aboutsummaryrefslogtreecommitdiffstats
path: root/net/ipv4
diff options
context:
space:
mode:
authorHerbert Xu <herbert@gondor.apana.org.au>2005-05-19 01:52:33 -0400
committerDavid S. Miller <davem@davemloft.net>2005-05-19 01:52:33 -0400
commit2fdba6b085eb7068e9594cfa55ffe40466184b4d (patch)
tree2f7325f9f62cc643caf6d6c8dd7a24b1cb94ebd0 /net/ipv4
parentd48102007d068df7ba3055cdc1723e12db1ba30f (diff)
[IPV4/IPV6] Ensure all frag_list members have NULL sk
Having frag_list members which holds wmem of an sk leads to nightmares with partially cloned frag skb's. The reason is that once you unleash a skb with a frag_list that has individual sk ownerships into the stack you can never undo those ownerships safely as they may have been cloned by things like netfilter. Since we have to undo them in order to make skb_linearize happy this approach leads to a dead-end. So let's go the other way and make this an invariant: For any skb on a frag_list, skb->sk must be NULL. That is, the socket ownership always belongs to the head skb. It turns out that the implementation is actually pretty simple. The above invariant is actually violated in the following patch for a short duration inside ip_fragment. This is OK because the offending frag_list member is either destroyed at the end of the slow path without being sent anywhere, or it is detached from the frag_list before being sent. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/ipv4')
-rw-r--r--net/ipv4/ip_output.c8
1 files changed, 8 insertions, 0 deletions
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index daebd93fd8a0..760dc8238d65 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -490,6 +490,14 @@ int ip_fragment(struct sk_buff *skb, int (*output)(struct sk_buff*))
490 /* Partially cloned skb? */ 490 /* Partially cloned skb? */
491 if (skb_shared(frag)) 491 if (skb_shared(frag))
492 goto slow_path; 492 goto slow_path;
493
494 BUG_ON(frag->sk);
495 if (skb->sk) {
496 sock_hold(skb->sk);
497 frag->sk = skb->sk;
498 frag->destructor = sock_wfree;
499 skb->truesize -= frag->truesize;
500 }
493 } 501 }
494 502
495 /* Everything is OK. Generate! */ 503 /* Everything is OK. Generate! */