Re: IPv4 BUG: held lock freed!

From: Julian Anastasov
Date: Sun Aug 19 2012 - 12:56:06 EST

Next message: Bruno PrÃmont: "Re: [PATCH 6/7 v2] HID: picoLCD: drop version check during probe"
Previous message: Oleg Nesterov: "[PATCH 3/3] uprobes: teach find_active_uprobe() to clearMMF_HAS_UPROBES"
In reply to: Eric Dumazet: "Re: IPv4 BUG: held lock freed!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hello,

On Sun, 19 Aug 2012, Eric Dumazet wrote:

> Hmm, this looks like sk_reset_timer() is called on a socket, and timer
> triggers _before_ the sock_hold()
>
> So the timer handler decrements sk_refcnt to 0 and calls sk_free()
>
> Its probably a bug introduced (or uncovered) by commit 6f458dfb40 (tcp:
> improve latencies of timer triggered events)
>
> I always found sk_reset_timer() a bit racy...
>
> void sk_reset_timer(struct sock *sk, struct timer_list* timer,
> unsigned long expires)
> {
> if (!mod_timer(timer, expires))
> sock_hold(sk); // MIGHT BE TOO LATE
> }
>
> Following should be safer...

Above code is fine as long as caller holds reference.

Your change for tcp_release_cb looks correct.

Also, may be tcp_v4_mtu_reduced is missing a check
for TCP_CLOSE state? tcp_v6_mtu_reduced already has such
check.

> void sk_reset_timer(struct sock *sk, struct timer_list* timer,
> unsigned long expires)
> {

This should not be needed:

> sock_hold(sk);
> if (mod_timer(timer, expires))
> sock_put(sk);
> }

Regards

--
Julian Anastasov <ja@xxxxxx>
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Bruno PrÃmont: "Re: [PATCH 6/7 v2] HID: picoLCD: drop version check during probe"
Previous message: Oleg Nesterov: "[PATCH 3/3] uprobes: teach find_active_uprobe() to clearMMF_HAS_UPROBES"
In reply to: Eric Dumazet: "Re: IPv4 BUG: held lock freed!"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]