Re: [PATCH 2.6.26-rc4] fix double call of kfree_skb in net/llc/llc_sap.c

netdev.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Arnaldo Carvalho de Melo <acme@redhat.com>
To: Dmitry Petukhov <dmgenp@gmail.com>
Cc: Wei Yongjun <yjwei@cn.fujitsu.com>,
	davem@davemloft.net, netdev@vger.kernel.org
Subject: Re: [PATCH 2.6.26-rc4] fix double call of kfree_skb in net/llc/llc_sap.c
Date: Wed, 28 May 2008 17:16:33 -0300	[thread overview]
Message-ID: <20080528201633.GK30251@ghostprotocols.net> (raw)
In-Reply-To: <84ee89da0805280359mcbc43f0q33f29960af20fba1@mail.gmail.com>

Em Wed, May 28, 2008 at 04:59:45PM +0600, Dmitry Petukhov escreveu:
> 2008/5/27 Dmitry Petukhov <dmgenp@gmail.com>:
> > 2008/5/27 Wei Yongjun <yjwei@cn.fujitsu.com>:
> >
> >> Normally,
> >>
> >> skb_get()         (**return )
> >> kfree_skb()
> >>
> >> will do nothing. If you return with no kfree_skb(), it will let that skb can
> >> not be free.
> >>
> >> skb_get()
> >> kfree_skb()
> >> kfree_skb()
> >>
> >> do the real free.
> >
> > Yeah, you're right. Looks like we mislocated the root of our problem
> > (llc socket hangs on receive). Will debug further .
> > Thanks for explanation.
> >
> 
> Looks like we found the real root of our problem.
> file net/llc/llc_sap.c:
> 
> skb_set_owner_r is called before llc_sap_rcv in two places (lines 363, 384)
> skb_set_owner_r do this:
> atomic_add(skb->truesize, &sk->sk_rmem_alloc);
> 
> and in llc_sap_state_process, on line 223 sock_queue_rcv_skb is
> called, which also calls set_owner_r,
> which in turn adds skb->truesize to sk->sk_rmem_alloc once more.
> This double-addition results in sk_mem_alloc growth to exceed sk_rcvbuf.
> We can observe this in  /proc/net/llc/socket, rx_queue field.
> after this value exceeds sk_rcvbuf, sock_queue_rcv_skb always return
> -ENOMEM, and
> socket stops receiving.
> 
> //note: please CC me on reply, i'm not subscribed to the list.

Good catch, that code needs some revisiting after all these years...
Anyway, can you please try this patch and report results? Compile tested
only:

diff --git a/net/llc/llc_sap.c b/net/llc/llc_sap.c
index e2ddde7..008de1f 100644
--- a/net/llc/llc_sap.c
+++ b/net/llc/llc_sap.c
@@ -286,12 +286,14 @@ void llc_build_and_send_xid_pkt(struct llc_sap *sap, struct sk_buff *skb,
  *
  *	Sends received pdus to the sap state machine.
  */
-static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb)
+static void llc_sap_rcv(struct llc_sap *sap, struct sk_buff *skb,
+			struct sock *sk)
 {
 	struct llc_sap_state_ev *ev = llc_sap_ev(skb);
 
 	ev->type   = LLC_SAP_EV_TYPE_PDU;
 	ev->reason = 0;
+	skb->sk = sk;
 	llc_sap_state_process(sap, skb);
 }
 
@@ -360,8 +362,7 @@ static void llc_sap_mcast(struct llc_sap *sap,
 			break;
 
 		sock_hold(sk);
-		skb_set_owner_r(skb1, sk);
-		llc_sap_rcv(sap, skb1);
+		llc_sap_rcv(sap, skb1, sk);
 		sock_put(sk);
 	}
 	read_unlock_bh(&sap->sk_list.lock);
@@ -381,8 +382,7 @@ void llc_sap_handler(struct llc_sap *sap, struct sk_buff *skb)
 	} else {
 		struct sock *sk = llc_lookup_dgram(sap, &laddr);
 		if (sk) {
-			skb_set_owner_r(skb, sk);
-			llc_sap_rcv(sap, skb);
+			llc_sap_rcv(sap, skb, sk);
 			sock_put(sk);
 		} else
 			kfree_skb(skb);

next prev parent reply	other threads:[~2008-05-28 20:16 UTC|newest]

Thread overview: 9+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2008-05-27  7:09 [PATCH 2.6.26-rc4] fix double call of kfree_skb in net/llc/llc_sap.c Dmitry Petukhov
2008-05-27  7:31 ` Wei Yongjun
2008-05-27  8:00   ` Dmitry Petukhov
     [not found]   ` <84ee89da0805270047v1c76b4f3k5768fe853f2cea1d@mail.gmail.com>
     [not found]     ` <483BC1B0.2090600@cn.fujitsu.com>
     [not found]       ` <84ee89da0805270235t7ae75356la2ffbb5244de2f74@mail.gmail.com>
2008-05-28 10:59         ` Dmitry Petukhov
2008-05-28 20:16           ` Arnaldo Carvalho de Melo [this message]
2008-05-29  8:51             ` Dmitry Petukhov
2008-05-29 10:45               ` David Miller
2008-05-29 13:44                 ` [PATCH][LLC]: Fix double accounting of received packets Arnaldo Carvalho de Melo
2008-05-30  9:57                   ` David Miller

find likely ancestor, descendant, or conflicting patches for this message:
( dfblob:e2ddde7 dfblob:008de1f )
 OR (
bs:"Re: [PATCH 2.6.26-rc4] fix double call of kfree_skb in net/llc/llc_sap.c" )
	(help)

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20080528201633.GK30251@ghostprotocols.net \
    --to=acme@redhat.com \
    --cc=davem@davemloft.net \
    --cc=dmgenp@gmail.com \
    --cc=netdev@vger.kernel.org \
    --cc=yjwei@cn.fujitsu.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).