mirror of
https://mirrors.bfsu.edu.cn/git/linux.git
synced 2024-12-12 21:44:06 +08:00
9ed7bfc795
When sctp_stream_outq_migrate() is called to release stream out resources,
the memory pointed to by prio_head in stream out is not released.
The memory leak information is as follows:
unreferenced object 0xffff88801fe79f80 (size 64):
comm "sctp_repo", pid 7957, jiffies 4294951704 (age 36.480s)
hex dump (first 32 bytes):
80 9f e7 1f 80 88 ff ff 80 9f e7 1f 80 88 ff ff ................
90 9f e7 1f 80 88 ff ff 90 9f e7 1f 80 88 ff ff ................
backtrace:
[<ffffffff81b215c6>] kmalloc_trace+0x26/0x60
[<ffffffff88ae517c>] sctp_sched_prio_set+0x4cc/0x770
[<ffffffff88ad64f2>] sctp_stream_init_ext+0xd2/0x1b0
[<ffffffff88aa2604>] sctp_sendmsg_to_asoc+0x1614/0x1a30
[<ffffffff88ab7ff1>] sctp_sendmsg+0xda1/0x1ef0
[<ffffffff87f765ed>] inet_sendmsg+0x9d/0xe0
[<ffffffff8754b5b3>] sock_sendmsg+0xd3/0x120
[<ffffffff8755446a>] __sys_sendto+0x23a/0x340
[<ffffffff87554651>] __x64_sys_sendto+0xe1/0x1b0
[<ffffffff89978b49>] do_syscall_64+0x39/0xb0
[<ffffffff89a0008b>] entry_SYSCALL_64_after_hwframe+0x63/0xcd
Link: https://syzkaller.appspot.com/bug?exrid=29c402e56c4760763cc0
Fixes: 637784ade2
("sctp: introduce priority based stream scheduler")
Reported-by: syzbot+29c402e56c4760763cc0@syzkaller.appspotmail.com
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Link: https://lore.kernel.org/r/20221126031720.378562-1-shaozhengchao@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
276 lines
6.1 KiB
C
276 lines
6.1 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/* SCTP kernel implementation
|
|
* (C) Copyright Red Hat Inc. 2017
|
|
*
|
|
* This file is part of the SCTP kernel implementation
|
|
*
|
|
* These functions manipulate sctp stream queue/scheduling.
|
|
*
|
|
* Please send any bug reports or fixes you make to the
|
|
* email addresched(es):
|
|
* lksctp developers <linux-sctp@vger.kernel.org>
|
|
*
|
|
* Written or modified by:
|
|
* Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
|
|
*/
|
|
|
|
#include <linux/list.h>
|
|
#include <net/sctp/sctp.h>
|
|
#include <net/sctp/sm.h>
|
|
#include <net/sctp/stream_sched.h>
|
|
|
|
/* First Come First Serve (a.k.a. FIFO)
|
|
* RFC DRAFT ndata Section 3.1
|
|
*/
|
|
static int sctp_sched_fcfs_set(struct sctp_stream *stream, __u16 sid,
|
|
__u16 value, gfp_t gfp)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static int sctp_sched_fcfs_get(struct sctp_stream *stream, __u16 sid,
|
|
__u16 *value)
|
|
{
|
|
*value = 0;
|
|
return 0;
|
|
}
|
|
|
|
static int sctp_sched_fcfs_init(struct sctp_stream *stream)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static int sctp_sched_fcfs_init_sid(struct sctp_stream *stream, __u16 sid,
|
|
gfp_t gfp)
|
|
{
|
|
return 0;
|
|
}
|
|
|
|
static void sctp_sched_fcfs_free_sid(struct sctp_stream *stream, __u16 sid)
|
|
{
|
|
}
|
|
|
|
static void sctp_sched_fcfs_free(struct sctp_stream *stream)
|
|
{
|
|
}
|
|
|
|
static void sctp_sched_fcfs_enqueue(struct sctp_outq *q,
|
|
struct sctp_datamsg *msg)
|
|
{
|
|
}
|
|
|
|
static struct sctp_chunk *sctp_sched_fcfs_dequeue(struct sctp_outq *q)
|
|
{
|
|
struct sctp_stream *stream = &q->asoc->stream;
|
|
struct sctp_chunk *ch = NULL;
|
|
struct list_head *entry;
|
|
|
|
if (list_empty(&q->out_chunk_list))
|
|
goto out;
|
|
|
|
if (stream->out_curr) {
|
|
ch = list_entry(stream->out_curr->ext->outq.next,
|
|
struct sctp_chunk, stream_list);
|
|
} else {
|
|
entry = q->out_chunk_list.next;
|
|
ch = list_entry(entry, struct sctp_chunk, list);
|
|
}
|
|
|
|
sctp_sched_dequeue_common(q, ch);
|
|
|
|
out:
|
|
return ch;
|
|
}
|
|
|
|
static void sctp_sched_fcfs_dequeue_done(struct sctp_outq *q,
|
|
struct sctp_chunk *chunk)
|
|
{
|
|
}
|
|
|
|
static void sctp_sched_fcfs_sched_all(struct sctp_stream *stream)
|
|
{
|
|
}
|
|
|
|
static void sctp_sched_fcfs_unsched_all(struct sctp_stream *stream)
|
|
{
|
|
}
|
|
|
|
static struct sctp_sched_ops sctp_sched_fcfs = {
|
|
.set = sctp_sched_fcfs_set,
|
|
.get = sctp_sched_fcfs_get,
|
|
.init = sctp_sched_fcfs_init,
|
|
.init_sid = sctp_sched_fcfs_init_sid,
|
|
.free_sid = sctp_sched_fcfs_free_sid,
|
|
.free = sctp_sched_fcfs_free,
|
|
.enqueue = sctp_sched_fcfs_enqueue,
|
|
.dequeue = sctp_sched_fcfs_dequeue,
|
|
.dequeue_done = sctp_sched_fcfs_dequeue_done,
|
|
.sched_all = sctp_sched_fcfs_sched_all,
|
|
.unsched_all = sctp_sched_fcfs_unsched_all,
|
|
};
|
|
|
|
static void sctp_sched_ops_fcfs_init(void)
|
|
{
|
|
sctp_sched_ops_register(SCTP_SS_FCFS, &sctp_sched_fcfs);
|
|
}
|
|
|
|
/* API to other parts of the stack */
|
|
|
|
static struct sctp_sched_ops *sctp_sched_ops[SCTP_SS_MAX + 1];
|
|
|
|
void sctp_sched_ops_register(enum sctp_sched_type sched,
|
|
struct sctp_sched_ops *sched_ops)
|
|
{
|
|
sctp_sched_ops[sched] = sched_ops;
|
|
}
|
|
|
|
void sctp_sched_ops_init(void)
|
|
{
|
|
sctp_sched_ops_fcfs_init();
|
|
sctp_sched_ops_prio_init();
|
|
sctp_sched_ops_rr_init();
|
|
}
|
|
|
|
int sctp_sched_set_sched(struct sctp_association *asoc,
|
|
enum sctp_sched_type sched)
|
|
{
|
|
struct sctp_sched_ops *n = sctp_sched_ops[sched];
|
|
struct sctp_sched_ops *old = asoc->outqueue.sched;
|
|
struct sctp_datamsg *msg = NULL;
|
|
struct sctp_chunk *ch;
|
|
int i, ret = 0;
|
|
|
|
if (old == n)
|
|
return ret;
|
|
|
|
if (sched > SCTP_SS_MAX)
|
|
return -EINVAL;
|
|
|
|
if (old) {
|
|
old->free(&asoc->stream);
|
|
|
|
/* Give the next scheduler a clean slate. */
|
|
for (i = 0; i < asoc->stream.outcnt; i++) {
|
|
struct sctp_stream_out_ext *ext = SCTP_SO(&asoc->stream, i)->ext;
|
|
|
|
if (!ext)
|
|
continue;
|
|
memset_after(ext, 0, outq);
|
|
}
|
|
}
|
|
|
|
asoc->outqueue.sched = n;
|
|
n->init(&asoc->stream);
|
|
for (i = 0; i < asoc->stream.outcnt; i++) {
|
|
if (!SCTP_SO(&asoc->stream, i)->ext)
|
|
continue;
|
|
|
|
ret = n->init_sid(&asoc->stream, i, GFP_ATOMIC);
|
|
if (ret)
|
|
goto err;
|
|
}
|
|
|
|
/* We have to requeue all chunks already queued. */
|
|
list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list) {
|
|
if (ch->msg == msg)
|
|
continue;
|
|
msg = ch->msg;
|
|
n->enqueue(&asoc->outqueue, msg);
|
|
}
|
|
|
|
return ret;
|
|
|
|
err:
|
|
n->free(&asoc->stream);
|
|
asoc->outqueue.sched = &sctp_sched_fcfs; /* Always safe */
|
|
|
|
return ret;
|
|
}
|
|
|
|
int sctp_sched_get_sched(struct sctp_association *asoc)
|
|
{
|
|
int i;
|
|
|
|
for (i = 0; i <= SCTP_SS_MAX; i++)
|
|
if (asoc->outqueue.sched == sctp_sched_ops[i])
|
|
return i;
|
|
|
|
return 0;
|
|
}
|
|
|
|
int sctp_sched_set_value(struct sctp_association *asoc, __u16 sid,
|
|
__u16 value, gfp_t gfp)
|
|
{
|
|
if (sid >= asoc->stream.outcnt)
|
|
return -EINVAL;
|
|
|
|
if (!SCTP_SO(&asoc->stream, sid)->ext) {
|
|
int ret;
|
|
|
|
ret = sctp_stream_init_ext(&asoc->stream, sid);
|
|
if (ret)
|
|
return ret;
|
|
}
|
|
|
|
return asoc->outqueue.sched->set(&asoc->stream, sid, value, gfp);
|
|
}
|
|
|
|
int sctp_sched_get_value(struct sctp_association *asoc, __u16 sid,
|
|
__u16 *value)
|
|
{
|
|
if (sid >= asoc->stream.outcnt)
|
|
return -EINVAL;
|
|
|
|
if (!SCTP_SO(&asoc->stream, sid)->ext)
|
|
return 0;
|
|
|
|
return asoc->outqueue.sched->get(&asoc->stream, sid, value);
|
|
}
|
|
|
|
void sctp_sched_dequeue_done(struct sctp_outq *q, struct sctp_chunk *ch)
|
|
{
|
|
if (!list_is_last(&ch->frag_list, &ch->msg->chunks) &&
|
|
!q->asoc->peer.intl_capable) {
|
|
struct sctp_stream_out *sout;
|
|
__u16 sid;
|
|
|
|
/* datamsg is not finish, so save it as current one,
|
|
* in case application switch scheduler or a higher
|
|
* priority stream comes in.
|
|
*/
|
|
sid = sctp_chunk_stream_no(ch);
|
|
sout = SCTP_SO(&q->asoc->stream, sid);
|
|
q->asoc->stream.out_curr = sout;
|
|
return;
|
|
}
|
|
|
|
q->asoc->stream.out_curr = NULL;
|
|
q->sched->dequeue_done(q, ch);
|
|
}
|
|
|
|
/* Auxiliary functions for the schedulers */
|
|
void sctp_sched_dequeue_common(struct sctp_outq *q, struct sctp_chunk *ch)
|
|
{
|
|
list_del_init(&ch->list);
|
|
list_del_init(&ch->stream_list);
|
|
q->out_qlen -= ch->skb->len;
|
|
}
|
|
|
|
int sctp_sched_init_sid(struct sctp_stream *stream, __u16 sid, gfp_t gfp)
|
|
{
|
|
struct sctp_sched_ops *sched = sctp_sched_ops_from_stream(stream);
|
|
struct sctp_stream_out_ext *ext = SCTP_SO(stream, sid)->ext;
|
|
|
|
INIT_LIST_HEAD(&ext->outq);
|
|
return sched->init_sid(stream, sid, gfp);
|
|
}
|
|
|
|
struct sctp_sched_ops *sctp_sched_ops_from_stream(struct sctp_stream *stream)
|
|
{
|
|
struct sctp_association *asoc;
|
|
|
|
asoc = container_of(stream, struct sctp_association, stream);
|
|
|
|
return asoc->outqueue.sched;
|
|
}
|