Commit 134af346 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller

[DCCP]: Fix sock_orphan dead lock

Calling sock_orphan inside bh_lock_sock in dccp_close can lead to dead
locks.  For example, the inet_diag code holds sk_callback_lock without
disabling BH.  If an inbound packet arrives during that admittedly tiny
window, it will cause a dead lock on bh_lock_sock.  Another possible
path would be through sock_wfree if the network device driver frees the
tx skb in process context with BH enabled.

We can fix this by moving sock_orphan out of bh_lock_sock.

The tricky bit is to work out when we need to destroy the socket
ourselves and when it has already been destroyed by someone else.

By moving sock_orphan before the release_sock we can solve this
problem.  This is because as long as we own the socket lock its
state cannot change.

So we simply record the socket state before the release_sock
and then check the state again after we regain the socket lock.
If the socket state has transitioned to DCCP_CLOSED in the time being,
we know that the socket has been destroyed.  Otherwise the socket is
still ours to keep.

This problem was discoverd by Ingo Molnar using his lock validator.
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 1c29fc49
...@@ -848,6 +848,7 @@ static int dccp_close_state(struct sock *sk) ...@@ -848,6 +848,7 @@ static int dccp_close_state(struct sock *sk)
void dccp_close(struct sock *sk, long timeout) void dccp_close(struct sock *sk, long timeout)
{ {
struct sk_buff *skb; struct sk_buff *skb;
int state;
lock_sock(sk); lock_sock(sk);
...@@ -882,6 +883,11 @@ void dccp_close(struct sock *sk, long timeout) ...@@ -882,6 +883,11 @@ void dccp_close(struct sock *sk, long timeout)
sk_stream_wait_close(sk, timeout); sk_stream_wait_close(sk, timeout);
adjudge_to_death: adjudge_to_death:
state = sk->sk_state;
sock_hold(sk);
sock_orphan(sk);
atomic_inc(sk->sk_prot->orphan_count);
/* /*
* It is the last release_sock in its life. It will remove backlog. * It is the last release_sock in its life. It will remove backlog.
*/ */
...@@ -894,8 +900,9 @@ void dccp_close(struct sock *sk, long timeout) ...@@ -894,8 +900,9 @@ void dccp_close(struct sock *sk, long timeout)
bh_lock_sock(sk); bh_lock_sock(sk);
BUG_TRAP(!sock_owned_by_user(sk)); BUG_TRAP(!sock_owned_by_user(sk));
sock_hold(sk); /* Have we already been destroyed by a softirq or backlog? */
sock_orphan(sk); if (state != DCCP_CLOSED && sk->sk_state == DCCP_CLOSED)
goto out;
/* /*
* The last release_sock may have processed the CLOSE or RESET * The last release_sock may have processed the CLOSE or RESET
...@@ -915,12 +922,12 @@ void dccp_close(struct sock *sk, long timeout) ...@@ -915,12 +922,12 @@ void dccp_close(struct sock *sk, long timeout)
#endif #endif
} }
atomic_inc(sk->sk_prot->orphan_count);
if (sk->sk_state == DCCP_CLOSED) if (sk->sk_state == DCCP_CLOSED)
inet_csk_destroy_sock(sk); inet_csk_destroy_sock(sk);
/* Otherwise, socket is reprieved until protocol close. */ /* Otherwise, socket is reprieved until protocol close. */
out:
bh_unlock_sock(sk); bh_unlock_sock(sk);
local_bh_enable(); local_bh_enable();
sock_put(sk); sock_put(sk);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment