Received: by 10.223.185.116 with SMTP id b49csp6365849wrg; Wed, 28 Feb 2018 08:14:06 -0800 (PST) X-Google-Smtp-Source: AH8x224d+O390w181xDSd5DrYtmb8C7le62Ycf99vZ/hDXOiSLmTj4W2nIv6A81r/l3ldmP6EnyR X-Received: by 2002:a17:902:bc85:: with SMTP id bb5-v6mr18992715plb.425.1519834446251; Wed, 28 Feb 2018 08:14:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1519834446; cv=none; d=google.com; s=arc-20160816; b=VRmfcZljJqyZOvd7ge7GiaU3hRC0XZiy0A+cEmIenteuRyfoCHmrh2HhTaZmdWfEeW XFfs9eqk8fiNLYl7xsT71YSVZgGYOuGWymblVjLN9aJkCu+zJGmxmX0jiQ05MS6Qkdn+ jNWceWExF8132Kn1FpTIveJcKaYSkiVlN2VOefZBeT1mRzRdbNO1hGUJs/EeeeOrHtcP PrSYpt5sJlypHUzdOIcZeiJufi1IiifH4sItMrWh2UCgwPX0ZSCz71TyPs7v9dVYXWMY G555I2d2lhiCs7sUTd84JimC/TDyI8GxCrN7dBGNI8+M20aHwvDsBzF1TtBcXrZjJfCL ndpA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:subject:message-id:date:cc:to :from:mime-version:content-transfer-encoding:content-disposition :arc-authentication-results; bh=Zxo4dEvrBrRpCN0Q0DKa3KvVJCcZtlU4N//TIJhKLWs=; b=USA8Sfpm00Pvn9mgbMpCkRye8hvV0pYA6ztNKKZClC3jTwkEEJ5CyU2UixjcJlg6wf Dts3Fbg+LVCebVPXEyqBJfeU3mRO2fQUuY19dLOEXVTZLBfxX877d4L0H7NYfNxeux3L eeQgycEwL0G7i/9SlKoBRQM+YrSvh+P1+5qOem9mJnfK68yVhao5LZYFpj1Uzletm4rg b+I00Ka4hsHQIaaLmZRaFSWhLbibPaiJo+x6/8kkKa3HMYMRqk4K/ZxdNz7ZZ82sf+r2 MUAbd5ncCd/vCZfWCmyNOFaJ77e8eKETPgBlqkHkDE7D56yXNTKOS/qfINOHsEDXKKcs u9KQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l137si1060454pga.525.2018.02.28.08.13.51; Wed, 28 Feb 2018 08:14:06 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934559AbeB1QMf (ORCPT + 99 others); Wed, 28 Feb 2018 11:12:35 -0500 Received: from shadbolt.e.decadent.org.uk ([88.96.1.126]:35048 "EHLO shadbolt.e.decadent.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934523AbeB1QMb (ORCPT ); Wed, 28 Feb 2018 11:12:31 -0500 Received: from [2a02:8011:400e:2:6f00:88c8:c921:d332] (helo=deadeye) by shadbolt.decadent.org.uk with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256) (Exim 4.84_2) (envelope-from ) id 1er3Yp-0006Xg-Is; Wed, 28 Feb 2018 15:22:27 +0000 Received: from ben by deadeye with local (Exim 4.90_1) (envelope-from ) id 1er3Yk-0000Ge-03; Wed, 28 Feb 2018 15:22:22 +0000 Content-Type: text/plain; charset="UTF-8" Content-Disposition: inline Content-Transfer-Encoding: 8bit MIME-Version: 1.0 From: Ben Hutchings To: linux-kernel@vger.kernel.org, stable@vger.kernel.org CC: akpm@linux-foundation.org, "Xin Long" , "Neil Horman" , "David S. Miller" Date: Wed, 28 Feb 2018 15:20:18 +0000 Message-ID: X-Mailer: LinuxStableQueue (scripts by bwh) Subject: [PATCH 3.16 209/254] sctp: use the right sk after waking up from wait_buf sleep In-Reply-To: X-SA-Exim-Connect-IP: 2a02:8011:400e:2:6f00:88c8:c921:d332 X-SA-Exim-Mail-From: ben@decadent.org.uk X-SA-Exim-Scanned: No (on shadbolt.decadent.org.uk); SAEximRunCond expanded to false Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 3.16.55-rc1 review patch. If anyone has any objections, please let me know. ------------------ From: Xin Long commit cea0cc80a6777beb6eb643d4ad53690e1ad1d4ff upstream. Commit dfcb9f4f99f1 ("sctp: deny peeloff operation on asocs with threads sleeping on it") fixed the race between peeloff and wait sndbuf by checking waitqueue_active(&asoc->wait) in sctp_do_peeloff(). But it actually doesn't work, as even if waitqueue_active returns false the waiting sndbuf thread may still not yet hold sk lock. After asoc is peeled off, sk is not asoc->base.sk any more, then to hold the old sk lock couldn't make assoc safe to access. This patch is to fix this by changing to hold the new sk lock if sk is not asoc->base.sk, meanwhile, also set the sk in sctp_sendmsg with the new sk. With this fix, there is no more race between peeloff and waitbuf, the check 'waitqueue_active' in sctp_do_peeloff can be removed. Thanks Marcelo and Neil for making this clear. v1->v2: fix it by changing to lock the new sock instead of adding a flag in asoc. Suggested-by: Neil Horman Signed-off-by: Xin Long Acked-by: Neil Horman Signed-off-by: David S. Miller [bwh: Backported to 3.16: adjust context] Signed-off-by: Ben Hutchings --- net/sctp/socket.c | 21 +++++++++++---------- 1 file changed, 11 insertions(+), 10 deletions(-) --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -82,8 +82,8 @@ /* Forward declarations for internal helper functions. */ static int sctp_writeable(struct sock *sk); static void sctp_wfree(struct sk_buff *skb); -static int sctp_wait_for_sndbuf(struct sctp_association *, long *timeo_p, - size_t msg_len); +static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, + size_t msg_len, struct sock **orig_sk); static int sctp_wait_for_packet(struct sock *sk, int *err, long *timeo_p); static int sctp_wait_for_connect(struct sctp_association *, long *timeo_p); static int sctp_wait_for_accept(struct sock *sk, long timeo); @@ -1905,7 +1905,8 @@ static int sctp_sendmsg(struct kiocb *io timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); if (!sctp_wspace(asoc)) { - err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len); + /* sk can be changed by peel off when waiting for buf. */ + err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len, &sk); if (err) goto out_free; } @@ -4335,12 +4336,6 @@ int sctp_do_peeloff(struct sock *sk, sct if (!asoc) return -EINVAL; - /* If there is a thread waiting on more sndbuf space for - * sending on this asoc, it cannot be peeled. - */ - if (waitqueue_active(&asoc->wait)) - return -EBUSY; - /* An association cannot be branched off from an already peeled-off * socket, nor is this supported for tcp style sockets. */ @@ -6737,7 +6732,7 @@ void sctp_sock_rfree(struct sk_buff *skb /* Helper function to wait for space in the sndbuf. */ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p, - size_t msg_len) + size_t msg_len, struct sock **orig_sk) { struct sock *sk = asoc->base.sk; int err = 0; @@ -6770,11 +6765,17 @@ static int sctp_wait_for_sndbuf(struct s release_sock(sk); current_timeo = schedule_timeout(current_timeo); lock_sock(sk); + if (sk != asoc->base.sk) { + release_sock(sk); + sk = asoc->base.sk; + lock_sock(sk); + } *timeo_p = current_timeo; } out: + *orig_sk = sk; finish_wait(&asoc->wait, &wait); /* Release the association's refcnt. */