From: Ben Hutchings <bhutchings@solarflare.com>
To: Octavian Purdila <opurdila@ixiacom.com>
Cc: netdev@vger.kernel.org
Subject: Re: race in skb_splice_bits?
Date: Tue, 27 May 2008 03:08:51 +0100
Message-ID: <20080527020849.GG28241@solarflare.com>
In-Reply-To: <200805270325.24323.opurdila@ixiacom.com>
Octavian Purdila wrote:
>
> Hi,
>
> The following socket lock dropping in skb_splice_bits seems to open a race
> condition which causes an invalid kernel access:
>
> > 	if (spd.nr_pages) {
> > 		int ret;
> >
> > 		/*
> > 		 * Drop the socket lock, otherwise we have reverse
> > 		 * locking dependencies between sk_lock and i_mutex
> > 		 * here as compared to sendfile(). We enter here
> > 		 * with the socket lock held, and splice_to_pipe() will
> > 		 * grab the pipe inode lock. For sendfile() emulation,
> > 		 * we call into ->sendpage() with the i_mutex lock held
> > 		 * and networking will grab the socket lock.
> > 		 */
> > 		release_sock(__skb->sk);
> > 		ret = splice_to_pipe(pipe, &spd);
> > 		lock_sock(__skb->sk);
> > 		return ret;
> > 	}
Given the previous comment, that certainly looks wrong.
<snip>
> Commenting out the sequence that drops the socket lock seems to fix the
> problem on my setup.
But this could apparently cause deadlock. Surely the correct fix is
to copy __skb->sk to a local variable before calling splice_to_pipe()
so we can re-lock it?
Ben.
--
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
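
Added example, not part of the original message or the kernel source: a userspace C model of the local-variable approach suggested in the reply above, where the skb goes away while the socket lock is dropped. The one-field structs, `splice_to_pipe_model`, `splice_with_cached_sk` and `demo_relock` are constructed for illustration, and the model assumes the caller's reference keeps the socket itself alive.

```c
#include <stdlib.h>

/* Userspace model (constructed): stand-ins for the kernel objects. */
struct sock { int locked; };		/* 1 while the socket lock is held */
struct sk_buff { struct sock *sk; };

static void lock_sock(struct sock *sk)    { sk->locked = 1; }
static void release_sock(struct sock *sk) { sk->locked = 0; }

/* Stand-in for splice_to_pipe(): it runs with the socket lock dropped, so
 * the model lets "another context" free the skb during the call. */
static int splice_to_pipe_model(struct sk_buff **skbp, int nr_pages)
{
	free(*skbp);
	*skbp = NULL;	/* a real freed skb would be left dangling */
	return nr_pages;
}

/* Suggested pattern: cache skb->sk while the lock is held, re-lock via the
 * copy. Assumption: the caller's reference keeps the socket alive. */
static int splice_with_cached_sk(struct sk_buff **skbp, int nr_pages)
{
	struct sock *sk = (*skbp)->sk;	/* cached under the lock */
	int ret;

	release_sock(sk);
	ret = splice_to_pipe_model(skbp, nr_pages);
	lock_sock(sk);	/* lock_sock((*skbp)->sk) here would use a freed skb */
	return ret;
}

/* Drives the model once; returns 1 if the lock is held again afterwards. */
static int demo_relock(int nr_pages, int *ret_out)
{
	struct sock sk = { .locked = 0 };
	struct sk_buff *skb = malloc(sizeof(*skb));
	if (!skb)
		return -1;
	skb->sk = &sk;
	lock_sock(&sk);		/* enter with the socket lock held */
	*ret_out = splice_with_cached_sk(&skb, nr_pages);
	return sk.locked && skb == NULL;
}

int main(void)
{
	int ret = 0;
	return demo_relock(3, &ret) == 1 ? 0 : 1;
}
```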