OpenE2K
/
linux
6
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

tipc: fix deadlock during socket release 

A deadlock might occur if name table is withdrawn in socket release
routine, and while packets are still being received from bearer.

       CPU0                       CPU1
T0:   recv_msg()               release()
T1:   tipc_recv_msg()          tipc_withdraw()
T2:   [grab node lock]         [grab port lock]
T3:   tipc_link_wakeup_ports() tipc_nametbl_withdraw()
T4:   [grab port lock]*        named_cluster_distribute()
T5:   wakeupdispatch()         tipc_link_send()
T6:                            [grab node lock]*

The opposite order of holding port lock and node lock on above two
different paths may result in a deadlock. If socket lock instead of
port lock is used to protect port instance in tipc_withdraw(), the
reverse order of holding port lock and node lock will be eliminated,
as a result, the deadlock is killed as well.

Reported-by: Lars Everbrand <lars.everbrand@ericsson.com>
Reviewed-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
This commit is contained in:
Ying Xue 2013-12-27 10:18:28 +08:00 committed by David S. Miller
parent 8eb9bff0ed
commit 84602761ca
3 changed files with 50 additions and 49 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
net/tipc/port.c
View File

@ -251,18 +251,15 @@ struct tipc_port *tipc_createport(struct sock *sk,
return p_ptr; return p_ptr;
} }
int tipc_deleteport(u32 ref) int tipc_deleteport(struct tipc_port *p_ptr)
{ {
struct tipc_port *p_ptr;
struct sk_buff *buf = NULL; struct sk_buff *buf = NULL;
tipc_withdraw(ref, 0, NULL); tipc_withdraw(p_ptr, 0, NULL);
p_ptr = tipc_port_lock(ref);
if (!p_ptr)
return -EINVAL;
tipc_ref_discard(ref); spin_lock_bh(p_ptr->lock);
tipc_port_unlock(p_ptr); tipc_ref_discard(p_ptr->ref);
spin_unlock_bh(p_ptr->lock);
k_cancel_timer(&p_ptr->timer); k_cancel_timer(&p_ptr->timer);
if (p_ptr->connected) { if (p_ptr->connected) {
@ -704,47 +701,36 @@ int tipc_set_portimportance(u32 ref, unsigned int imp)
} }
int tipc_publish(u32 ref, unsigned int scope, struct tipc_name_seq const *seq) int tipc_publish(struct tipc_port *p_ptr, unsigned int scope,
struct tipc_name_seq const *seq)
{ {
struct tipc_port *p_ptr;
struct publication *publ; struct publication *publ;
u32 key; u32 key;
int res = -EINVAL;
p_ptr = tipc_port_lock(ref);
if (!p_ptr)
return -EINVAL;
if (p_ptr->connected) if (p_ptr->connected)
goto exit; return -EINVAL;
key = ref + p_ptr->pub_count + 1; key = p_ptr->ref + p_ptr->pub_count + 1;
if (key == ref) { if (key == p_ptr->ref)
res = -EADDRINUSE; return -EADDRINUSE;
goto exit;
}
publ = tipc_nametbl_publish(seq->type, seq->lower, seq->upper, publ = tipc_nametbl_publish(seq->type, seq->lower, seq->upper,
scope, p_ptr->ref, key); scope, p_ptr->ref, key);
if (publ) { if (publ) {
list_add(&publ->pport_list, &p_ptr->publications); list_add(&publ->pport_list, &p_ptr->publications);
p_ptr->pub_count++; p_ptr->pub_count++;
p_ptr->published = 1; p_ptr->published = 1;
res = 0; return 0;
} }
exit: return -EINVAL;
tipc_port_unlock(p_ptr);
return res;
} }
int tipc_withdraw(u32 ref, unsigned int scope, struct tipc_name_seq const *seq) int tipc_withdraw(struct tipc_port *p_ptr, unsigned int scope,
struct tipc_name_seq const *seq)
{ {
struct tipc_port *p_ptr;
struct publication *publ; struct publication *publ;
struct publication *tpubl; struct publication *tpubl;
int res = -EINVAL; int res = -EINVAL;
p_ptr = tipc_port_lock(ref);
if (!p_ptr)
return -EINVAL;
if (!seq) { if (!seq) {
list_for_each_entry_safe(publ, tpubl, list_for_each_entry_safe(publ, tpubl,
&p_ptr->publications, pport_list) { &p_ptr->publications, pport_list) {
@ -771,7 +757,6 @@ int tipc_withdraw(u32 ref, unsigned int scope, struct tipc_name_seq const *seq)
} }
if (list_empty(&p_ptr->publications)) if (list_empty(&p_ptr->publications))
p_ptr->published = 0; p_ptr->published = 0;
tipc_port_unlock(p_ptr);
return res; return res;
} }

6
net/tipc/port.h
View File

@ -116,7 +116,7 @@ int tipc_reject_msg(struct sk_buff *buf, u32 err);
void tipc_acknowledge(u32 port_ref, u32 ack); void tipc_acknowledge(u32 port_ref, u32 ack);
int tipc_deleteport(u32 portref); int tipc_deleteport(struct tipc_port *p_ptr);
int tipc_portimportance(u32 portref, unsigned int *importance); int tipc_portimportance(u32 portref, unsigned int *importance);
int tipc_set_portimportance(u32 portref, unsigned int importance); int tipc_set_portimportance(u32 portref, unsigned int importance);
@ -127,9 +127,9 @@ int tipc_set_portunreliable(u32 portref, unsigned int isunreliable);
int tipc_portunreturnable(u32 portref, unsigned int *isunreturnable); int tipc_portunreturnable(u32 portref, unsigned int *isunreturnable);
int tipc_set_portunreturnable(u32 portref, unsigned int isunreturnable); int tipc_set_portunreturnable(u32 portref, unsigned int isunreturnable);
int tipc_publish(u32 portref, unsigned int scope, int tipc_publish(struct tipc_port *p_ptr, unsigned int scope,
struct tipc_name_seq const *name_seq); struct tipc_name_seq const *name_seq);
int tipc_withdraw(u32 portref, unsigned int scope, int tipc_withdraw(struct tipc_port *p_ptr, unsigned int scope,
struct tipc_name_seq const *name_seq); struct tipc_name_seq const *name_seq);
int tipc_connect(u32 portref, struct tipc_portid const *port); int tipc_connect(u32 portref, struct tipc_portid const *port);

46
net/tipc/socket.c
View File

@ -354,7 +354,7 @@ static int release(struct socket *sock)
* Delete TIPC port; this ensures no more messages are queued * Delete TIPC port; this ensures no more messages are queued
* (also disconnects an active connection & sends a 'FIN-' to peer) * (also disconnects an active connection & sends a 'FIN-' to peer)
*/ */
res = tipc_deleteport(tport->ref); res = tipc_deleteport(tport);
/* Discard any remaining (connection-based) messages in receive queue */ /* Discard any remaining (connection-based) messages in receive queue */
__skb_queue_purge(&sk->sk_receive_queue); __skb_queue_purge(&sk->sk_receive_queue);
@ -386,30 +386,46 @@ static int release(struct socket *sock)
*/ */
static int bind(struct socket *sock, struct sockaddr *uaddr, int uaddr_len) static int bind(struct socket *sock, struct sockaddr *uaddr, int uaddr_len)
{ {
struct sock *sk = sock->sk;
struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr; struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
u32 portref = tipc_sk_port(sock->sk)->ref; struct tipc_port *tport = tipc_sk_port(sock->sk);
int res = -EINVAL;
if (unlikely(!uaddr_len)) lock_sock(sk);
return tipc_withdraw(portref, 0, NULL); if (unlikely(!uaddr_len)) {
res = tipc_withdraw(tport, 0, NULL);
goto exit;
}
if (uaddr_len < sizeof(struct sockaddr_tipc)) if (uaddr_len < sizeof(struct sockaddr_tipc)) {
return -EINVAL; res = -EINVAL;
if (addr->family != AF_TIPC) goto exit;
return -EAFNOSUPPORT; }
if (addr->family != AF_TIPC) {
res = -EAFNOSUPPORT;
goto exit;
}
if (addr->addrtype == TIPC_ADDR_NAME) if (addr->addrtype == TIPC_ADDR_NAME)
addr->addr.nameseq.upper = addr->addr.nameseq.lower; addr->addr.nameseq.upper = addr->addr.nameseq.lower;
else if (addr->addrtype != TIPC_ADDR_NAMESEQ) else if (addr->addrtype != TIPC_ADDR_NAMESEQ) {
return -EAFNOSUPPORT; res = -EAFNOSUPPORT;
goto exit;
}
if ((addr->addr.nameseq.type < TIPC_RESERVED_TYPES) && if ((addr->addr.nameseq.type < TIPC_RESERVED_TYPES) &&
(addr->addr.nameseq.type != TIPC_TOP_SRV) && (addr->addr.nameseq.type != TIPC_TOP_SRV) &&
(addr->addr.nameseq.type != TIPC_CFG_SRV)) (addr->addr.nameseq.type != TIPC_CFG_SRV)) {
return -EACCES; res = -EACCES;
goto exit;
}
return (addr->scope > 0) ? res = (addr->scope > 0) ?
tipc_publish(portref, addr->scope, &addr->addr.nameseq) : tipc_publish(tport, addr->scope, &addr->addr.nameseq) :
tipc_withdraw(portref, -addr->scope, &addr->addr.nameseq); tipc_withdraw(tport, -addr->scope, &addr->addr.nameseq);
exit:
release_sock(sk);
return res;
} }
/** /**