[BUG] Potential data corruption when splice data spliced from socket to another socket

From: Changli Gao
Date: Tue Feb 26 2008 - 10:42:10 EST


After reviewing the tcp splice receive code, I found that instead of
increasing the page reference counter, pipe buffer holds the socket
buffer by calling skb_get(skb). When you splice this pipe buffer to
another socket, such as a TCP socket, though the function sendpage
returns, the page buffer will be still in use, then you drop the
reference to the skb, so the buffer is free to another process. At
this time, the buffer is shared between socket and another part of
Linux kernel silently. It is possible that the data sent out is
corrupted.

The reason is splice send process knows nothing but page, so before
submitting the buffer to sendpage, we must ensure that the page is an
actual page not a fake one. A solution is adding a member function
get_page, which is used to get a actual page, to structure
pipe_buffer_operations. It the page in structure pipe_buffer isn't an
actual page, a page will be allocated, filled with the corresponding
data and returned. Before calling sendpage, get_page should be called
to get the actual page, and after calling sendpage, the page will be
freed by calling put_page.

Beside splice send process, other code paths maybe have the same problem.

--
Regards,
Changli Gao(xiaosuo@xxxxxxxxx)
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/