<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/net/sctp/input.c, branch linux-4.7.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>sctp: fix BH handling on socket backlog</title>
<updated>2016-08-16T07:34:58+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2016-07-23T03:32:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2f9abe462b23e1f78cc55de4d92de58a63c9b710'/>
<id>2f9abe462b23e1f78cc55de4d92de58a63c9b710</id>
<content type='text'>
[ Upstream commit eefc1b1d105ee4d2ce907833ce675f1e9599b5e3 ]

Now that the backlog processing is called with BH enabled, we have to
disable BH before taking the socket lock via bh_lock_sock() otherwise
it may deadlock:

sctp_backlog_rcv()
                bh_lock_sock(sk);

                if (sock_owned_by_user(sk)) {
                        if (sk_add_backlog(sk, skb, sk-&gt;sk_rcvbuf))
                                sctp_chunk_free(chunk);
                        else
                                backloged = 1;
                } else
                        sctp_inq_push(inqueue, chunk);

                bh_unlock_sock(sk);

while sctp_inq_push() was disabling/enabling BH, but enabling BH
triggers pending softirq, which then may try to re-lock the socket in
sctp_rcv().

[  219.187215]  &lt;IRQ&gt;
[  219.187217]  [&lt;ffffffff817ca3e0&gt;] _raw_spin_lock+0x20/0x30
[  219.187223]  [&lt;ffffffffa041888c&gt;] sctp_rcv+0x48c/0xba0 [sctp]
[  219.187225]  [&lt;ffffffff816e7db2&gt;] ? nf_iterate+0x62/0x80
[  219.187226]  [&lt;ffffffff816f1b14&gt;] ip_local_deliver_finish+0x94/0x1e0
[  219.187228]  [&lt;ffffffff816f1e1f&gt;] ip_local_deliver+0x6f/0xf0
[  219.187229]  [&lt;ffffffff816f1a80&gt;] ? ip_rcv_finish+0x3b0/0x3b0
[  219.187230]  [&lt;ffffffff816f17a8&gt;] ip_rcv_finish+0xd8/0x3b0
[  219.187232]  [&lt;ffffffff816f2122&gt;] ip_rcv+0x282/0x3a0
[  219.187233]  [&lt;ffffffff810d8bb6&gt;] ? update_curr+0x66/0x180
[  219.187235]  [&lt;ffffffff816abac4&gt;] __netif_receive_skb_core+0x524/0xa90
[  219.187236]  [&lt;ffffffff810d8e00&gt;] ? update_cfs_shares+0x30/0xf0
[  219.187237]  [&lt;ffffffff810d557c&gt;] ? __enqueue_entity+0x6c/0x70
[  219.187239]  [&lt;ffffffff810dc454&gt;] ? enqueue_entity+0x204/0xdf0
[  219.187240]  [&lt;ffffffff816ac048&gt;] __netif_receive_skb+0x18/0x60
[  219.187242]  [&lt;ffffffff816ad1ce&gt;] process_backlog+0x9e/0x140
[  219.187243]  [&lt;ffffffff816ac8ec&gt;] net_rx_action+0x22c/0x370
[  219.187245]  [&lt;ffffffff817cd352&gt;] __do_softirq+0x112/0x2e7
[  219.187247]  [&lt;ffffffff817cc3bc&gt;] do_softirq_own_stack+0x1c/0x30
[  219.187247]  &lt;EOI&gt;
[  219.187248]  [&lt;ffffffff810aa1c8&gt;] do_softirq.part.14+0x38/0x40
[  219.187249]  [&lt;ffffffff810aa24d&gt;] __local_bh_enable_ip+0x7d/0x80
[  219.187254]  [&lt;ffffffffa0408428&gt;] sctp_inq_push+0x68/0x80 [sctp]
[  219.187258]  [&lt;ffffffffa04190f1&gt;] sctp_backlog_rcv+0x151/0x1c0 [sctp]
[  219.187260]  [&lt;ffffffff81692b07&gt;] __release_sock+0x87/0xf0
[  219.187261]  [&lt;ffffffff81692ba0&gt;] release_sock+0x30/0xa0
[  219.187265]  [&lt;ffffffffa040e46d&gt;] sctp_accept+0x17d/0x210 [sctp]
[  219.187266]  [&lt;ffffffff810e7510&gt;] ? prepare_to_wait_event+0xf0/0xf0
[  219.187268]  [&lt;ffffffff8172d52c&gt;] inet_accept+0x3c/0x130
[  219.187269]  [&lt;ffffffff8168d7a3&gt;] SYSC_accept4+0x103/0x210
[  219.187271]  [&lt;ffffffff817ca2ba&gt;] ? _raw_spin_unlock_bh+0x1a/0x20
[  219.187272]  [&lt;ffffffff81692bfc&gt;] ? release_sock+0x8c/0xa0
[  219.187276]  [&lt;ffffffffa0413e22&gt;] ? sctp_inet_listen+0x62/0x1b0 [sctp]
[  219.187277]  [&lt;ffffffff8168f2d0&gt;] SyS_accept+0x10/0x20

Fixes: 860fbbc343bf ("sctp: prepare for socket backlog behavior change")
Cc: Eric Dumazet &lt;eric.dumazet@gmail.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
</entry>
<entry>
<title>sctp: load transport header after sk_filter</title>
<updated>2016-07-19T05:46:52+00:00</updated>
<author>
<name>Willem de Bruijn</name>
<email>willemb@google.com</email>
</author>
<published>2016-07-16T21:33:15+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=c74bfbdba0e8d056e4ba579a666b5cdb8ec3cd35'/>
<id>c74bfbdba0e8d056e4ba579a666b5cdb8ec3cd35</id>
<content type='text'>
Do not cache pointers into the skb linear segment across sk_filter.
The function call can trigger pskb_expand_head.

Signed-off-by: Willem de Bruijn &lt;willemb@google.com&gt;
Acked-by: Daniel Borkmann &lt;daniel@iogearbox.net&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: rename NET_{ADD|INC}_STATS_BH()</title>
<updated>2016-04-28T02:48:24+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-04-27T23:44:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=02a1d6e7a6bb025a77da77012190e1efc1970f1c'/>
<id>02a1d6e7a6bb025a77da77012190e1efc1970f1c</id>
<content type='text'>
Rename NET_INC_STATS_BH() to __NET_INC_STATS()
and NET_ADD_STATS_BH() to __NET_ADD_STATS()

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: sctp: rename SCTP_INC_STATS_BH()</title>
<updated>2016-04-28T02:48:23+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-04-27T23:44:34+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=08e3baef65e2e9481637a1e8fb06089ca70be707'/>
<id>08e3baef65e2e9481637a1e8fb06089ca70be707</id>
<content type='text'>
Rename SCTP_INC_STATS_BH() to __SCTP_INC_STATS()

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>net: rename ICMP_INC_STATS_BH()</title>
<updated>2016-04-28T02:48:22+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2016-04-27T23:44:29+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=5d3848bc33b7d13fc97b5b6e0dccde2d0755bfd5'/>
<id>5d3848bc33b7d13fc97b5b6e0dccde2d0755bfd5</id>
<content type='text'>
Rename ICMP_INC_STATS_BH() to __ICMP_INC_STATS()

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: align MTU to a word</title>
<updated>2016-03-20T20:31:12+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2016-03-19T15:17:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=3822a5ff4bc32043fa9c7b6d6f125bcdca6da39c'/>
<id>3822a5ff4bc32043fa9c7b6d6f125bcdca6da39c</id>
<content type='text'>
SCTP is a protocol that is aligned to a word (4 bytes). Thus using bare
MTU can sometimes return values that are not aligned, like for loopback,
which is 65536 but ipv4_mtu() limits that to 65535. This mis-alignment
will cause the last non-aligned bytes to never be used and can cause
issues with congestion control.

So it's better to just consider a lower MTU and keep congestion control
calcs saner as they are based on PMTU.

Same applies to icmp frag needed messages, which is also fixed by this
patch.

One other effect of this is the inability to send an MTU-sized packet
without queueing or fragmentation and without hitting Nagle. As the
check performed at sctp_packet_can_append_data():

if (chunk-&gt;skb-&gt;len + q-&gt;out_qlen &gt;= transport-&gt;pathmtu - packet-&gt;overhead)
	/* Enough data queued to fill a packet */
	return SCTP_XMIT_OK;

with the above example of MTU, if there are no other messages queued,
one cannot send a packet that just fits one packet (65532 bytes) and
without causing DATA chunk fragmentation or a delay.

v2:
 - Added WORD_TRUNC macro

Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: allow sctp_transmit_packet and others to use gfp</title>
<updated>2016-03-14T02:29:07+00:00</updated>
<author>
<name>Marcelo Ricardo Leitner</name>
<email>marcelo.leitner@gmail.com</email>
</author>
<published>2016-03-10T21:33:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=cea8768f333e3f0bc231d8b815aa4a9e63fa990c'/>
<id>cea8768f333e3f0bc231d8b815aa4a9e63fa990c</id>
<content type='text'>
Currently sctp_sendmsg() triggers some calls that will allocate memory
with GFP_ATOMIC even when not necessary. In the case of
sctp_packet_transmit it will allocate a linear skb that will be used to
construct the packet and this may cause sends to fail due to ENOMEM more
often than anticipated, especially with big MTUs.

This patch thus allows it to inherit gfp flags from upper calls so that
it can use GFP_KERNEL if it was triggered by a sctp_sendmsg call or
similar. All others, like retransmits or flushes started from BH, are
still allocated using GFP_ATOMIC.

In netperf tests this didn't result in any performance drawbacks when
memory is not too fragmented and made it trigger ENOMEM way less often.

Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: move rcu_read_lock from __sctp_lookup_association to sctp_lookup_association</title>
<updated>2016-02-17T20:41:54+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2016-02-15T06:28:03+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=f46c7011b062726b798fa3326b5b0c2711ead2a0'/>
<id>f46c7011b062726b798fa3326b5b0c2711ead2a0</id>
<content type='text'>
__sctp_lookup_association() is only invoked by sctp_v4_err() and
sctp_rcv(), both of which run on the rx BH, and it has been protected
by rcu_read_lock [see ip_local_deliver_finish() / ipv6_rcv()].

So we can move it to sctp_lookup_association, only let
sctp_lookup_association use rcu_read_lock.

Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: fix the transport dead race check by using atomic_add_unless on refcnt</title>
<updated>2016-01-28T23:59:32+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2016-01-21T17:49:07+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1eed677933b816978abc4e3e18ecae5f254cb9be'/>
<id>1eed677933b816978abc4e3e18ecae5f254cb9be</id>
<content type='text'>
Now when __sctp_lookup_association is running in BH, it will try to
check if t-&gt;dead is set, but meanwhile other CPUs may be freeing this
transport and this assoc and if it happens that
__sctp_lookup_association checked t-&gt;dead a bit too early, it may think
that the association is still good while it was already freed.

So we fix this race by using atomic_add_unless in sctp_transport_hold.
After we get one transport from hashtable, we will hold it only when
this transport's refcnt is not 0, so that we can make sure t-&gt;asoc
cannot be freed before we hold the asoc again.

Note that sctp association is not freed using RCU so we can't use
atomic_add_unless() with it as it may just be too late for that either.

Fixes: 4f0087812648 ("sctp: apply rhashtable api to send/recv path")
Reported-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Signed-off-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
<entry>
<title>sctp: the temp asoc's transports should not be hashed/unhashed</title>
<updated>2016-01-18T00:11:44+00:00</updated>
<author>
<name>Xin Long</name>
<email>lucien.xin@gmail.com</email>
</author>
<published>2016-01-16T12:17:17+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=dd7445ad6be3809565272b0e724f2f00c2de1989'/>
<id>dd7445ad6be3809565272b0e724f2f00c2de1989</id>
<content type='text'>
Re-establish the previous behavior and avoid hashing temporary asocs by
checking t-&gt;asoc-&gt;temp in sctp_(un)hash_transport. Also, remove the
check of t-&gt;asoc-&gt;temp in __sctp_lookup_association, since they are
never hashed now.

Fixes: 4f0087812648 ("sctp: apply rhashtable api to send/recv path")
Signed-off-by: Xin Long &lt;lucien.xin@gmail.com&gt;
Acked-by: Marcelo Ricardo Leitner &lt;marcelo.leitner@gmail.com&gt;
Reported-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
</content>
</entry>
</feed>
