netlink: Do not schedule work from sk_destruct

It is wrong to schedule a work from sk_destruct using the socket as the memory reserve because the socket will be freed immediately after the return from sk_destruct. Instead we should do the deferral prior to sk_free. This patch does just that. Fixes: 707693c8a498 ("netlink: Call cb->done from a worker thread") Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Tested-by: Andrey Konovalov <andreyknvl@google.com> Signed-off-by: David S. Miller <davem@davemloft.net>
author: Herbert Xu <herbert@gondor.apana.org.au> 2016-12-05 02:28:21 -0500
committer: David S. Miller <davem@davemloft.net> 2016-12-05 19:43:42 -0500
commit: ed5d7788a934a4b6d6d025e948ed4da496b4f12e (patch)
tree: 9f10caf66c776a0ea3d55504e647897408105996 /net
parent: ffe3bb85c19e1dbf96cc13aad823ae0a8855d066 (diff)
1 files changed, 15 insertions, 17 deletions
diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 602e5ebe9db3..246f29d365c0 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -322,11 +322,13 @@ static void netlink_skb_set_owner_r(struct sk_buff *skb, struct sock *sk)
        sk_mem_charge(sk, skb->truesize);
 }
-static void __netlink_sock_destruct(struct sock *sk)
+static void netlink_sock_destruct(struct sock *sk)
 {
        struct netlink_sock *nlk = nlk_sk(sk);
        if (nlk->cb_running) {
+                if (nlk->cb.done)
+                        nlk->cb.done(&nlk->cb);
                module_put(nlk->cb.module);
                kfree_skb(nlk->cb.skb);
        }
@@ -348,21 +350,7 @@ static void netlink_sock_destruct_work(struct work_struct *work)
        struct netlink_sock *nlk = container_of(work, struct netlink_sock,
                                                work);
-        nlk->cb.done(&nlk->cb);
+        sk_free(&nlk->sk);
-        __netlink_sock_destruct(&nlk->sk);
-}
-static void netlink_sock_destruct(struct sock *sk)
-{
-        struct netlink_sock *nlk = nlk_sk(sk);
-        if (nlk->cb_running && nlk->cb.done) {
-                INIT_WORK(&nlk->work, netlink_sock_destruct_work);
-                schedule_work(&nlk->work);
-                return;
-        }
-        __netlink_sock_destruct(sk);
 }
 /* This lock without WQ_FLAG_EXCLUSIVE is good on UP and it is _very_ bad on
@@ -667,8 +655,18 @@ out_module:
 static void deferred_put_nlk_sk(struct rcu_head *head)
 {
        struct netlink_sock *nlk = container_of(head, struct netlink_sock, rcu);
+        struct sock *sk = &nlk->sk;
+        if (!atomic_dec_and_test(&sk->sk_refcnt))
+                return;
+        if (nlk->cb_running && nlk->cb.done) {
+                INIT_WORK(&nlk->work, netlink_sock_destruct_work);
+                schedule_work(&nlk->work);
+                return;
+        }
-        sock_put(&nlk->sk);
+        sk_free(sk);
 }
 static int netlink_release(struct socket *sock)
author	Herbert Xu <herbert@gondor.apana.org.au>	2016-12-05 02:28:21 -0500
committer	David S. Miller <davem@davemloft.net>	2016-12-05 19:43:42 -0500
commit	ed5d7788a934a4b6d6d025e948ed4da496b4f12e (patch)
tree	9f10caf66c776a0ea3d55504e647897408105996 /net
parent	ffe3bb85c19e1dbf96cc13aad823ae0a8855d066 (diff)