linux/net/rds
Sowmini Varadhan 9c79440e2c RDS: TCP: fix race windows in send-path quiescence by rds_tcp_accept_one()
The send path needs to be quiesced before resetting callbacks from
rds_tcp_accept_one(), and commit eb19284026 ("RDS:TCP: Synchronize
rds_tcp_accept_one with rds_send_xmit when resetting t_sock") achieves
this using the c_state and RDS_IN_XMIT bit following the pattern
used by rds_conn_shutdown(). However this leaves the possibility
of a race window as shown in the sequence below:
    take t_conn_lock in rds_tcp_conn_connect
    send outgoing syn to peer
    drop t_conn_lock in rds_tcp_conn_connect
    incoming from peer triggers rds_tcp_accept_one, conn is
	marked CONNECTING
    wait for RDS_IN_XMIT to quiesce any rds_send_xmit threads
    call rds_tcp_reset_callbacks
    [.. race-window where incoming syn-ack can cause the conn
	to be marked UP from rds_tcp_state_change ..]
    lock_sock called from rds_tcp_reset_callbacks, and we set
	t_sock to null
As soon as the conn is marked UP in the race-window above, rds_send_xmit()
threads will proceed to rds_tcp_xmit and may encounter a null-pointer
deref on the t_sock.

Given that rds_tcp_state_change() is invoked in softirq context, whereas
rds_tcp_reset_callbacks() is in workq context, and testing for RDS_IN_XMIT
after lock_sock could result in a deadlock with tcp_sendmsg, this
commit fixes the race by using a new c_state, RDS_TCP_RESETTING, which
will prevent a transition to RDS_CONN_UP from rds_tcp_state_change().

Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-06-07 15:10:15 -07:00
..
af_rds.c RDS: Add support for SO_TIMESTAMP for incoming messages 2016-03-02 14:13:17 -05:00
bind.c RDS: convert bind hash table to re-sizable hashtable 2015-11-02 15:36:23 -05:00
cong.c RDS: Fix the atomicity for congestion map update 2016-04-16 19:01:05 -04:00
connection.c RDS: fix race condition when sending a message on unbound socket 2015-11-24 17:20:09 -05:00
ib_cm.c RDS: fix endianness for dp_ack_seq 2016-04-16 19:01:05 -04:00
ib_fmr.c RDS: IB: move FMR code to its own file 2016-03-02 14:13:18 -05:00
ib_frmr.c IB/core: Add passing an offset into the SG to ib_map_mr_sg 2016-05-13 13:37:11 -04:00
ib_mr.h RDS: IB: Support Fastreg MR (FRMR) memory registration mode 2016-03-02 14:13:19 -05:00
ib_rdma.c RDS: IB: Support Fastreg MR (FRMR) memory registration mode 2016-03-02 14:13:19 -05:00
ib_recv.c RDS: fix congestion map corruption for PAGE_SIZE > 4k 2016-04-07 16:58:28 -04:00
ib_ring.c
ib_send.c RDS: IB: Remove the RDS_IB_SEND_OP dependency 2016-03-02 14:13:17 -05:00
ib_stats.c RDS: IB: add mr reused stats 2016-03-02 14:13:19 -05:00
ib_sysctl.c net: Convert uses of typedef ctl_table to struct ctl_table 2013-06-13 02:36:09 -07:00
ib.c RDS: IB: add Fastreg MR (FRMR) detection support 2016-03-02 14:13:19 -05:00
ib.h RDS: IB: Support Fastreg MR (FRMR) memory registration mode 2016-03-02 14:13:19 -05:00
info.c rds: fix an integer overflow test in rds_info_getsockopt() 2015-08-03 15:20:16 -07:00
info.h
Kconfig RDS: Drop stale iWARP RDMA transport 2016-03-02 14:13:17 -05:00
loop.c RDS: use gfp flags from caller in conn_alloc() 2012-03-22 19:29:58 -04:00
loop.h
Makefile RDS: IB: Support Fastreg MR (FRMR) memory registration mode 2016-03-02 14:13:19 -05:00
message.c rds: Make rds_message_copy_from_user() return 0 on success. 2015-02-07 22:41:56 -08:00
page.c RDS: memory allocated must be align to 8 2016-04-07 16:58:27 -04:00
rdma_transport.c RDS: IB: handle the RDMA CM time wait event 2016-03-02 14:13:19 -05:00
rdma_transport.h RDS: Drop stale iWARP RDMA transport 2016-03-02 14:13:17 -05:00
rdma.c RDS: Fix rds MR reference count in rds_rdma_unuse() 2015-08-25 16:28:10 -07:00
rds.h RDS: TCP: fix race windows in send-path quiescence by rds_tcp_accept_one() 2016-06-07 15:10:15 -07:00
recv.c rds: fix an infoleak in rds_inc_info_copy 2016-06-02 21:32:37 -07:00
send.c RDS: TCP: Retransmit half-sent datagrams when switching sockets in rds_tcp_reset_callbacks 2016-06-07 15:10:15 -07:00
stats.c net/rds: zero last byte for strncpy 2013-03-08 00:35:44 -05:00
sysctl.c net: rds: use correct size for max unacked packets and bytes 2015-02-04 16:07:27 -08:00
tcp_connect.c RDS: TCP: fix race windows in send-path quiescence by rds_tcp_accept_one() 2016-06-07 15:10:15 -07:00
tcp_listen.c RDS: TCP: fix race windows in send-path quiescence by rds_tcp_accept_one() 2016-06-07 15:10:15 -07:00
tcp_recv.c rds: tcp: block BH in TCP callbacks 2016-05-19 11:36:49 -07:00
tcp_send.c rds: tcp: block BH in TCP callbacks 2016-05-19 11:36:49 -07:00
tcp_stats.c net: rds: fix const array syntax 2011-07-01 16:16:19 -07:00
tcp.c RDS: TCP: fix race windows in send-path quiescence by rds_tcp_accept_one() 2016-06-07 15:10:15 -07:00
tcp.h RDS: TCP: Add/use rds_tcp_reset_callbacks to reset tcp socket safely 2016-06-07 15:10:15 -07:00
threads.c RDS: TCP: fix race windows in send-path quiescence by rds_tcp_accept_one() 2016-06-07 15:10:15 -07:00
transport.c RDS-TCP: Make RDS-TCP work correctly when it is set up in a netns other than init_net 2015-08-07 11:29:57 -07:00