From: Vladislav Yasevich <vladislav.yasevich@hp.com>
To: Wei Yongjun <yjwei@cn.fujitsu.com>
Cc: Jacek Luczak <difrost.kernel@gmail.com>,
Eric Dumazet <eric.dumazet@gmail.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH] SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict()
Date: Wed, 18 May 2011 08:33:19 -0400 [thread overview]
Message-ID: <4DD3BC8F.9050802@hp.com> (raw)
In-Reply-To: <4DD38B30.9090601@cn.fujitsu.com>
On 05/18/2011 05:02 AM, Wei Yongjun wrote:
> fix the race between sctp_bind_addr_free() and sctp_bind_addr_conflict(), maybe you just
> need to remove the socket from the port hash before empty the bind address list.
> some thing like this, not test.
>
> diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c
> index c8cc24e..924d846 100644
> --- a/net/sctp/endpointola.c
> +++ b/net/sctp/endpointola.c
> @@ -268,12 +268,13 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep)
>
> /* Cleanup. */
> sctp_inq_free(&ep->base.inqueue);
> - sctp_bind_addr_free(&ep->base.bind_addr);
>
> /* Remove and free the port */
> if (sctp_sk(ep->base.sk)->bind_hash)
> sctp_put_port(ep->base.sk);
>
> + sctp_bind_addr_free(&ep->base.bind_addr);
> +
> /* Give up our hold on the sock. */
> if (ep->base.sk)
> sock_put(ep->base.sk);
>
>
I am not sure that this will guarantee avoidance of this crash, even though it is the right
thing to do in general.
We simply make the race condition much smaller and much harder to hit. Potentially, one
cpu may be doing lookup of the socket while the other is doing the destroy. If the lookup cpu
finds the socket just as this code removes the socket from the hash, we still have this potential
race condition.
I agree with Eric, rcu_read_lock() is not strictly necessary, as what we are really after is call_rcu()
based destruction. We need to delay memory destruction for the rcu grace period.
Thinking a little more about how bind_addr_clean() is used, it would probably benefit from getting
converted to call_rcu(). That function is used as local clean-up in case of malloc failure; however,
that doesn't preclude a potential race. The fact that we do not have this race simply points out that
we don't have any kind of parallel lookup that can hit it (and the code confirms it). This doesn't
mean that we wouldn't have it in the future.
-vlad
next prev parent reply other threads:[~2011-05-18 12:33 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-18 7:01 [PATCH] SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict() Jacek Luczak
2011-05-18 7:48 ` Eric Dumazet
2011-05-18 8:06 ` Jacek Luczak
2011-05-18 8:29 ` Eric Dumazet
2011-05-18 9:02 ` Wei Yongjun
2011-05-18 11:01 ` Jacek Luczak
2011-05-18 11:41 ` Eric Dumazet
2011-05-18 11:58 ` Jacek Luczak
2011-05-18 12:33 ` Vladislav Yasevich [this message]
2011-05-18 12:47 ` Jacek Luczak
2011-05-18 12:50 ` Eric Dumazet
2011-05-18 13:11 ` Jacek Luczak
2011-05-18 13:20 ` Eric Dumazet
2011-05-18 13:32 ` Vladislav Yasevich
2011-05-18 13:39 ` Jacek Luczak
2011-05-18 12:06 ` Jacek Luczak
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DD3BC8F.9050802@hp.com \
--to=vladislav.yasevich@hp.com \
--cc=difrost.kernel@gmail.com \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=yjwei@cn.fujitsu.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).