You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The crash is in line 5927, where upcall_socket is null. Inspecting in a debugger also reveals that stcb->sctp_socket is not null, but stcb->sctp_socket->so_head is null.
This implies that the value of stcb->sctp_socket->so_head was set to null between lines 5922 and 5923.
In another thread in the core dump, I see that another thread is waiting for a lock on the same socket, with the stack
#3 ___pthread_mutex_lock (mutex=0xffff5473c228) at ./nptl/pthread_mutex_lock.c:93
#4 0x0000ffff2c163730 in sctp_accept (so=0xffff6c3818f0, addr=0xfffe44f9df38) at netinet/sctp_usrreq.c:8540
#5 0x0000ffff2c0c6964 in soaccept (so=0xffff6c3818f0, nam=0xfffe44f9df38) at user_socket.c:1580
#6 0x0000ffff2c0c7230 in user_accept (head=0xfffecc0b8660, name=0x0, namelen=0x0, ptr_accept_ret_sock=0xfffe44f9dfe0)
at user_socket.c:1662
#7 0x0000ffff2c0c73f4 in accept1 (so=0xfffecc0b8660, aname=0x0, anamelen=0x0, ptr_accept_ret_sock=0xfffe44f9dfe0) at user_socket.c:1740
#8 0x0000ffff2c0c755c in usrsctp_accept (so=0xfffecc0b8660, aname=0x0, anamelen=0x0) at user_socket.c:1777
I see in user_accept, shortly before this call to soaccept, the following code:
Notice the clearing of so->so_head at line 1652. The value of so in this thread is the same as the value of stcb->sctp_socket in the sctp_common_input_processing thread.
My conclusion is that because sctp_common_input_processing did not lock stcb->sctp_socket before checking the value of stcb->sctp_socket->so_head, user_accept was able to change its value asynchronously.
The solution is presumably to lock stcb->sctp_socket in sctp_common_input_processing. I can try preparing a patch.
The text was updated successfully, but these errors were encountered:
A correction -- so_head is protected by ACCEPT_LOCK(), so sctp_common_input_processing needs to hold ACCEPT_LOCK() (not the socket lock) while checking stcb->sctp_socket->so_head.
I have a crash in
sctp_common_input_processing
, where it is attempting to callSOCK_LOCK
on a NULL pointer.TLDR:
sctp_common_input_processing
needs to lock the accept lock before retrieving the value ofstcb->sctp_socket->so_head
from it.The crash occurs in revision c1d6cb3 of usrsctp, but the same problem appears to be present in the latest code.
The crashing code is in
netinet/sctp_input.c
, with stackThis code is:
The crash is in line 5927, where
upcall_socket
is null. Inspecting in a debugger also reveals thatstcb->sctp_socket
is not null, butstcb->sctp_socket->so_head
is null.This implies that the value of
stcb->sctp_socket->so_head
was set to null between lines 5922 and 5923.In another thread in the core dump, I see that another thread is waiting for a lock on the same socket, with the stack
I see in
user_accept
, shortly before this call tosoaccept
, the following code:Notice the clearing of
so->so_head
at line 1652. The value ofso
in this thread is the same as the value ofstcb->sctp_socket
in thesctp_common_input_processing
thread.My conclusion is that because
sctp_common_input_processing
did not lockstcb->sctp_socket
before checking the value ofstcb->sctp_socket->so_head
,user_accept
was able to change its value asynchronously.The solution is presumably to lock
stcb->sctp_socket
insctp_common_input_processing
. I can try preparing a patch.The text was updated successfully, but these errors were encountered: