672ecbe1c9
In tipc_topsrv_kern_subscr() when s->tipc_conn_new() fails
we call tipc_close_conn() to clean up, but in this case
calling conn_put() is just enough.
This fixes the folllowing crash:
kasan: GPF could be caused by NULL-ptr deref or user memory access
general protection fault: 0000 [#1] SMP KASAN
Dumping ftrace buffer:
(ftrace buffer empty)
Modules linked in:
CPU: 0 PID: 3085 Comm: syzkaller064164 Not tainted 4.15.0-rc1+ #137
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
task: 00000000c24413a5 task.stack: 000000005e8160b5
RIP: 0010:__lock_acquire+0xd55/0x47f0 kernel/locking/lockdep.c:3378
RSP: 0018:ffff8801cb5474a8 EFLAGS: 00010002
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000000000
RDX: 0000000000000004 RSI: 0000000000000000 RDI: ffffffff85ecb400
RBP: ffff8801cb547830 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000000 R11: ffffffff87489d60 R12: ffff8801cd2980c0
R13: 0000000000000000 R14: 0000000000000001 R15: 0000000000000020
FS: 00000000014ee880(0000) GS:ffff8801db400000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffee2426e40 CR3: 00000001cb85a000 CR4: 00000000001406f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
lock_acquire+0x1d5/0x580 kernel/locking/lockdep.c:4004
__raw_spin_lock_bh include/linux/spinlock_api_smp.h:135 [inline]
_raw_spin_lock_bh+0x31/0x40 kernel/locking/spinlock.c:175
spin_lock_bh include/linux/spinlock.h:320 [inline]
tipc_subscrb_subscrp_delete+0x8f/0x470 net/tipc/subscr.c:201
tipc_subscrb_delete net/tipc/subscr.c:238 [inline]
tipc_subscrb_release_cb+0x17/0x30 net/tipc/subscr.c:316
tipc_close_conn+0x171/0x270 net/tipc/server.c:204
tipc_topsrv_kern_subscr+0x724/0x810 net/tipc/server.c:514
tipc_group_create+0x702/0x9c0 net/tipc/group.c:184
tipc_sk_join net/tipc/socket.c:2747 [inline]
tipc_setsockopt+0x249/0xc10 net/tipc/socket.c:2861
SYSC_setsockopt net/socket.c:1851 [inline]
SyS_setsockopt+0x189/0x360 net/socket.c:1830
entry_SYSCALL_64_fastpath+0x1f/0x96
Fixes: 14c04493cb ("tipc: add ability to order and receive topology events in driver")
Reported-by: syzbot <syzkaller@googlegroups.com>
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
706 lines
17 KiB
C
706 lines
17 KiB
C
/*
|
|
* net/tipc/server.c: TIPC server infrastructure
|
|
*
|
|
* Copyright (c) 2012-2013, Wind River Systems
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the names of the copyright holders nor the names of its
|
|
* contributors may be used to endorse or promote products derived from
|
|
* this software without specific prior written permission.
|
|
*
|
|
* Alternatively, this software may be distributed under the terms of the
|
|
* GNU General Public License ("GPL") version 2 as published by the Free
|
|
* Software Foundation.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#include "server.h"
|
|
#include "core.h"
|
|
#include "socket.h"
|
|
#include "addr.h"
|
|
#include "msg.h"
|
|
#include <net/sock.h>
|
|
#include <linux/module.h>
|
|
|
|
/* Number of messages to send before rescheduling */
|
|
#define MAX_SEND_MSG_COUNT 25
|
|
#define MAX_RECV_MSG_COUNT 25
|
|
#define CF_CONNECTED 1
|
|
#define CF_SERVER 2
|
|
|
|
#define sock2con(x) ((struct tipc_conn *)(x)->sk_user_data)
|
|
|
|
/**
|
|
* struct tipc_conn - TIPC connection structure
|
|
* @kref: reference counter to connection object
|
|
* @conid: connection identifier
|
|
* @sock: socket handler associated with connection
|
|
* @flags: indicates connection state
|
|
* @server: pointer to connected server
|
|
* @rwork: receive work item
|
|
* @usr_data: user-specified field
|
|
* @rx_action: what to do when connection socket is active
|
|
* @outqueue: pointer to first outbound message in queue
|
|
* @outqueue_lock: control access to the outqueue
|
|
* @outqueue: list of connection objects for its server
|
|
* @swork: send work item
|
|
*/
|
|
struct tipc_conn {
|
|
struct kref kref;
|
|
int conid;
|
|
struct socket *sock;
|
|
unsigned long flags;
|
|
struct tipc_server *server;
|
|
struct work_struct rwork;
|
|
int (*rx_action) (struct tipc_conn *con);
|
|
void *usr_data;
|
|
struct list_head outqueue;
|
|
spinlock_t outqueue_lock;
|
|
struct work_struct swork;
|
|
};
|
|
|
|
/* An entry waiting to be sent */
|
|
struct outqueue_entry {
|
|
struct list_head list;
|
|
struct kvec iov;
|
|
struct sockaddr_tipc dest;
|
|
};
|
|
|
|
static void tipc_recv_work(struct work_struct *work);
|
|
static void tipc_send_work(struct work_struct *work);
|
|
static void tipc_clean_outqueues(struct tipc_conn *con);
|
|
|
|
static void tipc_conn_kref_release(struct kref *kref)
|
|
{
|
|
struct tipc_conn *con = container_of(kref, struct tipc_conn, kref);
|
|
struct tipc_server *s = con->server;
|
|
struct sockaddr_tipc *saddr = s->saddr;
|
|
struct socket *sock = con->sock;
|
|
struct sock *sk;
|
|
|
|
if (sock) {
|
|
sk = sock->sk;
|
|
if (test_bit(CF_SERVER, &con->flags)) {
|
|
__module_get(sock->ops->owner);
|
|
__module_get(sk->sk_prot_creator->owner);
|
|
}
|
|
saddr->scope = -TIPC_NODE_SCOPE;
|
|
kernel_bind(sock, (struct sockaddr *)saddr, sizeof(*saddr));
|
|
sock_release(sock);
|
|
con->sock = NULL;
|
|
}
|
|
spin_lock_bh(&s->idr_lock);
|
|
idr_remove(&s->conn_idr, con->conid);
|
|
s->idr_in_use--;
|
|
spin_unlock_bh(&s->idr_lock);
|
|
tipc_clean_outqueues(con);
|
|
kfree(con);
|
|
}
|
|
|
|
static void conn_put(struct tipc_conn *con)
|
|
{
|
|
kref_put(&con->kref, tipc_conn_kref_release);
|
|
}
|
|
|
|
static void conn_get(struct tipc_conn *con)
|
|
{
|
|
kref_get(&con->kref);
|
|
}
|
|
|
|
static struct tipc_conn *tipc_conn_lookup(struct tipc_server *s, int conid)
|
|
{
|
|
struct tipc_conn *con;
|
|
|
|
spin_lock_bh(&s->idr_lock);
|
|
con = idr_find(&s->conn_idr, conid);
|
|
if (con && test_bit(CF_CONNECTED, &con->flags))
|
|
conn_get(con);
|
|
else
|
|
con = NULL;
|
|
spin_unlock_bh(&s->idr_lock);
|
|
return con;
|
|
}
|
|
|
|
static void sock_data_ready(struct sock *sk)
|
|
{
|
|
struct tipc_conn *con;
|
|
|
|
read_lock_bh(&sk->sk_callback_lock);
|
|
con = sock2con(sk);
|
|
if (con && test_bit(CF_CONNECTED, &con->flags)) {
|
|
conn_get(con);
|
|
if (!queue_work(con->server->rcv_wq, &con->rwork))
|
|
conn_put(con);
|
|
}
|
|
read_unlock_bh(&sk->sk_callback_lock);
|
|
}
|
|
|
|
static void sock_write_space(struct sock *sk)
|
|
{
|
|
struct tipc_conn *con;
|
|
|
|
read_lock_bh(&sk->sk_callback_lock);
|
|
con = sock2con(sk);
|
|
if (con && test_bit(CF_CONNECTED, &con->flags)) {
|
|
conn_get(con);
|
|
if (!queue_work(con->server->send_wq, &con->swork))
|
|
conn_put(con);
|
|
}
|
|
read_unlock_bh(&sk->sk_callback_lock);
|
|
}
|
|
|
|
static void tipc_register_callbacks(struct socket *sock, struct tipc_conn *con)
|
|
{
|
|
struct sock *sk = sock->sk;
|
|
|
|
write_lock_bh(&sk->sk_callback_lock);
|
|
|
|
sk->sk_data_ready = sock_data_ready;
|
|
sk->sk_write_space = sock_write_space;
|
|
sk->sk_user_data = con;
|
|
|
|
con->sock = sock;
|
|
|
|
write_unlock_bh(&sk->sk_callback_lock);
|
|
}
|
|
|
|
static void tipc_unregister_callbacks(struct tipc_conn *con)
|
|
{
|
|
struct sock *sk = con->sock->sk;
|
|
|
|
write_lock_bh(&sk->sk_callback_lock);
|
|
sk->sk_user_data = NULL;
|
|
write_unlock_bh(&sk->sk_callback_lock);
|
|
}
|
|
|
|
static void tipc_close_conn(struct tipc_conn *con)
|
|
{
|
|
struct tipc_server *s = con->server;
|
|
|
|
if (test_and_clear_bit(CF_CONNECTED, &con->flags)) {
|
|
if (con->sock)
|
|
tipc_unregister_callbacks(con);
|
|
|
|
if (con->conid)
|
|
s->tipc_conn_release(con->conid, con->usr_data);
|
|
|
|
/* We shouldn't flush pending works as we may be in the
|
|
* thread. In fact the races with pending rx/tx work structs
|
|
* are harmless for us here as we have already deleted this
|
|
* connection from server connection list.
|
|
*/
|
|
if (con->sock)
|
|
kernel_sock_shutdown(con->sock, SHUT_RDWR);
|
|
conn_put(con);
|
|
}
|
|
}
|
|
|
|
static struct tipc_conn *tipc_alloc_conn(struct tipc_server *s)
|
|
{
|
|
struct tipc_conn *con;
|
|
int ret;
|
|
|
|
con = kzalloc(sizeof(struct tipc_conn), GFP_ATOMIC);
|
|
if (!con)
|
|
return ERR_PTR(-ENOMEM);
|
|
|
|
kref_init(&con->kref);
|
|
INIT_LIST_HEAD(&con->outqueue);
|
|
spin_lock_init(&con->outqueue_lock);
|
|
INIT_WORK(&con->swork, tipc_send_work);
|
|
INIT_WORK(&con->rwork, tipc_recv_work);
|
|
|
|
spin_lock_bh(&s->idr_lock);
|
|
ret = idr_alloc(&s->conn_idr, con, 0, 0, GFP_ATOMIC);
|
|
if (ret < 0) {
|
|
kfree(con);
|
|
spin_unlock_bh(&s->idr_lock);
|
|
return ERR_PTR(-ENOMEM);
|
|
}
|
|
con->conid = ret;
|
|
s->idr_in_use++;
|
|
spin_unlock_bh(&s->idr_lock);
|
|
|
|
set_bit(CF_CONNECTED, &con->flags);
|
|
con->server = s;
|
|
|
|
return con;
|
|
}
|
|
|
|
static int tipc_receive_from_sock(struct tipc_conn *con)
|
|
{
|
|
struct msghdr msg = {};
|
|
struct tipc_server *s = con->server;
|
|
struct sockaddr_tipc addr;
|
|
struct kvec iov;
|
|
void *buf;
|
|
int ret;
|
|
|
|
buf = kmem_cache_alloc(s->rcvbuf_cache, GFP_ATOMIC);
|
|
if (!buf) {
|
|
ret = -ENOMEM;
|
|
goto out_close;
|
|
}
|
|
|
|
iov.iov_base = buf;
|
|
iov.iov_len = s->max_rcvbuf_size;
|
|
msg.msg_name = &addr;
|
|
ret = kernel_recvmsg(con->sock, &msg, &iov, 1, iov.iov_len,
|
|
MSG_DONTWAIT);
|
|
if (ret <= 0) {
|
|
kmem_cache_free(s->rcvbuf_cache, buf);
|
|
goto out_close;
|
|
}
|
|
|
|
s->tipc_conn_recvmsg(sock_net(con->sock->sk), con->conid, &addr,
|
|
con->usr_data, buf, ret);
|
|
|
|
kmem_cache_free(s->rcvbuf_cache, buf);
|
|
|
|
return 0;
|
|
|
|
out_close:
|
|
if (ret != -EWOULDBLOCK)
|
|
tipc_close_conn(con);
|
|
else if (ret == 0)
|
|
/* Don't return success if we really got EOF */
|
|
ret = -EAGAIN;
|
|
|
|
return ret;
|
|
}
|
|
|
|
static int tipc_accept_from_sock(struct tipc_conn *con)
|
|
{
|
|
struct tipc_server *s = con->server;
|
|
struct socket *sock = con->sock;
|
|
struct socket *newsock;
|
|
struct tipc_conn *newcon;
|
|
int ret;
|
|
|
|
ret = kernel_accept(sock, &newsock, O_NONBLOCK);
|
|
if (ret < 0)
|
|
return ret;
|
|
|
|
newcon = tipc_alloc_conn(con->server);
|
|
if (IS_ERR(newcon)) {
|
|
ret = PTR_ERR(newcon);
|
|
sock_release(newsock);
|
|
return ret;
|
|
}
|
|
|
|
newcon->rx_action = tipc_receive_from_sock;
|
|
tipc_register_callbacks(newsock, newcon);
|
|
|
|
/* Notify that new connection is incoming */
|
|
newcon->usr_data = s->tipc_conn_new(newcon->conid);
|
|
if (!newcon->usr_data) {
|
|
sock_release(newsock);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
/* Wake up receive process in case of 'SYN+' message */
|
|
newsock->sk->sk_data_ready(newsock->sk);
|
|
return ret;
|
|
}
|
|
|
|
static struct socket *tipc_create_listen_sock(struct tipc_conn *con)
|
|
{
|
|
struct tipc_server *s = con->server;
|
|
struct socket *sock = NULL;
|
|
int ret;
|
|
|
|
ret = sock_create_kern(s->net, AF_TIPC, SOCK_SEQPACKET, 0, &sock);
|
|
if (ret < 0)
|
|
return NULL;
|
|
ret = kernel_setsockopt(sock, SOL_TIPC, TIPC_IMPORTANCE,
|
|
(char *)&s->imp, sizeof(s->imp));
|
|
if (ret < 0)
|
|
goto create_err;
|
|
ret = kernel_bind(sock, (struct sockaddr *)s->saddr, sizeof(*s->saddr));
|
|
if (ret < 0)
|
|
goto create_err;
|
|
|
|
switch (s->type) {
|
|
case SOCK_STREAM:
|
|
case SOCK_SEQPACKET:
|
|
con->rx_action = tipc_accept_from_sock;
|
|
|
|
ret = kernel_listen(sock, 0);
|
|
if (ret < 0)
|
|
goto create_err;
|
|
break;
|
|
case SOCK_DGRAM:
|
|
case SOCK_RDM:
|
|
con->rx_action = tipc_receive_from_sock;
|
|
break;
|
|
default:
|
|
pr_err("Unknown socket type %d\n", s->type);
|
|
goto create_err;
|
|
}
|
|
|
|
/* As server's listening socket owner and creator is the same module,
|
|
* we have to decrease TIPC module reference count to guarantee that
|
|
* it remains zero after the server socket is created, otherwise,
|
|
* executing "rmmod" command is unable to make TIPC module deleted
|
|
* after TIPC module is inserted successfully.
|
|
*
|
|
* However, the reference count is ever increased twice in
|
|
* sock_create_kern(): one is to increase the reference count of owner
|
|
* of TIPC socket's proto_ops struct; another is to increment the
|
|
* reference count of owner of TIPC proto struct. Therefore, we must
|
|
* decrement the module reference count twice to ensure that it keeps
|
|
* zero after server's listening socket is created. Of course, we
|
|
* must bump the module reference count twice as well before the socket
|
|
* is closed.
|
|
*/
|
|
module_put(sock->ops->owner);
|
|
module_put(sock->sk->sk_prot_creator->owner);
|
|
set_bit(CF_SERVER, &con->flags);
|
|
|
|
return sock;
|
|
|
|
create_err:
|
|
kernel_sock_shutdown(sock, SHUT_RDWR);
|
|
sock_release(sock);
|
|
return NULL;
|
|
}
|
|
|
|
static int tipc_open_listening_sock(struct tipc_server *s)
|
|
{
|
|
struct socket *sock;
|
|
struct tipc_conn *con;
|
|
|
|
con = tipc_alloc_conn(s);
|
|
if (IS_ERR(con))
|
|
return PTR_ERR(con);
|
|
|
|
sock = tipc_create_listen_sock(con);
|
|
if (!sock) {
|
|
idr_remove(&s->conn_idr, con->conid);
|
|
s->idr_in_use--;
|
|
kfree(con);
|
|
return -EINVAL;
|
|
}
|
|
|
|
tipc_register_callbacks(sock, con);
|
|
return 0;
|
|
}
|
|
|
|
static struct outqueue_entry *tipc_alloc_entry(void *data, int len)
|
|
{
|
|
struct outqueue_entry *entry;
|
|
void *buf;
|
|
|
|
entry = kmalloc(sizeof(struct outqueue_entry), GFP_ATOMIC);
|
|
if (!entry)
|
|
return NULL;
|
|
|
|
buf = kmemdup(data, len, GFP_ATOMIC);
|
|
if (!buf) {
|
|
kfree(entry);
|
|
return NULL;
|
|
}
|
|
|
|
entry->iov.iov_base = buf;
|
|
entry->iov.iov_len = len;
|
|
|
|
return entry;
|
|
}
|
|
|
|
static void tipc_free_entry(struct outqueue_entry *e)
|
|
{
|
|
kfree(e->iov.iov_base);
|
|
kfree(e);
|
|
}
|
|
|
|
static void tipc_clean_outqueues(struct tipc_conn *con)
|
|
{
|
|
struct outqueue_entry *e, *safe;
|
|
|
|
spin_lock_bh(&con->outqueue_lock);
|
|
list_for_each_entry_safe(e, safe, &con->outqueue, list) {
|
|
list_del(&e->list);
|
|
tipc_free_entry(e);
|
|
}
|
|
spin_unlock_bh(&con->outqueue_lock);
|
|
}
|
|
|
|
int tipc_conn_sendmsg(struct tipc_server *s, int conid,
|
|
struct sockaddr_tipc *addr, void *data, size_t len)
|
|
{
|
|
struct outqueue_entry *e;
|
|
struct tipc_conn *con;
|
|
|
|
con = tipc_conn_lookup(s, conid);
|
|
if (!con)
|
|
return -EINVAL;
|
|
|
|
if (!test_bit(CF_CONNECTED, &con->flags)) {
|
|
conn_put(con);
|
|
return 0;
|
|
}
|
|
|
|
e = tipc_alloc_entry(data, len);
|
|
if (!e) {
|
|
conn_put(con);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
if (addr)
|
|
memcpy(&e->dest, addr, sizeof(struct sockaddr_tipc));
|
|
|
|
spin_lock_bh(&con->outqueue_lock);
|
|
list_add_tail(&e->list, &con->outqueue);
|
|
spin_unlock_bh(&con->outqueue_lock);
|
|
|
|
if (!queue_work(s->send_wq, &con->swork))
|
|
conn_put(con);
|
|
return 0;
|
|
}
|
|
|
|
void tipc_conn_terminate(struct tipc_server *s, int conid)
|
|
{
|
|
struct tipc_conn *con;
|
|
|
|
con = tipc_conn_lookup(s, conid);
|
|
if (con) {
|
|
tipc_close_conn(con);
|
|
conn_put(con);
|
|
}
|
|
}
|
|
|
|
bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type,
|
|
u32 lower, u32 upper, int *conid)
|
|
{
|
|
struct tipc_subscriber *scbr;
|
|
struct tipc_subscr sub;
|
|
struct tipc_server *s;
|
|
struct tipc_conn *con;
|
|
|
|
sub.seq.type = type;
|
|
sub.seq.lower = lower;
|
|
sub.seq.upper = upper;
|
|
sub.timeout = TIPC_WAIT_FOREVER;
|
|
sub.filter = TIPC_SUB_PORTS;
|
|
*(u32 *)&sub.usr_handle = port;
|
|
|
|
con = tipc_alloc_conn(tipc_topsrv(net));
|
|
if (IS_ERR(con))
|
|
return false;
|
|
|
|
*conid = con->conid;
|
|
s = con->server;
|
|
scbr = s->tipc_conn_new(*conid);
|
|
if (!scbr) {
|
|
conn_put(con);
|
|
return false;
|
|
}
|
|
|
|
con->usr_data = scbr;
|
|
con->sock = NULL;
|
|
s->tipc_conn_recvmsg(net, *conid, NULL, scbr, &sub, sizeof(sub));
|
|
return true;
|
|
}
|
|
|
|
void tipc_topsrv_kern_unsubscr(struct net *net, int conid)
|
|
{
|
|
struct tipc_conn *con;
|
|
|
|
con = tipc_conn_lookup(tipc_topsrv(net), conid);
|
|
if (!con)
|
|
return;
|
|
tipc_close_conn(con);
|
|
conn_put(con);
|
|
}
|
|
|
|
static void tipc_send_kern_top_evt(struct net *net, struct tipc_event *evt)
|
|
{
|
|
u32 port = *(u32 *)&evt->s.usr_handle;
|
|
u32 self = tipc_own_addr(net);
|
|
struct sk_buff_head evtq;
|
|
struct sk_buff *skb;
|
|
|
|
skb = tipc_msg_create(TOP_SRV, 0, INT_H_SIZE, sizeof(*evt),
|
|
self, self, port, port, 0);
|
|
if (!skb)
|
|
return;
|
|
msg_set_dest_droppable(buf_msg(skb), true);
|
|
memcpy(msg_data(buf_msg(skb)), evt, sizeof(*evt));
|
|
skb_queue_head_init(&evtq);
|
|
__skb_queue_tail(&evtq, skb);
|
|
tipc_sk_rcv(net, &evtq);
|
|
}
|
|
|
|
static void tipc_send_to_sock(struct tipc_conn *con)
|
|
{
|
|
struct tipc_server *s = con->server;
|
|
struct outqueue_entry *e;
|
|
struct tipc_event *evt;
|
|
struct msghdr msg;
|
|
int count = 0;
|
|
int ret;
|
|
|
|
spin_lock_bh(&con->outqueue_lock);
|
|
while (test_bit(CF_CONNECTED, &con->flags)) {
|
|
e = list_entry(con->outqueue.next, struct outqueue_entry, list);
|
|
if ((struct list_head *) e == &con->outqueue)
|
|
break;
|
|
|
|
spin_unlock_bh(&con->outqueue_lock);
|
|
|
|
if (con->sock) {
|
|
memset(&msg, 0, sizeof(msg));
|
|
msg.msg_flags = MSG_DONTWAIT;
|
|
if (s->type == SOCK_DGRAM || s->type == SOCK_RDM) {
|
|
msg.msg_name = &e->dest;
|
|
msg.msg_namelen = sizeof(struct sockaddr_tipc);
|
|
}
|
|
ret = kernel_sendmsg(con->sock, &msg, &e->iov, 1,
|
|
e->iov.iov_len);
|
|
if (ret == -EWOULDBLOCK || ret == 0) {
|
|
cond_resched();
|
|
goto out;
|
|
} else if (ret < 0) {
|
|
goto send_err;
|
|
}
|
|
} else {
|
|
evt = e->iov.iov_base;
|
|
tipc_send_kern_top_evt(s->net, evt);
|
|
}
|
|
/* Don't starve users filling buffers */
|
|
if (++count >= MAX_SEND_MSG_COUNT) {
|
|
cond_resched();
|
|
count = 0;
|
|
}
|
|
|
|
spin_lock_bh(&con->outqueue_lock);
|
|
list_del(&e->list);
|
|
tipc_free_entry(e);
|
|
}
|
|
spin_unlock_bh(&con->outqueue_lock);
|
|
out:
|
|
return;
|
|
|
|
send_err:
|
|
tipc_close_conn(con);
|
|
}
|
|
|
|
static void tipc_recv_work(struct work_struct *work)
|
|
{
|
|
struct tipc_conn *con = container_of(work, struct tipc_conn, rwork);
|
|
int count = 0;
|
|
|
|
while (test_bit(CF_CONNECTED, &con->flags)) {
|
|
if (con->rx_action(con))
|
|
break;
|
|
|
|
/* Don't flood Rx machine */
|
|
if (++count >= MAX_RECV_MSG_COUNT) {
|
|
cond_resched();
|
|
count = 0;
|
|
}
|
|
}
|
|
conn_put(con);
|
|
}
|
|
|
|
static void tipc_send_work(struct work_struct *work)
|
|
{
|
|
struct tipc_conn *con = container_of(work, struct tipc_conn, swork);
|
|
|
|
if (test_bit(CF_CONNECTED, &con->flags))
|
|
tipc_send_to_sock(con);
|
|
|
|
conn_put(con);
|
|
}
|
|
|
|
static void tipc_work_stop(struct tipc_server *s)
|
|
{
|
|
destroy_workqueue(s->rcv_wq);
|
|
destroy_workqueue(s->send_wq);
|
|
}
|
|
|
|
static int tipc_work_start(struct tipc_server *s)
|
|
{
|
|
s->rcv_wq = alloc_ordered_workqueue("tipc_rcv", 0);
|
|
if (!s->rcv_wq) {
|
|
pr_err("can't start tipc receive workqueue\n");
|
|
return -ENOMEM;
|
|
}
|
|
|
|
s->send_wq = alloc_ordered_workqueue("tipc_send", 0);
|
|
if (!s->send_wq) {
|
|
pr_err("can't start tipc send workqueue\n");
|
|
destroy_workqueue(s->rcv_wq);
|
|
return -ENOMEM;
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
int tipc_server_start(struct tipc_server *s)
|
|
{
|
|
int ret;
|
|
|
|
spin_lock_init(&s->idr_lock);
|
|
idr_init(&s->conn_idr);
|
|
s->idr_in_use = 0;
|
|
|
|
s->rcvbuf_cache = kmem_cache_create(s->name, s->max_rcvbuf_size,
|
|
0, SLAB_HWCACHE_ALIGN, NULL);
|
|
if (!s->rcvbuf_cache)
|
|
return -ENOMEM;
|
|
|
|
ret = tipc_work_start(s);
|
|
if (ret < 0) {
|
|
kmem_cache_destroy(s->rcvbuf_cache);
|
|
return ret;
|
|
}
|
|
ret = tipc_open_listening_sock(s);
|
|
if (ret < 0) {
|
|
tipc_work_stop(s);
|
|
kmem_cache_destroy(s->rcvbuf_cache);
|
|
return ret;
|
|
}
|
|
return ret;
|
|
}
|
|
|
|
void tipc_server_stop(struct tipc_server *s)
|
|
{
|
|
struct tipc_conn *con;
|
|
int id;
|
|
|
|
spin_lock_bh(&s->idr_lock);
|
|
for (id = 0; s->idr_in_use; id++) {
|
|
con = idr_find(&s->conn_idr, id);
|
|
if (con) {
|
|
spin_unlock_bh(&s->idr_lock);
|
|
tipc_close_conn(con);
|
|
spin_lock_bh(&s->idr_lock);
|
|
}
|
|
}
|
|
spin_unlock_bh(&s->idr_lock);
|
|
|
|
tipc_work_stop(s);
|
|
kmem_cache_destroy(s->rcvbuf_cache);
|
|
idr_destroy(&s->conn_idr);
|
|
}
|