Merge tag 'v3.4.110' into mm-6.0
Change-Id: I0afc69bce474139d1b70e062d72c0b8054529833
Signed-off-by: José Adolfo Galdámez <josegalre@pac-rom.com>
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 0c0bd2f..bc7b5de 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1539,8 +1539,10 @@
/* Supposedly, no process has access to the socket, but
* the net layers still may.
+ * Also, sctp_destroy_sock() needs to be called with addr_wq_lock
+ * held and that should be grabbed before socket lock.
*/
- sctp_local_bh_disable();
+ spin_lock_bh(&sctp_globals.addr_wq_lock);
sctp_bh_lock_sock(sk);
/* Hold the sock, since sk_common_release() will put sock_put()
@@ -1550,7 +1552,7 @@
sk_common_release(sk);
sctp_bh_unlock_sock(sk);
- sctp_local_bh_enable();
+ spin_unlock_bh(&sctp_globals.addr_wq_lock);
sock_put(sk);
@@ -3492,6 +3494,7 @@
if ((val && sp->do_auto_asconf) || (!val && !sp->do_auto_asconf))
return 0;
+ spin_lock_bh(&sctp_globals.addr_wq_lock);
if (val == 0 && sp->do_auto_asconf) {
list_del(&sp->auto_asconf_list);
sp->do_auto_asconf = 0;
@@ -3500,6 +3503,7 @@
&sctp_auto_asconf_splist);
sp->do_auto_asconf = 1;
}
+ spin_unlock_bh(&sctp_globals.addr_wq_lock);
return 0;
}
@@ -3935,18 +3939,28 @@
local_bh_disable();
percpu_counter_inc(&sctp_sockets_allocated);
sock_prot_inuse_add(sock_net(sk), sk->sk_prot, 1);
+
+ /* Nothing can fail after this block, otherwise
+ * sctp_destroy_sock() will be called without addr_wq_lock held
+ */
if (sctp_default_auto_asconf) {
+ spin_lock(&sctp_globals.addr_wq_lock);
list_add_tail(&sp->auto_asconf_list,
&sctp_auto_asconf_splist);
sp->do_auto_asconf = 1;
- } else
+ spin_unlock(&sctp_globals.addr_wq_lock);
+ } else {
sp->do_auto_asconf = 0;
+ }
+
local_bh_enable();
return 0;
}
-/* Cleanup any SCTP per socket resources. */
+/* Cleanup any SCTP per socket resources. Must be called with
+ * sctp_globals.addr_wq_lock held if sp->do_auto_asconf is true
+ */
SCTP_STATIC void sctp_destroy_sock(struct sock *sk)
{
struct sctp_sock *sp;
@@ -6746,6 +6760,19 @@
newinet->mc_list = NULL;
}
+static inline void sctp_copy_descendant(struct sock *sk_to,
+ const struct sock *sk_from)
+{
+ int ancestor_size = sizeof(struct inet_sock) +
+ sizeof(struct sctp_sock) -
+ offsetof(struct sctp_sock, auto_asconf_list);
+
+ if (sk_from->sk_family == PF_INET6)
+ ancestor_size += sizeof(struct ipv6_pinfo);
+
+ __inet_sk_copy_descendant(sk_to, sk_from, ancestor_size);
+}
+
/* Populate the fields of the newsk from the oldsk and migrate the assoc
* and its messages to the newsk.
*/
@@ -6760,7 +6787,6 @@
struct sk_buff *skb, *tmp;
struct sctp_ulpevent *event;
struct sctp_bind_hashbucket *head;
- struct list_head tmplist;
/* Migrate socket buffer sizes and all the socket level options to the
* new socket.
@@ -6768,12 +6794,7 @@
newsk->sk_sndbuf = oldsk->sk_sndbuf;
newsk->sk_rcvbuf = oldsk->sk_rcvbuf;
/* Brute force copy old sctp opt. */
- if (oldsp->do_auto_asconf) {
- memcpy(&tmplist, &newsp->auto_asconf_list, sizeof(tmplist));
- inet_sk_copy_descendant(newsk, oldsk);
- memcpy(&newsp->auto_asconf_list, &tmplist, sizeof(tmplist));
- } else
- inet_sk_copy_descendant(newsk, oldsk);
+ sctp_copy_descendant(newsk, oldsk);
/* Restore the ep value that was overwritten with the above structure
* copy.