From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S965105AbcHaQBM convert rfc822-to-8bit (ORCPT ); Wed, 31 Aug 2016 12:01:12 -0400 Received: from Galois.linutronix.de ([146.0.238.70]:48469 "EHLO Galois.linutronix.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S933887AbcHaQBG (ORCPT ); Wed, 31 Aug 2016 12:01:06 -0400 From: Sebastian Andrzej Siewior To: linux-rt-users@vger.kernel.org Cc: linux-kernel@vger.kernel.org, tglx@linutronix.de, Steven Rostedt , netdev@vger.kernel.org, Sebastian Andrzej Siewior Subject: [RT PATCH 1/2] net: add back the missing serialization in ip_send_unicast_reply() Date: Wed, 31 Aug 2016 18:00:48 +0200 Message-Id: <20160831160049.14303-1-bigeasy@linutronix.de> X-Mailer: git-send-email 2.9.3 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8BIT Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Some time ago Sami Pietikäinen reported a crash on -RT in ip_send_unicast_reply() which was later fixed by Nicholas Mc Guire (v3.12.8-rt11). Later (v3.18.8) the code was reworked and I dropped the patch. As it turns out it was mistake. I have reports that the same crash is possible with a similar backtrace. It seems that vanilla protects access to this_cpu_ptr() via local_bh_disable(). This does not work on -RT since we can have NET_RX and NET_TX running in parallel on the same CPU. This is brings back the old locks. |Unable to handle kernel NULL pointer dereference at virtual address 00000010 |PC is at __ip_make_skb+0x198/0x3e8 |[] (__ip_make_skb) from [] (ip_push_pending_frames+0x20/0x40) |[] (ip_push_pending_frames) from [] (ip_send_unicast_reply+0x210/0x22c) |[] (ip_send_unicast_reply) from [] (tcp_v4_send_reset+0x190/0x1c0) |[] (tcp_v4_send_reset) from [] (tcp_v4_do_rcv+0x22c/0x288) |[] (tcp_v4_do_rcv) from [] (release_sock+0xb4/0x150) |[] (release_sock) from [] (tcp_close+0x240/0x454) |[] (tcp_close) from [] (inet_release+0x74/0x7c) |[] (inet_release) from [] (sock_release+0x30/0xb0) |[] (sock_release) from [] (sock_close+0x1c/0x24) |[] (sock_close) from [] (__fput+0xe8/0x20c) |[] (__fput) from [] (____fput+0x18/0x1c) |[] (____fput) from [] (task_work_run+0xa4/0xb8) |[] (task_work_run) from [] (do_work_pending+0xd0/0xe4) |[] (do_work_pending) from [] (work_pending+0xc/0x20) |Code: e3530001 8a000001 e3a00040 ea000011 (e5973010) Signed-off-by: Sebastian Andrzej Siewior --- net/ipv4/tcp_ipv4.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index ad450509029b..c5521d1f1263 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -62,6 +62,7 @@ #include #include #include +#include #include #include @@ -565,6 +566,7 @@ void tcp_v4_send_check(struct sock *sk, struct sk_buff *skb) } EXPORT_SYMBOL(tcp_v4_send_check); +static DEFINE_LOCAL_IRQ_LOCK(tcp_sk_lock); /* * This routine will send an RST to the other tcp. * @@ -689,10 +691,13 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb) offsetof(struct inet_timewait_sock, tw_bound_dev_if)); arg.tos = ip_hdr(skb)->tos; + + local_lock(tcp_sk_lock); ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), skb, &TCP_SKB_CB(skb)->header.h4.opt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, &arg, arg.iov[0].iov_len); + local_unlock(tcp_sk_lock); TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS); TCP_INC_STATS_BH(net, TCP_MIB_OUTRSTS); @@ -774,10 +779,12 @@ static void tcp_v4_send_ack(struct net *net, if (oif) arg.bound_dev_if = oif; arg.tos = tos; + local_lock(tcp_sk_lock); ip_send_unicast_reply(*this_cpu_ptr(net->ipv4.tcp_sk), skb, &TCP_SKB_CB(skb)->header.h4.opt, ip_hdr(skb)->saddr, ip_hdr(skb)->daddr, &arg, arg.iov[0].iov_len); + local_unlock(tcp_sk_lock); TCP_INC_STATS_BH(net, TCP_MIB_OUTSEGS); } -- 2.9.3