tipc: fix deadlock during socket release
A deadlock might occur if the name table is withdrawn in the socket release routine while packets are still being received from the bearer.

       CPU0                        CPU1
T0:    recv_msg()                  release()
T1:    tipc_recv_msg()             tipc_withdraw()
T2:    [grab node lock]            [grab port lock]
T3:    tipc_link_wakeup_ports()    tipc_nametbl_withdraw()
T4:    [grab port lock]*           named_cluster_distribute()
T5:    wakeupdispatch()            tipc_link_send()
T6:                                [grab node lock]*

The opposite order of taking the port lock and the node lock on the two paths above may result in a deadlock. If the socket lock, instead of the port lock, is used to protect the port instance in tipc_withdraw(), the reversed order of holding the port lock and the node lock is eliminated, and with it the deadlock.

Reported-by: Lars Everbrand <lars.everbrand@ericsson.com>
Reviewed-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

committed by
David S. Miller

parent
8eb9bff0ed
commit
84602761ca
@@ -354,7 +354,7 @@ static int release(struct socket *sock)
|
||||
* Delete TIPC port; this ensures no more messages are queued
|
||||
* (also disconnects an active connection & sends a 'FIN-' to peer)
|
||||
*/
|
||||
res = tipc_deleteport(tport->ref);
|
||||
res = tipc_deleteport(tport);
|
||||
|
||||
/* Discard any remaining (connection-based) messages in receive queue */
|
||||
__skb_queue_purge(&sk->sk_receive_queue);
|
||||
@@ -386,30 +386,46 @@ static int release(struct socket *sock)
|
||||
*/
|
||||
static int bind(struct socket *sock, struct sockaddr *uaddr, int uaddr_len)
|
||||
{
|
||||
struct sock *sk = sock->sk;
|
||||
struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
|
||||
u32 portref = tipc_sk_port(sock->sk)->ref;
|
||||
struct tipc_port *tport = tipc_sk_port(sock->sk);
|
||||
int res = -EINVAL;
|
||||
|
||||
if (unlikely(!uaddr_len))
|
||||
return tipc_withdraw(portref, 0, NULL);
|
||||
lock_sock(sk);
|
||||
if (unlikely(!uaddr_len)) {
|
||||
res = tipc_withdraw(tport, 0, NULL);
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (uaddr_len < sizeof(struct sockaddr_tipc))
|
||||
return -EINVAL;
|
||||
if (addr->family != AF_TIPC)
|
||||
return -EAFNOSUPPORT;
|
||||
if (uaddr_len < sizeof(struct sockaddr_tipc)) {
|
||||
res = -EINVAL;
|
||||
goto exit;
|
||||
}
|
||||
if (addr->family != AF_TIPC) {
|
||||
res = -EAFNOSUPPORT;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if (addr->addrtype == TIPC_ADDR_NAME)
|
||||
addr->addr.nameseq.upper = addr->addr.nameseq.lower;
|
||||
else if (addr->addrtype != TIPC_ADDR_NAMESEQ)
|
||||
return -EAFNOSUPPORT;
|
||||
else if (addr->addrtype != TIPC_ADDR_NAMESEQ) {
|
||||
res = -EAFNOSUPPORT;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
if ((addr->addr.nameseq.type < TIPC_RESERVED_TYPES) &&
|
||||
(addr->addr.nameseq.type != TIPC_TOP_SRV) &&
|
||||
(addr->addr.nameseq.type != TIPC_CFG_SRV))
|
||||
return -EACCES;
|
||||
(addr->addr.nameseq.type != TIPC_CFG_SRV)) {
|
||||
res = -EACCES;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
return (addr->scope > 0) ?
|
||||
tipc_publish(portref, addr->scope, &addr->addr.nameseq) :
|
||||
tipc_withdraw(portref, -addr->scope, &addr->addr.nameseq);
|
||||
res = (addr->scope > 0) ?
|
||||
tipc_publish(tport, addr->scope, &addr->addr.nameseq) :
|
||||
tipc_withdraw(tport, -addr->scope, &addr->addr.nameseq);
|
||||
exit:
|
||||
release_sock(sk);
|
||||
return res;
|
||||
}
|
||||
|
||||
/**
|
||||
|
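Review bot: The new locking contract is implicit: `tipc_publish()`, `tipc_withdraw()` and `tipc_deleteport()` now receive the raw `tport` pointer instead of `tport->ref`, so, going by the commit message, they presumably rely on the caller holding the socket lock rather than looking up and locking the port themselves; nothing in these hunks documents or asserts that. In `bind()` the lock is visibly taken, but in the `release()` hunk the `tipc_deleteport(tport)` call sits in a body that starts and ends outside the hunk, so whether `lock_sock()` is held there cannot be confirmed from this page. I would add a comment next to `lock_sock(sk);` in `bind()` such as `/* socket lock protects tport; tipc_publish()/tipc_withdraw() expect it held */`, and state the same requirement in the kernel-doc of the callees so a future caller does not pass an unprotected port. Separately, as a style point, the `else if (addr->addrtype != TIPC_ADDR_NAMESEQ) {` branch is now braced while the preceding `if (addr->addrtype == TIPC_ADDR_NAME)` branch is not; kernel style braces both arms once one of them needs braces.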