rxrpc: Reduce the rxrpc_local::services list to a pointer
authorDavid Howells <dhowells@redhat.com>
Thu, 29 Sep 2016 21:37:15 +0000 (22:37 +0100)
committerDavid Howells <dhowells@redhat.com>
Thu, 29 Sep 2016 21:57:47 +0000 (22:57 +0100)
Reduce the rxrpc_local::services list to just a pointer as we don't permit
multiple service endpoints to bind to a single transport endpoint (this is
excluded by rxrpc_lookup_local()).

The reason we don't allow this is that if you send a request to an AFS
filesystem service, it will try to talk back to your cache manager on the
port you sent from (this is how file change notifications are handled).  To
prevent someone from stealing your CM callbacks, we don't let AF_RXRPC
sockets share a UDP socket if at least one of them has a service bound.

Signed-off-by: David Howells <dhowells@redhat.com>
net/rxrpc/af_rxrpc.c
net/rxrpc/ar-internal.h
net/rxrpc/call_accept.c
net/rxrpc/local_object.c
net/rxrpc/security.c

index 8dbf7bed2cc453f2b00cf058af081af3966d4bcb..44c9c2b0b190dedde7c22b08284f8748ed29e5cb 100644 (file)
@@ -136,7 +136,8 @@ static int rxrpc_bind(struct socket *sock, struct sockaddr *saddr, int len)
        struct sockaddr_rxrpc *srx = (struct sockaddr_rxrpc *)saddr;
        struct sock *sk = sock->sk;
        struct rxrpc_local *local;
-       struct rxrpc_sock *rx = rxrpc_sk(sk), *prx;
+       struct rxrpc_sock *rx = rxrpc_sk(sk);
+       u16 service_id = srx->srx_service;
        int ret;
 
        _enter("%p,%p,%d", rx, saddr, len);
@@ -160,15 +161,12 @@ static int rxrpc_bind(struct socket *sock, struct sockaddr *saddr, int len)
                goto error_unlock;
        }
 
-       if (rx->srx.srx_service) {
+       if (service_id) {
                write_lock(&local->services_lock);
-               hlist_for_each_entry(prx, &local->services, listen_link) {
-                       if (prx->srx.srx_service == rx->srx.srx_service)
-                               goto service_in_use;
-               }
-
+               if (rcu_access_pointer(local->service))
+                       goto service_in_use;
                rx->local = local;
-               hlist_add_head_rcu(&rx->listen_link, &local->services);
+               rcu_assign_pointer(local->service, rx);
                write_unlock(&local->services_lock);
 
                rx->sk.sk_state = RXRPC_SERVER_BOUND;
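Review bot: The new check `if (rcu_access_pointer(local->service)) goto service_in_use;` refuses a second service bind whatever its service ID, and nothing at the site says why. The reason is only in the commit message: an AFS server calls back to the source port, so a second socket sharing the UDP endpoint could receive another socket's cache-manager callbacks. I would add a comment above the check, e.g. `/* Only one service socket per local endpoint: sharing the UDP port would let another socket receive our CM callbacks */`. rxrpc_bind starts and ends outside this hunk, so the `service_in_use` error path was not reviewed.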
@@ -599,7 +597,6 @@ static int rxrpc_create(struct net *net, struct socket *sock, int protocol,
        rx->family = protocol;
        rx->calls = RB_ROOT;
 
-       INIT_HLIST_NODE(&rx->listen_link);
        spin_lock_init(&rx->incoming_lock);
        INIT_LIST_HEAD(&rx->sock_calls);
        INIT_LIST_HEAD(&rx->to_be_accepted);
@@ -681,11 +678,9 @@ static int rxrpc_release_sock(struct sock *sk)
        sk->sk_state = RXRPC_CLOSE;
        spin_unlock_bh(&sk->sk_receive_queue.lock);
 
-       ASSERTCMP(rx->listen_link.next, !=, LIST_POISON1);
-
-       if (!hlist_unhashed(&rx->listen_link)) {
+       if (rx->local && rx->local->service == rx) {
                write_lock(&rx->local->services_lock);
-               hlist_del_rcu(&rx->listen_link);
+               rx->local->service = NULL;
                write_unlock(&rx->local->services_lock);
        }
 
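Review bot: `rx->local->service` is declared `__rcu` by this commit, but it is read and cleared here with plain accesses, in `if (rx->local && rx->local->service == rx)` and `rx->local->service = NULL;`. Using `rcu_access_pointer(rx->local->service) == rx` for the comparison and `RCU_INIT_POINTER(rx->local->service, NULL);` for the clear keeps the sparse address-space annotations consistent with the accessors used in rxrpc_bind. The same applies to `ASSERT(!local->service)` in rxrpc_local_destroyer. Separately, rxrpc_new_incoming_call now obtains this socket through rcu_dereference(), so the socket must stay valid for an RCU grace period after the pointer is cleared. The rest of rxrpc_release_sock is outside the hunk, so that could not be confirmed here.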
index 6aadaa7d8b4374f7850812ece742d58a4183cc52..539db54697f9fe08071d6c8c08ce414df20c8eb6 100644 (file)
@@ -93,7 +93,6 @@ struct rxrpc_sock {
        rxrpc_notify_new_call_t notify_new_call; /* Func to notify of new call */
        rxrpc_discard_new_call_t discard_new_call; /* Func to discard a new call */
        struct rxrpc_local      *local;         /* local endpoint */
-       struct hlist_node       listen_link;    /* link in the local endpoint's listen list */
        struct rxrpc_backlog    *backlog;       /* Preallocation for services */
        spinlock_t              incoming_lock;  /* Incoming call vs service shutdown lock */
        struct list_head        sock_calls;     /* List of calls owned by this socket */
@@ -216,7 +215,7 @@ struct rxrpc_local {
        struct list_head        link;
        struct socket           *socket;        /* my UDP socket */
        struct work_struct      processor;
-       struct hlist_head       services;       /* services listening on this endpoint */
+       struct rxrpc_sock __rcu *service;       /* Service(s) listening on this endpoint */
        struct rw_semaphore     defrag_sem;     /* control re-enablement of IP DF bit */
        struct sk_buff_head     reject_queue;   /* packets awaiting rejection */
        struct sk_buff_head     event_queue;    /* endpoint event packets awaiting processing */
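Review bot: The comment on the new field, `/* Service(s) listening on this endpoint */`, still reads as if several services can be attached, but the pointer holds at most one socket. I would write `/* Service socket bound to this endpoint (at most one); written under services_lock, read under RCU or services_lock */`. That also records the locking rule the other hunks in this commit rely on.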
index a8d39d7cf42ca2011b45d82a6cebe736fc2f58c2..3cac231d8405ea8c5fd1327f09db11ae449c4464 100644 (file)
@@ -331,14 +331,14 @@ struct rxrpc_call *rxrpc_new_incoming_call(struct rxrpc_local *local,
        struct rxrpc_skb_priv *sp = rxrpc_skb(skb);
        struct rxrpc_sock *rx;
        struct rxrpc_call *call;
+       u16 service_id = sp->hdr.serviceId;
 
        _enter("");
 
        /* Get the socket providing the service */
-       hlist_for_each_entry_rcu_bh(rx, &local->services, listen_link) {
-               if (rx->srx.srx_service == sp->hdr.serviceId)
-                       goto found_service;
-       }
+       rx = rcu_dereference(local->service);
+       if (service_id == rx->srx.srx_service)
+               goto found_service;
 
        trace_rxrpc_abort("INV", sp->hdr.cid, sp->hdr.callNumber, sp->hdr.seq,
                          RX_INVALID_OPERATION, EOPNOTSUPP);
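Review bot: `rx = rcu_dereference(local->service);` can return NULL, and the next line dereferences it unconditionally in `if (service_id == rx->srx.srx_service)`. The pointer is NULL after rxrpc_release_sock clears it, and also on an endpoint where no service was ever bound if this function can be reached for one. The old hlist walk simply found nothing in those cases, whereas the new code would take a NULL dereference on a packet received from the network. The guard should mirror the one this commit adds in rxrpc_init_server_conn_security: `if (rx && service_id == rx->srx.srx_service)`. The removed iterator was the `_rcu_bh` variant, so `rcu_dereference_bh()` may be the matching accessor here; the caller and its read-side lock are outside the hunk.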
index e3fad80b079557c6c1e5cb79106ae0ab96842b60..ff4864d550b8153bcb8a222c8537a85c79c7c7ca 100644 (file)
@@ -86,7 +86,6 @@ static struct rxrpc_local *rxrpc_alloc_local(const struct sockaddr_rxrpc *srx)
                atomic_set(&local->usage, 1);
                INIT_LIST_HEAD(&local->link);
                INIT_WORK(&local->processor, rxrpc_local_processor);
-               INIT_HLIST_HEAD(&local->services);
                init_rwsem(&local->defrag_sem);
                skb_queue_head_init(&local->reject_queue);
                skb_queue_head_init(&local->event_queue);
@@ -292,7 +291,7 @@ static void rxrpc_local_destroyer(struct rxrpc_local *local)
        mutex_unlock(&rxrpc_local_mutex);
 
        ASSERT(RB_EMPTY_ROOT(&local->client_conns));
-       ASSERT(hlist_empty(&local->services));
+       ASSERT(!local->service);
 
        if (socket) {
                local->socket = NULL;
index 82d8134e9287d438ae0ed2f39d534b4c9f773f1d..7d921e56e71544ee2886f93b00d30776992bcfe8 100644 (file)
@@ -131,10 +131,10 @@ int rxrpc_init_server_conn_security(struct rxrpc_connection *conn)
 
        /* find the service */
        read_lock(&local->services_lock);
-       hlist_for_each_entry(rx, &local->services, listen_link) {
-               if (rx->srx.srx_service == conn->params.service_id)
-                       goto found_service;
-       }
+       rx = rcu_dereference_protected(local->service,
+                                      lockdep_is_held(&local->services_lock));
+       if (rx && rx->srx.srx_service == conn->params.service_id)
+               goto found_service;
 
        /* the service appears to have died */
        read_unlock(&local->services_lock);