From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Nagendra Singh Tomar <tomer_iisc@yahoo.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [37/66] net: Fix the condition passed to sk_wait_event()
Date: Fri, 22 Oct 2010 11:35:04 -0700 [thread overview]
Message-ID: <20101022183559.504498040@clark.site> (raw)
In-Reply-To: <20101022183711.GA23214@kroah.com>
2.6.32-stable review patch. If anyone has any objections, please let us know.
------------------
From: Nagendra Tomar <tomer_iisc@yahoo.com>
[ Upstream commit 482964e56e1320cb7952faa1932d8ecf59c4bf75 ]
This patch fixes the condition (3rd arg) passed to sk_wait_event() in
sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
causes the following soft lockup in tcp_sendmsg() when the global tcp
memory pool has exhausted.
>>> snip <<<
localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
localhost kernel: CPU 3:
localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200] [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
localhost kernel:
localhost kernel: Call Trace:
localhost kernel: [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
localhost kernel: [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel: [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
localhost kernel: [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
localhost kernel: [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
localhost kernel: [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel: [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
localhost kernel: [vfs_write+0x185/0x190] vfs_write+0x185/0x190
localhost kernel: [sys_write+0x50/0x90] sys_write+0x50/0x90
localhost kernel: [system_call+0x7e/0x83] system_call+0x7e/0x83
>>> snip <<<
What is happening is, that the sk_wait_event() condition passed from
sk_stream_wait_memory() evaluates to true for the case of tcp global memory
exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
which causes sk_wait_event() to *not* call schedule_timeout().
Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
This causes the caller to again try allocation, which again fails and again
calls sk_stream_wait_memory(), and so on.
[ Bug introduced by commit c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088
("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/core/stream.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -140,10 +140,10 @@ int sk_stream_wait_memory(struct sock *s
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
sk->sk_write_pending++;
- sk_wait_event(sk, ¤t_timeo, !sk->sk_err &&
- !(sk->sk_shutdown & SEND_SHUTDOWN) &&
- sk_stream_memory_free(sk) &&
- vm_wait);
+ sk_wait_event(sk, ¤t_timeo, sk->sk_err ||
+ (sk->sk_shutdown & SEND_SHUTDOWN) ||
+ (sk_stream_memory_free(sk) &&
+ !vm_wait));
sk->sk_write_pending--;
if (vm_wait) {
next prev parent reply other threads:[~2010-10-22 18:38 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-22 18:37 [00/66] 2.6.32.25-stable review Greg KH
2010-10-22 18:34 ` [01/66] x86, cpu: After uncapping CPUID, re-run CPU feature detection Greg KH
2010-10-22 18:34 ` [02/66] ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory Greg KH
2010-10-22 18:34 ` [03/66] ALSA: oxygen: fix analog capture on Claro halo cards Greg KH
2010-10-22 18:34 ` [04/66] ALSA: hda - Add Dell Latitude E6400 model quirk Greg KH
2010-10-22 18:34 ` [05/66] ALSA: prevent heap corruption in snd_ctl_new() Greg KH
2010-10-22 18:34 ` [06/66] ALSA: rawmidi: fix oops (use after free) when unloading a driver module Greg KH
2010-10-22 18:34 ` [07/66] USB: fix bug in initialization of interface minor numbers Greg KH
2010-10-22 18:34 ` [08/66] usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style Greg KH
2010-10-22 18:34 ` [09/66] usb: musb: gadget: restart request on clearing endpoint halt Greg KH
2010-10-22 18:34 ` [10/66] oprofile: Add Support for Intel CPU Family 6 / Model 29 Greg KH
2010-10-22 18:34 ` [11/66] RDMA/cxgb3: Turn off RX coalescing for iWARP connections Greg KH
2010-10-22 18:34 ` [12/66] mmc: sdhci-s3c: fix NULL ptr access in sdhci_s3c_remove Greg KH
2010-10-22 18:34 ` [13/66] x86/amd-iommu: Set iommu configuration flags in enable-loop Greg KH
2010-10-22 18:34 ` [14/66] x86/amd-iommu: Fix rounding-bug in __unmap_single Greg KH
2010-10-22 18:34 ` [15/66] x86/amd-iommu: Work around S3 BIOS bug Greg KH
2010-10-22 18:34 ` [16/66] tracing/x86: Dont use mcount in pvclock.c Greg KH
2010-10-22 18:34 ` [17/66] tracing/x86: Dont use mcount in kvmclock.c Greg KH
2010-10-22 18:34 ` [18/66] v4l1: fix 32-bit compat microcode loading translation Greg KH
2010-10-22 18:34 ` [19/66] V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0) Greg KH
2010-10-22 18:34 ` [20/66] V4L/DVB (13966): DVB-T regression fix for saa7134 cards Greg KH
2010-10-22 18:34 ` [21/66] Input: joydev - fix JSIOCSAXMAP ioctl Greg KH
2010-10-22 18:34 ` [22/66] x86, hpet: Fix bogus error check in hpet_assign_irq() Greg KH
2010-10-22 18:34 ` [23/66] x86, irq: Plug memory leak in sparse irq Greg KH
2010-10-22 18:34 ` [24/66] ubd: fix incorrect sector handling during request restart Greg KH
2010-10-22 18:34 ` [25/66] ring-buffer: Fix typo of time extends per page Greg KH
2010-10-22 18:34 ` [26/66] dmaengine: fix interrupt clearing for mv_xor Greg KH
2010-10-22 18:34 ` [27/66] hrtimer: Preserve timer state in remove_hrtimer() Greg KH
2010-10-22 18:34 ` [28/66] i2c-pca: Fix waitforcompletion() return value Greg KH
2010-10-22 18:34 ` [29/66] ocfs2: Dont walk off the end of fast symlinks Greg KH
2010-10-22 18:34 ` [30/66] wext: fix potential private ioctl memory content leak Greg KH
2010-10-22 18:34 ` [31/66] atl1: fix resume Greg KH
2010-10-22 18:34 ` [32/66] x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order Greg KH
2010-10-22 18:35 ` [33/66] De-pessimize rds_page_copy_user Greg KH
2010-10-22 18:35 ` [34/66] drm/radeon: fix PCI ID 5657 to be an RV410 Greg KH
2010-10-22 18:35 ` [35/66] xfrm4: strip ECN and IP Precedence bits in policy lookup Greg KH
2010-10-22 18:35 ` [36/66] tcp: Fix >4GB writes on 64-bit Greg KH
2010-10-22 18:35 ` Greg KH [this message]
2010-10-22 18:35 ` [38/66] Phonet: Correct header retrieval after pskb_may_pull Greg KH
2010-10-22 18:35 ` [39/66] net: Fix IPv6 PMTU disc. w/ asymmetric routes Greg KH
2010-10-22 18:35 ` [40/66] ip: fix truesize mismatch in ip fragmentation Greg KH
2010-10-22 18:35 ` [41/66] net: clear heap allocations for privileged ethtool actions Greg KH
2010-10-22 18:35 ` [42/66] tcp: Fix race in tcp_poll Greg KH
2010-10-22 18:35 ` [43/66] netxen: dont set skb->truesize Greg KH
2010-10-22 18:35 ` [44/66] rose: Fix signedness issues wrt. digi count Greg KH
2010-10-22 18:35 ` [45/66] net: blackhole route should always be recalculated Greg KH
2010-10-22 18:35 ` [46/66] skge: add quirk to limit DMA Greg KH
2010-10-22 18:35 ` [47/66] r8169: allocate with GFP_KERNEL flag when able to sleep Greg KH
2010-10-22 18:35 ` [48/66] [SCSI] bsg: fix incorrect device_status value Greg KH
2010-10-22 18:35 ` [49/66] r6040: fix r6040_multicast_list Greg KH
2010-10-22 18:35 ` [50/66] r6040: Fix multicast list iteration when hash filter is used Greg KH
2010-10-22 18:35 ` [51/66] powerpc: Initialise paca->kstack before early_setup_secondary Greg KH
2010-10-22 18:35 ` [52/66] powerpc: Dont use kernel stack with translation off Greg KH
2010-10-22 18:35 ` [53/66] b44: fix carrier detection on bind Greg KH
2010-10-22 18:35 ` [54/66] ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume Greg KH
2010-10-22 18:35 ` [55/66] intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang Greg KH
2010-10-22 18:35 ` [56/66] ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355 Greg KH
2010-10-22 18:35 ` [57/66] ACPI: delete ZEPTO idle=nomwait DMI quirk Greg KH
2010-10-22 18:35 ` [58/66] ACPI: Disable Windows Vista compatibility for Toshiba P305D Greg KH
2010-10-22 18:35 ` [59/66] x86: detect scattered cpuid features earlier Greg KH
2010-10-22 18:35 ` [60/66] fix 2.6.32.23 suspend regression caused by commit 6f6198a Greg KH
2010-10-22 18:35 ` [61/66] setup_arg_pages: diagnose excessive argument size Greg KH
2010-10-22 18:35 ` [62/66] execve: improve interactivity with large arguments Greg KH
2010-10-22 18:35 ` [63/66] execve: make responsive to SIGKILL " Greg KH
2010-10-22 18:35 ` [64/66] Phonet: disable network namespace support Greg KH
2010-10-22 21:22 ` Ben Hutchings
2010-10-25 7:43 ` Rémi Denis-Courmont
2010-10-22 18:35 ` [65/66] mm: Move vma_stack_continue into mm.h Greg KH
2010-10-22 18:35 ` [66/66] drivers/hwmon/coretemp.c: detect the thermal sensors by CPUID Greg KH
2010-10-23 9:27 ` Jean Delvare
2010-10-23 16:06 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101022183559.504498040@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=tomer_iisc@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.