Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1783650ybb; Sat, 11 Apr 2020 11:45:30 -0700 (PDT) X-Google-Smtp-Source: APiQypIrbRI1R5Zs8Bq4v6zEZ5pd+tOstRy+KHhbcUsbT3qJkBFNumJYxIk2h9RCcVAjGP9AxO+n X-Received: by 2002:a37:8044:: with SMTP id b65mr9626457qkd.238.1586630730569; Sat, 11 Apr 2020 11:45:30 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586630730; cv=none; d=google.com; s=arc-20160816; b=Z10y9zxfUGhE2pmE8sZ575vOMvKdw/hzvGG1X9JsLocmhY1g7mg7zu019tjLLPXnmg ZDmJF4h174E2YHrtxmKxOKJK9XrIYLc9CCi48UYCq1selQW/9ax+6ivFJmv3efbhkKxv mUkQL8jcNhue9PRd0CM9rCph+201AQBbvWqBE5bGLuvAHtY2w2BRYVXDayJui1u4Qx3t HP7Nml31NpmtYQyT6IQ52cMdGDVCDKwDAeRahEo85HoT6JV9nfxhymdm1FJ4DEj7zJbr TS20VkDLbED9y8KZ7rSug8NLnM+sp3avPQP37a5DcFzRIzuEbCdSjKPwhlGnQx90R74P x+7g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date :dkim-signature; bh=gv2Jmnc/kF+XLdJdYOpxXGZr2GETWXGd+W9QP2/fIf8=; b=zwT3Y6XlSqf+FuCBNxZL49qswTzWGpQygjBcPoZyNHqRoPyZ4kgSJIvZ5rQ5SlnvMG i+0HYNccrR0DXkLx1gTQkZCwgH5ENevpGaPfW3LC4zSJ+B5FZKsE6LyG6rHyBQ1BVZi9 JMW42oYe2VZqK9b+V46Gyp2HgNLsS6Tz1jHJKfdkgR3hIQNxL0y5z8CdIDkUUjHJgHTa V8x253zBJF08W2Zl7M8+xZtnjHfShX6sxNobozRXH5H0ruat/c2x9Xxf3U8GMYRTokjN oXrhLjbTX+PtuKwGRa9yyAiNituQyB9SNTHAsXDxYHWK9qpjS/DVgrfLQySCKUphOBmk FZCg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="M3atau/z"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id h19si3412763qkl.135.2020.04.11.11.45.15; Sat, 11 Apr 2020 11:45:30 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b="M3atau/z"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726757AbgDKSnG (ORCPT + 99 others); Sat, 11 Apr 2020 14:43:06 -0400 Received: from us-smtp-1.mimecast.com ([205.139.110.61]:22981 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1726140AbgDKSnG (ORCPT ); Sat, 11 Apr 2020 14:43:06 -0400 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1586630586; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=gv2Jmnc/kF+XLdJdYOpxXGZr2GETWXGd+W9QP2/fIf8=; b=M3atau/z0xhlpLP5VbfMxDg9w9+iQ7qAnMBwSdHJwNBTABA6oaHo6yFr1XIxZdFlHbV6S4 hWJl0gsdW2ppcf6hmtR0RSeteUVID1lZbyi1KiVNdZtDCIP7rTw4HHhL/ySl8K0KjHIrxz I1ZsVlp7NOuRF+j0KWrQUlxfKdIJL/U= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-470-j8tXNJuUMBaP77xx3hJH6Q-1; Sat, 11 Apr 2020 14:42:57 -0400 X-MC-Unique: j8tXNJuUMBaP77xx3hJH6Q-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id C00F618B5F69; Sat, 11 Apr 2020 18:42:53 +0000 (UTC) Received: from localhost.localdomain (ovpn-115-94.rdu2.redhat.com [10.10.115.94]) by smtp.corp.redhat.com (Postfix) with ESMTPS id 65B5860C05; Sat, 11 Apr 2020 18:42:53 +0000 (UTC) Received: by localhost.localdomain (Postfix, from userid 1000) id 6CD12C5515; Sat, 11 Apr 2020 15:42:51 -0300 (-03) Date: Sat, 11 Apr 2020 15:42:51 -0300 From: Marcelo Ricardo Leitner To: Pavel Machek Cc: Greg Kroah-Hartman , linux-kernel@vger.kernel.org, stable@vger.kernel.org, Qiujun Huang , "David S. Miller" , syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com Subject: Re: [PATCH 4.19 03/54] sctp: fix refcount bug in sctp_wfree Message-ID: <20200411184251.GM3625@localhost.localdomain> References: <20200411115508.284500414@linuxfoundation.org> <20200411115508.593027768@linuxfoundation.org> <20200411182813.GA18221@duo.ucw.cz> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20200411182813.GA18221@duo.ucw.cz> X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Apr 11, 2020 at 08:28:13PM +0200, Pavel Machek wrote: > Hi! > > > The following case cause the bug: > > for the trouble SKB, it was in outq->transmitted list > > Ok... but this is one hell of "interesting" code. > > > --- a/net/sctp/socket.c > > +++ b/net/sctp/socket.c > > @@ -165,29 +165,44 @@ static void sctp_clear_owner_w(struct sc > > skb_orphan(chunk->skb); > > } > > > > +#define traverse_and_process() \ > > +do { \ > > + msg = chunk->msg; \ > > + if (msg == prev_msg) \ > > + continue; \ > > + list_for_each_entry(c, &msg->chunks, frag_list) { \ > > + if ((clear && asoc->base.sk == c->skb->sk) || \ > > + (!clear && asoc->base.sk != c->skb->sk)) \ > > + cb(c); \ > > + } \ > > + prev_msg = msg; \ > > +} while (0) > > Should this be function? > > Do you see how it does "continue"? But the do {} while(0) wrapper eats > the continue. "break" would be more clear here, but they are really > equivalent due to way this macro is used. > > It is just very, very confusing. Agree. The 'continue' itself slipped in on a refactoring and I didn't notice the confusing aspect of it. Initially, the code was written without the macro, and the continue refererred to the outter list_for_each_entry(). Marcelo