On Tue, 2021-03-30 at 16:40 +0200, Eric Dumazet wrote:
> On Tue, Mar 30, 2021 at 4:39 PM Eric Dumazet <eduma...@google.com> wrote:
> > On Tue, Mar 30, 2021 at 4:25 PM Paolo Abeni <pab...@redhat.com> wrote:
> > > Currently the mentioned helper can end-up freeing the socket wmem
> > > without waking-up any processes waiting for more write memory.
> > >
> > > If the partially orphaned skb is attached to an UDP (or raw) socket,
> > > the lack of wake-up can hang the user-space.
> > >
> > > Address the issue invoking the write_space callback after
> > > releasing the memory, if the old skb destructor requires that.
> > >
> > > Fixes: f6ba8d33cfbb ("netem: fix skb_orphan_partial()")
> > > Signed-off-by: Paolo Abeni <pab...@redhat.com>
> > > ---
> > > net/core/sock.c | 2 ++
> > > 1 file changed, 2 insertions(+)
> > >
> > > diff --git a/net/core/sock.c b/net/core/sock.c
> > > index 0ed98f20448a2..7a38332d748e7 100644
> > > --- a/net/core/sock.c
> > > +++ b/net/core/sock.c
> > > @@ -2137,6 +2137,8 @@ void skb_orphan_partial(struct sk_buff *skb)
> > >
> > > if (refcount_inc_not_zero(&sk->sk_refcnt)) {
> > > WARN_ON(refcount_sub_and_test(skb->truesize,
> > > &sk->sk_wmem_alloc));
> > > + if (skb->destructor == sock_wfree)
> > > + sk->sk_write_space(sk);
> >
> > Interesting.
> >
> > Why TCP is not a problem here ?
AFAICS, tcp_wfree() does not call sk->sk_write_space(). Processes
waiting for wmem are woken by ack processing.
> > I would rather replace WARN_ON(refcount_sub_and_test(skb->truesize,
> > &sk->sk_wmem_alloc)) by :
> > skb_orphan(skb);
>
> And of course re-add
> skb->sk = sk;
Double checking to be sure. The patched slice of skb_orphan_partial()
will then look like:
if (can_skb_orphan_partial(skb)) {
struct sock *sk = skb->sk;
if (refcount_inc_not_zero(&sk->sk_refcnt)) {
skb_orphan(skb);
skb->sk = sk;
skb->destructor = sock_efree;
}
} // ...
Am I correct?
Thanks!
Paolo
