Re: NULL primary_path

[Vlad Yasevich <vyasevich@gmail.com>]

On 03/08/2013 09:31 AM, Karl Heiss wrote:
> On Fri, Mar 8, 2013 at 8:52 AM, Karl Heiss <kheiss@gmail.com> wrote:
>> On Thu, Mar 7, 2013 at 6:09 PM, Vlad Yasevich <vyasevich@gmail.com> wrote:
>>> On 03/07/2013 04:51 PM, Karl Heiss wrote:
>>>>
>>>> On Thu, Mar 7, 2013 at 12:17 PM, Vlad Yasevich <vyasevich@gmail.com>
>>>> wrote:
>>>>>
>>>>> On 03/07/2013 12:06 PM, Karl Heiss wrote:
>>>>>>
>>>>>>
>>>>>> The issue appears to manifest itself when the connection is closed
>>>>>> from the remote end and getsockopt(SCTP_STATUS) is called within a
>>>>>> small window in which the association is still valid but
>>>>>> asoc->peer.primary_path is NULL.
>>>>>
>>>>>
>>>>>
>>>>> Aha!  Thanks.  There was a bug in the rcu clean-up that allowed the
>>>>> association to remain while all transports have been removed.
>>>>>
>>>>> Here is a patch that should have addressed this condition:
>>>>>
>>>>> commit 8c98653f05534acd1cb07ea4929702a3659177d1
>>>>> Author: Daniel Borkmann <dborkman@redhat.com>
>>>>> Date:   Fri Feb 1 04:37:43 2013 +0000
>>>>>
>>>>>       sctp: sctp_close: fix release of bindings for deferred call_rcu's
>>>>>
>>>>> Full patch is here:
>>>>>
>>>>> http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?idŒ98653f05534acd1cb07ea4929702a3659177d1
>>>>>
>>>>> Make sure that you have this patch in the kernel you are running
>>>>>
>>>>> -vlad
>>>>>
>>>>>
>>>>>>
>>>>
>>>> Unfortunately this patch wont apply to the version of the SCTP stack
>>>> that we are using (2.6.36.2) since it does not have a
>>>> sctp_transport_destroy_rcu() function.  Is there any chance that
>>>> simply swapping the order of the instructions without moving them
>>>> would have any effect?  I ask this hypothetically because the race
>>>> condition window seems to be difficult to recreate, thus nothing to
>>>> test against (aside from in the field!).
>>>>
>>>> Karl
>>>>
>>>
>>> Hi Karl
>>>
>>> I think I see the problem now.  The problem happens when the association is
>>> destroyed.  We delay removing the association from
>>> the association id pool until all references on the association
>>> have dropped.  As a result, it is possible (for a very short
>>> period of time) for an association structure to still exist in
>>> the kernel and still be found via the association id, but that association
>>> has no transports and is about to be completely destroyed.
>>>
>>> This is a really interesting race and I need to figure out if it is
>>> there on purpose or not?
>>>
>>> In the mean time, here is a patch that should solve it for you.
>>>
>>> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
>>> index b907073..2d92c89 100644
>>> --- a/net/sctp/socket.c
>>> +++ b/net/sctp/socket.c
>>> @@ -223,7 +223,7 @@ struct sctp_association *sctp_id2assoc(struct sock *sk,
>>> sctp_assoc_t id)
>>>                  if (!list_empty(&sctp_sk(sk)->ep->asocs))
>>>                          asoc = list_entry(sctp_sk(sk)->ep->asocs.next,
>>>                                            struct sctp_association, asocs);
>>> -               return asoc;
>>> +               goto done;
>>>          }
>>>
>>>          /* Otherwise this is a UDP-style socket. */
>>> @@ -234,6 +234,7 @@ struct sctp_association *sctp_id2assoc(struct sock *sk,
>>> sctp_assoc_t id)
>>>          asoc = (struct sctp_association *)idr_find(&sctp_assocs_id,
>>> (int)id);
>>>          spin_unlock_bh(&sctp_assocs_id_lock);
>>>
>>> +done:
>>>          if (!asoc || (asoc->base.sk != sk) || asoc->base.dead)
>>>                  return NULL;
>>>
>>
>> Vlad,
>>
>> Looking at the kdump from the panic, I am seeing that your patch above
>> may not work in this case since the asoc is valid, the base.sk is
>> valid, and base.dead is 0.  Unless base.sk is valid but doesn't match
>> sk, this wouldn't appear to fix this issue.

Hm..  If the association is not marked "dead", it should still have all 
its transports present.  If you look at the peer.transport_addr_list in
you kdump, is that list empty or not?

Are any other peer transport pointers set (active_path, retran_path)?

>>
>> Karl
>
> Vlad,
>
> One other thing, with the difficulty we are having recreating this
> issue, is there any generic way to increase the likelihood for the
> transport to be cleared out while delaying the association cleanup?
> Is there any way that the association is initialized without any
> transport information?

When the association is initialized, the lists are empty, but the next
thing that happens is that we add transport of the destination we are
sending to or receiving from to the association and mark it as primary 
and active.  All this happens under a socket lock, so getsockopt can't
access the association until all actions on that association complete.

> The reason I ask; we believe the issue is
> happening very shortly after the association is brought up (we bring
> it up and then do the getsockopt()).

Can you check what the association state is?  Alternately, can you 
provide the kdump and the kernel so I can dig around.

Thanks
-vlad
>
> Thanks,
> Karl
>