diff options
author | Pavel Emelyanov <xemul@openvz.org> | 2007-11-11 01:08:30 -0500 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2007-11-11 01:08:30 -0500 |
commit | 284b327be2f86cf751316ff344b6945e580e654f (patch) | |
tree | 61a5e5b353be80e092795e357863509861a6a774 | |
parent | 5c80f1ae9842a8b7985acd0f02efb9828effb05f (diff) |
[UNIX]: The unix_nr_socks limit can be exceeded
The unix_nr_socks value is limited with the 2 * get_max_files() value,
as seen from the unix_create1(). However, the check and the actual
increment are separated with the GFP_KERNEL allocation, so this limit
can be exceeded under a memory pressure - task may go to sleep freeing
the pages and some other task will be allowed to allocate a new sock
and so on and so forth.
So make the increment before the check (similar thing is done in the
sock_kmalloc) and go to kmalloc after this.
Signed-off-by: Pavel Emelyanov <xemul@openvz.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/unix/af_unix.c | 7 |
1 files changed, 4 insertions, 3 deletions
diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index ab9048ac197..e835da8fc09 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c | |||
@@ -599,15 +599,14 @@ static struct sock * unix_create1(struct net *net, struct socket *sock) | |||
599 | struct sock *sk = NULL; | 599 | struct sock *sk = NULL; |
600 | struct unix_sock *u; | 600 | struct unix_sock *u; |
601 | 601 | ||
602 | if (atomic_read(&unix_nr_socks) >= 2*get_max_files()) | 602 | atomic_inc(&unix_nr_socks); |
603 | if (atomic_read(&unix_nr_socks) > 2 * get_max_files()) | ||
603 | goto out; | 604 | goto out; |
604 | 605 | ||
605 | sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto); | 606 | sk = sk_alloc(net, PF_UNIX, GFP_KERNEL, &unix_proto); |
606 | if (!sk) | 607 | if (!sk) |
607 | goto out; | 608 | goto out; |
608 | 609 | ||
609 | atomic_inc(&unix_nr_socks); | ||
610 | |||
611 | sock_init_data(sock,sk); | 610 | sock_init_data(sock,sk); |
612 | lockdep_set_class(&sk->sk_receive_queue.lock, | 611 | lockdep_set_class(&sk->sk_receive_queue.lock, |
613 | &af_unix_sk_receive_queue_lock_key); | 612 | &af_unix_sk_receive_queue_lock_key); |
@@ -625,6 +624,8 @@ static struct sock * unix_create1(struct net *net, struct socket *sock) | |||
625 | init_waitqueue_head(&u->peer_wait); | 624 | init_waitqueue_head(&u->peer_wait); |
626 | unix_insert_socket(unix_sockets_unbound, sk); | 625 | unix_insert_socket(unix_sockets_unbound, sk); |
627 | out: | 626 | out: |
627 | if (sk == NULL) | ||
628 | atomic_dec(&unix_nr_socks); | ||
628 | return sk; | 629 | return sk; |
629 | } | 630 | } |
630 | 631 | ||