tipc: fix broadcast wakeup contention after congestion
authorRichard Alpe <richard.alpe@ericsson.com>
Wed, 10 Dec 2014 08:46:54 +0000 (09:46 +0100)
committerDavid S. Miller <davem@davemloft.net>
Wed, 10 Dec 2014 19:45:33 +0000 (14:45 -0500)
commit 908344cdda80 ("tipc: fix bug in multicast congestion handling")
introduced a race in the broadcast link wakeup functionality.

This patch eliminates this broadcast link wakeup race caused by
operation on the wakeup list without proper locking. If this race
hit and corrupted the list all subsequent wakeup messages would be
lost, resulting in a considerable memory leak.

Signed-off-by: Richard Alpe <richard.alpe@ericsson.com>
Signed-off-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/tipc/link.c
net/tipc/node.c

index 34bf15c90c78e38f562d2288883174002258cfa7..23bcc1132365128de97ee2de41c9465b1b5d03ff 100644 (file)
@@ -293,7 +293,7 @@ struct tipc_link *tipc_link_create(struct tipc_node *n_ptr,
        l_ptr->next_out_no = 1;
        __skb_queue_head_init(&l_ptr->outqueue);
        __skb_queue_head_init(&l_ptr->deferred_queue);
-       __skb_queue_head_init(&l_ptr->waiting_sks);
+       skb_queue_head_init(&l_ptr->waiting_sks);
 
        link_reset_statistics(l_ptr);
 
@@ -358,7 +358,7 @@ static bool link_schedule_user(struct tipc_link *link, u32 oport,
                return false;
        TIPC_SKB_CB(buf)->chain_sz = chain_sz;
        TIPC_SKB_CB(buf)->chain_imp = imp;
-       __skb_queue_tail(&link->waiting_sks, buf);
+       skb_queue_tail(&link->waiting_sks, buf);
        link->stats.link_congs++;
        return true;
 }
@@ -378,8 +378,8 @@ static void link_prepare_wakeup(struct tipc_link *link)
                if (pend_qsz >= link->queue_limit[TIPC_SKB_CB(skb)->chain_imp])
                        break;
                pend_qsz += TIPC_SKB_CB(skb)->chain_sz;
-               __skb_unlink(skb, &link->waiting_sks);
-               __skb_queue_tail(&link->owner->waiting_sks, skb);
+               skb_unlink(skb, &link->waiting_sks);
+               skb_queue_tail(&link->owner->waiting_sks, skb);
        }
 }
 
index 69b96be09a86f057a3761d89266252741a2107a6..8d353ec77a6661820066e4cbee0d74cfe534ea08 100644 (file)
@@ -115,7 +115,7 @@ struct tipc_node *tipc_node_create(u32 addr)
        INIT_LIST_HEAD(&n_ptr->list);
        INIT_LIST_HEAD(&n_ptr->publ_list);
        INIT_LIST_HEAD(&n_ptr->conn_sks);
-       __skb_queue_head_init(&n_ptr->waiting_sks);
+       skb_queue_head_init(&n_ptr->waiting_sks);
        __skb_queue_head_init(&n_ptr->bclink.deferred_queue);
 
        hlist_add_head_rcu(&n_ptr->hash, &node_htable[tipc_hashfn(addr)]);