From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Ji Jianwen <jiji@redhat.com>,
Neil Horman <nhorman@tuxdriver.com>,
Hannes Frederic Sowa <hannes@stressinduktion.org>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.14 04/30] sctp: fix ASCONF list handling
Date: Wed, 8 Jul 2015 00:34:03 -0700 [thread overview]
Message-ID: <20150708073156.689926657@linuxfoundation.org> (raw)
In-Reply-To: <20150708073155.841723465@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
[ Upstream commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 ]
->auto_asconf_splist is per namespace and mangled by functions like
sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
Also, the call to inet_sk_copy_descendant() was backuping
->auto_asconf_list through the copy but was not honoring
->do_auto_asconf, which could lead to list corruption if it was
different between both sockets.
This commit thus fixes the list handling by using ->addr_wq_lock
spinlock to protect the list. A special handling is done upon socket
creation and destruction for that. Error handlig on sctp_init_sock()
will never return an error after having initialized asconf, so
sctp_destroy_sock() can be called without addrq_wq_lock. The lock now
will be take on sctp_close_sock(), before locking the socket, so we
don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
Instead of taking the lock on sctp_sock_migrate() for copying and
restoring the list values, it's preferred to avoid rewritting it by
implementing sctp_copy_descendant().
Issue was found with a test application that kept flipping sysctl
default_auto_asconf on and off, but one could trigger it by issuing
simultaneous setsockopt() calls on multiple sockets or by
creating/destroying sockets fast enough. This is only triggerable
locally.
Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
Reported-by: Ji Jianwen <jiji@redhat.com>
Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/netns/sctp.h | 1 +
include/net/sctp/structs.h | 4 ++++
net/sctp/socket.c | 43 ++++++++++++++++++++++++++++++++-----------
3 files changed, 37 insertions(+), 11 deletions(-)
--- a/include/net/netns/sctp.h
+++ b/include/net/netns/sctp.h
@@ -31,6 +31,7 @@ struct netns_sctp {
struct list_head addr_waitq;
struct timer_list addr_wq_timer;
struct list_head auto_asconf_splist;
+ /* Lock that protects both addr_waitq and auto_asconf_splist */
spinlock_t addr_wq_lock;
/* Lock that protects the local_addr_list writers */
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -219,6 +219,10 @@ struct sctp_sock {
atomic_t pd_mode;
/* Receive to here while partial delivery is in effect. */
struct sk_buff_head pd_lobby;
+
+ /* These must be the last fields, as they will skipped on copies,
+ * like on accept and peeloff operations
+ */
struct list_head auto_asconf_list;
int do_auto_asconf;
};
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1532,8 +1532,10 @@ static void sctp_close(struct sock *sk,
/* Supposedly, no process has access to the socket, but
* the net layers still may.
+ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
+ * held and that should be grabbed before socket lock.
*/
- local_bh_disable();
+ spin_lock_bh(&net->sctp.addr_wq_lock);
bh_lock_sock(sk);
/* Hold the sock, since sk_common_release() will put sock_put()
@@ -1543,7 +1545,7 @@ static void sctp_close(struct sock *sk,
sk_common_release(sk);
bh_unlock_sock(sk);
- local_bh_enable();
+ spin_unlock_bh(&net->sctp.addr_wq_lock);
sock_put(sk);
@@ -3511,6 +3513,7 @@ static int sctp_setsockopt_auto_asconf(s
if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
return 0;
+ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
if (val == 0 && sp->do_auto_asconf) {
list_del(&sp->auto_asconf_list);
sp->do_auto_asconf = 0;
@@ -3519,6 +3522,7 @@ static int sctp_setsockopt_auto_asconf(s
&sock_net(sk)->sctp.auto_asconf_splist);
sp->do_auto_asconf = 1;
}
+ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
return 0;
}
@@ -4009,18 +4013,28 @@ static int sctp_init_sock(struct sock *s
local_bh_disable();
percpu_counter_inc(&sctp_sockets_allocated);
sock_prot_inuse_add(net, sk->sk_prot, 1);
+
+ /* Nothing can fail after this block, otherwise
+ * sctp_destroy_sock() will be called without addr_wq_lock held
+ */
if (net->sctp.default_auto_asconf) {
+ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
list_add_tail(&sp->auto_asconf_list,
&net->sctp.auto_asconf_splist);
sp->do_auto_asconf = 1;
- } else
+ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
+ } else {
sp->do_auto_asconf = 0;
+ }
+
local_bh_enable();
return 0;
}
-/* Cleanup any SCTP per socket resources. */
+/* Cleanup any SCTP per socket resources. Must be called with
+ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true
+ */
static void sctp_destroy_sock(struct sock *sk)
{
struct sctp_sock *sp;
@@ -6973,6 +6987,19 @@ void sctp_copy_sock(struct sock *newsk,
newinet->mc_list = NULL;
}
+static inline void sctp_copy_descendant(struct sock *sk_to,
+ const struct sock *sk_from)
+{
+ int ancestor_size = sizeof(struct inet_sock) +
+ sizeof(struct sctp_sock) -
+ offsetof(struct sctp_sock, auto_asconf_list);
+
+ if (sk_from->sk_family == PF_INET6)
+ ancestor_size += sizeof(struct ipv6_pinfo);
+
+ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
+}
+
/* Populate the fields of the newsk from the oldsk and migrate the assoc
* and its messages to the newsk.
*/
@@ -6987,7 +7014,6 @@ static void sctp_sock_migrate(struct soc
struct sk_buff *skb, *tmp;
struct sctp_ulpevent *event;
struct sctp_bind_hashbucket *head;
- struct list_head tmplist;
/* Migrate socket buffer sizes and all the socket level options to the
* new socket.
@@ -6995,12 +7021,7 @@ static void sctp_sock_migrate(struct soc
newsk->sk_sndbuf = oldsk->sk_sndbuf;
newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
/* Brute force copy old sctp opt. */
- if (oldsp->do_auto_asconf) {
- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
- inet_sk_copy_descendant(newsk, oldsk);
- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
- } else
- inet_sk_copy_descendant(newsk, oldsk);
+ sctp_copy_descendant(newsk, oldsk);
/* Restore the ep value that was overwritten with the above structure
* copy.
next prev parent reply other threads:[~2015-07-08 8:29 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-08 7:33 [PATCH 3.14 00/30] 3.14.48-stable review Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 01/30] sparc: Use GFP_ATOMIC in ldc_alloc_exp_dring() as it can be called in softirq context Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 02/30] bridge: fix multicast router rlist endless loop Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 03/30] net: dont wait for order-3 page allocation Greg Kroah-Hartman
2015-07-08 7:34 ` Greg Kroah-Hartman [this message]
2015-07-08 7:34 ` [PATCH 3.14 05/30] bridge: fix br_stp_set_bridge_priority race conditions Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 06/30] packet: read num_members once in packet_rcv_fanout() Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 07/30] packet: avoid out of bounds read in round robin fanout Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 08/30] neigh: do not modify unlinked entries Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 09/30] tcp: Do not call tcp_fastopen_reset_cipher from interrupt context Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 10/30] net: phy: fix phy link up when limiting speed via device tree Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 11/30] sctp: Fix race between OOTB responce and route removal Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 12/30] crypto: talitos - avoid memleak in talitos_alg_alloc() Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 13/30] Revert "crypto: talitos - convert to use be16_add_cpu()" Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 14/30] iommu/amd: Handle large pages correctly in free_pagetable Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 15/30] intel_pstate: set BYT MSR with wrmsrl_on_cpu() Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 16/30] arm: KVM: force execution of HCPTR access on VM exit Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 17/30] powerpc/perf: Fix book3s kernel to userspace backtraces Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 18/30] x86/PCI: Use host bridge _CRS info on systems with >32 bit addressing Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 19/30] x86/PCI: Use host bridge _CRS info on Foxconn K8M890-8237A Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 20/30] MIPS: Fix KVM guest fixmap address Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 22/30] fs: Fix S_NOSEC handling Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 23/30] vfs: Remove incorrect debugging WARN in prepend_path Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 24/30] vfs: Ignore unlocked mounts in fs_fully_visible Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 25/30] arm/arm64: KVM: Require in-kernel vgic for the arch timers Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 26/30] arm64: KVM: Fix TLB invalidation by IPA/VMID Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 27/30] arm64: KVM: Fix HCR setting for 32bit guests Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 28/30] arm64: KVM: Do not use pgd_index to index stage-2 pgd Greg Kroah-Hartman
2015-07-08 7:34 ` [PATCH 3.14 30/30] x86/iosf: Add Kconfig prompt for IOSF_MBI selection Greg Kroah-Hartman
2015-07-08 14:07 ` [PATCH 3.14 00/30] 3.14.48-stable review Guenter Roeck
2015-07-08 14:57 ` Sudip Mukherjee
2015-07-08 16:33 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150708073156.689926657@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=hannes@stressinduktion.org \
--cc=jiji@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=marcelo.leitner@gmail.com \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).