On 04/08/2014 07:32 PM, Daniel Borkmann wrote:
> In function sctp_wake_up_waiters(), we need to involve a test
> if the association is declared dead. If so, we don't have any
> reference to a possible sibling association anymore and need
> to invoke sctp_write_space() instead and normally walk the
> socket's associations and notify them of new wmem space. The
> reason for special casing is that, otherwise, we could run
> into the following issue:
>
> sctp_association_free()
> `-> list_del(&asoc->asocs)         <-- poisons list pointer
>     asoc->base.dead = true
>     sctp_outq_free(&asoc->outqueue)
>     `-> __sctp_outq_teardown()
>      `-> sctp_chunk_free()
>       `-> consume_skb()
>        `-> sctp_wfree()
>         `-> sctp_wake_up_waiters() <-- dereferences poisoned pointers
>                                        if asoc->ep->sndbuf_policy=0
>
> Therefore, only walk the list in an 'optimized' way if we find
> that the current association is still active. We could also use
> list_del_init() in addition when we call sctp_association_free(),
> but as Vlad suggests, we want to trap such bugs and thus leave
> it poisoned as is. Stress-testing seems fine now.
>
> Fixes: cd253f9f357d ("net: sctp: wake up all assocs if sndbuf policy is per socket")
> Signed-off-by: Daniel Borkmann <dborkman@xxxxxxxxxx>
> Cc: Vlad Yasevich <vyasevic@xxxxxxxxxx>

Acked-by: Vlad Yasevich <vyasevic@xxxxxxxxxx>

-vlad

> ---
> v1->v2:
> - leave list_del()
>
> net/sctp/socket.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index 5f83a6a..270d5bd 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c
> @@ -6604,6 +6604,12 @@ static void sctp_wake_up_waiters(struct sock *sk, > if (asoc->ep->sndbuf_policy) > return __sctp_write_space(asoc); > > + /* If association goes down and is just flushing its > + * outq, then just normally notify others. > + */ > + if (asoc->base.dead) > + return sctp_write_space(sk); > + > /* Accounting for the sndbuf space is per socket, so we > * need to wake up others, try to be fair and in case of > * other associations, let them have a go first instead
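Review bot: The comment added above the `if (asoc->base.dead)` test in sctp_wake_up_waiters() says what the branch does but not why it must sit in front of the per-socket wake-up logic that follows. The commit message gives the reason: sctp_association_free() has already run list_del(&asoc->asocs), so the list pointers of a dead association are poisoned and must not be walked from it. Suggest putting that in the comment itself, for example "asoc->asocs is poisoned once the association is dead, so do not walk siblings from here", so that a later cleanup does not reorder or drop the test. It would also be worth a word that the test is placed after the `sndbuf_policy` branch on purpose, since `__sctp_write_space(asoc)` is called on the association alone and the commit message only describes the problem for sndbuf_policy=0.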