[PATCH 3/4] sctp: implement memory accounting on tx path

Tyler Hicks tyhicks at canonical.com
Thu Apr 18 07:50:21 UTC 2019 

From: Xin Long <lucien.xin at gmail.com>

Now when sending packets, sk_mem_charge() and sk_mem_uncharge() have been
used to set sk_forward_alloc. We just need to call sk_wmem_schedule() to
check if the allocated should be raised, and call sk_mem_reclaim() to
check if the allocated should be reduced when it's under memory pressure.

If sk_wmem_schedule() returns false, which means no memory is allowed to
allocate, it will block and wait for memory to become available.

Note different from tcp, sctp wait_for_buf happens before allocating any
skb, so memory accounting check is done with the whole msg_len before it
too.

Reported-by: Matteo Croce <mcroce at redhat.com>
Tested-by: Matteo Croce <mcroce at redhat.com>
Acked-by: Neil Horman <nhorman at tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner at gmail.com>
Signed-off-by: Xin Long <lucien.xin at gmail.com>
Signed-off-by: David S. Miller <davem at davemloft.net>

CVE-2019-3874

(backported from commit 1033990ac5b2ab6cee93734cb6d301aa3a35bcaa linux-next)
[tyhicks: Backport to 4.4:
 - sctp_sendmsg_to_asoc() does not yet exist and its code is still in
   sctp_sendmsg()
 - sctp_sendmsg() has slight context differences due to timeo being
   unconditionally assigned
 - sctp_sendmsg() doesn't call sctp_prsctp_prune() due to missing commit
   8dbdf1f5b09c ("sctp: implement prsctp PRIO policy")]
Signed-off-by: Tyler Hicks <tyhicks at canonical.com>
---
 net/sctp/socket.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index abe9ca2b0684..0d816d3810c3 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -1937,7 +1937,10 @@ static int sctp_sendmsg(struct sock *sk, struct msghdr *msg, size_t msg_len)
 	}
 
 	timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT);
-	if (sctp_wspace(asoc) <= 0) {
+	if (sk_under_memory_pressure(sk))
+		sk_mem_reclaim(sk);
+
+	if (sctp_wspace(asoc) <= 0 || !sk_wmem_schedule(sk, msg_len)) {
 		/* sk can be changed by peel off when waiting for buf. */
 		err = sctp_wait_for_sndbuf(asoc, &timeo, msg_len);
 		if (err) {
@@ -6990,7 +6993,10 @@ static int sctp_wait_for_sndbuf(struct sctp_association *asoc, long *timeo_p,
 			goto do_error;
 		if (signal_pending(current))
 			goto do_interrupted;
-		if ((int)msg_len <= sctp_wspace(asoc))
+		if (sk_under_memory_pressure(sk))
+			sk_mem_reclaim(sk);
+		if ((int)msg_len <= sctp_wspace(asoc) &&
+		    sk_wmem_schedule(sk, msg_len))
 			break;
 
 		/* Let another process have a go.  Since we are going
-- 
2.7.4

More information about the kernel-team mailing list