mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-09-20 09:31:09 +00:00
eefc1b1d10
Now that the backlog processing is called with BH enabled, we have to
disable BH before taking the socket lock via bh_lock_sock() otherwise
it may dead lock:
sctp_backlog_rcv()
bh_lock_sock(sk);
if (sock_owned_by_user(sk)) {
if (sk_add_backlog(sk, skb, sk->sk_rcvbuf))
sctp_chunk_free(chunk);
else
backloged = 1;
} else
sctp_inq_push(inqueue, chunk);
bh_unlock_sock(sk);
while sctp_inq_push() was disabling/enabling BH, but enabling BH
triggers pending softirq, which then may try to re-lock the socket in
sctp_rcv().
[ 219.187215] <IRQ>
[ 219.187217] [<ffffffff817ca3e0>] _raw_spin_lock+0x20/0x30
[ 219.187223] [<ffffffffa041888c>] sctp_rcv+0x48c/0xba0 [sctp]
[ 219.187225] [<ffffffff816e7db2>] ? nf_iterate+0x62/0x80
[ 219.187226] [<ffffffff816f1b14>] ip_local_deliver_finish+0x94/0x1e0
[ 219.187228] [<ffffffff816f1e1f>] ip_local_deliver+0x6f/0xf0
[ 219.187229] [<ffffffff816f1a80>] ? ip_rcv_finish+0x3b0/0x3b0
[ 219.187230] [<ffffffff816f17a8>] ip_rcv_finish+0xd8/0x3b0
[ 219.187232] [<ffffffff816f2122>] ip_rcv+0x282/0x3a0
[ 219.187233] [<ffffffff810d8bb6>] ? update_curr+0x66/0x180
[ 219.187235] [<ffffffff816abac4>] __netif_receive_skb_core+0x524/0xa90
[ 219.187236] [<ffffffff810d8e00>] ? update_cfs_shares+0x30/0xf0
[ 219.187237] [<ffffffff810d557c>] ? __enqueue_entity+0x6c/0x70
[ 219.187239] [<ffffffff810dc454>] ? enqueue_entity+0x204/0xdf0
[ 219.187240] [<ffffffff816ac048>] __netif_receive_skb+0x18/0x60
[ 219.187242] [<ffffffff816ad1ce>] process_backlog+0x9e/0x140
[ 219.187243] [<ffffffff816ac8ec>] net_rx_action+0x22c/0x370
[ 219.187245] [<ffffffff817cd352>] __do_softirq+0x112/0x2e7
[ 219.187247] [<ffffffff817cc3bc>] do_softirq_own_stack+0x1c/0x30
[ 219.187247] <EOI>
[ 219.187248] [<ffffffff810aa1c8>] do_softirq.part.14+0x38/0x40
[ 219.187249] [<ffffffff810aa24d>] __local_bh_enable_ip+0x7d/0x80
[ 219.187254] [<ffffffffa0408428>] sctp_inq_push+0x68/0x80 [sctp]
[ 219.187258] [<ffffffffa04190f1>] sctp_backlog_rcv+0x151/0x1c0 [sctp]
[ 219.187260] [<ffffffff81692b07>] __release_sock+0x87/0xf0
[ 219.187261] [<ffffffff81692ba0>] release_sock+0x30/0xa0
[ 219.187265] [<ffffffffa040e46d>] sctp_accept+0x17d/0x210 [sctp]
[ 219.187266] [<ffffffff810e7510>] ? prepare_to_wait_event+0xf0/0xf0
[ 219.187268] [<ffffffff8172d52c>] inet_accept+0x3c/0x130
[ 219.187269] [<ffffffff8168d7a3>] SYSC_accept4+0x103/0x210
[ 219.187271] [<ffffffff817ca2ba>] ? _raw_spin_unlock_bh+0x1a/0x20
[ 219.187272] [<ffffffff81692bfc>] ? release_sock+0x8c/0xa0
[ 219.187276] [<ffffffffa0413e22>] ? sctp_inet_listen+0x62/0x1b0 [sctp]
[ 219.187277] [<ffffffff8168f2d0>] SyS_accept+0x10/0x20
Fixes: 860fbbc343 ("sctp: prepare for socket backlog behavior change")
Cc: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
266 lines
7.4 KiB
C
266 lines
7.4 KiB
C
/* SCTP kernel implementation
|
|
* Copyright (c) 1999-2000 Cisco, Inc.
|
|
* Copyright (c) 1999-2001 Motorola, Inc.
|
|
* Copyright (c) 2002 International Business Machines, Corp.
|
|
*
|
|
* This file is part of the SCTP kernel implementation
|
|
*
|
|
* These functions are the methods for accessing the SCTP inqueue.
|
|
*
|
|
* An SCTP inqueue is a queue into which you push SCTP packets
|
|
* (which might be bundles or fragments of chunks) and out of which you
|
|
* pop SCTP whole chunks.
|
|
*
|
|
* This SCTP implementation is free software;
|
|
* you can redistribute it and/or modify it under the terms of
|
|
* the GNU General Public License as published by
|
|
* the Free Software Foundation; either version 2, or (at your option)
|
|
* any later version.
|
|
*
|
|
* This SCTP implementation is distributed in the hope that it
|
|
* will be useful, but WITHOUT ANY WARRANTY; without even the implied
|
|
* ************************
|
|
* warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
|
|
* See the GNU General Public License for more details.
|
|
*
|
|
* You should have received a copy of the GNU General Public License
|
|
* along with GNU CC; see the file COPYING. If not, see
|
|
* <http://www.gnu.org/licenses/>.
|
|
*
|
|
* Please send any bug reports or fixes you make to the
|
|
* email address(es):
|
|
* lksctp developers <linux-sctp@vger.kernel.org>
|
|
*
|
|
* Written or modified by:
|
|
* La Monte H.P. Yarroll <piggy@acm.org>
|
|
* Karl Knutson <karl@athena.chicago.il.us>
|
|
*/
|
|
|
|
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
|
|
|
|
#include <net/sctp/sctp.h>
|
|
#include <net/sctp/sm.h>
|
|
#include <linux/interrupt.h>
|
|
#include <linux/slab.h>
|
|
|
|
/* Initialize an SCTP inqueue. */
|
|
void sctp_inq_init(struct sctp_inq *queue)
|
|
{
|
|
INIT_LIST_HEAD(&queue->in_chunk_list);
|
|
queue->in_progress = NULL;
|
|
|
|
/* Create a task for delivering data. */
|
|
INIT_WORK(&queue->immediate, NULL);
|
|
}
|
|
|
|
/* Release the memory associated with an SCTP inqueue. */
|
|
void sctp_inq_free(struct sctp_inq *queue)
|
|
{
|
|
struct sctp_chunk *chunk, *tmp;
|
|
|
|
/* Empty the queue. */
|
|
list_for_each_entry_safe(chunk, tmp, &queue->in_chunk_list, list) {
|
|
list_del_init(&chunk->list);
|
|
sctp_chunk_free(chunk);
|
|
}
|
|
|
|
/* If there is a packet which is currently being worked on,
|
|
* free it as well.
|
|
*/
|
|
if (queue->in_progress) {
|
|
sctp_chunk_free(queue->in_progress);
|
|
queue->in_progress = NULL;
|
|
}
|
|
}
|
|
|
|
/* Put a new packet in an SCTP inqueue.
|
|
* We assume that packet->sctp_hdr is set and in host byte order.
|
|
*/
|
|
void sctp_inq_push(struct sctp_inq *q, struct sctp_chunk *chunk)
|
|
{
|
|
/* Directly call the packet handling routine. */
|
|
if (chunk->rcvr->dead) {
|
|
sctp_chunk_free(chunk);
|
|
return;
|
|
}
|
|
|
|
/* We are now calling this either from the soft interrupt
|
|
* or from the backlog processing.
|
|
* Eventually, we should clean up inqueue to not rely
|
|
* on the BH related data structures.
|
|
*/
|
|
list_add_tail(&chunk->list, &q->in_chunk_list);
|
|
if (chunk->asoc)
|
|
chunk->asoc->stats.ipackets++;
|
|
q->immediate.func(&q->immediate);
|
|
}
|
|
|
|
/* Peek at the next chunk on the inqeue. */
|
|
struct sctp_chunkhdr *sctp_inq_peek(struct sctp_inq *queue)
|
|
{
|
|
struct sctp_chunk *chunk;
|
|
sctp_chunkhdr_t *ch = NULL;
|
|
|
|
chunk = queue->in_progress;
|
|
/* If there is no more chunks in this packet, say so */
|
|
if (chunk->singleton ||
|
|
chunk->end_of_packet ||
|
|
chunk->pdiscard)
|
|
return NULL;
|
|
|
|
ch = (sctp_chunkhdr_t *)chunk->chunk_end;
|
|
|
|
return ch;
|
|
}
|
|
|
|
|
|
/* Extract a chunk from an SCTP inqueue.
|
|
*
|
|
* WARNING: If you need to put the chunk on another queue, you need to
|
|
* make a shallow copy (clone) of it.
|
|
*/
|
|
struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
|
|
{
|
|
struct sctp_chunk *chunk;
|
|
sctp_chunkhdr_t *ch = NULL;
|
|
|
|
/* The assumption is that we are safe to process the chunks
|
|
* at this time.
|
|
*/
|
|
|
|
chunk = queue->in_progress;
|
|
if (chunk) {
|
|
/* There is a packet that we have been working on.
|
|
* Any post processing work to do before we move on?
|
|
*/
|
|
if (chunk->singleton ||
|
|
chunk->end_of_packet ||
|
|
chunk->pdiscard) {
|
|
if (chunk->head_skb == chunk->skb) {
|
|
chunk->skb = skb_shinfo(chunk->skb)->frag_list;
|
|
goto new_skb;
|
|
}
|
|
if (chunk->skb->next) {
|
|
chunk->skb = chunk->skb->next;
|
|
goto new_skb;
|
|
}
|
|
|
|
if (chunk->head_skb)
|
|
chunk->skb = chunk->head_skb;
|
|
sctp_chunk_free(chunk);
|
|
chunk = queue->in_progress = NULL;
|
|
} else {
|
|
/* Nothing to do. Next chunk in the packet, please. */
|
|
ch = (sctp_chunkhdr_t *) chunk->chunk_end;
|
|
/* Force chunk->skb->data to chunk->chunk_end. */
|
|
skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
|
|
/* We are guaranteed to pull a SCTP header. */
|
|
}
|
|
}
|
|
|
|
/* Do we need to take the next packet out of the queue to process? */
|
|
if (!chunk) {
|
|
struct list_head *entry;
|
|
|
|
next_chunk:
|
|
/* Is the queue empty? */
|
|
entry = sctp_list_dequeue(&queue->in_chunk_list);
|
|
if (!entry)
|
|
return NULL;
|
|
|
|
chunk = list_entry(entry, struct sctp_chunk, list);
|
|
|
|
/* Linearize if it's not GSO */
|
|
if ((skb_shinfo(chunk->skb)->gso_type & SKB_GSO_SCTP) != SKB_GSO_SCTP &&
|
|
skb_is_nonlinear(chunk->skb)) {
|
|
if (skb_linearize(chunk->skb)) {
|
|
__SCTP_INC_STATS(dev_net(chunk->skb->dev), SCTP_MIB_IN_PKT_DISCARDS);
|
|
sctp_chunk_free(chunk);
|
|
goto next_chunk;
|
|
}
|
|
|
|
/* Update sctp_hdr as it probably changed */
|
|
chunk->sctp_hdr = sctp_hdr(chunk->skb);
|
|
}
|
|
|
|
if ((skb_shinfo(chunk->skb)->gso_type & SKB_GSO_SCTP) == SKB_GSO_SCTP) {
|
|
/* GSO-marked skbs but without frags, handle
|
|
* them normally
|
|
*/
|
|
if (skb_shinfo(chunk->skb)->frag_list)
|
|
chunk->head_skb = chunk->skb;
|
|
|
|
/* skbs with "cover letter" */
|
|
if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len)
|
|
chunk->skb = skb_shinfo(chunk->skb)->frag_list;
|
|
|
|
if (WARN_ON(!chunk->skb)) {
|
|
__SCTP_INC_STATS(dev_net(chunk->skb->dev), SCTP_MIB_IN_PKT_DISCARDS);
|
|
sctp_chunk_free(chunk);
|
|
goto next_chunk;
|
|
}
|
|
}
|
|
|
|
if (chunk->asoc)
|
|
sock_rps_save_rxhash(chunk->asoc->base.sk, chunk->skb);
|
|
|
|
queue->in_progress = chunk;
|
|
|
|
new_skb:
|
|
/* This is the first chunk in the packet. */
|
|
ch = (sctp_chunkhdr_t *) chunk->skb->data;
|
|
chunk->singleton = 1;
|
|
chunk->data_accepted = 0;
|
|
chunk->pdiscard = 0;
|
|
chunk->auth = 0;
|
|
chunk->has_asconf = 0;
|
|
chunk->end_of_packet = 0;
|
|
if (chunk->head_skb) {
|
|
struct sctp_input_cb
|
|
*cb = SCTP_INPUT_CB(chunk->skb),
|
|
*head_cb = SCTP_INPUT_CB(chunk->head_skb);
|
|
|
|
cb->chunk = head_cb->chunk;
|
|
cb->af = head_cb->af;
|
|
}
|
|
}
|
|
|
|
chunk->chunk_hdr = ch;
|
|
chunk->chunk_end = ((__u8 *)ch) + WORD_ROUND(ntohs(ch->length));
|
|
skb_pull(chunk->skb, sizeof(sctp_chunkhdr_t));
|
|
chunk->subh.v = NULL; /* Subheader is no longer valid. */
|
|
|
|
if (chunk->chunk_end + sizeof(sctp_chunkhdr_t) <
|
|
skb_tail_pointer(chunk->skb)) {
|
|
/* This is not a singleton */
|
|
chunk->singleton = 0;
|
|
} else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
|
|
/* Discard inside state machine. */
|
|
chunk->pdiscard = 1;
|
|
chunk->chunk_end = skb_tail_pointer(chunk->skb);
|
|
} else {
|
|
/* We are at the end of the packet, so mark the chunk
|
|
* in case we need to send a SACK.
|
|
*/
|
|
chunk->end_of_packet = 1;
|
|
}
|
|
|
|
pr_debug("+++sctp_inq_pop+++ chunk:%p[%s], length:%d, skb->len:%d\n",
|
|
chunk, sctp_cname(SCTP_ST_CHUNK(chunk->chunk_hdr->type)),
|
|
ntohs(chunk->chunk_hdr->length), chunk->skb->len);
|
|
|
|
return chunk;
|
|
}
|
|
|
|
/* Set a top-half handler.
|
|
*
|
|
* Originally, we the top-half handler was scheduled as a BH. We now
|
|
* call the handler directly in sctp_inq_push() at a time that
|
|
* we know we are lock safe.
|
|
* The intent is that this routine will pull stuff out of the
|
|
* inqueue and process it.
|
|
*/
|
|
void sctp_inq_set_th_handler(struct sctp_inq *q, work_func_t callback)
|
|
{
|
|
INIT_WORK(&q->immediate, callback);
|
|
}
|