From: Jarek Poplawski <jarkao2@gmail.com>
To: Eric Dumazet <eric.dumazet@gmail.com>
Cc: David Miller <davem@davemloft.net>, netdev@vger.kernel.org
Subject: Re: [PATCH net-next-2.6] net: pskb_expand_head() optimization
Date: Tue, 7 Sep 2010 09:16:14 +0000 [thread overview]
Message-ID: <20100907091614.GA8245@ff.dom.local> (raw)
In-Reply-To: <1283835729.2585.499.camel@edumazet-laptop>
On 2010-09-07 07:02, Eric Dumazet wrote:
> Le lundi 06 septembre 2010 Ă 19:20 -0700, David Miller a ĂŠcrit :
>
>> Eric, this goes on top of your patch and demonstrates the idea.
>>
>> Please review if you have a chance:
>>
>> diff --git a/net/core/skbuff.c b/net/core/skbuff.c
>> index 2d1bc76..aeb56af 100644
>> --- a/net/core/skbuff.c
>> +++ b/net/core/skbuff.c
>> @@ -327,6 +327,32 @@ static void skb_clone_fraglist(struct sk_buff *skb)
>> skb_get(list);
>> }
>>
>> +static struct sk_buff *skb_copy_fraglist(struct sk_buff *parent,
>> + gfp_t gfp_mask)
>> +{
>> + struct sk_buff *first_skb = NULL;
>> + struct sk_buff *prev_skb = NULL;
>> + struct sk_buff *skb;
>> +
>> + skb_walk_frags(parent, skb) {
>> + struct sk_buff *nskb = pskb_copy(skb, gfp_mask);
>> +
>> + if (!nskb)
>> + goto fail;
>> + if (!first_skb)
>> + first_skb = skb;
>> + else
>> + prev_skb->next = skb;
>> + prev_skb = skb;
>> + }
>> +
>> + return first_skb;
>> +
>> +fail:
>> + skb_drop_list(&first_skb);
>> + return NULL;
>> +}
>> +
>> static void skb_release_data(struct sk_buff *skb)
>> {
>> if (!skb->cloned ||
>> @@ -812,17 +838,22 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>> fastpath = atomic_read(&skb_shinfo(skb)->dataref) == delta;
>> }
>>
>> - if (fastpath) {
>> - kfree(skb->head);
>> - } else {
>> + if (!fastpath) {
>> + if (skb_has_frag_list(skb)) {
>> + struct sk_buff *new_list;
>> +
>> + new_list = skb_copy_fraglist(skb, gfp_mask);
>> + if (!new_list)
>> + goto free_data;
>> + skb_shinfo(skb)->frag_list = new_list;
>
> Here, skb_shinfo(skb) still points to old shinfo, you should not touch
> it. An other user might need it :)
Even if there were no users this is written to the area freed with
kfree(skb->head) a few lines later, isn't it?
>
>> + }
>> for (i = 0; i < skb_shinfo(skb)->nr_frags; i++)
>> get_page(skb_shinfo(skb)->frags[i].page);
>>
>> - if (skb_has_frag_list(skb))
>> - skb_clone_fraglist(skb);
>> -
>> - skb_release_data(skb);
>> }
>
> I believe you cannot remove skb_release_data() call, we really need to
> perform the atomic operation, and test the result on it, or a double
> free could happen.
>
>> +
>> + kfree(skb->head);
>> +
>> off = (data + nhead) - skb->head;
>>
>> skb->head = data;
>> @@ -848,6 +879,8 @@ int pskb_expand_head(struct sk_buff *skb, int nhead, int ntail,
>> atomic_set(&skb_shinfo(skb)->dataref, 1);
>> return 0;
>>
>> +free_data:
>> + kfree(data);
>
> is it a leftover ?
>
>> nodata:
>> return -ENOMEM;
>> }
>
> I understand what you want to do, but problem is we need to perform a
> CAS2 operation : atomically changes two values (dataref and frag_list)
Alas I can't understand why do you think these clone and atomic tests
in skb_release_data() don't protect skb_shinfo(skb)->frag_list enough.
Jarek P.
next prev parent reply other threads:[~2010-09-07 9:16 UTC|newest]
Thread overview: 33+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-09-03 3:43 [PATCH] net: Frag list lost on head expansion David Miller
2010-09-03 5:48 ` Eric Dumazet
2010-09-03 6:19 ` Eric Dumazet
2010-09-03 9:09 ` [PATCH net-next-2.6] net: pskb_expand_head() optimization Eric Dumazet
2010-09-03 13:46 ` David Miller
2010-09-07 2:20 ` David Miller
2010-09-07 5:02 ` Eric Dumazet
2010-09-07 5:05 ` David Miller
2010-09-07 9:16 ` Jarek Poplawski [this message]
2010-09-07 9:37 ` Eric Dumazet
2010-09-10 19:54 ` David Miller
2010-09-11 12:31 ` Jarek Poplawski
2010-09-12 3:30 ` David Miller
2010-09-12 10:45 ` Jarek Poplawski
2010-09-12 10:58 ` Jarek Poplawski
2010-09-12 15:58 ` David Miller
2010-09-12 16:13 ` David Miller
2010-09-12 20:57 ` Jarek Poplawski
2010-09-12 22:08 ` David Miller
2010-09-13 7:49 ` Jarek Poplawski
2010-09-12 19:55 ` Ben Pfaff
2010-09-12 20:24 ` David Miller
2010-09-12 20:45 ` Jarek Poplawski
2010-09-20 0:17 ` David Miller
2010-09-20 7:21 ` Jarek Poplawski
2010-09-20 9:02 ` Eric Dumazet
2010-09-20 9:14 ` Jarek Poplawski
2010-09-20 12:12 ` Jarek Poplawski
2010-09-20 12:40 ` Eric Dumazet
2010-09-20 16:59 ` David Miller
2010-09-07 1:25 ` David Miller
-- strict thread matches above, loose matches on Subject: below --
2010-07-22 19:12 [PATCH] Fix corruption of skb csum field in pskb_expand_head() of net/core/skbuff.c Andrea Shepard
2010-07-23 5:09 ` [PATCH net-next-2.6] net: pskb_expand_head() optimization Eric Dumazet
2010-07-25 4:06 ` David Miller
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20100907091614.GA8245@ff.dom.local \
--to=jarkao2@gmail.com \
--cc=davem@davemloft.net \
--cc=eric.dumazet@gmail.com \
--cc=netdev@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).