1 From foo@baz Fri Jul 3 19:59:52 PDT 2015
2 From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
3 Date: Fri, 12 Jun 2015 10:16:41 -0300
4 Subject: sctp: fix ASCONF list handling
5
6 From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
7
8 [ Upstream commit 2d45a02d0166caf2627fe91897c6ffc3b19514c4 ]
9
10 ->auto_asconf_splist is per namespace and mangled by functions like
11 sctp_setsockopt_auto_asconf() which doesn't guarantee any serialization.
12
13 Also, the call to inet_sk_copy_descendant() was backuping
14 ->auto_asconf_list through the copy but was not honoring
15 ->do_auto_asconf, which could lead to list corruption if it was
16 different between both sockets.
17
18 This commit thus fixes the list handling by using ->addr_wq_lock
19 spinlock to protect the list. A special handling is done upon socket
20 creation and destruction for that. Error handling in sctp_init_sock()
21 will never return an error after having initialized asconf, so
22 sctp_destroy_sock() can be called without addr_wq_lock. The lock now
23 will be taken in sctp_close_sock(), before locking the socket, so we
24 don't do it in inverse order compared to sctp_addr_wq_timeout_handler().
25
26 Instead of taking the lock on sctp_sock_migrate() for copying and
27 restoring the list values, it's preferred to avoid rewritting it by
28 implementing sctp_copy_descendant().
29
30 Issue was found with a test application that kept flipping sysctl
31 default_auto_asconf on and off, but one could trigger it by issuing
32 simultaneous setsockopt() calls on multiple sockets or by
33 creating/destroying sockets fast enough. This is only triggerable
34 locally.
35
36 Fixes: 9f7d653b67ae ("sctp: Add Auto-ASCONF support (core).")
37 Reported-by: Ji Jianwen <jiji@redhat.com>
38 Suggested-by: Neil Horman <nhorman@tuxdriver.com>
39 Suggested-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
40 Acked-by: Hannes Frederic Sowa <hannes@stressinduktion.org>
41 Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
42 Signed-off-by: David S. Miller <davem@davemloft.net>
43 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
44 ---
45 include/net/netns/sctp.h | 1 +
46 include/net/sctp/structs.h | 4 ++++
47 net/sctp/socket.c | 43 ++++++++++++++++++++++++++++++++-----------
48 3 files changed, 37 insertions(+), 11 deletions(-)
49
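--- a/include/net/netns/sctp.h
+++ b/include/net/netns/sctp.h
@@ -31,6 +31,7 @@ struct netns_sctp {
 struct list_head addr_waitq;
 struct timer_list addr_wq_timer;
 struct list_head auto_asconf_splist;
+ /* Lock that protects both addr_waitq and auto_asconf_splist */
 spinlock_t addr_wq_lock;
 
 /* Lock that protects the local_addr_list writers */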
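--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -223,6 +223,10 @@ struct sctp_sock {
 atomic_t pd_mode;
 /* Receive to here while partial delivery is in effect. */
 struct sk_buff_head pd_lobby;
+
+ /* These must be the last fields, as they will skipped on copies,
+ * like on accept and peeloff operations
+ */
 struct list_head auto_asconf_list;
 int do_auto_asconf;
 };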
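Review bot: The rule in the added comment above `auto_asconf_list`, that it and `do_auto_asconf` stay the last members of `struct sctp_sock`, is load-bearing but enforced only by that comment. sctp_copy_descendant() in net/sctp/socket.c derives its skip size from `offsetof(struct sctp_sock, auto_asconf_list)`, so a member appended after these two would appear to be silently left out of the copy on accept and peeloff. The comment does not name that consumer and drops a word ("will skipped"). Suggested wording: `/* These must be the last fields, as they will be skipped by sctp_copy_descendant() on copies, like on accept and peeloff operations */`.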
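--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1533,8 +1533,10 @@ static void sctp_close(struct sock *sk,
 
 /* Supposedly, no process has access to the socket, but
 * the net layers still may.
+ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
+ * held and that should be grabbed before socket lock.
 */
- local_bh_disable();
+ spin_lock_bh(&net->sctp.addr_wq_lock);
 bh_lock_sock(sk);
 
 /* Hold the sock, since sk_common_release() will put sock_put()
@@ -1544,7 +1546,7 @@ static void sctp_close(struct sock *sk,
 sk_common_release(sk);
 
 bh_unlock_sock(sk);
- local_bh_enable();
+ spin_unlock_bh(&net->sctp.addr_wq_lock);
 
 sock_put(sk);
 
@@ -3587,6 +3589,7 @@ static int sctp_setsockopt_auto_asconf(s
 if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
 return 0;
 
+ spin_lock_bh(&sock_net(sk)->sctp.addr_wq_lock);
 if (val == 0 && sp->do_auto_asconf) {
 list_del(&sp->auto_asconf_list);
 sp->do_auto_asconf = 0;
@@ -3595,6 +3598,7 @@ static int sctp_setsockopt_auto_asconf(s
 &sock_net(sk)->sctp.auto_asconf_splist);
 sp->do_auto_asconf = 1;
 }
+ spin_unlock_bh(&sock_net(sk)->sctp.addr_wq_lock);
 return 0;
 }
 
@@ -4128,18 +4132,28 @@ static int sctp_init_sock(struct sock *s
 local_bh_disable();
 percpu_counter_inc(&sctp_sockets_allocated);
 sock_prot_inuse_add(net, sk->sk_prot, 1);
+
+ /* Nothing can fail after this block, otherwise
+ * sctp_destroy_sock() will be called without addr_wq_lock held
+ */
 if (net->sctp.default_auto_asconf) {
+ spin_lock(&sock_net(sk)->sctp.addr_wq_lock);
 list_add_tail(&sp->auto_asconf_list,
 &net->sctp.auto_asconf_splist);
 sp->do_auto_asconf = 1;
- } else
+ spin_unlock(&sock_net(sk)->sctp.addr_wq_lock);
+ } else {
 sp->do_auto_asconf = 0;
+ }
+
 local_bh_enable();
 
 return 0;
 }
 
-/* Cleanup any SCTP per socket resources. */
+/* Cleanup any SCTP per socket resources. Must be called with
+ * sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true
+ */
 static void sctp_destroy_sock(struct sock *sk)
 {
 struct sctp_sock *sp;
@@ -7202,6 +7216,19 @@ void sctp_copy_sock(struct sock *newsk,
 newinet->mc_list = NULL;
 }
 
+static inline void sctp_copy_descendant(struct sock *sk_to,
+ const struct sock *sk_from)
+{
+ int ancestor_size = sizeof(struct inet_sock) +
+ sizeof(struct sctp_sock) -
+ offsetof(struct sctp_sock, auto_asconf_list);
+
+ if (sk_from->sk_family == PF_INET6)
+ ancestor_size += sizeof(struct ipv6_pinfo);
+
+ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
+}
+
 /* Populate the fields of the newsk from the oldsk and migrate the assoc
 * and its messages to the newsk.
 */
@@ -7216,7 +7243,6 @@ static void sctp_sock_migrate(struct soc
 struct sk_buff *skb, *tmp;
 struct sctp_ulpevent *event;
 struct sctp_bind_hashbucket *head;
- struct list_head tmplist;
 
 /* Migrate socket buffer sizes and all the socket level options to the
 * new socket.
@@ -7224,12 +7250,7 @@ static void sctp_sock_migrate(struct soc
 newsk->sk_sndbuf = oldsk->sk_sndbuf;
 newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
 /* Brute force copy old sctp opt. */
- if (oldsp->do_auto_asconf) {
- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
- inet_sk_copy_descendant(newsk, oldsk);
- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
- } else
- inet_sk_copy_descendant(newsk, oldsk);
+ sctp_copy_descendant(newsk, oldsk);
 
 /* Restore the ep value that was overwritten with the above structure
 * copy.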
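Review bot: The new locking contract on sctp_destroy_sock() (hunk at -4128, comment `Must be called with sock_net(sk)->sctp.addr_wq_lock held if sp->do_auto_asconf is true`) is enforced only by that comment, and the only caller this patch updates is sctp_close(). Any other path that reaches sctp_destroy_sock() with do_auto_asconf set would presumably unlink the socket from auto_asconf_splist without the lock, which is the list corruption this patch sets out to fix. Those callers are outside the visible hunks, so they need checking. Consider making the contract checkable by adding `lockdep_assert_held(&sock_net(sk)->sctp.addr_wq_lock);` in the do_auto_asconf branch of sctp_destroy_sock(), whose body lies outside the hunk.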