git: a5c2009dd8ab - main - sctp: improve handling of sctp inpcb flags
Date: Sat, 04 Jun 2022 09:56:52 UTC
The branch main has been updated by tuexen:
URL: https://cgit.FreeBSD.org/src/commit/?id=a5c2009dd8ab562435fb7cc2ac0922668f9511a8
commit a5c2009dd8ab562435fb7cc2ac0922668f9511a8
Author: Michael Tuexen <tuexen@FreeBSD.org>
AuthorDate: 2022-06-04 05:35:54 +0000
Commit: Michael Tuexen <tuexen@FreeBSD.org>
CommitDate: 2022-06-04 05:38:19 +0000
sctp: improve handling of sctp inpcb flags
Use an atomic operation when the inp is not write locked.
Reported by: syzbot+bf27083e9a3f8fde8b4d@syzkaller.appspotmail.com
MFC after: 3 days
---
sys/netinet/sctp_constants.h | 8 ++++----
sys/netinet/sctp_input.c | 9 ++++-----
sys/netinet/sctp_pcb.c | 15 +++++++++++++++
sys/netinet/sctp_pcb.h | 3 +++
sys/netinet/sctputil.c | 2 +-
5 files changed, 27 insertions(+), 10 deletions(-)
diff --git a/sys/netinet/sctp_constants.h b/sys/netinet/sctp_constants.h
index 66f2cca5ab6d..3df6ad6db2aa 100644
--- a/sys/netinet/sctp_constants.h
+++ b/sys/netinet/sctp_constants.h
@@ -968,7 +968,7 @@ __FBSDID("$FreeBSD$");
#define sctp_sowwakeup(inp, so) \
do { \
if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) { \
- inp->sctp_flags |= SCTP_PCB_FLAGS_WAKEOUTPUT; \
+ sctp_pcb_add_flags(inp, SCTP_PCB_FLAGS_WAKEOUTPUT); \
} else { \
sowwakeup(so); \
} \
@@ -977,8 +977,8 @@ do { \
#define sctp_sowwakeup_locked(inp, so) \
do { \
if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) { \
+ sctp_pcb_add_flags(inp, SCTP_PCB_FLAGS_WAKEOUTPUT); \
SOCKBUF_UNLOCK(&((so)->so_snd)); \
- inp->sctp_flags |= SCTP_PCB_FLAGS_WAKEOUTPUT; \
} else { \
sowwakeup_locked(so); \
} \
@@ -987,7 +987,7 @@ do { \
#define sctp_sorwakeup(inp, so) \
do { \
if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) { \
- inp->sctp_flags |= SCTP_PCB_FLAGS_WAKEINPUT; \
+ sctp_pcb_add_flags(inp, SCTP_PCB_FLAGS_WAKEINPUT); \
} else { \
sorwakeup(so); \
} \
@@ -996,7 +996,7 @@ do { \
#define sctp_sorwakeup_locked(inp, so) \
do { \
if (inp->sctp_flags & SCTP_PCB_FLAGS_DONT_WAKE) { \
- inp->sctp_flags |= SCTP_PCB_FLAGS_WAKEINPUT; \
+ sctp_pcb_add_flags(inp, SCTP_PCB_FLAGS_WAKEINPUT); \
SOCKBUF_UNLOCK(&((so)->so_rcv)); \
} else { \
sorwakeup_locked(so); \
diff --git a/sys/netinet/sctp_input.c b/sys/netinet/sctp_input.c
index ff16654968d5..46b818c9983e 100644
--- a/sys/netinet/sctp_input.c
+++ b/sys/netinet/sctp_input.c
@@ -1491,8 +1491,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
* init/init-ack/cookie done before the
* init-ack came back..
*/
- stcb->sctp_ep->sctp_flags |=
- SCTP_PCB_FLAGS_CONNECTED;
+ sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
soisconnected(stcb->sctp_socket);
}
/* notify upper layer */
@@ -1689,7 +1688,7 @@ sctp_process_cookie_existing(struct mbuf *m, int iphlen, int offset,
if (((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) &&
(!SCTP_IS_LISTENING(inp))) {
- stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
+ sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
soisconnected(stcb->sctp_socket);
}
if (SCTP_GET_STATE(stcb) == SCTP_STATE_COOKIE_ECHOED)
@@ -2182,7 +2181,7 @@ sctp_process_cookie_new(struct mbuf *m, int iphlen, int offset,
*
* XXXMJ unlocked
*/
- stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
+ sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
soisconnected(stcb->sctp_socket);
} else if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
(SCTP_IS_LISTENING(inp))) {
@@ -2793,7 +2792,7 @@ sctp_handle_cookie_ack(struct sctp_cookie_ack_chunk *cp SCTP_UNUSED,
sctp_ulp_notify(SCTP_NOTIFY_ASSOC_UP, stcb, 0, NULL, SCTP_SO_NOT_LOCKED);
if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) ||
(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL)) {
- stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_CONNECTED;
+ sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_CONNECTED);
if ((stcb->asoc.state & SCTP_STATE_CLOSED_SOCKET) == 0) {
soisconnected(stcb->sctp_socket);
}
diff --git a/sys/netinet/sctp_pcb.c b/sys/netinet/sctp_pcb.c
index 38c88d8ae8e4..bbbec5385c3c 100644
--- a/sys/netinet/sctp_pcb.c
+++ b/sys/netinet/sctp_pcb.c
@@ -7067,3 +7067,18 @@ sctp_initiate_iterator(inp_func inpf,
/* sa_ignore MEMLEAK {memory is put on the tailq for the iterator} */
return (0);
}
+
+/*
+ * Atomically add flags to the sctp_flags of an inp.
+ * To be used when the write lock of the inp is not held.
+ */
+void
+sctp_pcb_add_flags(struct sctp_inpcb *inp, uint32_t flags)
+{
+ uint32_t old_flags, new_flags;
+
+ do {
+ old_flags = inp->sctp_flags;
+ new_flags = old_flags | flags;
+ } while (atomic_cmpset_int(&inp->sctp_flags, old_flags, new_flags) == 0);
+}
diff --git a/sys/netinet/sctp_pcb.h b/sys/netinet/sctp_pcb.h
index 736b0f9d54e9..687ccf6a1c50 100644
--- a/sys/netinet/sctp_pcb.h
+++ b/sys/netinet/sctp_pcb.h
@@ -619,6 +619,9 @@ int sctp_swap_inpcb_for_listen(struct sctp_inpcb *inp);
void sctp_clean_up_stream(struct sctp_tcb *stcb, struct sctp_readhead *rh);
+void
+ sctp_pcb_add_flags(struct sctp_inpcb *, uint32_t);
+
/*-
* Null in last arg inpcb indicate run on ALL ep's. Specific inp in last arg
* indicates run on ONLY assoc's of the specified endpoint.
diff --git a/sys/netinet/sctputil.c b/sys/netinet/sctputil.c
index 23f95353323f..bdb35b988ae6 100644
--- a/sys/netinet/sctputil.c
+++ b/sys/netinet/sctputil.c
@@ -4340,7 +4340,7 @@ sctp_abort_notification(struct sctp_tcb *stcb, bool from_peer, bool timeout,
if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_IN_TCPPOOL) ||
((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_TCPTYPE) &&
(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_CONNECTED))) {
- stcb->sctp_ep->sctp_flags |= SCTP_PCB_FLAGS_WAS_ABORTED;
+ sctp_pcb_add_flags(stcb->sctp_ep, SCTP_PCB_FLAGS_WAS_ABORTED);
}
if ((stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_GONE) ||
(stcb->sctp_ep->sctp_flags & SCTP_PCB_FLAGS_SOCKET_ALLGONE) ||