On Wed, Nov 11, 2015, at 21:09, Eric Dumazet wrote: > On Wed, 2015-11-11 at 20:58 +0100, Hannes Frederic Sowa wrote: > > > > On Wed, Nov 11, 2015, at 20:42, Eric Dumazet wrote: > > > On Wed, 2015-11-11 at 20:35 +0100, Hannes Frederic Sowa wrote: > > > > > > > > On Wed, Nov 11, 2015, at 20:28, Eric Dumazet wrote: > > > > > On Wed, 2015-11-11 at 20:14 +0100, Hannes Frederic Sowa wrote: > > > > > > On Wed, Nov 11, 2015, at 19:58, Eric Dumazet wrote: > > > > > > > > > > > Can you elaborate? > > > > > > > > > > > > I use tail as a cookie and check if we already tried to append to > > > > > > the > > > > > > same tail skb with skb_append_pagefrags. If during allocation, > > > > > > which we > > > > > > do outside of the locks, a new skb arrives, we take that and try to > > > > > > append again (and free the old skb), to correctly not create any > > > > > > reordering in the data stream. > > > > > > > > > > > > You think that tail could be reused in the meanwhile? > > > > > > > > > > Hmmm, there is some funky stuff at least. > > > > > > > > > > Are you sure the __skb_queue_tail(&other->sk_receive_queue, newskb) > > > > > is appropriate ? > > > > > > > > > > (Why not locking sk_receive_queue is safe ?) > > > > > > > > We hold the other's state lock at that time. > > > > > > Well, this is not safe enough :( > > > > > > Look at unix_stream_sendmsg() : It uses skb_queue_tail(), not > > > __skb_queue_tail() > > > > > > Think of concurrent splice() (or sendfile()) and sendmsg() on the same > > > af_unix socket. > > > > Well, > > > > unix_stream_sendmsg: > > > > unix_state_lock(other); > > skb_queue_tail(&other->sk_receive_queue); > > unix_state_unlock(other); > > > > unix_stream_sendpage: > > > > unix_state_lock(other); > > __skb_queue_tail(&other->sk_receive_queue, skb); > > unix_state_unlock(other); > > > > unix_stream_read_generic: > > > > I only see the skb_unlink as a dangerous operation because outside of > > other lock and solely taking the sk_receivie_queue lock. Actually I > > think skb_queue_tail can be converted to __skb_queue_tail. > > Nope. See unix_inq_len() you definitely need to take the list lock, > or make a full audit.
Found it right after sending the last mail. :) I do a full audit of all sk_receive_queue accesses. Bye, Hannes -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
