From: Duoming Zhou
To: linux-sctp@vger.kernel.org
Cc: vyasevich@gmail.com, nhorman@tuxdriver.com, marcelo.leitner@gmail.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Duoming Zhou
Subject: [PATCH net] sctp: fix sleep in atomic context bug in timer handlers
Date: Sat, 23 Jul 2022 09:58:09 +0800
Message-Id: <20220723015809.11553-1-duoming@zju.edu.cn>
X-Mailing-List: linux-kernel@vger.kernel.org

There are sleep in atomic context bugs in
timer handlers of sctp such as sctp_generate_t3_rtx_event(),
sctp_generate_probe_event(), sctp_generate_t1_init_event(),
sctp_generate_timeout_event(), sctp_generate_t3_rtx_event() and so on.

The root cause is that sctp_sched_prio_init_sid() with the GFP_KERNEL
parameter, which may sleep, could be called by different timer handlers
that are in interrupt context.

One of the call paths that could trigger the bug is shown below:

      (interrupt context)
sctp_generate_probe_event
  sctp_do_sm
    sctp_side_effects
      sctp_cmd_interpreter
        sctp_outq_teardown
          sctp_outq_init
            sctp_sched_set_sched
              n->init_sid(..,GFP_KERNEL)
                sctp_sched_prio_init_sid //may sleep

This patch changes the gfp_t parameter of init_sid in sctp_sched_set_sched()
from GFP_KERNEL to GFP_ATOMIC in order to prevent sleep in atomic
context bugs.

Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Signed-off-by: Duoming Zhou
--- net/sctp/stream_sched.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/sctp/stream_sched.c b/net/sctp/stream_sched.c index 518b1b9bf89..1ad565ed562 100644 --- a/net/sctp/stream_sched.c +++ b/net/sctp/stream_sched.c @@ -160,7 +160,7 @@ int sctp_sched_set_sched(struct sctp_association *asoc, if (!SCTP_SO(&asoc->stream, i)->ext) continue; - ret = n->init_sid(&asoc->stream, i, GFP_KERNEL); + ret = n->init_sid(&asoc->stream, i, GFP_ATOMIC); if (ret) goto err; } -- 2.17.1
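
Review bot: the GFP_ATOMIC passed at `ret = n->init_sid(&asoc->stream, i, GFP_ATOMIC);` in sctp_sched_set_sched() applies to every caller of that function, while the commit message only demonstrates the timer path (sctp_generate_probe_event down through sctp_outq_init) running in interrupt context. If sctp_sched_set_sched() is also reached from a context that may sleep, those callers would now allocate atomically for no reason and fail more readily under memory pressure; consider giving sctp_sched_set_sched() a gfp_t parameter and letting each caller pass the flag that matches its context. Because an atomic allocation is more likely to fail, please also confirm that the `goto err` path leaves the stream in a consistent state when init_sid fails partway through the loop. The commit message would be stronger if it said how the bug was found (a runtime warning or code inspection), and its handler list names sctp_generate_t3_rtx_event() twice.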