From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Eric Dumazet <eric.dumazet@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [patch 31/37] net: Fix sock_wfree() race
Date: Fri, 09 Oct 2009 16:34:42 -0700 [thread overview]
Message-ID: <20091009233440.056033028@mini.kroah.org> (raw)
In-Reply-To: <20091009233812.GA15982@kroah.com>
[-- Attachment #1: net-fix-sock_wfree-race.patch --]
[-- Type: text/plain, Size: 1756 bytes --]
2.6.31-stable review patch. If anyone has any objections, please let us know.
------------------
From: Eric Dumazet <eric.dumazet@gmail.com>
[ Upstream commit d99927f4d93f36553699573b279e0ff98ad7dea6 ]
Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80
(net: No more expensive sock_hold()/sock_put() on each tx)
opens a window in sock_wfree() where another cpu
might free the socket we are working on.
A fix is to call sk->sk_write_space(sk) while still
holding a reference on sk.
Reported-by: Jike Song <albcamus@gmail.com>
Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/core/sock.c | 19 ++++++++++++-------
1 file changed, 12 insertions(+), 7 deletions(-)
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -1218,17 +1218,22 @@ void __init sk_init(void)
void sock_wfree(struct sk_buff *skb)
{
struct sock *sk = skb->sk;
- int res;
+ unsigned int len = skb->truesize;
- /* In case it might be waiting for more memory. */
- res = atomic_sub_return(skb->truesize, &sk->sk_wmem_alloc);
- if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE))
+ if (!sock_flag(sk, SOCK_USE_WRITE_QUEUE)) {
+ /*
+ * Keep a reference on sk_wmem_alloc, this will be released
+ * after sk_write_space() call
+ */
+ atomic_sub(len - 1, &sk->sk_wmem_alloc);
sk->sk_write_space(sk);
+ len = 1;
+ }
/*
- * if sk_wmem_alloc reached 0, we are last user and should
- * free this sock, as sk_free() call could not do it.
+ * if sk_wmem_alloc reaches 0, we must finish what sk_free()
+ * could not do because of in-flight packets
*/
- if (res == 0)
+ if (atomic_sub_and_test(len, &sk->sk_wmem_alloc))
__sk_free(sk);
}
EXPORT_SYMBOL(sock_wfree);
next prev parent reply other threads:[~2009-10-09 23:42 UTC|newest]
Thread overview: 54+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <20091009230836.316410305@mini.kroah.org>
2009-10-09 23:12 ` [patch 00/26] 2.6.31.4-stable review Greg KH
2009-10-09 23:08 ` [patch 01/26] x86: fix csum_ipv6_magic asm memory clobber Greg KH
2009-10-09 23:08 ` [patch 02/26] tty: Avoid dropping ldisc_mutex over hangup tty re-initialization Greg KH
2009-10-09 23:08 ` [patch 03/26] x86: Dont leak 64-bit kernel register values to 32-bit processes Greg KH
2009-10-09 23:08 ` [patch 04/26] ALSA: hda - Added quirk to enable sound on Toshiba NB200 Greg KH
2009-10-09 23:08 ` [patch 05/26] tracing: correct module boundaries for ftrace_release Greg KH
2009-10-09 23:08 ` [patch 06/26] ftrace: check for failure for all conversions Greg KH
2009-10-09 23:08 ` [patch 07/26] futex: fix requeue_pi key imbalance Greg KH
2009-10-09 23:08 ` [patch 08/26] futex: Move exit_pi_state() call to release_mm() Greg KH
2009-10-09 23:08 ` [patch 09/26] futex: Nullify robust lists after cleanup Greg KH
2009-10-09 23:08 ` [patch 10/26] futex: Fix locking imbalance Greg KH
2009-10-09 23:08 ` [patch 11/26] NOHZ: update idle state also when NOHZ is inactive Greg KH
2009-10-09 23:08 ` [patch 12/26] ima: ecryptfs fix imbalance message Greg KH
2009-10-09 23:08 ` [patch 13/26] libata: fix incorrect link online check during probe Greg KH
2009-10-09 23:08 ` [patch 14/26] sound: via82xx: move DXS volume controls to PCM interface Greg KH
2009-10-09 23:08 ` [patch 15/26] ASoC: WM8350 capture PGA mutes are inverted Greg KH
2009-10-09 23:08 ` [patch 16/26] KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID Greg KH
2009-10-09 23:08 ` [patch 17/26] KVM: VMX: flush TLB with INVEPT on cpu migration Greg KH
2009-10-09 23:08 ` [patch 18/26] KVM: fix LAPIC timer period overflow Greg KH
2009-10-09 23:08 ` [patch 19/26] KVM: SVM: Fix tsc offset adjustment when running nested Greg KH
2009-10-09 23:08 ` [patch 20/26] net: Fix wrong sizeof Greg KH
2009-10-09 23:08 ` [patch 21/26] mm: add_to_swap_cache() must not sleep Greg KH
2009-10-09 23:08 ` [patch 22/26] sis5513: fix PIO setup for ATAPI devices Greg KH
2009-10-09 23:08 ` [patch 23/26] PIT fixes to unbreak suspend/resume (bug #14222) Greg KH
2009-10-09 23:09 ` [patch 24/26] IMA: open new file for read Greg KH
2009-10-09 23:09 ` [patch 25/26] ACPI: Clarify resource conflict message Greg KH
2009-10-09 23:09 ` [patch 26/26] ACPI: fix Compaq Evo N800c (Pentium 4m) boot hang regression Greg KH
2009-10-09 23:38 ` [patch 00/26] 2.6.31.4-stable review Greg KH
2009-10-09 23:34 ` [patch 27/37] net: restore tx timestamping for accelerated vlans Greg KH
2009-10-09 23:34 ` [patch 28/37] net: unix: fix sending fds in multiple buffers Greg KH
2009-10-09 23:34 ` [patch 29/37] tun: Return -EINVAL if neither IFF_TUN nor IFF_TAP is set Greg KH
2009-10-13 12:36 ` [Stable-review] " Stefan Bader
2009-10-09 23:34 ` [patch 30/37] tcp: fix CONFIG_TCP_MD5SIG + CONFIG_PREEMPT timer BUG() Greg KH
2009-10-09 23:34 ` Greg KH [this message]
2009-10-09 23:34 ` [patch 32/37] smsc95xx: fix transmission where ZLP is expected Greg KH
2009-10-09 23:34 ` [patch 33/37] sky2: Set SKY2_HW_RAM_BUFFER in sky2_init Greg KH
2009-10-09 23:34 ` [patch 34/37] appletalk: Fix skb leak when ipddp interface is not loaded Greg KH
2009-10-09 23:34 ` [patch 35/37] ax25: Fix possible oops in ax25_make_new Greg KH
2009-10-09 23:34 ` [patch 36/37] ax25: Fix SIOCAX25GETINFO ioctl Greg KH
2009-10-09 23:34 ` [patch 37/37] sit: fix off-by-one in ipip6_tunnel_get_prl Greg KH
2009-10-10 0:34 ` Templin, Fred L
2009-10-10 3:42 ` David Miller
2009-10-11 1:29 ` Wolfgang Walter
2009-10-12 23:58 ` Templin, Fred L
2009-10-12 22:04 ` [stable] " Greg KH
2009-10-12 23:29 ` [stable] [patch 37/37] sit: fix off-by-one inipip6_tunnel_get_prl Templin, Fred L
2009-10-12 23:58 ` Greg KH
2009-10-13 0:12 ` David Miller
2009-10-12 23:12 ` [patch 37/37] sit: fix off-by-one in ipip6_tunnel_get_prl Templin, Fred L
2009-10-10 7:17 ` [Stable-review] [patch 00/26] 2.6.31.4-stable review Willy Tarreau
2009-10-10 7:22 ` [stable] " Greg KH
2009-10-10 7:46 ` Willy Tarreau
2009-10-12 11:09 ` Thomas Voegtle
2009-10-12 12:34 ` [Stable-review] " Chuck Ebbert
[not found] <20091009233411.852013234@mini.kroah.org>
[not found] ` <20091009233440.7866800 01@mini.kroah.org>
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20091009233440.056033028@mini.kroah.org \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.