On Wed, 8 Feb 2023 at 20:21, Xin Long <lucien.xin@xxxxxxxxx> wrote:
>
> [...]
>
> > We suspect a race condition between a connecting sctp socket
> > and the diag query.
> As it commented in sctp_transport_traverse_process():
>
> "asoc can be peeled off " before calling sctp_sock_filter(). Actually,

Ah, thank you for clarifying! I misunderstood the comment, and read it
like "we hold the ep, otherwise asoc can be peeled off".

> the asoc can be peeled off from the ep anytime during it by another
> thread, and placing a list_empty(&ep->asocs) check and returning
> won't avoid it completely, as peeling off the asoc can happen after
> your check.
>
> We actually don't care about the asoc peeling off during the dump,
> as sctp diag can not work that accurately. There also shouldn't be

Agree. This makes a lot of sense.

> problems caused so far, as the "assoc" won't be used anywhere after
> that check.
>
> To avoid the "type confused pointer" thing, maybe you can try to use
> list_is_first() there:
>
> -	struct sctp_association *assoc =
> -		list_entry(ep->asocs.next, struct sctp_association, asocs);
>
> 	/* find the ep only once through the transports by this condition */
> -	if (tsp->asoc != assoc)
> +	if (!list_is_first(&tsp->asoc->asocs, &ep->asocs))
> 		return 0;
>

This is a very nice suggestion, which also avoids future issues in case
assoc would be used. I'll do that in v2.

Thank you!

Best regards,
Pietro
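Review bot: the comment kept above the changed line, `/* find the ep only once through the transports by this condition */`, no longer says why the check is by list position rather than by pointer; suggest extending it to note that list_is_first() avoids computing a list_entry() from ep->asocs.next when ep->asocs is empty, which is the type-confused pointer the two removed lines produced. Also, the new condition `if (!list_is_first(&tsp->asoc->asocs, &ep->asocs))` dereferences tsp->asoc, which the removed `tsp->asoc != assoc` comparison did not; fine if every transport reached by this traversal has its asoc set, but worth confirming rather than assuming.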
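The pointer-versus-position distinction discussed in this exchange, as an added C example that is not code from the thread or from the kernel: it uses minimal userspace stand-ins for list_head, list_entry() and list_is_first() and assumed layouts for the SCTP structures, and shows that once a peel-off has emptied ep->asocs the old list_entry() computation yields a pointer into the endpoint object itself, while both the old and the suggested condition still agree to skip the transport.

```c
#include <stdbool.h>
#include <stddef.h>
/* Minimal userspace stand-ins for the kernel list helpers (assumed, not the real ones). */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del_init(struct list_head *e)
{ e->prev->next = e->next; e->next->prev = e->prev; list_init(e); }
static bool list_is_first(const struct list_head *l, const struct list_head *h)
{ return l->prev == h; }

/* Stand-ins for the SCTP structures; only the fields used here, layouts assumed. */
struct sctp_endpoint    { int id; struct list_head asocs; };
struct sctp_association { int id; struct list_head asocs; };
struct sctp_transport   { struct sctp_association *asoc; };

/* Old condition: on an empty list ep->asocs.next is the head itself, so the pointer points into ep. */
static bool old_is_first(struct sctp_endpoint *ep, struct sctp_transport *tsp,
			 struct sctp_association **seen)
{
	*seen = list_entry(ep->asocs.next, struct sctp_association, asocs);
	return tsp->asoc == *seen;
}

/* Suggested condition: only follows the transport's own asoc list links. */
static bool new_is_first(struct sctp_endpoint *ep, struct sctp_transport *tsp)
{
	return list_is_first(&tsp->asoc->asocs, &ep->asocs);
}

/* asoc is the ep's only association; optionally it is peeled off before the check runs.
 * Result bits: 1 = old check true, 2 = new check true, 4 = old pointer lies inside ep. */
int first_asoc_check(bool peeled_off)
{
	struct sctp_endpoint ep = { .id = 1 };
	struct sctp_association asoc = { .id = 2 };
	struct sctp_transport tsp = { .asoc = &asoc };
	struct sctp_association *seen;
	int r = 0;
	list_init(&ep.asocs);
	list_add_tail(&asoc.asocs, &ep.asocs);
	if (peeled_off)
		list_del_init(&asoc.asocs);	/* the concurrent peel-off */
	r |= old_is_first(&ep, &tsp, &seen) ? 1 : 0;
	r |= new_is_first(&ep, &tsp) ? 2 : 0;
	r |= ((char *)seen >= (char *)&ep && (char *)seen < (char *)(&ep + 1)) ? 4 : 0;
	return r;
}
```

With the association still linked both checks return true; after the peel-off both return false, but only the old one has computed an "association" pointer that actually addresses the endpoint.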