tipc: fix deadlock during socket release

A deadlock might occur if name table is withdrawn in socket release
routine, and while packets are still being received from bearer.

       CPU0                       CPU1
T0:   recv_msg()               release()
T1:   tipc_recv_msg()          tipc_withdraw()
T2:   [grab node lock]         [grab port lock]
T3:   tipc_link_wakeup_ports() tipc_nametbl_withdraw()
T4:   [grab port lock]*        named_cluster_distribute()
T5:   wakeupdispatch()         tipc_link_send()
T6:                            [grab node lock]*

The opposite order of holding port lock and node lock on above two
different paths may result in a deadlock. If socket lock instead of
port lock is used to protect port instance in tipc_withdraw(), the
reverse order of holding port lock and node lock will be eliminated,
as a result, the deadlock is killed as well.

Reported-by: Lars Everbrand <lars.everbrand@ericsson.com>
Reviewed-by: Erik Hugne <erik.hugne@ericsson.com>
Signed-off-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

1 files changed, 31 insertions, 15 deletions

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 3b61851bb927..e741416d1d24 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -354,7 +354,7 @@ static int release(struct socket *sock)
          * Delete TIPC port; this ensures no more messages are queued
          * (also disconnects an active connection & sends a 'FIN-' to peer)
          */
-        res = tipc_deleteport(tport->ref);
+        res = tipc_deleteport(tport);
 
         /* Discard any remaining (connection-based) messages in receive queue */
         __skb_queue_purge(&sk->sk_receive_queue);
@@ -386,30 +386,46 @@ static int release(struct socket *sock)
  */
 static int bind(struct socket *sock, struct sockaddr *uaddr, int uaddr_len)
 {
+        struct sock *sk = sock->sk;
         struct sockaddr_tipc *addr = (struct sockaddr_tipc *)uaddr;
-        u32 portref = tipc_sk_port(sock->sk)->ref;
+        struct tipc_port *tport = tipc_sk_port(sock->sk);
+        int res = -EINVAL;
 
-        if (unlikely(!uaddr_len))
-                return tipc_withdraw(portref, 0, NULL);
+        lock_sock(sk);
+        if (unlikely(!uaddr_len)) {
+                res = tipc_withdraw(tport, 0, NULL);
+                goto exit;
+        }
 
-        if (uaddr_len < sizeof(struct sockaddr_tipc))
-                return -EINVAL;
-        if (addr->family != AF_TIPC)
-                return -EAFNOSUPPORT;
+        if (uaddr_len < sizeof(struct sockaddr_tipc)) {
+                res = -EINVAL;
+                goto exit;
+        }
+        if (addr->family != AF_TIPC) {
+                res = -EAFNOSUPPORT;
+                goto exit;
+        }
 
         if (addr->addrtype == TIPC_ADDR_NAME)
                 addr->addr.nameseq.upper = addr->addr.nameseq.lower;
-        else if (addr->addrtype != TIPC_ADDR_NAMESEQ)
-                return -EAFNOSUPPORT;
+        else if (addr->addrtype != TIPC_ADDR_NAMESEQ) {
+                res = -EAFNOSUPPORT;
+                goto exit;
+        }
 
         if ((addr->addr.nameseq.type < TIPC_RESERVED_TYPES) &&
             (addr->addr.nameseq.type != TIPC_TOP_SRV) &&
-            (addr->addr.nameseq.type != TIPC_CFG_SRV))
-                return -EACCES;
+            (addr->addr.nameseq.type != TIPC_CFG_SRV)) {
+                res = -EACCES;
+                goto exit;
+        }
 
-        return (addr->scope > 0) ?
-                tipc_publish(portref, addr->scope, &addr->addr.nameseq) :
-                tipc_withdraw(portref, -addr->scope, &addr->addr.nameseq);
+        res = (addr->scope > 0) ?
+                tipc_publish(tport, addr->scope, &addr->addr.nameseq) :
+                tipc_withdraw(tport, -addr->scope, &addr->addr.nameseq);
+exit:
+        release_sock(sk);
+        return res;
 }
 
 /**