From: Daniel Borkmann <dborkman@redhat.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: davem@davemloft.net, netdev@vger.kernel.org, linux-sctp@vger.kernel.org
Subject: Re: [PATCH net-next 1/3] net: sctp: let sctp_destroy_sock destroy related members
Date: Sun, 09 Jun 2013 09:14:09 +0000 [thread overview]
Message-ID: <51B44761.3050902@redhat.com> (raw)
In-Reply-To: <20130609002054.GA5386@neilslaptop.think-freely.org>
On 06/09/2013 02:20 AM, Neil Horman wrote:
> On Fri, Jun 07, 2013 at 01:36:04PM +0200, Daniel Borkmann wrote:
>> On 06/07/2013 12:54 PM, Neil Horman wrote:
>>> I'm not sure this is safe. Comment in sk_common_release indicates that the
>>> network can still find the socket in the receive path. What if we receive a
>>> cookie chunk while the socket is being torn down? We would wind up using the
>>> hmac to unpack it potentially after you just freed it. I think you need to wait
>>> until you drop the last reference to the endpoint, not whenever you destroy the
>>> local socket. Note that sctp_endpoint_free doesn't actually free anything, it
>>> just removes it from the hash list so it can't be found again, and drops a
>>> refcount. If a parallel recieve op has already found it, hmac may still be
>>> used.
>>
>> Agreed, you're right, thanks for pointing this out Neil! Is it *always* guaranteed
>> that at the time the endpoint is destroyed in a deferred way (e.g. exactly in such
>> a scenario you describe), the socket structure is still alive and not yet freed?
>> Either the ep->base.sk test in sctp_endpoint_destroy() would then be unnecessary
>> or, if necessary, we should move crypto_free_hash() and sctp_put_port() within this
>> body since they deref. socket members (but then that memory would be leaked in case
>> ep->base.sk is NULL). Probably, it might be best to add sth like this to explicitly
>> decouple it from the endpoint, which is then called when all refs are released from
>> the socket; then we could call this from __sk_free() via sk->sk_destruct():
>>
> Thats a good question, I'm on vacation right now, so I'm not looking to closely
> at much (I've spent all day in a pool). I think what you're proposing below
> probably makes sense. Since the hmac crypo instance is allocated when the
Cool, sounds relaxing. :-) Have nice holidays then!
> socket transitions to the listening state in sctp_listen, it makes sense to
> destroy it in sctp_sock_destroy. If we need to we can protect it as an rcu
> variable to protect it against parallel reads from cookie processing. If it
> fails in that case, its irrelevant, as the local socket is shutting down anyway.
I'll evaluate this further and then send a v2 of the set, but I think it makes
sense this way.
Thanks,
Daniel
WARNING: multiple messages have this Message-ID (diff)
From: Daniel Borkmann <dborkman@redhat.com>
To: Neil Horman <nhorman@tuxdriver.com>
Cc: davem@davemloft.net, netdev@vger.kernel.org, linux-sctp@vger.kernel.org
Subject: Re: [PATCH net-next 1/3] net: sctp: let sctp_destroy_sock destroy related members
Date: Sun, 09 Jun 2013 11:14:09 +0200 [thread overview]
Message-ID: <51B44761.3050902@redhat.com> (raw)
In-Reply-To: <20130609002054.GA5386@neilslaptop.think-freely.org>
On 06/09/2013 02:20 AM, Neil Horman wrote:
> On Fri, Jun 07, 2013 at 01:36:04PM +0200, Daniel Borkmann wrote:
>> On 06/07/2013 12:54 PM, Neil Horman wrote:
>>> I'm not sure this is safe. Comment in sk_common_release indicates that the
>>> network can still find the socket in the receive path. What if we receive a
>>> cookie chunk while the socket is being torn down? We would wind up using the
>>> hmac to unpack it potentially after you just freed it. I think you need to wait
>>> until you drop the last reference to the endpoint, not whenever you destroy the
>>> local socket. Note that sctp_endpoint_free doesn't actually free anything, it
>>> just removes it from the hash list so it can't be found again, and drops a
>>> refcount. If a parallel recieve op has already found it, hmac may still be
>>> used.
>>
>> Agreed, you're right, thanks for pointing this out Neil! Is it *always* guaranteed
>> that at the time the endpoint is destroyed in a deferred way (e.g. exactly in such
>> a scenario you describe), the socket structure is still alive and not yet freed?
>> Either the ep->base.sk test in sctp_endpoint_destroy() would then be unnecessary
>> or, if necessary, we should move crypto_free_hash() and sctp_put_port() within this
>> body since they deref. socket members (but then that memory would be leaked in case
>> ep->base.sk is NULL). Probably, it might be best to add sth like this to explicitly
>> decouple it from the endpoint, which is then called when all refs are released from
>> the socket; then we could call this from __sk_free() via sk->sk_destruct():
>>
> Thats a good question, I'm on vacation right now, so I'm not looking to closely
> at much (I've spent all day in a pool). I think what you're proposing below
> probably makes sense. Since the hmac crypo instance is allocated when the
Cool, sounds relaxing. :-) Have nice holidays then!
> socket transitions to the listening state in sctp_listen, it makes sense to
> destroy it in sctp_sock_destroy. If we need to we can protect it as an rcu
> variable to protect it against parallel reads from cookie processing. If it
> fails in that case, its irrelevant, as the local socket is shutting down anyway.
I'll evaluate this further and then send a v2 of the set, but I think it makes
sense this way.
Thanks,
Daniel
next prev parent reply other threads:[~2013-06-09 9:14 UTC|newest]
Thread overview: 24+ messages / expand[flat|nested] mbox.gz Atom feed top
2013-06-07 8:35 [PATCH net-next 0/3] Minor sctp cleanups Daniel Borkmann
2013-06-07 8:35 ` Daniel Borkmann
2013-06-07 8:35 ` [PATCH net-next 1/3] net: sctp: let sctp_destroy_sock destroy related members Daniel Borkmann
2013-06-07 8:35 ` Daniel Borkmann
2013-06-07 10:54 ` Neil Horman
2013-06-07 10:54 ` Neil Horman
2013-06-07 11:36 ` Daniel Borkmann
2013-06-07 11:36 ` Daniel Borkmann
2013-06-09 0:20 ` Neil Horman
2013-06-09 0:20 ` Neil Horman
2013-06-09 9:14 ` Daniel Borkmann [this message]
2013-06-09 9:14 ` Daniel Borkmann
2013-06-07 8:35 ` [PATCH net-next 2/3] net: sctp: sctp_association_init: hold refs in reverse order Daniel Borkmann
2013-06-07 8:35 ` Daniel Borkmann
2013-06-07 11:00 ` Neil Horman
2013-06-07 11:00 ` Neil Horman
2013-06-07 11:38 ` Daniel Borkmann
2013-06-07 11:38 ` Daniel Borkmann
2013-06-09 0:21 ` Neil Horman
2013-06-09 0:21 ` Neil Horman
2013-06-07 8:35 ` [PATCH net-next 3/3] net: sctp: minor: remove variable in sctp_init_sock Daniel Borkmann
2013-06-07 8:35 ` Daniel Borkmann
2013-06-07 11:04 ` Neil Horman
2013-06-07 11:04 ` Neil Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=51B44761.3050902@redhat.com \
--to=dborkman@redhat.com \
--cc=davem@davemloft.net \
--cc=linux-sctp@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.