tcp: Fix for race due to temporary drop of the socket lock in skb_splice_bits.
authorOctavian Purdila <opurdila@ixiacom.com>
Wed, 4 Jun 2008 22:45:58 +0000 (15:45 -0700)
committerDavid S. Miller <davem@davemloft.net>
Wed, 4 Jun 2008 22:45:58 +0000 (15:45 -0700)
skb_splice_bits temporary drops the socket lock while iterating over
the socket queue in order to break a reverse locking condition which
happens with sendfile. This, however, opens a window of opportunity
for tcp_collapse() to aggregate skbs and thus potentially free the
current skb used in skb_splice_bits and tcp_read_sock.

This patch fixes the problem by (re-)getting the same "logical skb"
after the lock has been temporary dropped.

Based on idea and initial patch from Evgeniy Polyakov.

Signed-off-by: Octavian Purdila <opurdila@ixiacom.com>
Acked-by: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
net/core/skbuff.c
net/ipv4/tcp.c

index 5c459f2b7985211e0dd8d067e925c20f2e35b958..1e556d31211742d41acb39cbc2c1cd8460e2d3b0 100644 (file)
@@ -1445,6 +1445,7 @@ done:
 
        if (spd.nr_pages) {
                int ret;
+               struct sock *sk = __skb->sk;
 
                /*
                 * Drop the socket lock, otherwise we have reverse
@@ -1455,9 +1456,9 @@ done:
                 * we call into ->sendpage() with the i_mutex lock held
                 * and networking will grab the socket lock.
                 */
-               release_sock(__skb->sk);
+               release_sock(sk);
                ret = splice_to_pipe(pipe, &spd);
-               lock_sock(__skb->sk);
+               lock_sock(sk);
                return ret;
        }
 
index f88653138621a414ec94b517eb84f9a8267e2dda..ab66683b804343fc852b93220d41e83d80275512 100644 (file)
@@ -1227,7 +1227,14 @@ int tcp_read_sock(struct sock *sk, read_descriptor_t *desc,
                                copied += used;
                                offset += used;
                        }
-                       if (offset != skb->len)
+                       /*
+                        * If recv_actor drops the lock (e.g. TCP splice
+                        * receive) the skb pointer might be invalid when
+                        * getting here: tcp_collapse might have deleted it
+                        * while aggregating skbs from the socket queue.
+                        */
+                       skb = tcp_recv_skb(sk, seq-1, &offset);
+                       if (!skb || (offset+1 != skb->len))
                                break;
                }
                if (tcp_hdr(skb)->fin) {