From: lizf@kernel.org
To: stable@vger.kernel.org
Cc: linux-kernel@vger.kernel.org,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Zefan Li <lizefan@huawei.com>
Subject: [PATCH 3.4 29/65] sctp: fix ASCONF list handling
Date: Tue, 20 Oct 2015 08:47:39 +0800 [thread overview]
Message-ID: <1445302095-4695-29-git-send-email-lizf@kernel.org> (raw)
In-Reply-To: <1445302030-4607-1-git-send-email-lizf@kernel.org>
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
3.4.110-rc1 review patch. If anyone has any objections, please let me know.
------------------
commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 upstream.
->auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
Also, the call to inet_sk_copy_descendant() was backuping
->auto_asconf_list through the copy but was not honoring
->do_auto_asconf, which could lead to list corruption if it was
different between both sockets.
This commit thus fixes the list handling by using ->addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().
Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.
Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen <jiji@redhat.com>
Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
[lizf: Backported to 3.4:
- use global spinlock instead of per-namespace lock]
Signed-off-by: Zefan Li <lizefan@huawei.com>
---
include/net/sctp/structs.h | 5 +++++
net/sctp/socket.c | 43 ++++++++++++++++++++++++++++++++-----------
2 files changed, 37 insertions(+), 11 deletions(-)
diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 88949a9..4ea0ec6 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -209,6 +209,7 @@ extern struct sctp_globals {
struct list_head addr_waitq;
struct timer_list addr_wq_timer;
struct list_head auto_asconf_splist;
+ /* Lock that protects both addr_waitq and auto_asconf_splist */
spinlock_t addr_wq_lock;
/* Lock that protects the local_addr_list writers */
@@ -355,6 +356,10 @@ struct sctp_sock {
atomic_t pd_mode;
/* Receive to here while partial delivery is in effect. */
struct sk_buff_head pd_lobby;
+
+ /* These must be the last fields, as they will skipped on copies,
+ * like on accept and peeloff operations
+ */
struct list_head auto_asconf_list;
int do_auto_asconf;
};
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 0c0bd2f..bc7b5de 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1539,8 +1539,10 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
/* Supposedly, no process has access to the socket, but
* the net layers still may.
+ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
+ * held and that should be grabbed before socket lock.
*/
- sctp_local_bh_disable();
+ spin_lock_bh(&sctp_globals.addr_wq_lock);
sctp_bh_lock_sock(sk);
/* Hold the sock, since sk_common_release() will put sock_put()
@@ -1550,7 +1552,7 @@ SCTP_STATIC void sctp_close(struct sock *sk, long timeout)
sk_common_release(sk);
sctp_bh_unlock_sock(sk);
- sctp_local_bh_enable();
+ spin_unlock_bh(&sctp_globals.addr_wq_lock);
sock_put(sk);
@@ -3492,6 +3494,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
return 0;
+ spin_lock_bh(&sctp_globals.addr_wq_lock);
if (val == 0 && sp->do_auto_asconf) {
list_del(&sp->auto_asconf_list);
sp->do_auto_asconf = 0;
@@ -3500,6 +3503,7 @@ static int sctp_setsockopt_auto_asconf(struct sock *sk, char __user *optval,
&sctp_auto_asconf_splist);
sp->do_auto_asconf = 1;
}
+ spin_unlock_bh(&sctp_globals.addr_wq_lock);
return 0;
}
@@ -3935,18 +3939,28 @@ SCTP_STATIC int sctp_init_sock(struct sock *sk)
local_bh_disable();
percpu_counter_inc(&sctp_sockets_allocated);
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+
+ /* Nothing can fail after this block, otherwise
+ * sctp_destroy_sock() will be called without addr_wq_lock held
+ */
if (sctp_default_auto_asconf) {
+ spin_lock(&sctp_globals.addr_wq_lock);
list_add_tail(&sp->auto_asconf_list,
&sctp_auto_asconf_splist);
sp->do_auto_asconf = 1;
- } else
+ spin_unlock(&sctp_globals.addr_wq_lock);
+ } else {
sp->do_auto_asconf = 0;
+ }
+
local_bh_enable();
return 0;
}
-/* Cleanup any SCTP per socket resources. */
+/* Cleanup any SCTP per socket resources. Must be called with
+ * sctp_globals.addr_wq_lock held if sp->do_auto_asconf is true
+ */
SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
{
struct sctp_sock *sp;
@@ -6746,6 +6760,19 @@ void sctp_copy_sock(struct sock *newsk, struct sock *sk,
newinet->mc_list = NULL;
}
+static inline void sctp_copy_descendant(struct sock *sk_to,
+ const struct sock *sk_from)
+{
+ int ancestor_size = sizeof(struct inet_sock) +
+ sizeof(struct sctp_sock) -
+ offsetof(struct sctp_sock, auto_asconf_list);
+
+ if (sk_from->sk_family == PF_INET6)
+ ancestor_size += sizeof(struct ipv6_pinfo);
+
+ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
+}
+
/* Populate the fields of the newsk from the oldsk and migrate the assoc
* and its messages to the newsk.
*/
@@ -6760,7 +6787,6 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
struct sk_buff *skb, *tmp;
struct sctp_ulpevent *event;
struct sctp_bind_hashbucket *head;
- struct list_head tmplist;
/* Migrate socket buffer sizes and all the socket level options to the
* new socket.
@@ -6768,12 +6794,7 @@ static void sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
newsk->sk_sndbuf = oldsk->sk_sndbuf;
newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
/* Brute force copy old sctp opt. */
- if (oldsp->do_auto_asconf) {
- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
- inet_sk_copy_descendant(newsk, oldsk);
- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
- } else
- inet_sk_copy_descendant(newsk, oldsk);
+ sctp_copy_descendant(newsk, oldsk);
/* Restore the ep value that was overwritten with the above structure
* copy.
--
1.9.1
next prev parent reply other threads:[~2015-10-20 1:01 UTC|newest]
Thread overview: 77+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-10-20 0:47 [PATCH 3.4 00/65] 3.4.110-rc1 review lizf
2015-10-20 0:47 ` [PATCH 3.4 01/65] hrtimer: Allow concurrent hrtimer_start() for self restarting timers lizf
2015-10-20 0:47 ` [PATCH 3.4 02/65] mtd: fix: avoid race condition when accessing mtd->usecount lizf
2015-10-20 0:47 ` [PATCH 3.4 03/65] crypto: talitos - avoid memleak in talitos_alg_alloc() lizf
2015-10-20 0:47 ` [PATCH 3.4 04/65] ASoC: wm8737: Fixup setting VMID Impedance control register lizf
2015-10-20 0:47 ` [PATCH 3.4 05/65] ASoC: wm8903: Fix define for WM8903_VMID_RES_250K lizf
2015-10-20 0:47 ` [PATCH 3.4 06/65] ASoC: wm8955: Fix setting wrong register for WM8955_K_8_0_MASK bits lizf
2015-10-20 0:47 ` [PATCH 3.4 07/65] pktgen: adjust spacing in proc file interface output lizf
2015-10-20 0:47 ` [PATCH 3.4 08/65] pktgen: document ability to add same device to several threads lizf
2015-10-20 0:47 ` [PATCH 3.4 09/65] tty/serial: at91: RS485 mode: 0 is valid for delay_rts_after_send lizf
2015-10-20 0:47 ` [PATCH 3.4 10/65] rndis_wlan: harmless issue calling set_bit() lizf
2015-10-20 0:47 ` [PATCH 3.4 11/65] drm/radeon: take the mode_config mutex when dealing with hpds (v2) lizf
2015-10-20 0:47 ` [PATCH 3.4 12/65] usb: dwc3: gadget: return error if command sent to DEPCMD register fails lizf
2015-10-20 0:47 ` [PATCH 3.4 13/65] rcu: Correctly handle non-empty Tiny RCU callback list with none ready lizf
2015-10-20 0:47 ` [PATCH 3.4 14/65] mtd: dc21285: use raw spinlock functions for nw_gpio_lock lizf
2015-10-20 0:47 ` [PATCH 3.4 15/65] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe lizf
2015-10-20 0:47 ` [PATCH 3.4 16/65] usb: core: Fix USB 3.0 devices lost in NOTATTACHED state after a hub port reset lizf
2015-10-20 0:47 ` [PATCH 3.4 17/65] fixing infinite OPEN loop in 4.0 stateid recovery lizf
[not found] ` <3B7DC48D-0D7F-4F9A-9CE0-FAC640F60199@netapp.com>
2015-10-21 8:04 ` Zefan Li
2015-10-20 0:47 ` [PATCH 3.4 18/65] NFS: Fix size of NFSACL SETACL operations lizf
2015-10-20 0:47 ` [PATCH 3.4 19/65] SUNRPC: Fix a memory leak in the backchannel code lizf
2015-10-20 0:47 ` [PATCH 3.4 20/65] ipr: Increase default adapter init stage change timeout lizf
2015-10-20 0:47 ` [PATCH 3.4 21/65] ath3k: add support of 13d3:3474 AR3012 device lizf
2015-10-20 0:47 ` [PATCH 3.4 22/65] ath9k: fix DMA stop sequence for AR9003+ lizf
2015-10-20 0:47 ` [PATCH 3.4 23/65] regulator: core: fix constraints output buffer lizf
2015-10-20 0:47 ` [PATCH 3.4 24/65] x86/PCI: Use host bridge _CRS info on Foxconn K8M890-8237A lizf
2015-10-20 0:47 ` [PATCH 3.4 25/65] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup lizf
2015-10-20 0:47 ` [PATCH 3.4 26/65] ASoC: wm8960: the enum of "DAC Polarity" should be wm8960_enum[1] lizf
2015-10-20 0:47 ` [PATCH 3.4 27/65] ext4: fix race between truncate and __ext4_journalled_writepage() lizf
2015-10-20 0:47 ` [PATCH 3.4 28/65] Disable write buffering on Toshiba ToPIC95 lizf
2015-10-20 0:47 ` lizf [this message]
2015-10-20 0:47 ` [PATCH 3.4 30/65] jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail() lizf
2015-10-20 0:47 ` [PATCH 3.4 31/65] regmap: Fix regmap_bulk_read in BE mode lizf
2015-10-20 0:47 ` [PATCH 3.4 32/65] jbd2: fix ocfs2 corrupt when updating journal superblock fails lizf
2015-10-20 0:47 ` [PATCH 3.4 33/65] ideapad: fix software rfkill setting lizf
2015-10-20 0:47 ` [PATCH 3.4 34/65] mmc: card: Fixup request missing in mmc_blk_issue_rw_rq lizf
2015-10-20 0:47 ` [PATCH 3.4 35/65] nfs: increase size of EXCHANGE_ID name string buffer lizf
2015-10-20 0:47 ` [PATCH 3.4 36/65] bridge: fix br_stp_set_bridge_priority race conditions lizf
2015-10-20 0:47 ` [PATCH 3.4 37/65] ext4: call sync_blockdev() before invalidate_bdev() in put_super() lizf
2015-10-20 0:47 ` [PATCH 3.4 38/65] packet: read num_members once in packet_rcv_fanout() lizf
2015-10-20 0:47 ` [PATCH 3.4 39/65] packet: avoid out of bounds read in round robin fanout lizf
2015-10-20 0:47 ` [PATCH 3.4 40/65] ext4: don't retry file block mapping on bigalloc fs with non-extent file lizf
2015-10-20 0:47 ` [PATCH 3.4 41/65] watchdog: omap: assert the counter being stopped before reprogramming lizf
2015-10-20 0:47 ` [PATCH 3.4 42/65] bridge: multicast: restore router configuration on port link down/up lizf
2015-10-20 0:47 ` [PATCH 3.4 43/65] stmmac: troubleshoot unexpected bits in des0 & des1 lizf
2015-10-20 0:47 ` [PATCH 3.4 44/65] mm: kmemleak: allow safe memory scanning during kmemleak disabling lizf
2015-10-20 0:47 ` [PATCH 3.4 45/65] dell-laptop: Fix allocating & freeing SMI buffer page lizf
2015-10-20 0:47 ` [PATCH 3.4 46/65] tracing/filter: Do not WARN on operand count going below zero lizf
2015-10-20 0:47 ` [PATCH 3.4 47/65] tracing/filter: Do not allow infix to exceed end of string lizf
2015-10-20 0:47 ` [PATCH 3.4 48/65] __bitmap_parselist: fix bug in empty string handling lizf
2015-10-20 0:47 ` [PATCH 3.4 49/65] agp/intel: Fix typo in needs_ilk_vtd_wa() lizf
2015-10-20 0:48 ` [PATCH 3.4 50/65] crush: fix a bug in tree bucket decode lizf
2015-10-20 0:48 ` [PATCH 3.4 51/65] fuse: initialize fc->release before calling it lizf
2015-10-20 0:48 ` [PATCH 3.4 52/65] ACPICA: Tables: Fix an issue that FACS initialization is performed twice lizf
2015-10-20 13:35 ` Moore, Robert
2015-10-21 1:24 ` Zheng, Lv
2015-10-20 0:48 ` [PATCH 3.4 53/65] KVM: x86: make vapics_in_nmi_mode atomic lizf
2015-10-20 0:48 ` [PATCH 3.4 54/65] KVM: x86: properly restore LVT0 lizf
2015-10-20 0:48 ` [PATCH 3.4 55/65] 9p: forgetting to cancel request on interrupted zero-copy RPC lizf
2015-10-20 0:48 ` [PATCH 3.4 56/65] Revert "drm/i915: Don't skip request retirement if the active list is empty" lizf
2015-10-20 0:48 ` [PATCH 3.4 57/65] Revert "drm/radeon: Use drm_calloc_ab for CS relocs" lizf
2015-10-20 0:48 ` [PATCH 3.4 58/65] drm/radeon: partially revert "fix VM_CONTEXT*_PAGE_TABLE_END_ADDR handling" lizf
2015-10-20 0:48 ` [PATCH 3.4 59/65] crypto: s390/ghash: Fix incorrect backport of a1cae34e23b1 lizf
2015-10-20 0:48 ` [PATCH 3.4 60/65] ARM: Fix incorrect backport of 0b59d8806a31 lizf
2015-10-20 0:48 ` [PATCH 3.4 61/65] usb: dwc3: Reset the transfer resource index on SET_INTERFACE lizf
2015-10-20 0:48 ` [PATCH 3.4 62/65] jbd2: avoid infinite loop when destroying aborted journal lizf
2015-10-20 0:48 ` [PATCH 3.4 63/65] IB/qib: Change lkey table allocation to support more MRs lizf
2015-10-20 0:48 ` [PATCH 3.4 64/65] dcache: Handle escaped paths in prepend_path lizf
2015-10-20 0:48 ` [PATCH 3.4 65/65] vfs: Test for and handle paths that are unreachable from their mnt_root lizf
2015-10-20 1:06 ` [PATCH 3.4 00/65] 3.4.110-rc1 review Zefan Li
2015-10-20 2:17 ` Guenter Roeck
2015-10-20 7:05 ` Geert Uytterhoeven
2015-10-20 8:23 ` Zefan Li
2015-10-20 8:59 ` Geert Uytterhoeven
2015-10-20 12:56 ` Guenter Roeck
2015-10-20 13:15 ` Guenter Roeck
2015-10-21 8:05 ` Zefan Li
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1445302095-4695-29-git-send-email-lizf@kernel.org \
--to=lizf@kernel.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lizefan@huawei.com \
--cc=marcelo.leitner@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).