From: Qiujun Huang
Date: Wed, 18 Mar 2020 10:45:51 +0800
Subject: Re: [PATCH v2] sctp: fix refcount bug in sctp_wfree
To: Marcelo Ricardo Leitner
Cc: "David S. Miller", vyasevich@gmail.com, nhorman@tuxdriver.com, Jakub Kicinski, linux-sctp@vger.kernel.org, netdev, LKML, anenbupt@gmail.com
References: <20200317155536.10227-1-hqjagain@gmail.com> <20200317173039.GA3828@localhost.localdomain>
In-Reply-To: <20200317173039.GA3828@localhost.localdomain>

On Wed, Mar 18, 2020 at 1:30 AM Marcelo Ricardo Leitner wrote:
>
> Hi,
>
> On Tue, Mar 17, 2020 at 11:55:36PM +0800, Qiujun Huang wrote:
> > Do accounting for skb's real sk.
> > In some case skb->sk != asoc->base.sk:
> >
> > migrate routing               sctp_check_transmitted routing
> > ------------                  ---------------
>                                 sctp_close();
>                                 lock_sock(sk2);
>                                 sctp_primitive_ABORT();
>                                 sctp_do_sm();
>                                 sctp_cmd_interpreter();
>                                 sctp_cmd_process_sack();
>                                 sctp_outq_sack();
>                                 sctp_check_transmitted();
>
>   lock_sock(sk1);
>   sctp_getsockopt_peeloff();
>   sctp_do_peeloff();
>   sctp_sock_migrate();
> > lock_sock_nested(sk2);
> >                               mv the transmitted skb to
> >                               the it's local tlist
>
>
> How can sctp_do_sm() be called in the 2nd column so that it bypasses
> the locks in the left column, allowing this mv to happen?
>
> >
> > sctp_for_each_tx_datachunk(
> > sctp_clear_owner_w);
> > sctp_assoc_migrate();
> > sctp_for_each_tx_datachunk(
> > sctp_set_owner_w);
> >
> >                               put the skb back to the
> >                               assoc lists
> > ----------------------------------------------------
> >
> > The skbs which held by sctp_check_transmitted were not changed
> > to newsk. They were not dealt with by sctp_for_each_tx_datachunk
> > (sctp_clear_owner_w/sctp_set_owner_w).
>
> It would make sense but I'm missing one step earlier, I'm not seeing
> how the move to local list is allowed/possible in there. It really
> shouldn't be possible.

I totally agree with that.
My mistake. So I added some log in my test showing the case:

The backtrace:
sctp_close
sctp_primitive_ABORT
sctp_do_sm
sctp_association_free
__sctp_outq_teardown

    /* Throw away unacknowledged chunks. */
    list_for_each_entry(transport, &q->asoc->peer.transport_addr_list,
                        transports) {
        printk("[%d]deal with transmitted %#llx from transport %#llx %s, %d\n",
               raw_smp_processor_id(), &transport->transmitted, transport,
               __func__, __LINE__);
        while ((lchunk = sctp_list_dequeue(&transport->transmitted)) != NULL) {

The trouble skb is from another peer sk in the same asoc, but
accounted to the base.sk.
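
Added example (not part of the original message, and not kernel code): a userspace C model of the accounting invariant this thread is about, namely that the socket uncharged when a chunk is freed must be the socket it was charged to. The struct and function names echo the thread, but the bodies, the on_assoc_list flag, run_model() and the byte sizes are assumptions made for the model; it makes no claim about how skb->sk and asoc->base.sk come to differ in the kernel.

```c
/* Userspace model, added for illustration; names and sizes are assumptions. */
struct sock  { int wmem_alloc; };                 /* bytes charged to socket */
struct chunk { struct sock *sk; int size; int on_assoc_list; };
struct assoc { struct sock *base_sk; struct chunk *chunks; int n; };

static void set_owner_w(struct chunk *c, struct sock *sk)
{
    c->sk = sk;
    sk->wmem_alloc += c->size;
}

static void clear_owner_w(struct chunk *c)
{
    c->sk->wmem_alloc -= c->size;
}

/* Migration re-accounts only the chunks it can reach on the assoc lists. */
static void migrate(struct assoc *a, struct sock *newsk)
{
    for (int i = 0; i < a->n; i++) {
        if (!a->chunks[i].on_assoc_list)
            continue;               /* unreachable chunk keeps its old owner */
        clear_owner_w(&a->chunks[i]);
        set_owner_w(&a->chunks[i], newsk);
    }
    a->base_sk = newsk;
}

/* Uncharge on free: from asoc->base_sk (0) or from the chunk's own sk (1). */
static void wfree(struct assoc *a, struct chunk *c, int use_skb_sk)
{
    struct sock *sk = use_skb_sk ? c->sk : a->base_sk;
    sk->wmem_alloc -= c->size;
}

/* Returns the new socket's final counter; negative means underflow. */
int run_model(int use_skb_sk, int *old_sk_left)
{
    struct sock sk_old = {0}, sk_new = {0};
    struct chunk ch[2] = { {0, 100, 1}, {0, 200, 0} };  /* constructed data */
    struct assoc a = { &sk_old, ch, 2 };
    set_owner_w(&ch[0], &sk_old);
    set_owner_w(&ch[1], &sk_old);
    migrate(&a, &sk_new);
    wfree(&a, &ch[0], use_skb_sk);
    wfree(&a, &ch[1], use_skb_sk);
    *old_sk_left = sk_old.wmem_alloc;
    return sk_new.wmem_alloc;
}
```

Uncharging through the association drives the new socket's counter negative and leaves bytes stranded on the old one; uncharging through the chunk's own socket balances both to zero.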