From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Neil Horman, Vlad Yasevich, "David S. Miller", jere.leppanen@nokia.com, marcelo.leitner@gmail.com, netdev@vger.kernel.org
Subject: [PATCH 5.4 018/142] sctp: Dont add the shutdown timer if its already been added
Date: Mon, 1 Jun 2020 19:52:56 +0200
Message-Id: <20200601174039.765838306@linuxfoundation.org>
X-Mailer: git-send-email 2.26.2
In-Reply-To: <20200601174037.904070960@linuxfoundation.org>
References: <20200601174037.904070960@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Neil Horman

[ Upstream commit 20a785aa52c82246055a089e55df9dac47d67da1 ]

This BUG halt was reported a while back, but the patch somehow got
missed:

PID: 2879 TASK: c16adaa0 CPU: 1 COMMAND: "sctpn"
 #0 [f418dd28] crash_kexec at c04a7d8c
 #1 [f418dd7c] oops_end at c0863e02
 #2 [f418dd90] do_invalid_op at c040aaca
 #3 [f418de28] error_code (via invalid_op) at c08631a5
    EAX: f34baac0 EBX: 00000090 ECX: f418deb0 EDX: f5542950 EBP: 00000000
    DS: 007b ESI: f34ba800 ES: 007b EDI: f418dea0 GS: 00e0
    CS: 0060 EIP: c046fa5e ERR: ffffffff EFLAGS: 00010286
 #4 [f418de5c] add_timer at c046fa5e
 #5 [f418de68] sctp_do_sm at f8db8c77 [sctp]
 #6 [f418df30] sctp_primitive_SHUTDOWN at f8dcc1b5 [sctp]
 #7 [f418df48] inet_shutdown at c080baf9
 #8 [f418df5c] sys_shutdown at c079eedf
 #9 [f418df70] sys_socketcall at c079fe88
    EAX: ffffffda EBX: 0000000d ECX: bfceea90 EDX: 0937af98
    DS: 007b ESI: 0000000c ES: 007b EDI: b7150ae4
    SS: 007b ESP: bfceea7c EBP: bfceeaa8 GS: 0033
    CS: 0073 EIP: b775c424 ERR: 00000066 EFLAGS: 00000282

It appears that the side effect that starts the shutdown timer was
processed multiple times, which can happen as multiple paths can trigger
it. This of course leads to the BUG halt in add_timer getting called.

Fix seems pretty straightforward, just check before the timer is added
if it's already been started. If it has, mod the timer instead to
min(current expiration, new expiration).

It's been tested but not confirmed to fix the problem, as the issue has
only occurred in production environments where test kernels are enjoined
from being installed. It appears to be a sane fix to me though. Also,
recently, Jere found a reproducer posted on list to confirm that this
resolves the issues.

Signed-off-by: Neil Horman
CC: Vlad Yasevich
CC: "David S. Miller"
CC: jere.leppanen@nokia.com
CC: marcelo.leitner@gmail.com
CC: netdev@vger.kernel.org
Acked-by: Marcelo Ricardo Leitner
Signed-off-by: David S. Miller
Signed-off-by: Greg Kroah-Hartman --- net/sctp/sm_sideeffect.c | 14 +++++++++++--- 1 file changed, 11 insertions(+), 3 deletions(-) --- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -1522,9 +1522,17 @@ static int sctp_cmd_interpreter(enum sct timeout = asoc->timeouts[cmd->obj.to]; BUG_ON(!timeout); - timer->expires = jiffies + timeout; - sctp_association_hold(asoc); - add_timer(timer); + /* + * SCTP has a hard time with timer starts. Because we process + * timer starts as side effects, it can be hard to tell if we + * have already started a timer or not, which leads to BUG + * halts when we call add_timer. So here, instead of just starting + * a timer, if the timer is already started, and just mod + * the timer with the shorter of the two expiration times + */ + if (!timer_pending(timer)) + sctp_association_hold(asoc); + timer_reduce(timer, jiffies + timeout); break; case SCTP_CMD_TIMER_RESTART:
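
Review bot: The hold and the arm in the new lines before `case SCTP_CMD_TIMER_RESTART:` are two separate steps: `if (!timer_pending(timer))` decides whether to call sctp_association_hold(asoc), and only afterwards does `timer_reduce(timer, jiffies + timeout)` arm or shorten the timer. If the timer can expire between those two calls, it is re-armed without a matching hold, and the one-hold-per-armed-timer pairing that the removed lines kept (hold, then add_timer) goes out of balance. Either say in the comment what rules that window out, or key the hold off the arming call itself, for example `if (!timer_reduce(timer, jiffies + timeout)) sctp_association_hold(asoc);`, assuming timer_reduce() reports whether the timer was already pending the way mod_timer() does. The last sentence of the added comment also does not parse ("if the timer is already started, and just mod the timer"); "if the timer is already started, just mod the timer to the shorter of the two expiration times" reads as intended.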