public inbox for netdev@vger.kernel.org 
From: Ben Hutchings <bhutchings@solarflare.com>
To: Evgeniy Polyakov <johnpol@2ka.mipt.ru>
Cc: Octavian Purdila <opurdila@ixiacom.com>, netdev@vger.kernel.org
Subject: Re: race in skb_splice_bits?
Date: Tue, 27 May 2008 12:08:41 +0100
Message-ID: <20080527110840.GH28241@solarflare.com>
In-Reply-To: <20080527110144.GA15141@2ka.mipt.ru>

Evgeniy Polyakov wrote:
> On Tue, May 27, 2008 at 03:25:23AM +0300, Octavian Purdila (opurdila@ixiacom.com) wrote:
> >
> > Hi,
> >
> > The following socket lock dropping in skb_splice_bits seems to open a race
> > condition which causes an invalid kernel access:
> >
> > >        if (spd.nr_pages) {
> > >                int ret;
> > >
> > >                /*
> > >                 * Drop the socket lock, otherwise we have reverse
> > >                 * locking dependencies between sk_lock and i_mutex
> > >                 * here as compared to sendfile(). We enter here
> > >                 * with the socket lock held, and splice_to_pipe() will
> > >                 * grab the pipe inode lock. For sendfile() emulation,
> > >                 * we call into ->sendpage() with the i_mutex lock held
> > >                 * and networking will grab the socket lock.
> > >                 */
>
> What about sock_hold() here?
> It will prevent from socket freeing and read/write to it will
> immediately return with error if socket was closed by another thread.
<snip>

We know the socket isn't going to go away because somewhere up the call
stack someone has to be holding the socket in order to lock it.  However,
the skb may (and evidently sometimes does) go away during splice_to_pipe()
so we can't look up the socket through it.

However, from Octavian's later mail it seems we can't let the skb go away
at all.  So some wider changes seem to be required.

Ben.

--
Ben Hutchings, Senior Software Engineer, Solarflare Communications
Not speaking for my employer; that's the marketing department's job.
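The locking pattern Ben describes, as an added example that is not code from the thread or from the kernel: a userspace model in which `struct sock`, `struct sk_buff`, `lock_sock()`/`release_sock()` and `splice_to_pipe_sim()` are stand-ins that model only the window during which the socket lock is dropped. The unsafe variant re-derives the socket through the skb after that window, which is the shape of the reported bug; the safe variant captures the `sock` pointer while the skb is still known to be valid, relying on the fact Ben states, that a caller up the stack holds the socket. Freeing is modelled by poisoning the skb rather than by a real use-after-free, so the misuse is observable. Note that this shows only Ben's narrow point; the thread goes on to say the skb must not be freed at all during the window, which this example does not address.

```c
#include <stdio.h>

/*
 * Userspace model of the locking pattern discussed in the thread.  This is
 * an added example, not kernel code: struct sock, struct sk_buff,
 * lock_sock()/release_sock() and splice_to_pipe_sim() are stand-ins that
 * model the lock window and nothing else.
 */
struct sock {
    int lock_depth;          /* > 0 while the "socket lock" is held */
};

struct sk_buff {
    struct sock *sk;         /* owning socket */
    int freed;               /* tombstone set when the other context frees it */
};

static void lock_sock(struct sock *sk)    { sk->lock_depth++; }
static void release_sock(struct sock *sk) { sk->lock_depth--; }

/* Plays the role of whatever runs while the socket lock is dropped. */
typedef void (*window_cb)(struct sk_buff *skb);

/* Stand-in for splice_to_pipe(): the only behaviour modelled is that some
 * other context may run (and free the skb) while we are inside it. */
static int splice_to_pipe_sim(struct sk_buff *skb, window_cb during_window)
{
    if (during_window)
        during_window(skb);
    return 0;
}

/* The other context frees the skb.  A real kfree_skb() would leave dangling
 * memory; here the fields are poisoned so the misuse is observable. */
static void free_skb_in_window(struct sk_buff *skb)
{
    skb->freed = 1;
    skb->sk = NULL;
}

/* Shape of the reported bug: the socket is looked up through the skb a
 * second time, after the lock was dropped and the skb may be gone.
 * Returns -1 where the real code would dereference freed memory. */
static int splice_bits_unsafe(struct sk_buff *skb, window_cb cb)
{
    int ret;

    release_sock(skb->sk);
    ret = splice_to_pipe_sim(skb, cb);
    if (skb->freed)                      /* stands in for the use-after-free */
        return -1;
    lock_sock(skb->sk);
    return ret;
}

/* Ben's point: the socket stays alive because a caller up the stack holds
 * it, so take the pointer while the skb is still valid and never go back
 * through the skb afterwards. */
static int splice_bits_safe(struct sk_buff *skb, window_cb cb)
{
    struct sock *sk = skb->sk;           /* captured before dropping the lock */
    int ret;

    release_sock(sk);
    ret = splice_to_pipe_sim(skb, cb);
    lock_sock(sk);                       /* skb is not touched again */
    return ret;
}

/* Run one variant with the skb freed inside the window; report the return
 * value and whether the socket lock was re-acquired afterwards. */
static int run_scenario(int (*variant)(struct sk_buff *, window_cb),
                        int *lock_depth_after)
{
    struct sock sk = { 1 };              /* entered with the lock held */
    struct sk_buff skb = { &sk, 0 };     /* constructed sample skb */
    int ret = variant(&skb, free_skb_in_window);

    *lock_depth_after = sk.lock_depth;
    return ret;
}

int main(void)
{
    int depth;
    int r = run_scenario(splice_bits_unsafe, &depth);
    printf("unsafe: ret=%d lock_depth=%d\n", r, depth);  /* ret=-1, lock never retaken */
    r = run_scenario(splice_bits_safe, &depth);
    printf("safe:   ret=%d lock_depth=%d\n", r, depth);  /* ret=0, lock_depth=1 */
    return 0;
}
```

The model deliberately keeps the lock bookkeeping visible: in the unsafe path the lock is never re-acquired once the skb is gone, which in the real kernel would also leave the caller returning without the lock it entered with, on top of the freed-memory access.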

Thread overview: 29+ messages
2008-05-27  0:25 race in skb_splice_bits? Octavian Purdila
2008-05-27  2:08 ` Ben Hutchings
2008-05-27 10:41   ` Octavian Purdila
2008-05-27 11:01 ` Evgeniy Polyakov
2008-05-27 11:08   ` Ben Hutchings [this message]
2008-05-27 11:52     ` Evgeniy Polyakov
2008-05-27 11:56       ` Evgeniy Polyakov
2008-05-27 12:53         ` Octavian Purdila
2008-05-27 13:21           ` Evgeniy Polyakov
2008-05-27 14:03             ` Evgeniy Polyakov
2008-05-27 14:39               ` Octavian Purdila
2008-05-27 15:09                 ` Evgeniy Polyakov
2008-05-27 15:12                   ` Evgeniy Polyakov
2008-05-27 15:22                     ` Evgeniy Polyakov
2008-05-27 15:33                       ` Octavian Purdila
2008-05-27 15:47                         ` Evgeniy Polyakov
2008-05-27 17:28                           ` Evgeniy Polyakov
2008-05-27 23:59                             ` Octavian Purdila
2008-05-28  8:52                               ` Evgeniy Polyakov
2008-05-28 13:20                                 ` Octavian Purdila
2008-05-28 14:11                                   ` Evgeniy Polyakov
2008-05-28 15:20                                     ` Octavian Purdila
2008-05-28 15:42                                       ` Evgeniy Polyakov
2008-05-28 17:08                                       ` Octavian Purdila
2008-05-28 17:51                                         ` Evgeniy Polyakov
2008-05-28 18:02                                           ` Octavian Purdila
2008-05-28 20:01                                             ` Jarek Poplawski
2008-05-28 20:09                                               ` Octavian Purdila
2008-05-28 20:16                                                 ` Jarek Poplawski