Commit 8ff0b1f0 authored by Xin Long's avatar Xin Long Committed by David S. Miller
Browse files

sctp: move sk_route_caps check and set into sctp_outq_flush_transports 

The sk's sk_route_caps is set in sctp_packet_config, and later it
only needs to change when traversing the transport_list in a loop,
as the dst might be changed in the tx path.

So move sk_route_caps check and set into sctp_outq_flush_transports
from sctp_packet_transmit. This also fixes a dst leak reported by
Chen Yi:

  https://bugzilla.kernel.org/show_bug.cgi?id=212227



As calling sk_setup_caps() in sctp_packet_transmit may also set the
sk_route_caps for the ctrl sock in a netns. When the netns is being
deleted, the ctrl sock's releasing is later than dst dev's deleting,
which will cause this dev's deleting to hang and dmesg error occurs:

  unregister_netdevice: waiting for xxx to become free. Usage count = 1

Reported-by: default avatarChen Yi <yiche@redhat.com>
Fixes: bcd623d8 ("sctp: call sk_setup_caps in sctp_packet_transmit instead")
Signed-off-by: default avatarXin Long <lucien.xin@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent c79a7070

net/sctp/output.c

+0 −7
Original line number Diff line number Diff line
@@ -584,13 +584,6 @@ int sctp_packet_transmit(struct sctp_packet *packet, gfp_t gfp) 
		goto out;

	}



	rcu_read_lock();

	if (__sk_dst_get(sk) != tp->dst) {

		dst_hold(tp->dst);

		sk_setup_caps(sk, tp->dst);

	}

	rcu_read_unlock();



	/* pack up chunks */

	pkt_count = sctp_packet_pack(packet, head, gso, gfp);

	if (!pkt_count) {

net/sctp/outqueue.c

+7 −0
Original line number Diff line number Diff line
@@ -1135,6 +1135,7 @@ static void sctp_outq_flush_data(struct sctp_flush_ctx *ctx, 


static void sctp_outq_flush_transports(struct sctp_flush_ctx *ctx)

{

	struct sock *sk = ctx->asoc->base.sk;

	struct list_head *ltransport;

	struct sctp_packet *packet;

	struct sctp_transport *t;
@@ -1144,6 +1145,12 @@ static void sctp_outq_flush_transports(struct sctp_flush_ctx *ctx) 
		t = list_entry(ltransport, struct sctp_transport, send_ready);

		packet = &t->packet;

		if (!sctp_packet_empty(packet)) {

			rcu_read_lock();

			if (t->dst && __sk_dst_get(sk) != t->dst) {

				dst_hold(t->dst);

				sk_setup_caps(sk, t->dst);

			}

			rcu_read_unlock();

			error = sctp_packet_transmit(packet, ctx->gfp);

			if (error < 0)

				ctx->q->asoc->base.sk->sk_err = -error;