diff options
| author | Octavian Purdila <opurdila@ixiacom.com> | 2008-06-04 18:45:58 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2008-06-04 18:45:58 -0400 |
| commit | 293ad60401da621b8b329abbe8c388edb25f658a (patch) | |
| tree | fb2fdaf7721c8efa36b0b47f7b63d4e600217dbb | |
| parent | 26af65cbeb2467a486ae4fc7242c94e470c67c50 (diff) | |
tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.
skb_splice_bits temporary drops the socket lock while iterating over
the socket queue in order to break a reverse locking condition which
happens with sendfile. This, however, opens a window of opportunity
for tcp_collapse() to aggregate skbs and thus potentially free the
current skb used in skb_splice_bits and tcp_read_sock.
This patch fixes the problem by (re-)getting the same "logical skb"
after the lock has been temporary dropped.
Based on idea and initial patch from Evgeniy Polyakov.
Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>
Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
| -rw-r--r-- | net/core/skbuff.c | 5 | ||||
| -rw-r--r-- | net/ipv4/tcp.c | 9 |
2 files changed, 11 insertions, 3 deletions
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 5c459f2b7985..1e556d312117 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c | |||
| @@ -1445,6 +1445,7 @@ done: | |||
| 1445 | 1445 | ||
| 1446 | if (spd.nr_pages) { | 1446 | if (spd.nr_pages) { |
| 1447 | int ret; | 1447 | int ret; |
| 1448 | struct sock *sk = __skb->sk; | ||
| 1448 | 1449 | ||
| 1449 | /* | 1450 | /* |
| 1450 | * Drop the socket lock, otherwise we have reverse | 1451 | * Drop the socket lock, otherwise we have reverse |
| @@ -1455,9 +1456,9 @@ done: | |||
| 1455 | * we call into ->sendpage() with the i_mutex lock held | 1456 | * we call into ->sendpage() with the i_mutex lock held |
| 1456 | * and networking will grab the socket lock. | 1457 | * and networking will grab the socket lock. |
| 1457 | */ | 1458 | */ |
| 1458 | release_sock(__skb->sk); | 1459 | release_sock(sk); |
| 1459 | ret = splice_to_pipe(pipe, &spd); | 1460 | ret = splice_to_pipe(pipe, &spd); |
| 1460 | lock_sock(__skb->sk); | 1461 | lock_sock(sk); |
| 1461 | return ret; | 1462 | return ret; |
| 1462 | } | 1463 | } |
| 1463 | 1464 | ||
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c index f88653138621..ab66683b8043 100644 --- a/net/ipv4/tcp.c +++ b/net/ipv4/tcp.c | |||
| @@ -1227,7 +1227,14 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc, | |||
| 1227 | copied += used; | 1227 | copied += used; |
| 1228 | offset += used; | 1228 | offset += used; |
| 1229 | } | 1229 | } |
| 1230 | if (offset != skb->len) | 1230 | /* |
| 1231 | * If recv_actor drops the lock (e.g. TCP splice | ||
| 1232 | * receive) the skb pointer might be invalid when | ||
| 1233 | * getting here: tcp_collapse might have deleted it | ||
| 1234 | * while aggregating skbs from the socket queue. | ||
| 1235 | */ | ||
| 1236 | skb = tcp_recv_skb(sk, seq-1, &offset); | ||
| 1237 | if (!skb || (offset+1 != skb->len)) | ||
| 1231 | break; | 1238 | break; |
| 1232 | } | 1239 | } |
| 1233 | if (tcp_hdr(skb)->fin) { | 1240 | if (tcp_hdr(skb)->fin) { |