From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steven Rostedt Subject: Re: [PATCH RT 05/10] net: add back the missing serialization in ip_send_unicast_reply() Date: Thu, 22 Sep 2016 18:04:32 -0400 Message-ID: <20160922180432.77d3e070@gandalf.local.home> References: <20160922215747.696761304@goodmis.org> <20160922215834.076247330@goodmis.org> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Cc: Thomas Gleixner , Carsten Emde , Sebastian Andrzej Siewior , John Kacur , Paul Gortmaker , To: linux-kernel@vger.kernel.org, linux-rt-users Return-path: In-Reply-To: <20160922215834.076247330@goodmis.org> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-rt-users.vger.kernel.org And again. I need to fix quilt mail to handle this. -- Steve On Thu, 22 Sep 2016 17:57:52 -0400 Steven Rostedt wrote: > 4.1.33-rt38-rc1 stable review patch. > If anyone has any objections, please let me know. > > ------------------ > > From: Sebastian Andrzej Siewior > > Some time ago Sami PietikÀinen reported a crash on -RT in > ip_send_unicast_reply() which was later fixed by Nicholas Mc Guire > (v3.12.8-rt11). Later (v3.18.8) the code was reworked and I dropped the > patch. As it turns out it was mistake. > I have reports that the same crash is possible with a similar backtrace. > It seems that vanilla protects access to this_cpu_ptr() via > local_bh_disable(). This does not work the on -RT since we can have > NET_RX and NET_TX running in parallel on the same CPU. > This is brings back the old locks. > > |Unable to handle kernel NULL pointer dereference at virtual address 00000010 > |PC is at __ip_make_skb+0x198/0x3e8 > |[] (__ip_make_skb) from [] (ip_push_pending_frames+0x20/0x40) > |[] (ip_push_pending_frames) from [] (ip_send_unicast_reply+0x210/0x22c) > |[] (ip_send_unicast_reply) from [] (tcp_v4_send_reset+0x190/0x1c0) > |[] (tcp_v4_send_reset) from [] (tcp_v4_do_rcv+0x22c/0x288) > |[] (tcp_v4_do_rcv) from [] (release_sock+0xb4/0x150) > |[] (release_sock) from [] (tcp_close+0x240/0x454) > |[] (tcp_close) from [] (inet_release+0x74/0x7c) > |[] (inet_release) from [] (sock_release+0x30/0xb0) > |[] (sock_release) from [] (sock_close+0x1c/0x24) > |[] (sock_close) from [] (__fput+0xe8/0x20c) > |[] (__fput) from [] (____fput+0x18/0x1c) > |[] (____fput) from [] (task_work_run+0xa4/0xb8) > |[] (task_work_run) from [] (do_work_pending+0xd0/0xe4) > |[] (do_work_pending) from [] (work_pending+0xc/0x20) > |Code: e3530001 8a000001 e3a00040 ea000011 (e5973010) > > Cc: stable-rt@vger.kernel.org > Signed-off-by: Sebastian Andrzej Siewior > Signed-off-by: Steven Rostedt > --- > net/ipv4/tcp_ipv4.c | 7 +++++++ > 1 file changed, 7 insertions(+) > > diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c > index 13b92d595138..6bfa68fb5f21 100644 > --- a/net/ipv4/tcp_ipv4.c > +++ b/net/ipv4/tcp_ipv4.c > @@ -62,6 +62,7 @@ > #include > #include > #include > +#include > > #include > #include > @@ -563,6 +564,7 @@ void tcp_v4_send_check(struct sock *sk, struct sk_buff *skb) > } > EXPORT_SYMBOL(tcp_v4_send_check); > > +static DEFINE_LOCAL_IRQ_LOCK(tcp_sk_lock); > /* > * This routine will send an RST to the other tcp. > * > @@ -684,10 +686,13 @@ static void tcp_v4_send_reset(struct sock *sk, struct sk_buff *skb) > arg.bound_dev_if = sk->sk_bound_dev_if; > > arg.tos = ip_hdr(skb)->tos; > + > + local_lock(tcp_sk_lock); > ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), > skb, &TCP_SKB_CB(skb)->header.h4.opt, > ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, > &arg, arg.iov[0].iov_len); > + local_unlock(tcp_sk_lock); > > TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS); > TCP_INC_STATS_BH(net, TCP_MIB_OUTRSTS); > @@ -769,10 +774,12 @@ static void tcp_v4_send_ack(struct net *net, > if (oif) > arg.bound_dev_if = oif; > arg.tos = tos; > + local_lock(tcp_sk_lock); > ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), > skb, &TCP_SKB_CB(skb)->header.h4.opt, > ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, > &arg, arg.iov[0].iov_len); > + local_unlock(tcp_sk_lock); > > TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS); > }