mirror of
				git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
				synced 2025-09-04 20:19:47 +08:00 
			
		
		
		
	 ce402f044e
			
		
	
	
		ce402f044e
		
	
	
	
	
		
			
			When auth is enabled for cookie-ack chunk, in sctp_inq_pop, sctp
processes auth chunk first, then continues to the next chunk in
this packet if chunk_end + chunk_hdr size < skb_tail_pointer().
Otherwise, it will go to the next packet or discard this chunk.
However, it missed the fact that cookie-ack chunk's size is equal
to chunk_hdr size, which couldn't match that check, and thus this
chunk would not get processed.
This patch fixes it by changing the check to chunk_end + chunk_hdr
size <= skb_tail_pointer().
Fixes: 26b87c7881 ("net: sctp: fix remote memory pressure from excessive queueing")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
		
	
			
		
			
				
	
	
		
			253 lines
		
	
	
		
			7.0 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
			
		
		
	
	
			253 lines
		
	
	
		
			7.0 KiB
		
	
	
	
		
			C
		
	
	
	
	
	
| /* SCTP kernel implementation
 | |
|  * Copyright (c) 1999-2000 Cisco, Inc.
 | |
|  * Copyright (c) 1999-2001 Motorola, Inc.
 | |
|  * Copyright (c) 2002 International Business Machines, Corp.
 | |
|  *
 | |
|  * This file is part of the SCTP kernel implementation
 | |
|  *
 | |
|  * These functions are the methods for accessing the SCTP inqueue.
 | |
|  *
 | |
|  * An SCTP inqueue is a queue into which you push SCTP packets
 | |
|  * (which might be bundles or fragments of chunks) and out of which you
 | |
|  * pop SCTP whole chunks.
 | |
|  *
 | |
|  * This SCTP implementation is free software;
 | |
|  * you can redistribute it and/or modify it under the terms of
 | |
|  * the GNU General Public License as published by
 | |
|  * the Free Software Foundation; either version 2, or (at your option)
 | |
|  * any later version.
 | |
|  *
 | |
|  * This SCTP implementation is distributed in the hope that it
 | |
|  * will be useful, but WITHOUT ANY WARRANTY; without even the implied
 | |
|  *                 ************************
 | |
|  * warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
 | |
|  * See the GNU General Public License for more details.
 | |
|  *
 | |
|  * You should have received a copy of the GNU General Public License
 | |
|  * along with GNU CC; see the file COPYING.  If not, see
 | |
|  * <http://www.gnu.org/licenses/>.
 | |
|  *
 | |
|  * Please send any bug reports or fixes you make to the
 | |
|  * email address(es):
 | |
|  *    lksctp developers <linux-sctp@vger.kernel.org>
 | |
|  *
 | |
|  * Written or modified by:
 | |
|  *    La Monte H.P. Yarroll <piggy@acm.org>
 | |
|  *    Karl Knutson <karl@athena.chicago.il.us>
 | |
|  */
 | |
| 
 | |
| #define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
 | |
| 
 | |
| #include <net/sctp/sctp.h>
 | |
| #include <net/sctp/sm.h>
 | |
| #include <linux/interrupt.h>
 | |
| #include <linux/slab.h>
 | |
| 
 | |
| /* Initialize an SCTP inqueue.  */
 | |
| void sctp_inq_init(struct sctp_inq *queue)
 | |
| {
 | |
| 	INIT_LIST_HEAD(&queue->in_chunk_list);
 | |
| 	queue->in_progress = NULL;
 | |
| 
 | |
| 	/* Create a task for delivering data.  */
 | |
| 	INIT_WORK(&queue->immediate, NULL);
 | |
| }
 | |
| 
 | |
| /* Release the memory associated with an SCTP inqueue.  */
 | |
| void sctp_inq_free(struct sctp_inq *queue)
 | |
| {
 | |
| 	struct sctp_chunk *chunk, *tmp;
 | |
| 
 | |
| 	/* Empty the queue.  */
 | |
| 	list_for_each_entry_safe(chunk, tmp, &queue->in_chunk_list, list) {
 | |
| 		list_del_init(&chunk->list);
 | |
| 		sctp_chunk_free(chunk);
 | |
| 	}
 | |
| 
 | |
| 	/* If there is a packet which is currently being worked on,
 | |
| 	 * free it as well.
 | |
| 	 */
 | |
| 	if (queue->in_progress) {
 | |
| 		sctp_chunk_free(queue->in_progress);
 | |
| 		queue->in_progress = NULL;
 | |
| 	}
 | |
| }
 | |
| 
 | |
| /* Put a new packet in an SCTP inqueue.
 | |
|  * We assume that packet->sctp_hdr is set and in host byte order.
 | |
|  */
 | |
| void sctp_inq_push(struct sctp_inq *q, struct sctp_chunk *chunk)
 | |
| {
 | |
| 	/* Directly call the packet handling routine. */
 | |
| 	if (chunk->rcvr->dead) {
 | |
| 		sctp_chunk_free(chunk);
 | |
| 		return;
 | |
| 	}
 | |
| 
 | |
| 	/* We are now calling this either from the soft interrupt
 | |
| 	 * or from the backlog processing.
 | |
| 	 * Eventually, we should clean up inqueue to not rely
 | |
| 	 * on the BH related data structures.
 | |
| 	 */
 | |
| 	list_add_tail(&chunk->list, &q->in_chunk_list);
 | |
| 	if (chunk->asoc)
 | |
| 		chunk->asoc->stats.ipackets++;
 | |
| 	q->immediate.func(&q->immediate);
 | |
| }
 | |
| 
 | |
| /* Peek at the next chunk on the inqeue. */
 | |
| struct sctp_chunkhdr *sctp_inq_peek(struct sctp_inq *queue)
 | |
| {
 | |
| 	struct sctp_chunk *chunk;
 | |
| 	struct sctp_chunkhdr *ch = NULL;
 | |
| 
 | |
| 	chunk = queue->in_progress;
 | |
| 	/* If there is no more chunks in this packet, say so */
 | |
| 	if (chunk->singleton ||
 | |
| 	    chunk->end_of_packet ||
 | |
| 	    chunk->pdiscard)
 | |
| 		    return NULL;
 | |
| 
 | |
| 	ch = (struct sctp_chunkhdr *)chunk->chunk_end;
 | |
| 
 | |
| 	return ch;
 | |
| }
 | |
| 
 | |
| 
 | |
| /* Extract a chunk from an SCTP inqueue.
 | |
|  *
 | |
|  * WARNING:  If you need to put the chunk on another queue, you need to
 | |
|  * make a shallow copy (clone) of it.
 | |
|  */
 | |
| struct sctp_chunk *sctp_inq_pop(struct sctp_inq *queue)
 | |
| {
 | |
| 	struct sctp_chunk *chunk;
 | |
| 	struct sctp_chunkhdr *ch = NULL;
 | |
| 
 | |
| 	/* The assumption is that we are safe to process the chunks
 | |
| 	 * at this time.
 | |
| 	 */
 | |
| 
 | |
| 	chunk = queue->in_progress;
 | |
| 	if (chunk) {
 | |
| 		/* There is a packet that we have been working on.
 | |
| 		 * Any post processing work to do before we move on?
 | |
| 		 */
 | |
| 		if (chunk->singleton ||
 | |
| 		    chunk->end_of_packet ||
 | |
| 		    chunk->pdiscard) {
 | |
| 			if (chunk->head_skb == chunk->skb) {
 | |
| 				chunk->skb = skb_shinfo(chunk->skb)->frag_list;
 | |
| 				goto new_skb;
 | |
| 			}
 | |
| 			if (chunk->skb->next) {
 | |
| 				chunk->skb = chunk->skb->next;
 | |
| 				goto new_skb;
 | |
| 			}
 | |
| 
 | |
| 			if (chunk->head_skb)
 | |
| 				chunk->skb = chunk->head_skb;
 | |
| 			sctp_chunk_free(chunk);
 | |
| 			chunk = queue->in_progress = NULL;
 | |
| 		} else {
 | |
| 			/* Nothing to do. Next chunk in the packet, please. */
 | |
| 			ch = (struct sctp_chunkhdr *)chunk->chunk_end;
 | |
| 			/* Force chunk->skb->data to chunk->chunk_end.  */
 | |
| 			skb_pull(chunk->skb, chunk->chunk_end - chunk->skb->data);
 | |
| 			/* We are guaranteed to pull a SCTP header. */
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	/* Do we need to take the next packet out of the queue to process? */
 | |
| 	if (!chunk) {
 | |
| 		struct list_head *entry;
 | |
| 
 | |
| next_chunk:
 | |
| 		/* Is the queue empty?  */
 | |
| 		entry = sctp_list_dequeue(&queue->in_chunk_list);
 | |
| 		if (!entry)
 | |
| 			return NULL;
 | |
| 
 | |
| 		chunk = list_entry(entry, struct sctp_chunk, list);
 | |
| 
 | |
| 		if (skb_is_gso(chunk->skb) && skb_is_gso_sctp(chunk->skb)) {
 | |
| 			/* GSO-marked skbs but without frags, handle
 | |
| 			 * them normally
 | |
| 			 */
 | |
| 			if (skb_shinfo(chunk->skb)->frag_list)
 | |
| 				chunk->head_skb = chunk->skb;
 | |
| 
 | |
| 			/* skbs with "cover letter" */
 | |
| 			if (chunk->head_skb && chunk->skb->data_len == chunk->skb->len)
 | |
| 				chunk->skb = skb_shinfo(chunk->skb)->frag_list;
 | |
| 
 | |
| 			if (WARN_ON(!chunk->skb)) {
 | |
| 				__SCTP_INC_STATS(dev_net(chunk->skb->dev), SCTP_MIB_IN_PKT_DISCARDS);
 | |
| 				sctp_chunk_free(chunk);
 | |
| 				goto next_chunk;
 | |
| 			}
 | |
| 		}
 | |
| 
 | |
| 		if (chunk->asoc)
 | |
| 			sock_rps_save_rxhash(chunk->asoc->base.sk, chunk->skb);
 | |
| 
 | |
| 		queue->in_progress = chunk;
 | |
| 
 | |
| new_skb:
 | |
| 		/* This is the first chunk in the packet.  */
 | |
| 		ch = (struct sctp_chunkhdr *)chunk->skb->data;
 | |
| 		chunk->singleton = 1;
 | |
| 		chunk->data_accepted = 0;
 | |
| 		chunk->pdiscard = 0;
 | |
| 		chunk->auth = 0;
 | |
| 		chunk->has_asconf = 0;
 | |
| 		chunk->end_of_packet = 0;
 | |
| 		if (chunk->head_skb) {
 | |
| 			struct sctp_input_cb
 | |
| 				*cb = SCTP_INPUT_CB(chunk->skb),
 | |
| 				*head_cb = SCTP_INPUT_CB(chunk->head_skb);
 | |
| 
 | |
| 			cb->chunk = head_cb->chunk;
 | |
| 			cb->af = head_cb->af;
 | |
| 		}
 | |
| 	}
 | |
| 
 | |
| 	chunk->chunk_hdr = ch;
 | |
| 	chunk->chunk_end = ((__u8 *)ch) + SCTP_PAD4(ntohs(ch->length));
 | |
| 	skb_pull(chunk->skb, sizeof(*ch));
 | |
| 	chunk->subh.v = NULL; /* Subheader is no longer valid.  */
 | |
| 
 | |
| 	if (chunk->chunk_end + sizeof(*ch) <= skb_tail_pointer(chunk->skb)) {
 | |
| 		/* This is not a singleton */
 | |
| 		chunk->singleton = 0;
 | |
| 	} else if (chunk->chunk_end > skb_tail_pointer(chunk->skb)) {
 | |
| 		/* Discard inside state machine. */
 | |
| 		chunk->pdiscard = 1;
 | |
| 		chunk->chunk_end = skb_tail_pointer(chunk->skb);
 | |
| 	} else {
 | |
| 		/* We are at the end of the packet, so mark the chunk
 | |
| 		 * in case we need to send a SACK.
 | |
| 		 */
 | |
| 		chunk->end_of_packet = 1;
 | |
| 	}
 | |
| 
 | |
| 	pr_debug("+++sctp_inq_pop+++ chunk:%p[%s], length:%d, skb->len:%d\n",
 | |
| 		 chunk, sctp_cname(SCTP_ST_CHUNK(chunk->chunk_hdr->type)),
 | |
| 		 ntohs(chunk->chunk_hdr->length), chunk->skb->len);
 | |
| 
 | |
| 	return chunk;
 | |
| }
 | |
| 
 | |
| /* Set a top-half handler.
 | |
|  *
 | |
|  * Originally, we the top-half handler was scheduled as a BH.  We now
 | |
|  * call the handler directly in sctp_inq_push() at a time that
 | |
|  * we know we are lock safe.
 | |
|  * The intent is that this routine will pull stuff out of the
 | |
|  * inqueue and process it.
 | |
|  */
 | |
| void sctp_inq_set_th_handler(struct sctp_inq *q, work_func_t callback)
 | |
| {
 | |
| 	INIT_WORK(&q->immediate, callback);
 | |
| }
 |