer_object.c:435
    Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fix this by taking a ref on the local record for the peer record.

Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The rxrpc_peer record needs to hold a reference on the rxrpc_local record
it points as the peer is used as a base to access information in the
rxrpc_local record.

This can cause problems in __rxrpc_put_peer(), where we need the network
namespace pointer, and in rxrpc_send_keepalive(), where we need to access
the UDP socket, leading to symptoms like:

    BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
    [inline]
    BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
    net/rxrpc/peer_object.c:435
    Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fix this by taking a ref on the local record for the peer record.

Fixes: ace45bec6d77 ("rxrpc: Fix firewall route keepalive")
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rxrpc: Fix trace-after-put looking at the put peer record</title>
<updated>2019-10-07T10:05:05+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2019-10-07T09:58:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=55f6c98e3674ce16038a1949c3f9ca5a9a99f289'/>
<id>55f6c98e3674ce16038a1949c3f9ca5a9a99f289</id>
<content type='text'>
rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
of the refcount - which looks at the debug_id in the peer record.  But
unless the refcount was reduced to zero, we no longer have the right to
look in the record and, indeed, it may be deleted by some other thread.

Fix this by getting the debug_id out before decrementing the refcount and
then passing that into the tracepoint.

This can cause the following symptoms:

    BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
    [inline]
    BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
    net/rxrpc/peer_object.c:435
    Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fixes: 1159d4b496f5 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
rxrpc_put_peer() calls trace_rxrpc_peer() after it has done the decrement
of the refcount - which looks at the debug_id in the peer record.  But
unless the refcount was reduced to zero, we no longer have the right to
look in the record and, indeed, it may be deleted by some other thread.

Fix this by getting the debug_id out before decrementing the refcount and
then passing that into the tracepoint.

This can cause the following symptoms:

    BUG: KASAN: use-after-free in __rxrpc_put_peer net/rxrpc/peer_object.c:411
    [inline]
    BUG: KASAN: use-after-free in rxrpc_put_peer+0x685/0x6a0
    net/rxrpc/peer_object.c:435
    Read of size 8 at addr ffff888097ec0058 by task syz-executor823/24216

Fixes: 1159d4b496f5 ("rxrpc: Add a tracepoint to track rxrpc_peer refcounting")
Reported-by: syzbot+b9be979c55f2bea8ed30@syzkaller.appspotmail.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rxrpc: Add missing "new peer" trace</title>
<updated>2019-10-04T20:58:33+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2019-10-03T16:45:57+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=033b2c7f0f26d236f5e87888aca3d5ecb6a64cb7'/>
<id>033b2c7f0f26d236f5e87888aca3d5ecb6a64cb7</id>
<content type='text'>
There was supposed to be a trace indicating that a new peer had been
created.  Add it.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There was supposed to be a trace indicating that a new peer had been
created.  Add it.

Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rxrpc: Fix potential deadlock</title>
<updated>2019-07-30T13:42:50+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2019-07-30T13:42:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=60034d3d146b11922ab1db613bce062dddc0327a'/>
<id>60034d3d146b11922ab1db613bce062dddc0327a</id>
<content type='text'>
There is a potential deadlock in rxrpc_peer_keepalive_dispatch() whereby
rxrpc_put_peer() is called with the peer_hash_lock held, but if it reduces
the peer's refcount to 0, rxrpc_put_peer() calls __rxrpc_put_peer() - which
the tries to take the already held lock.

Fix this by providing a version of rxrpc_put_peer() that can be called in
situations where the lock is already held.

The bug may produce the following lockdep report:

============================================
WARNING: possible recursive locking detected
5.2.0-next-20190718 #41 Not tainted
--------------------------------------------
kworker/0:3/21678 is trying to acquire lock:
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at: spin_lock_bh
/./include/linux/spinlock.h:343 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
__rxrpc_put_peer /net/rxrpc/peer_object.c:415 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
rxrpc_put_peer+0x2d3/0x6a0 /net/rxrpc/peer_object.c:435

but task is already holding lock:
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at: spin_lock_bh
/./include/linux/spinlock.h:343 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
rxrpc_peer_keepalive_dispatch /net/rxrpc/peer_event.c:378 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
rxrpc_peer_keepalive_worker+0x6b3/0xd02 /net/rxrpc/peer_event.c:430

Fixes: 330bdcfadcee ("rxrpc: Fix the keepalive generator [ver #2]")
Reported-by: syzbot+72af434e4b3417318f84@syzkaller.appspotmail.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-by: Marc Dionne &lt;marc.dionne@auristor.com&gt;
Reviewed-by: Jeffrey Altman &lt;jaltman@auristor.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
There is a potential deadlock in rxrpc_peer_keepalive_dispatch() whereby
rxrpc_put_peer() is called with the peer_hash_lock held, but if it reduces
the peer's refcount to 0, rxrpc_put_peer() calls __rxrpc_put_peer() - which
the tries to take the already held lock.

Fix this by providing a version of rxrpc_put_peer() that can be called in
situations where the lock is already held.

The bug may produce the following lockdep report:

============================================
WARNING: possible recursive locking detected
5.2.0-next-20190718 #41 Not tainted
--------------------------------------------
kworker/0:3/21678 is trying to acquire lock:
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at: spin_lock_bh
/./include/linux/spinlock.h:343 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
__rxrpc_put_peer /net/rxrpc/peer_object.c:415 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
rxrpc_put_peer+0x2d3/0x6a0 /net/rxrpc/peer_object.c:435

but task is already holding lock:
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at: spin_lock_bh
/./include/linux/spinlock.h:343 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
rxrpc_peer_keepalive_dispatch /net/rxrpc/peer_event.c:378 [inline]
00000000aa5eecdf (&amp;(&amp;rxnet-&gt;peer_hash_lock)-&gt;rlock){+.-.}, at:
rxrpc_peer_keepalive_worker+0x6b3/0xd02 /net/rxrpc/peer_event.c:430

Fixes: 330bdcfadcee ("rxrpc: Fix the keepalive generator [ver #2]")
Reported-by: syzbot+72af434e4b3417318f84@syzkaller.appspotmail.com
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Reviewed-by: Marc Dionne &lt;marc.dionne@auristor.com&gt;
Reviewed-by: Jeffrey Altman &lt;jaltman@auristor.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152</title>
<updated>2019-05-30T18:26:32+00:00</updated>
<author>
<name>Thomas Gleixner</name>
<email>tglx@linutronix.de</email>
</author>
<published>2019-05-27T06:55:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=2874c5fd284268364ece81a7bd936f3c8168e567'/>
<id>2874c5fd284268364ece81a7bd936f3c8168e567</id>
<content type='text'>
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 3029 file(s).

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Reviewed-by: Allison Randal &lt;allison@lohutok.net&gt;
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Based on 1 normalized pattern(s):

  this program is free software you can redistribute it and or modify
  it under the terms of the gnu general public license as published by
  the free software foundation either version 2 of the license or at
  your option any later version

extracted by the scancode license scanner the SPDX license identifier

  GPL-2.0-or-later

has been chosen to replace the boilerplate/reference in 3029 file(s).

Signed-off-by: Thomas Gleixner &lt;tglx@linutronix.de&gt;
Reviewed-by: Allison Randal &lt;allison@lohutok.net&gt;
Cc: linux-spdx@vger.kernel.org
Link: https://lkml.kernel.org/r/20190527070032.746973796@linutronix.de
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rxrpc: Fix the packet reception routine</title>
<updated>2018-10-08T21:42:04+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2018-10-08T14:46:25+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=c1e15b4944c9fa7fbbb74f7a5920a1e31b4b965a'/>
<id>c1e15b4944c9fa7fbbb74f7a5920a1e31b4b965a</id>
<content type='text'>
The rxrpc_input_packet() function and its call tree was built around the
assumption that data_ready() handler called from UDP to inform a kernel
service that there is data to be had was non-reentrant.  This means that
certain locking could be dispensed with.

This, however, turns out not to be the case with a multi-queue network card
that can deliver packets to multiple cpus simultaneously.  Each of those
cpus can be in the rxrpc_input_packet() function at the same time.

Fix by adding or changing some structure members:

 (1) Add peer-&gt;rtt_input_lock to serialise access to the RTT buffer.

 (2) Make conn-&gt;service_id into a 32-bit variable so that it can be
     cmpxchg'd on all arches.

 (3) Add call-&gt;input_lock to serialise access to the Rx/Tx state.  Note
     that although the Rx and Tx states are (almost) entirely separate,
     there's no point completing the separation and having separate locks
     since it's a bi-phasal RPC protocol rather than a bi-direction
     streaming protocol.  Data transmission and data reception do not take
     place simultaneously on any particular call.

and making the following functional changes:

 (1) In rxrpc_input_data(), hold call-&gt;input_lock around the core to
     prevent simultaneous producing of packets into the Rx ring and
     updating of tracking state for a particular call.

 (2) In rxrpc_input_ping_response(), only read call-&gt;ping_serial once, and
     check it before checking RXRPC_CALL_PINGING as that's a cheaper test.
     The bit test and bit clear can then be combined.  No further locking
     is needed here.

 (3) In rxrpc_input_ack(), take call-&gt;input_lock after we've parsed much of
     the ACK packet.  The superseded ACK check is then done both before and
     after the lock is taken.

     The handing of ackinfo data is split, parsing before the lock is taken
     and processing with it held.  This is keyed on rxMTU being non-zero.

     Congestion management is also done within the locked section.

 (4) In rxrpc_input_ackall(), take call-&gt;input_lock around the Tx window
     rotation.  The ACKALL packet carries no information and is only really
     useful after all packets have been transmitted since it's imprecise.

 (5) In rxrpc_input_implicit_end_call(), we use rx-&gt;incoming_lock to
     prevent calls being simultaneously implicitly ended on two cpus and
     also to prevent any races with incoming call setup.

 (6) In rxrpc_input_packet(), use cmpxchg() to effect the service upgrade
     on a connection.  It is only permitted to happen once for a
     connection.

 (7) In rxrpc_new_incoming_call(), we have to recheck the routing inside
     rx-&gt;incoming_lock to see if someone else set up the call, connection
     or peer whilst we were getting there.  We can't trust the values from
     the earlier routing check unless we pin refs on them - which we want
     to avoid.

     Further, we need to allow for an incoming call to have its state
     changed on another CPU between us making it live and us adjusting it
     because the conn is now in the RXRPC_CONN_SERVICE state.

 (8) In rxrpc_peer_add_rtt(), take peer-&gt;rtt_input_lock around the access
     to the RTT buffer.  Don't need to lock around setting peer-&gt;rtt.

For reference, the inventory of state-accessing or state-altering functions
used by the packet input procedure is:

&gt; rxrpc_input_packet()
  * PACKET CHECKING

  * ROUTING
    &gt; rxrpc_post_packet_to_local()
    &gt; rxrpc_find_connection_rcu() - uses RCU
      &gt; rxrpc_lookup_peer_rcu() - uses RCU
      &gt; rxrpc_find_service_conn_rcu() - uses RCU
      &gt; idr_find() - uses RCU

  * CONNECTION-LEVEL PROCESSING
    - Service upgrade
      - Can only happen once per conn
      ! Changed to use cmpxchg
    &gt; rxrpc_post_packet_to_conn()
    - Setting conn-&gt;hi_serial
      - Probably safe not using locks
      - Maybe use cmpxchg

  * CALL-LEVEL PROCESSING
    &gt; Old-call checking
      &gt; rxrpc_input_implicit_end_call()
        &gt; rxrpc_call_completed()
	&gt; rxrpc_queue_call()
	! Need to take rx-&gt;incoming_lock
	&gt; __rxrpc_disconnect_call()
	&gt; rxrpc_notify_socket()
    &gt; rxrpc_new_incoming_call()
      - Uses rx-&gt;incoming_lock for the entire process
        - Might be able to drop this earlier in favour of the call lock
      &gt; rxrpc_incoming_call()
      	! Conflicts with rxrpc_input_implicit_end_call()
    &gt; rxrpc_send_ping()
      - Don't need locks to check rtt state
      &gt; rxrpc_propose_ACK

  * PACKET DISTRIBUTION
    &gt; rxrpc_input_call_packet()
      &gt; rxrpc_input_data()
	* QUEUE DATA PACKET ON CALL
	&gt; rxrpc_reduce_call_timer()
	  - Uses timer_reduce()
	! Needs call-&gt;input_lock()
	&gt; rxrpc_receiving_reply()
	  ! Needs locking around ack state
	  &gt; rxrpc_rotate_tx_window()
	  &gt; rxrpc_end_tx_phase()
	&gt; rxrpc_proto_abort()
	&gt; rxrpc_input_dup_data()
	- Fills the Rx buffer
	- rxrpc_propose_ACK()
	- rxrpc_notify_socket()

      &gt; rxrpc_input_ack()
	* APPLY ACK PACKET TO CALL AND DISCARD PACKET
	&gt; rxrpc_input_ping_response()
	  - Probably doesn't need any extra locking
	  ! Need READ_ONCE() on call-&gt;ping_serial
	  &gt; rxrpc_input_check_for_lost_ack()
	    - Takes call-&gt;lock to consult Tx buffer
	  &gt; rxrpc_peer_add_rtt()
	    ! Needs to take a lock (peer-&gt;rtt_input_lock)
	    ! Could perhaps manage with cmpxchg() and xadd() instead
	&gt; rxrpc_input_requested_ack
	  - Consults Tx buffer
	    ! Probably needs a lock
	  &gt; rxrpc_peer_add_rtt()
	&gt; rxrpc_propose_ack()
	&gt; rxrpc_input_ackinfo()
	  - Changes call-&gt;tx_winsize
	    ! Use cmpxchg to handle change
	    ! Should perhaps track serial number
	  - Uses peer-&gt;lock to record MTU specification changes
	&gt; rxrpc_proto_abort()
	! Need to take call-&gt;input_lock
	&gt; rxrpc_rotate_tx_window()
	&gt; rxrpc_end_tx_phase()
	&gt; rxrpc_input_soft_acks()
	- Consults the Tx buffer
	&gt; rxrpc_congestion_management()
	  - Modifies the Tx annotations
	  ! Needs call-&gt;input_lock()
	  &gt; rxrpc_queue_call()

      &gt; rxrpc_input_abort()
	* APPLY ABORT PACKET TO CALL AND DISCARD PACKET
	&gt; rxrpc_set_call_completion()
	&gt; rxrpc_notify_socket()

      &gt; rxrpc_input_ackall()
	* APPLY ACKALL PACKET TO CALL AND DISCARD PACKET
	! Need to take call-&gt;input_lock
	&gt; rxrpc_rotate_tx_window()
	&gt; rxrpc_end_tx_phase()

    &gt; rxrpc_reject_packet()

There are some functions used by the above that queue the packet, after
which the procedure is terminated:

 - rxrpc_post_packet_to_local()
   - local-&gt;event_queue is an sk_buff_head
   - local-&gt;processor is a work_struct
 - rxrpc_post_packet_to_conn()
   - conn-&gt;rx_queue is an sk_buff_head
   - conn-&gt;processor is a work_struct
 - rxrpc_reject_packet()
   - local-&gt;reject_queue is an sk_buff_head
   - local-&gt;processor is a work_struct

And some that offload processing to process context:

 - rxrpc_notify_socket()
   - Uses RCU lock
   - Uses call-&gt;notify_lock to call call-&gt;notify_rx
   - Uses call-&gt;recvmsg_lock to queue recvmsg side
 - rxrpc_queue_call()
   - call-&gt;processor is a work_struct
 - rxrpc_propose_ACK()
   - Uses call-&gt;lock to wrap __rxrpc_propose_ACK()

And a bunch that complete a call, all of which use call-&gt;state_lock to
protect the call state:

 - rxrpc_call_completed()
 - rxrpc_set_call_completion()
 - rxrpc_abort_call()
 - rxrpc_proto_abort()
   - Also uses rxrpc_queue_call()

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The rxrpc_input_packet() function and its call tree was built around the
assumption that data_ready() handler called from UDP to inform a kernel
service that there is data to be had was non-reentrant.  This means that
certain locking could be dispensed with.

This, however, turns out not to be the case with a multi-queue network card
that can deliver packets to multiple cpus simultaneously.  Each of those
cpus can be in the rxrpc_input_packet() function at the same time.

Fix by adding or changing some structure members:

 (1) Add peer-&gt;rtt_input_lock to serialise access to the RTT buffer.

 (2) Make conn-&gt;service_id into a 32-bit variable so that it can be
     cmpxchg'd on all arches.

 (3) Add call-&gt;input_lock to serialise access to the Rx/Tx state.  Note
     that although the Rx and Tx states are (almost) entirely separate,
     there's no point completing the separation and having separate locks
     since it's a bi-phasal RPC protocol rather than a bi-direction
     streaming protocol.  Data transmission and data reception do not take
     place simultaneously on any particular call.

and making the following functional changes:

 (1) In rxrpc_input_data(), hold call-&gt;input_lock around the core to
     prevent simultaneous producing of packets into the Rx ring and
     updating of tracking state for a particular call.

 (2) In rxrpc_input_ping_response(), only read call-&gt;ping_serial once, and
     check it before checking RXRPC_CALL_PINGING as that's a cheaper test.
     The bit test and bit clear can then be combined.  No further locking
     is needed here.

 (3) In rxrpc_input_ack(), take call-&gt;input_lock after we've parsed much of
     the ACK packet.  The superseded ACK check is then done both before and
     after the lock is taken.

     The handing of ackinfo data is split, parsing before the lock is taken
     and processing with it held.  This is keyed on rxMTU being non-zero.

     Congestion management is also done within the locked section.

 (4) In rxrpc_input_ackall(), take call-&gt;input_lock around the Tx window
     rotation.  The ACKALL packet carries no information and is only really
     useful after all packets have been transmitted since it's imprecise.

 (5) In rxrpc_input_implicit_end_call(), we use rx-&gt;incoming_lock to
     prevent calls being simultaneously implicitly ended on two cpus and
     also to prevent any races with incoming call setup.

 (6) In rxrpc_input_packet(), use cmpxchg() to effect the service upgrade
     on a connection.  It is only permitted to happen once for a
     connection.

 (7) In rxrpc_new_incoming_call(), we have to recheck the routing inside
     rx-&gt;incoming_lock to see if someone else set up the call, connection
     or peer whilst we were getting there.  We can't trust the values from
     the earlier routing check unless we pin refs on them - which we want
     to avoid.

     Further, we need to allow for an incoming call to have its state
     changed on another CPU between us making it live and us adjusting it
     because the conn is now in the RXRPC_CONN_SERVICE state.

 (8) In rxrpc_peer_add_rtt(), take peer-&gt;rtt_input_lock around the access
     to the RTT buffer.  Don't need to lock around setting peer-&gt;rtt.

For reference, the inventory of state-accessing or state-altering functions
used by the packet input procedure is:

&gt; rxrpc_input_packet()
  * PACKET CHECKING

  * ROUTING
    &gt; rxrpc_post_packet_to_local()
    &gt; rxrpc_find_connection_rcu() - uses RCU
      &gt; rxrpc_lookup_peer_rcu() - uses RCU
      &gt; rxrpc_find_service_conn_rcu() - uses RCU
      &gt; idr_find() - uses RCU

  * CONNECTION-LEVEL PROCESSING
    - Service upgrade
      - Can only happen once per conn
      ! Changed to use cmpxchg
    &gt; rxrpc_post_packet_to_conn()
    - Setting conn-&gt;hi_serial
      - Probably safe not using locks
      - Maybe use cmpxchg

  * CALL-LEVEL PROCESSING
    &gt; Old-call checking
      &gt; rxrpc_input_implicit_end_call()
        &gt; rxrpc_call_completed()
	&gt; rxrpc_queue_call()
	! Need to take rx-&gt;incoming_lock
	&gt; __rxrpc_disconnect_call()
	&gt; rxrpc_notify_socket()
    &gt; rxrpc_new_incoming_call()
      - Uses rx-&gt;incoming_lock for the entire process
        - Might be able to drop this earlier in favour of the call lock
      &gt; rxrpc_incoming_call()
      	! Conflicts with rxrpc_input_implicit_end_call()
    &gt; rxrpc_send_ping()
      - Don't need locks to check rtt state
      &gt; rxrpc_propose_ACK

  * PACKET DISTRIBUTION
    &gt; rxrpc_input_call_packet()
      &gt; rxrpc_input_data()
	* QUEUE DATA PACKET ON CALL
	&gt; rxrpc_reduce_call_timer()
	  - Uses timer_reduce()
	! Needs call-&gt;input_lock()
	&gt; rxrpc_receiving_reply()
	  ! Needs locking around ack state
	  &gt; rxrpc_rotate_tx_window()
	  &gt; rxrpc_end_tx_phase()
	&gt; rxrpc_proto_abort()
	&gt; rxrpc_input_dup_data()
	- Fills the Rx buffer
	- rxrpc_propose_ACK()
	- rxrpc_notify_socket()

      &gt; rxrpc_input_ack()
	* APPLY ACK PACKET TO CALL AND DISCARD PACKET
	&gt; rxrpc_input_ping_response()
	  - Probably doesn't need any extra locking
	  ! Need READ_ONCE() on call-&gt;ping_serial
	  &gt; rxrpc_input_check_for_lost_ack()
	    - Takes call-&gt;lock to consult Tx buffer
	  &gt; rxrpc_peer_add_rtt()
	    ! Needs to take a lock (peer-&gt;rtt_input_lock)
	    ! Could perhaps manage with cmpxchg() and xadd() instead
	&gt; rxrpc_input_requested_ack
	  - Consults Tx buffer
	    ! Probably needs a lock
	  &gt; rxrpc_peer_add_rtt()
	&gt; rxrpc_propose_ack()
	&gt; rxrpc_input_ackinfo()
	  - Changes call-&gt;tx_winsize
	    ! Use cmpxchg to handle change
	    ! Should perhaps track serial number
	  - Uses peer-&gt;lock to record MTU specification changes
	&gt; rxrpc_proto_abort()
	! Need to take call-&gt;input_lock
	&gt; rxrpc_rotate_tx_window()
	&gt; rxrpc_end_tx_phase()
	&gt; rxrpc_input_soft_acks()
	- Consults the Tx buffer
	&gt; rxrpc_congestion_management()
	  - Modifies the Tx annotations
	  ! Needs call-&gt;input_lock()
	  &gt; rxrpc_queue_call()

      &gt; rxrpc_input_abort()
	* APPLY ABORT PACKET TO CALL AND DISCARD PACKET
	&gt; rxrpc_set_call_completion()
	&gt; rxrpc_notify_socket()

      &gt; rxrpc_input_ackall()
	* APPLY ACKALL PACKET TO CALL AND DISCARD PACKET
	! Need to take call-&gt;input_lock
	&gt; rxrpc_rotate_tx_window()
	&gt; rxrpc_end_tx_phase()

    &gt; rxrpc_reject_packet()

There are some functions used by the above that queue the packet, after
which the procedure is terminated:

 - rxrpc_post_packet_to_local()
   - local-&gt;event_queue is an sk_buff_head
   - local-&gt;processor is a work_struct
 - rxrpc_post_packet_to_conn()
   - conn-&gt;rx_queue is an sk_buff_head
   - conn-&gt;processor is a work_struct
 - rxrpc_reject_packet()
   - local-&gt;reject_queue is an sk_buff_head
   - local-&gt;processor is a work_struct

And some that offload processing to process context:

 - rxrpc_notify_socket()
   - Uses RCU lock
   - Uses call-&gt;notify_lock to call call-&gt;notify_rx
   - Uses call-&gt;recvmsg_lock to queue recvmsg side
 - rxrpc_queue_call()
   - call-&gt;processor is a work_struct
 - rxrpc_propose_ACK()
   - Uses call-&gt;lock to wrap __rxrpc_propose_ACK()

And a bunch that complete a call, all of which use call-&gt;state_lock to
protect the call state:

 - rxrpc_call_completed()
 - rxrpc_set_call_completion()
 - rxrpc_abort_call()
 - rxrpc_proto_abort()
   - Also uses rxrpc_queue_call()

Fixes: 17926a79320a ("[AF_RXRPC]: Provide secure RxRPC sockets for use by userspace and kernel both")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>rxrpc: Fix some missed refs to init_net</title>
<updated>2018-10-05T13:21:59+00:00</updated>
<author>
<name>David Howells</name>
<email>dhowells@redhat.com</email>
</author>
<published>2018-10-05T13:05:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux.git/commit/?id=5e33a23ba4b56c109b732d57a0a76558a37d9ec5'/>
<id>5e33a23ba4b56c109b732d57a0a76558a37d9ec5</id>
<content type='text'>
Fix some refs to init_net that should've been changed to the appropriate
network namespace.

Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Fix some refs to init_net that should've been changed to the appropriate
network namespace.

Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Signed-off-by: David Howells &lt;dhowells@redhat.com&gt;
Acked-by: Paolo Abeni &lt;pabeni@redhat.com&gt;
</pre>
</div>
</content>
</entry>
</feed>
