leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
e88f2be832
linux/net/tipc
History
Jon Maloy e88f2be832 tipc: fix race condition at topology server receive 
We have identified a race condition during reception of socket
events and messages in the topology server.

- The function tipc_close_conn() is releasing the corresponding
  struct tipc_subscriber instance without considering that there
  may still be items in the receive work queue. When those are
  scheduled, in the function tipc_receive_from_work(), they are
  using the subscriber pointer stored in struct tipc_conn, without
  first checking if this is valid or not. This will sometimes
  lead to crashes, as the next call of tipc_conn_recvmsg() will
  access the now deleted item.
  We fix this by making the usage of this pointer conditional on
  whether the connection is active or not. I.e., we check the condition
  test_bit(CF_CONNECTED) before making the call tipc_conn_recvmsg().

- Since the two functions may be running on different cores, the
  condition test described above is not enough. tipc_close_conn()
  may come in between and delete the subscriber item after the condition
  test is done, but before tipc_conn_recv_msg() is finished. This
  happens less frequently than the problem described above, but leads
  to the same symptoms.

  We fix this by using the existing sk_callback_lock for mutual
  exclusion in the two functions. In addition, we have to move
  a call to tipc_conn_terminate() outside the mentioned lock to
  avoid deadlock.

Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Jon Maloy <jon.maloy@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-01-16 14:42:41 -05:00
..
addr.c tipc: simplify include dependencies 2015-05-14 12:24:45 -04:00
addr.h tipc: introduce constants for tipc address validation 2016-07-26 14:26:42 -07:00
bcast.c tipc: fall back to smaller MTU if allocation of local send skb fails 2017-12-01 15:21:25 -05:00
bcast.h tipc: make replicast a user selectable option 2017-01-20 12:10:17 -05:00
bearer.c tipc: error path leak fixes in tipc_enable_bearer() 2017-12-27 10:54:59 -05:00
bearer.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
core.c netns: make struct pernet_operations::id unsigned int 2016-11-18 10:59:15 -05:00
core.h net: tipc: remove unused hardirq.h 2018-01-08 20:59:25 -05:00
discover.c net: tipc: Convert timers to use timer_setup() 2017-11-01 12:38:45 +09:00
discover.h tipc: eliminate buffer leak in bearer layer 2016-04-07 17:00:13 -04:00
eth_media.c tipc: make media address offset a common define 2015-02-27 18:18:48 -05:00
group.c tipc: improve poll() for group member socket 2018-01-09 12:35:58 -05:00
group.h tipc: improve poll() for group member socket 2018-01-09 12:35:58 -05:00
ib_media.c tipc: rename media/msg related definitions 2015-02-27 18:18:48 -05:00
Kconfig tipc: add ip/udp media type 2015-03-05 22:08:42 -05:00
link.c tipc: fall back to smaller MTU if allocation of local send skb fails 2017-12-01 15:21:25 -05:00
link.h tipc: transfer broadcast nacks in link state messages 2016-09-02 17:10:24 -07:00
Makefile Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-11-04 09:26:51 +09:00
monitor.c tipc: fix tipc_mon_delete() oops in tipc_enable_bearer() error path 2017-12-27 10:55:00 -05:00
monitor.h tipc: dump monitor attributes 2016-07-26 14:26:42 -07:00
msg.c tipc: fall back to smaller MTU if allocation of local send skb fails 2017-12-01 15:21:25 -05:00
msg.h tipc: fall back to smaller MTU if allocation of local send skb fails 2017-12-01 15:21:25 -05:00
name_distr.c tipc: allocate user memory with GFP_KERNEL flag 2017-01-16 13:31:53 -05:00
name_distr.h tipc: reduce code dependency between binding table and node layer 2015-11-20 14:06:10 -05:00
name_table.c tipc: fix bug during lookup of multicast destination nodes 2018-01-15 14:27:13 -05:00
name_table.h tipc: fix bug during lookup of multicast destination nodes 2018-01-15 14:27:13 -05:00
net.c netlink: pass extended ACK struct where available 2017-04-13 13:58:22 -04:00
net.h tipc: add peer removal functionality 2016-08-18 23:36:07 -07:00
netlink_compat.c net: tipc: constify genl_ops 2017-08-23 22:31:38 -07:00
netlink.c netlink: pass extended ACK struct to parsing functions 2017-04-13 13:58:22 -04:00
netlink.h tipc: make cluster size threshold for monitoring configurable 2016-07-26 14:26:42 -07:00
node.c tipc: enforce valid ratio between skb truesize and contents 2017-11-16 10:49:00 +09:00
node.h tipc: introduce communication groups 2017-10-13 08:46:00 -07:00
server.c tipc: fix race condition at topology server receive 2018-01-16 14:42:41 -05:00
server.h tipc: fix race condition at topology server receive 2018-01-16 14:42:41 -05:00
socket.c tipc: fix bug during lookup of multicast destination nodes 2018-01-15 14:27:13 -05:00
socket.h tipc: redesign connection-level flow control 2016-05-03 15:51:16 -04:00
subscr.c tipc: fix race condition at topology server receive 2018-01-16 14:42:41 -05:00
subscr.h tipc: improve groupcast scope handling 2018-01-09 12:35:58 -05:00
sysctl.c tipc: add name distributor resiliency queue 2014-09-01 17:51:48 -07:00
udp_media.c tipc: call tipc_rcv() only if bearer is up in tipc_udp_recv() 2017-12-01 15:14:22 -05:00
udp_media.h tipc: add UDP remoteip dump to netlink API 2016-08-26 21:38:41 -07:00