Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp1237140pxu; Mon, 23 Nov 2020 15:34:42 -0800 (PST) X-Google-Smtp-Source: ABdhPJwac7cDbkFYE4otIHmeI07J1uPCUK3o2eIPa+zzctvH3/qE0QSmKYymV6mmac3aq063uUXS X-Received: by 2002:a50:e68a:: with SMTP id z10mr1564330edm.28.1606174482419; Mon, 23 Nov 2020 15:34:42 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1606174482; cv=none; d=google.com; s=arc-20160816; b=lZQ9aHH9MqkeyjfnWFeyWT34ZJV/GhCX/m3I1aUbShWG2CVxRS7fTQoxCRw4fEswiW CCDvGeILoCi0Bh5uNY7Y7GVNPp1v2OBdr6fvQkeOdXWHK9eG7WNwVJ7vpjBjl6h0sNe0 jH01H9ggUaNT35oxajLOhHsb5162fFm/zSYgzHTqgzMiJ1Fc4+C5mkdea1wuNFJN4Dwz k4rnv1I5xjGHaucTNSQHVvSH7x3POQyUoyGZt4EiCE9wift5HDosS5h5cQmwvHErxpEy iPo3hFfbiHyyp4UdAr14WrE+YTUjExHz2lkgct6es+xighRUliiwz2b5WGmDWHFWJ1YG kP7Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=n+6YnamS2gmfYyeZlVz/E5v/BwABvXCs+cXw2AQzeuQ=; b=YZGi9t6GrnP/N4BGjlcxP8JcrD5WjeO7w4OJF3urms7JUcKZ9sxNfuD4kmqL5hjMpP DITOj3NO7BluOutPVsX3+bcUxDCGr1G1yhG+tOkYfYKADXykf75+5051yp50ZeqwmWch VNTIlu2eGoySh+JSABCNnr+NniXBMi5KKzg1QrGVbuLtS0jLxZDul3ON424j3kfwt6k6 PBO7t5WZPVVuW+eIxuDixDLqeGOsqB+/1FRpjZ2ROqRlE0WooLSwZSgJQMB/JrJCHYfW Xh+BowcjX023SmjrZ9wTeXfAxa0IlA3daJtV6xsdhA6xg7Hddz5Ase9+n8ZNxRPJjCzf ZH/w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="1cMw/1cF"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b13si7326639eje.225.2020.11.23.15.34.19; Mon, 23 Nov 2020 15:34:42 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="1cMw/1cF"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730728AbgKWMaV (ORCPT + 99 others); Mon, 23 Nov 2020 07:30:21 -0500 Received: from mail.kernel.org ([198.145.29.99]:40986 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730165AbgKWMaP (ORCPT ); Mon, 23 Nov 2020 07:30:15 -0500 Received: from localhost (83-86-74-64.cable.dynamic.v4.ziggo.nl [83.86.74.64]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 420F320781; Mon, 23 Nov 2020 12:30:14 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1606134614; bh=nqjcF6JBWvu9wm/xcmuYhnS7YRSnRIHpS25g8/DlIX0=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=1cMw/1cFqEPueMq79TXvPJ53sVF6DuccGNNZrU6mKRnkiiUP2WXZWPo4JnYuM7LoI 9hB2XY/RZfXJUql88bhu65EtfxT9YvARGcNgL6WrzN8SRAZvrS79BhC+fVvT6Nb3oz 0glQNBLhLY0fQjWdDmHsRbDflhbeoxM8nz84Wz4w= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Hangbin Liu , Xin Long , Marcelo Ricardo Leitner , Jakub Kicinski Subject: [PATCH 4.19 21/91] sctp: change to hold/put transport for proto_unreach_timer Date: Mon, 23 Nov 2020 13:21:41 +0100 Message-Id: <20201123121810.339376302@linuxfoundation.org> X-Mailer: git-send-email 2.29.2 In-Reply-To: <20201123121809.285416732@linuxfoundation.org> References: <20201123121809.285416732@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit 057a10fa1f73d745c8e69aa54ab147715f5630ae ] A call trace was found in Hangbin's Codenomicon testing with debug kernel: [ 2615.981988] ODEBUG: free active (active state 0) object type: timer_list hint: sctp_generate_proto_unreach_event+0x0/0x3a0 [sctp] [ 2615.995050] WARNING: CPU: 17 PID: 0 at lib/debugobjects.c:328 debug_print_object+0x199/0x2b0 [ 2616.095934] RIP: 0010:debug_print_object+0x199/0x2b0 [ 2616.191533] Call Trace: [ 2616.194265] [ 2616.202068] debug_check_no_obj_freed+0x25e/0x3f0 [ 2616.207336] slab_free_freelist_hook+0xeb/0x140 [ 2616.220971] kfree+0xd6/0x2c0 [ 2616.224293] rcu_do_batch+0x3bd/0xc70 [ 2616.243096] rcu_core+0x8b9/0xd00 [ 2616.256065] __do_softirq+0x23d/0xacd [ 2616.260166] irq_exit+0x236/0x2a0 [ 2616.263879] smp_apic_timer_interrupt+0x18d/0x620 [ 2616.269138] apic_timer_interrupt+0xf/0x20 [ 2616.273711] This is because it holds asoc when transport->proto_unreach_timer starts and puts asoc when the timer stops, and without holding transport the transport could be freed when the timer is still running. So fix it by holding/putting transport instead for proto_unreach_timer in transport, just like other timers in transport. v1->v2: - Also use sctp_transport_put() for the "out_unlock:" path in sctp_generate_proto_unreach_event(), as Marcelo noticed. Fixes: 50b5d6ad6382 ("sctp: Fix a race between ICMP protocol unreachable and connect()") Reported-by: Hangbin Liu Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Link: https://lore.kernel.org/r/102788809b554958b13b95d33440f5448113b8d6.1605331373.git.lucien.xin@gmail.com Signed-off-by: Jakub Kicinski Signed-off-by: Greg Kroah-Hartman --- net/sctp/input.c | 4 ++-- net/sctp/sm_sideeffect.c | 4 ++-- net/sctp/transport.c | 2 +- 3 files changed, 5 insertions(+), 5 deletions(-) --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -461,7 +461,7 @@ void sctp_icmp_proto_unreachable(struct else { if (!mod_timer(&t->proto_unreach_timer, jiffies + (HZ/20))) - sctp_association_hold(asoc); + sctp_transport_hold(t); } } else { struct net *net = sock_net(sk); @@ -470,7 +470,7 @@ void sctp_icmp_proto_unreachable(struct "encountered!\n", __func__); if (del_timer(&t->proto_unreach_timer)) - sctp_association_put(asoc); + sctp_transport_put(t); sctp_do_sm(net, SCTP_EVENT_T_OTHER, SCTP_ST_OTHER(SCTP_EVENT_ICMP_PROTO_UNREACH), --- a/net/sctp/sm_sideeffect.c +++ b/net/sctp/sm_sideeffect.c @@ -434,7 +434,7 @@ void sctp_generate_proto_unreach_event(s /* Try again later. */ if (!mod_timer(&transport->proto_unreach_timer, jiffies + (HZ/20))) - sctp_association_hold(asoc); + sctp_transport_hold(transport); goto out_unlock; } @@ -450,7 +450,7 @@ void sctp_generate_proto_unreach_event(s out_unlock: bh_unlock_sock(sk); - sctp_association_put(asoc); + sctp_transport_put(transport); } /* Handle the timeout of the RE-CONFIG timer. */ --- a/net/sctp/transport.c +++ b/net/sctp/transport.c @@ -148,7 +148,7 @@ void sctp_transport_free(struct sctp_tra /* Delete the ICMP proto unreachable timer if it's active. */ if (del_timer(&transport->proto_unreach_timer)) - sctp_association_put(transport->asoc); + sctp_transport_put(transport); sctp_transport_put(transport); }