e88f2be832
We have identified a race condition during reception of socket events and messages in the topology server. - The function tipc_close_conn() is releasing the corresponding struct tipc_subscriber instance without considering that there may still be items in the receive work queue. When those are scheduled, in the function tipc_receive_from_work(), they are using the subscriber pointer stored in struct tipc_conn, without first checking if this is valid or not. This will sometimes lead to crashes, as the next call of tipc_conn_recvmsg() will access the now deleted item. We fix this by making the usage of this pointer conditional on whether the connection is active or not. I.e., we check the condition test_bit(CF_CONNECTED) before making the call tipc_conn_recvmsg(). - Since the two functions may be running on different cores, the condition test described above is not enough. tipc_close_conn() may come in between and delete the subscriber item after the condition test is done, but before tipc_conn_recv_msg() is finished. This happens less frequently than the problem described above, but leads to the same symptoms. We fix this by using the existing sk_callback_lock for mutual exclusion in the two functions. In addition, we have to move a call to tipc_conn_terminate() outside the mentioned lock to avoid deadlock. Acked-by: Ying Xue <ying.xue@windriver.com> Signed-off-by: Jon Maloy <jon.maloy@ericsson.com> Signed-off-by: David S. Miller <davem@davemloft.net>
104 lines
3.9 KiB
C
104 lines
3.9 KiB
C
/*
|
|
* net/tipc/server.h: Include file for TIPC server code
|
|
*
|
|
* Copyright (c) 2012-2013, Wind River Systems
|
|
* All rights reserved.
|
|
*
|
|
* Redistribution and use in source and binary forms, with or without
|
|
* modification, are permitted provided that the following conditions are met:
|
|
*
|
|
* 1. Redistributions of source code must retain the above copyright
|
|
* notice, this list of conditions and the following disclaimer.
|
|
* 2. Redistributions in binary form must reproduce the above copyright
|
|
* notice, this list of conditions and the following disclaimer in the
|
|
* documentation and/or other materials provided with the distribution.
|
|
* 3. Neither the names of the copyright holders nor the names of its
|
|
* contributors may be used to endorse or promote products derived from
|
|
* this software without specific prior written permission.
|
|
*
|
|
* Alternatively, this software may be distributed under the terms of the
|
|
* GNU General Public License ("GPL") version 2 as published by the Free
|
|
* Software Foundation.
|
|
*
|
|
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS"
|
|
* AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
|
|
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
|
|
* ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE
|
|
* LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
|
|
* CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
|
|
* SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
|
|
* INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
|
|
* CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
|
|
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
|
|
* POSSIBILITY OF SUCH DAMAGE.
|
|
*/
|
|
|
|
#ifndef _TIPC_SERVER_H
|
|
#define _TIPC_SERVER_H
|
|
|
|
#include <linux/idr.h>
|
|
#include <linux/tipc.h>
|
|
#include <net/net_namespace.h>
|
|
|
|
#define TIPC_SERVER_NAME_LEN 32
|
|
#define TIPC_SUB_CLUSTER_SCOPE 0x20
|
|
#define TIPC_SUB_NODE_SCOPE 0x40
|
|
#define TIPC_SUB_NO_STATUS 0x80
|
|
|
|
/**
|
|
* struct tipc_server - TIPC server structure
|
|
* @conn_idr: identifier set of connection
|
|
* @idr_lock: protect the connection identifier set
|
|
* @idr_in_use: amount of allocated identifier entry
|
|
* @net: network namspace instance
|
|
* @rcvbuf_cache: memory cache of server receive buffer
|
|
* @rcv_wq: receive workqueue
|
|
* @send_wq: send workqueue
|
|
* @max_rcvbuf_size: maximum permitted receive message length
|
|
* @tipc_conn_new: callback will be called when new connection is incoming
|
|
* @tipc_conn_release: callback will be called before releasing the connection
|
|
* @tipc_conn_recvmsg: callback will be called when message arrives
|
|
* @saddr: TIPC server address
|
|
* @name: server name
|
|
* @imp: message importance
|
|
* @type: socket type
|
|
*/
|
|
struct tipc_server {
|
|
struct idr conn_idr;
|
|
spinlock_t idr_lock;
|
|
int idr_in_use;
|
|
struct net *net;
|
|
struct kmem_cache *rcvbuf_cache;
|
|
struct workqueue_struct *rcv_wq;
|
|
struct workqueue_struct *send_wq;
|
|
int max_rcvbuf_size;
|
|
void *(*tipc_conn_new)(int conid);
|
|
void (*tipc_conn_release)(int conid, void *usr_data);
|
|
int (*tipc_conn_recvmsg)(struct net *net, int conid,
|
|
struct sockaddr_tipc *addr, void *usr_data,
|
|
void *buf, size_t len);
|
|
struct sockaddr_tipc *saddr;
|
|
char name[TIPC_SERVER_NAME_LEN];
|
|
int imp;
|
|
int type;
|
|
};
|
|
|
|
int tipc_conn_sendmsg(struct tipc_server *s, int conid,
|
|
struct sockaddr_tipc *addr, void *data, size_t len);
|
|
|
|
bool tipc_topsrv_kern_subscr(struct net *net, u32 port, u32 type, u32 lower,
|
|
u32 upper, u32 filter, int *conid);
|
|
void tipc_topsrv_kern_unsubscr(struct net *net, int conid);
|
|
|
|
/**
|
|
* tipc_conn_terminate - terminate connection with server
|
|
*
|
|
* Note: Must call it in process context since it might sleep
|
|
*/
|
|
void tipc_conn_terminate(struct tipc_server *s, int conid);
|
|
int tipc_server_start(struct tipc_server *s);
|
|
|
|
void tipc_server_stop(struct tipc_server *s);
|
|
|
|
#endif
|