
Commit d389424e authored by Arnaldo Carvalho de Melo's avatar Arnaldo Carvalho de Melo

[LLC]: Fix the accept path



Borrowing the structure of TCP/IP for this. On the receive of new connections I
was bh_lock_socking the _new_ sock, not the listening one, duh, now it survives
the ssh connections storm I've been using to test this specific bug.

Also fixes send side skb sock accounting.

Signed-off-by: default avatarArnaldo Carvalho de Melo <acme@mandriva.com>
parent 2928c19e
+2 −1
@@ -19,7 +19,8 @@ struct sock;
extern void llc_sap_rtn_pdu(struct llc_sap *sap, struct sk_buff *skb);
extern void llc_save_primitive(struct sock *sk, struct sk_buff* skb,
			       unsigned char prim);
extern struct sk_buff *llc_alloc_frame(struct net_device *dev);
extern struct sk_buff *llc_alloc_frame(struct sock *sk,
				       struct net_device *dev);

extern void llc_build_and_send_test_pkt(struct llc_sap *sap,
				        struct sk_buff *skb,
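Review bot: The new `sk` argument of `llc_alloc_frame()` is undocumented, and this commit's callers use it in two ways: the connection actions pass the owning socket, while `llc_sap_action_send_xid_r()` and `llc_sap_action_send_test_r()` pass `NULL`. A one-line comment above the prototype would make the contract explicit, for example `/* @sk: socket the frame is accounted to, or NULL for SAP-level frames with no owning connection */`. The implementation is not shown on this page, so it is worth confirming that it tests `sk` before using it. The `llc_build_and_send_test_pkt` declaration that follows continues outside the hunk.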
+25 −39
@@ -60,24 +60,10 @@ int llc_conn_ac_clear_remote_busy(struct sock *sk, struct sk_buff *skb)

int llc_conn_ac_conn_ind(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOTCONN;
	u8 dsap;
	struct llc_sap *sap;

	llc_pdu_decode_dsap(skb, &dsap);
	sap = llc_sap_find(dsap);
	if (sap) {
	struct llc_conn_state_ev *ev = llc_conn_ev(skb);
		struct llc_sock *llc = llc_sk(sk);

		llc_pdu_decode_sa(skb, llc->daddr.mac);
		llc_pdu_decode_da(skb, llc->laddr.mac);
		llc->dev = skb->dev;
	ev->ind_prim = LLC_CONN_PRIM;
		rc = 0;
		llc_sap_put(sap);
	}
	return rc;
	return 0;
}

int llc_conn_ac_conn_confirm(struct sock *sk, struct sk_buff *skb)
@@ -213,7 +199,7 @@ int llc_conn_ac_send_disc_cmd_p_set_x(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -238,7 +224,7 @@ int llc_conn_ac_send_dm_rsp_f_set_p(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -264,7 +250,7 @@ int llc_conn_ac_send_dm_rsp_f_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -297,7 +283,7 @@ int llc_conn_ac_send_frmr_rsp_f_set_x(struct sock *sk, struct sk_buff *skb)
		llc_pdu_decode_pf_bit(skb, &f_bit);
	else
		f_bit = 0;
	nskb = llc_alloc_frame(llc->dev);
	nskb = llc_alloc_frame(sk, llc->dev);
	if (nskb) {
		struct llc_sap *sap = llc->sap;

@@ -321,7 +307,7 @@ int llc_conn_ac_resend_frmr_rsp_f_set_0(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -351,7 +337,7 @@ int llc_conn_ac_resend_frmr_rsp_f_set_p(struct sock *sk, struct sk_buff *skb)
	struct llc_sock *llc = llc_sk(sk);

	llc_pdu_decode_pf_bit(skb, &f_bit);
	nskb = llc_alloc_frame(llc->dev);
	nskb = llc_alloc_frame(sk, llc->dev);
	if (nskb) {
		struct llc_sap *sap = llc->sap;
		struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
@@ -439,7 +425,7 @@ int llc_conn_ac_resend_i_xxx_x_set_0_or_send_rr(struct sock *sk,
	struct llc_pdu_sn *pdu = llc_pdu_sn_hdr(skb);
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -474,7 +460,7 @@ int llc_conn_ac_send_rej_cmd_p_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -498,7 +484,7 @@ int llc_conn_ac_send_rej_rsp_f_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -522,7 +508,7 @@ int llc_conn_ac_send_rej_xxx_x_set_0(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -546,7 +532,7 @@ int llc_conn_ac_send_rnr_cmd_p_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -570,7 +556,7 @@ int llc_conn_ac_send_rnr_rsp_f_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -594,7 +580,7 @@ int llc_conn_ac_send_rnr_xxx_x_set_0(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -630,7 +616,7 @@ int llc_conn_ac_opt_send_rnr_xxx_x_set_0(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -654,7 +640,7 @@ int llc_conn_ac_send_rr_cmd_p_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -678,7 +664,7 @@ int llc_conn_ac_send_rr_rsp_f_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -703,7 +689,7 @@ int llc_conn_ac_send_ack_rsp_f_set_1(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -727,7 +713,7 @@ int llc_conn_ac_send_rr_xxx_x_set_0(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -751,7 +737,7 @@ int llc_conn_ac_send_ack_xxx_x_set_0(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -785,7 +771,7 @@ int llc_conn_ac_send_sabme_cmd_p_set_x(struct sock *sk, struct sk_buff *skb)
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
@@ -814,7 +800,7 @@ int llc_conn_ac_send_ua_rsp_f_set_p(struct sock *sk, struct sk_buff *skb)
	u8 f_bit;
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	llc_pdu_decode_pf_bit(skb, &f_bit);
	if (nskb) {
@@ -970,7 +956,7 @@ static int llc_conn_ac_send_rr_rsp_f_set_ackpf(struct sock *sk,
{
	int rc = -ENOBUFS;
	struct llc_sock *llc = llc_sk(sk);
	struct sk_buff *nskb = llc_alloc_frame(llc->dev);
	struct sk_buff *nskb = llc_alloc_frame(sk, llc->dev);

	if (nskb) {
		struct llc_sap *sap = llc->sap;
+95 −47
@@ -58,7 +58,7 @@ int sysctl_llc2_busy_timeout = LLC2_BUSY_TIME * HZ;
int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
{
	int rc;
	struct llc_sock *llc = llc_sk(sk);
	struct llc_sock *llc = llc_sk(skb->sk);
	struct llc_conn_state_ev *ev = llc_conn_ev(skb);

	/*
@@ -68,7 +68,10 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
	 */
	skb_get(skb);
	ev->ind_prim = ev->cfm_prim = 0;
	rc = llc_conn_service(sk, skb); /* sending event to state machine */
	/*
	 * Send event to state machine
	 */
	rc = llc_conn_service(skb->sk, skb);
	if (unlikely(rc != 0)) {
		printk(KERN_ERR "%s: llc_conn_service failed\n", __FUNCTION__);
		goto out_kfree_skb;
@@ -100,18 +103,14 @@ int llc_conn_state_process(struct sock *sk, struct sk_buff *skb)
			kfree_skb(skb);
		}
		break;
	case LLC_CONN_PRIM: {
		struct sock *parent = skb->sk;

		skb_orphan(skb);
	case LLC_CONN_PRIM:
		/*
		 * Set the skb->sk to the new struct sock, so that at accept
		 * type the upper layer can get the newly created struct sock.
		 * Can't be sock_queue_rcv_skb, because we have to leave the
		 * skb->sk pointing to the newly created struct sock in
		 * llc_conn_handler. -acme
		 */
		skb->sk = sk;
		skb_queue_tail(&parent->sk_receive_queue, skb);
		sk->sk_state_change(parent);
	}
		skb_queue_tail(&sk->sk_receive_queue, skb);
		sk->sk_state_change(sk);
		break;
	case LLC_DISC_PRIM:
		sock_hold(sk);
@@ -475,7 +474,7 @@ static int llc_exec_conn_trans_actions(struct sock *sk,
}

/**
 *	llc_lookup_established - Finds connection for the remote/local sap/mac
 *	__llc_lookup_established - Finds connection for the remote/local sap/mac
 *	@sap: SAP
 *	@daddr: address of remote LLC (MAC + SAP)
 *	@laddr: address of local LLC (MAC + SAP)
@@ -483,14 +482,16 @@ static int llc_exec_conn_trans_actions(struct sock *sk,
 *	Search connection list of the SAP and finds connection using the remote
 *	mac, remote sap, local mac, and local sap. Returns pointer for
 *	connection found, %NULL otherwise.
 *	Caller has to make sure local_bh is disabled.
 */
struct sock *llc_lookup_established(struct llc_sap *sap, struct llc_addr *daddr,
static struct sock *__llc_lookup_established(struct llc_sap *sap,
					     struct llc_addr *daddr,
					     struct llc_addr *laddr)
{
	struct sock *rc;
	struct hlist_node *node;

	read_lock_bh(&sap->sk_list.lock);
	read_lock(&sap->sk_list.lock);
	sk_for_each(rc, node, &sap->sk_list.list) {
		struct llc_sock *llc = llc_sk(rc);

@@ -504,10 +505,22 @@ struct sock *llc_lookup_established(struct llc_sap *sap, struct llc_addr *daddr,
	}
	rc = NULL;
found:
	read_unlock_bh(&sap->sk_list.lock);
	read_unlock(&sap->sk_list.lock);
	return rc;
}

struct sock *llc_lookup_established(struct llc_sap *sap,
				    struct llc_addr *daddr,
				    struct llc_addr *laddr)
{
	struct sock *sk;

	local_bh_disable();
	sk = __llc_lookup_established(sap, daddr, laddr);
	local_bh_enable();
	return sk;
}

/**
 *	llc_lookup_listener - Finds listener for local MAC + SAP
 *	@sap: SAP
@@ -516,6 +529,7 @@ struct sock *llc_lookup_established(struct llc_sap *sap, struct llc_addr *daddr,
 *	Search connection list of the SAP and finds connection listening on
 *	local mac, and local sap. Returns pointer for parent socket found,
 *	%NULL otherwise.
 *	Caller has to make sure local_bh is disabled.
 */
static struct sock *llc_lookup_listener(struct llc_sap *sap,
					struct llc_addr *laddr)
@@ -523,7 +537,7 @@ static struct sock *llc_lookup_listener(struct llc_sap *sap,
	struct sock *rc;
	struct hlist_node *node;

	read_lock_bh(&sap->sk_list.lock);
	read_lock(&sap->sk_list.lock);
	sk_for_each(rc, node, &sap->sk_list.list) {
		struct llc_sock *llc = llc_sk(rc);

@@ -537,10 +551,19 @@ static struct sock *llc_lookup_listener(struct llc_sap *sap,
	}
	rc = NULL;
found:
	read_unlock_bh(&sap->sk_list.lock);
	read_unlock(&sap->sk_list.lock);
	return rc;
}

static struct sock *__llc_lookup(struct llc_sap *sap,
				 struct llc_addr *daddr,
				 struct llc_addr *laddr)
{
	struct sock *sk = __llc_lookup_established(sap, daddr, laddr);

	return sk ? : llc_lookup_listener(sap, laddr);
}

/**
 *	llc_data_accept_state - designates if in this state data can be sent.
 *	@state: state of connection.
@@ -666,15 +689,34 @@ void llc_sap_remove_socket(struct llc_sap *sap, struct sock *sk)
static int llc_conn_rcv(struct sock* sk, struct sk_buff *skb)
{
	struct llc_conn_state_ev *ev = llc_conn_ev(skb);
	struct llc_sock *llc = llc_sk(sk);

	if (!llc->dev)
		llc->dev = skb->dev;
	ev->type   = LLC_CONN_EV_TYPE_PDU;
	ev->reason = 0;
	return llc_conn_state_process(sk, skb);
}

static struct sock *llc_create_incoming_sock(struct sock *sk,
					     struct net_device *dev,
					     struct llc_addr *saddr,
					     struct llc_addr *daddr)
{
	struct sock *newsk = llc_sk_alloc(sk->sk_family, GFP_ATOMIC,
					  sk->sk_prot);
	struct llc_sock *newllc, *llc = llc_sk(sk);

	if (!newsk)
		goto out;
	newllc = llc_sk(newsk);
	memcpy(&newllc->laddr, daddr, sizeof(newllc->laddr));
	memcpy(&newllc->daddr, saddr, sizeof(newllc->daddr));
	newllc->dev = dev;
	dev_hold(dev);
	llc_sap_add_socket(llc->sap, newsk);
	llc_sap_hold(llc->sap);
out:
	return newsk;
}

void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
{
	struct llc_addr saddr, daddr;
@@ -685,34 +727,35 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
	llc_pdu_decode_da(skb, daddr.mac);
	llc_pdu_decode_dsap(skb, &daddr.lsap);

	sk = llc_lookup_established(sap, &saddr, &daddr);
	if (!sk) {
		/*
		 * Didn't find an active connection; verify if there
		 * is a listening socket for this llc addr
		 */
		struct llc_sock *llc;
		struct sock *parent = llc_lookup_listener(sap, &daddr);

		if (!parent) {
			dprintk("llc_lookup_listener failed!\n");
	sk = __llc_lookup(sap, &saddr, &daddr);
	if (!sk)
		goto drop;
		}

		sk = llc_sk_alloc(parent->sk_family, GFP_ATOMIC, parent->sk_prot);
		if (!sk) {
			sock_put(parent);
			goto drop;
		}
		llc = llc_sk(sk);
		memcpy(&llc->laddr, &daddr, sizeof(llc->laddr));
		memcpy(&llc->daddr, &saddr, sizeof(llc->daddr));
		llc_sap_add_socket(sap, sk);
		sock_hold(sk);
		skb_set_owner_r(skb, parent);
		sock_put(parent);
	}
	bh_lock_sock(sk);
	/*
	 * This has to be done here and not at the upper layer ->accept
	 * method because of the way the PROCOM state machine works:
	 * it needs to set several state variables (see, for instance,
	 * llc_adm_actions_2 in net/llc/llc_c_st.c) and send a packet to
	 * the originator of the new connection, and this state has to be
	 * in the newly created struct sock private area. -acme
	 */
	if (unlikely(sk->sk_state == TCP_LISTEN)) {
		struct sock *newsk = llc_create_incoming_sock(sk, skb->dev,
							      &saddr, &daddr);
		if (!newsk)
			goto drop_unlock;
		skb_set_owner_r(skb, newsk);
	} else {
		/*
		 * Can't be skb_set_owner_r, this will be done at the
		 * llc_conn_state_process function, later on, when we will use
		 * skb_queue_rcv_skb to send it to upper layers, this is
		 * another trick required to cope with how the PROCOM state
		 * machine works. -acme
		 */
		skb->sk = sk;
	}
	if (!sock_owned_by_user(sk))
		llc_conn_rcv(sk, skb);
	else {
@@ -720,11 +763,16 @@ void llc_conn_handler(struct llc_sap *sap, struct sk_buff *skb)
		llc_set_backlog_type(skb, LLC_PACKET);
		sk_add_backlog(sk, skb);
	}
out:
	bh_unlock_sock(sk);
	sock_put(sk);
	return;
drop:
	kfree_skb(skb);
	return;
drop_unlock:
	kfree_skb(skb);
	goto out;
}

#undef LLC_REFCNT_DEBUG
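Review bot: In `llc_conn_handler()` the socket returned by `llc_create_incoming_sock()` is never locked. `bh_lock_sock(sk)` is taken on the listener, yet `llc_sap_add_socket()` has already published `newsk` on the SAP list, and `llc_conn_state_process()` then runs the state machine on `skb->sk`, which is `newsk`. A second frame for the same address pair handled on another CPU would appear able to find `newsk` through `__llc_lookup_established()`, take its own `bh_lock_sock()` and run the state machine on it concurrently. TCP's accept path, which this borrows from, processes the child under the child's own lock; the equivalent here would be taking `bh_lock_sock(newsk)` before `llc_sap_add_socket()` and releasing it once `llc_conn_rcv()` has returned. Separately, no accept-backlog check such as `sk_acceptq_is_full()` is visible before a new sock is allocated for a frame that reaches a listener, so the queue filled in the `LLC_CONN_PRIM` case looks unbounded.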
+2 −0
@@ -107,6 +107,7 @@ int llc_establish_connection(struct sock *sk, u8 *lmac, u8 *dmac, u8 dsap)
		ev->type      = LLC_CONN_EV_TYPE_PRIM;
		ev->prim      = LLC_CONN_PRIM;
		ev->prim_type = LLC_PRIM_TYPE_REQ;
		skb_set_owner_w(skb, sk);
		rc = llc_conn_state_process(sk, skb);
	}
out_put:
@@ -141,6 +142,7 @@ int llc_send_disc(struct sock *sk)
	skb = alloc_skb(0, GFP_ATOMIC);
	if (!skb)
		goto out;
	skb_set_owner_w(skb, sk);
	sk->sk_state  = TCP_CLOSING;
	ev	      = llc_conn_ev(skb);
	ev->type      = LLC_CONN_EV_TYPE_PRIM;
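Review bot: Both added `skb_set_owner_w(skb, sk)` calls do more than accounting, and nothing at the call sites says so. With this commit `llc_conn_state_process()` takes the socket from `skb->sk` (`llc_sk(skb->sk)`, `llc_conn_service(skb->sk, skb)`), so an event skb that reaches it without an owner would be a NULL dereference. A short comment at each site, e.g. `/* llc_conn_state_process() reads the socket from skb->sk */`, would keep the call from being removed as redundant later. Other paths that build event skbs and call `llc_conn_state_process()` are not visible on this page and should be checked for the same requirement. Both `llc_establish_connection()` and `llc_send_disc()` continue outside their hunks.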
+2 −2
@@ -103,7 +103,7 @@ int llc_sap_action_send_xid_r(struct llc_sap *sap, struct sk_buff *skb)
	llc_pdu_decode_sa(skb, mac_da);
	llc_pdu_decode_da(skb, mac_sa);
	llc_pdu_decode_ssap(skb, &dsap);
	nskb = llc_alloc_frame(skb->dev);
	nskb = llc_alloc_frame(NULL, skb->dev);
	if (!nskb)
		goto out;
	llc_pdu_header_init(nskb, LLC_PDU_TYPE_U, sap->laddr.lsap, dsap,
@@ -148,7 +148,7 @@ int llc_sap_action_send_test_r(struct llc_sap *sap, struct sk_buff *skb)
	llc_pdu_decode_sa(skb, mac_da);
	llc_pdu_decode_da(skb, mac_sa);
	llc_pdu_decode_ssap(skb, &dsap);
	nskb = llc_alloc_frame(skb->dev);
	nskb = llc_alloc_frame(NULL, skb->dev);
	if (!nskb)
		goto out;
	llc_pdu_header_init(nskb, LLC_PDU_TYPE_U, sap->laddr.lsap, dsap,