Re: [PATCH] sctp: check transport existence before processing a send primitive

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: "Ricardo Cañuelo Navarro" <rcn@igalia.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	kernel-dev@igalia.com, linux-sctp@vger.kernel.org,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: Re: [PATCH] sctp: check transport existence before processing a send primitive
Date: Thu, 03 Apr 2025 11:58:00 +0200	[thread overview]
Message-ID: <87tt75efdj.fsf@igalia.com> (raw)
In-Reply-To: <CADvbK_dTX3c9wgMa8bDW-Hg-5gGJ7sJzN5s8xtGwwYW9FE=rcg@mail.gmail.com>

Thanks for reviewing, answers below:

On Wed, Apr 02 2025 at 15:40:56, Xin Long <lucien.xin@gmail.com> wrote:
> The data send path:
>
>   sctp_endpoint_lookup_assoc() ->
>   sctp_sendmsg_to_asoc()
>
> And the transport removal path:
>
>   sctp_sf_do_asconf() ->
>   sctp_process_asconf() ->
>   sctp_assoc_rm_peer()
>
> are both protected by the same socket lock.
>
> Additionally, when a path is removed, sctp_assoc_rm_peer() updates the
> transport of all existing chunks in the send queues (peer->transmitted
> and asoc->outqueue.out_chunk_list) to NULL.
>
> It will be great if you can reproduce the issue locally and help check
> how the potential race occurs.

That's true but if there isn't enough space in the send buffer, then
sctp_sendmsg_to_asoc() will release the lock temporarily.

The scenario that the reproducer generates is the following:

        Thread A                                  Thread B
        --------------------                      --------------------
(1)     sctp_sendmsg()
          lock_sock()
          sctp_sendmsg_to_asoc()
            sctp_wait_for_sndbuf()
              release_sock()
                                                  sctp_setsockopt(SCTP_SOCKOPT_BINDX_REM)
                                                    lock_sock()
                                                    sctp_setsockopt_bindx()
                                                    sctp_send_asconf_del_ip()
                                                      ...
                                                    release_sock()
                                                      process rcv backlog:
                                                        sctp_do_sm()
                                                          sctp_sf_do_asconf()
                                                            ...
                                                              sctp_assoc_rm_peer()
              lock_sock()
(2)          chunk->transport = transport
             sctp_primitive_SEND()
               ...
               sctp_outq_select_transport()
*BUG*            switch (new_transport->state)


Notes:
------

Both threads operate on the same socket.

1. Here, sctp_endpoint_lookup_assoc() finds and returns an existing
association and transport.

2. At this point, `transport` is already deleted. chunk->transport is
not set to NULL because sctp_assoc_rm_peer() ran _before_ the transport
was assigned to the chunk.

> We should avoid an extra hashtable lookup on this hot TX path, as it would
> negatively impact performance.

Good point. I can't really tell the performance impact of the lookup
here, my experience with the SCTP implementation is very limited. Do you
have any suggestions or alternatives about how to deal with this?

Thanks,
Ricardo

next prev parent reply	other threads:[~2025-04-03  9:58 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-04-02 10:25 [PATCH] sctp: check transport existence before processing a send primitive Ricardo Cañuelo Navarro
2025-04-02 13:21 ` Simon Horman
2025-04-02 13:37   ` Ricardo Cañuelo Navarro
2025-04-02 14:03     ` Ricardo Cañuelo Navarro
2025-04-02 19:40 ` Xin Long
2025-04-03  9:58   ` Ricardo Cañuelo Navarro [this message]
2025-04-03 14:42     ` Xin Long
2025-04-03 18:44       ` Xin Long
2025-04-04 10:04         ` Ricardo Cañuelo Navarro
2025-04-04 14:22           ` Xin Long
2025-04-07  7:37             ` Ricardo Cañuelo Navarro

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=87tt75efdj.fsf@igalia.com \
    --to=rcn@igalia.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=kernel-dev@igalia.com \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-sctp@vger.kernel.org \
    --cc=lucien.xin@gmail.com \
    --cc=marcelo.leitner@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    --cc=stable@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).