Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit b905ef9a authored by Cong Wang's avatar Cong Wang Committed by David S. Miller
Browse files

llc: delete timers synchronously in llc_sk_free() 



The connection timers of an llc sock could be still flying
after we delete them in llc_sk_free(), and even possibly
after we free the sock. We could just wait synchronously
here in case of troubles.

Note, I leave other call paths as they are, since they may
not have to wait, at least we can change them to synchronously
when needed.

Also, move the code to net/llc/llc_conn.c, which is apparently
a better place.

Reported-by: default avatar <syzbot+f922284c18ea23a8e457@syzkaller.appspotmail.com>
Signed-off-by: default avatarCong Wang <xiyou.wangcong@gmail.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 5411b618

include/net/llc_conn.h

+1 −0
Original line number Diff line number Diff line
@@ -97,6 +97,7 @@ static __inline__ char llc_backlog_type(struct sk_buff *skb) 


struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority,

			  struct proto *prot, int kern);

void llc_sk_stop_all_timers(struct sock *sk, bool sync);

void llc_sk_free(struct sock *sk);



void llc_sk_reset(struct sock *sk);

net/llc/llc_c_ac.c

+1 −8
Original line number Diff line number Diff line
@@ -1099,14 +1099,7 @@ int llc_conn_ac_inc_tx_win_size(struct sock *sk, struct sk_buff *skb) 


int llc_conn_ac_stop_all_timers(struct sock *sk, struct sk_buff *skb)

{

	struct llc_sock *llc = llc_sk(sk);



	del_timer(&llc->pf_cycle_timer.timer);

	del_timer(&llc->ack_timer.timer);

	del_timer(&llc->rej_sent_timer.timer);

	del_timer(&llc->busy_state_timer.timer);

	llc->ack_must_be_send = 0;

	llc->ack_pf = 0;

	llc_sk_stop_all_timers(sk, false);

	return 0;

}

net/llc/llc_conn.c

+21 −1
Original line number Diff line number Diff line
@@ -961,6 +961,26 @@ struct sock *llc_sk_alloc(struct net *net, int family, gfp_t priority, struct pr 
	return sk;

}



void llc_sk_stop_all_timers(struct sock *sk, bool sync)

{

	struct llc_sock *llc = llc_sk(sk);



	if (sync) {

		del_timer_sync(&llc->pf_cycle_timer.timer);

		del_timer_sync(&llc->ack_timer.timer);

		del_timer_sync(&llc->rej_sent_timer.timer);

		del_timer_sync(&llc->busy_state_timer.timer);

	} else {

		del_timer(&llc->pf_cycle_timer.timer);

		del_timer(&llc->ack_timer.timer);

		del_timer(&llc->rej_sent_timer.timer);

		del_timer(&llc->busy_state_timer.timer);

	}



	llc->ack_must_be_send = 0;

	llc->ack_pf = 0;

}



/**

 *	llc_sk_free - Frees a LLC socket

 *	@sk - socket to free
@@ -973,7 +993,7 @@ void llc_sk_free(struct sock *sk) 


	llc->state = LLC_CONN_OUT_OF_SVC;

	/* Stop all (possibly) running timers */

	llc_conn_ac_stop_all_timers(sk, NULL);

	llc_sk_stop_all_timers(sk, true);

#ifdef DEBUG_LLC_CONN_ALLOC

	printk(KERN_INFO "%s: unackq=%d, txq=%d\n", __func__,

		skb_queue_len(&llc->pdu_unack_q),