[PATCH 1/1] af_packet: Raw socket destruction warning fix
From: Maninder Singh
Date: Wed Feb 10 2016 - 07:06:34 EST
This Patch fixes below warning:-
WARNING: at net/packet/af_packet.c:xxx packet_sock_destruct
There is following race between packet_rcv and packet_close
which keeps unfree packet in receive queue.
CPU 1 CPU2
packet_rcv
packet_close
skb_set_owner_r(skb, sk);
skb_queue_purge(&sk->sk_receive_queue);
spin_lock(&sk->sk_receive_queue.lock);
__skb_queue_tail(&sk->sk_receive_queue, skb);
spin_unlock(&sk->sk_receive_queue.lock);
Signed-off-by: Vaneet Narang <v.narang@xxxxxxxxxxx>
Signed-off-by: Amit Nagal <amit.nagal@xxxxxxxxxxx>
Signed-off-by: Maninder Singh <maninder1.s@xxxxxxxxxxx>
---
net/packet/af_packet.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 992396a..e6047e6 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1310,7 +1310,10 @@ static int packet_rcv_has_room(struct packet_sock *po, struct sk_buff *skb)
static void packet_sock_destruct(struct sock *sk)
{
+ /* Purge queues */
+
skb_queue_purge(&sk->sk_error_queue);
+ skb_queue_purge(&sk->sk_receive_queue);
WARN_ON(atomic_read(&sk->sk_rmem_alloc));
WARN_ON(atomic_read(&sk->sk_wmem_alloc));
@@ -1991,6 +1994,9 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
if (!net_eq(dev_net(dev), sock_net(sk)))
goto drop;
+ if (sock_flag(sk, SOCK_DEAD))
+ goto drop;
+
skb->dev = dev;
if (dev->header_ops) {
@@ -2053,7 +2059,6 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
if (pskb_trim(skb, snaplen))
goto drop_n_acct;
- skb_set_owner_r(skb, sk);
skb->dev = NULL;
skb_dst_drop(skb);
@@ -2061,6 +2066,7 @@ static int packet_rcv(struct sk_buff *skb, struct net_device *dev,
nf_reset(skb);
spin_lock(&sk->sk_receive_queue.lock);
+ skb_set_owner_r(skb, sk);
po->stats.stats1.tp_packets++;
sock_skb_set_dropcount(sk, skb);
__skb_queue_tail(&sk->sk_receive_queue, skb);
@@ -2899,9 +2905,6 @@ static int packet_release(struct socket *sock)
sock_orphan(sk);
sock->sk = NULL;
- /* Purge queues */
-
- skb_queue_purge(&sk->sk_receive_queue);
packet_free_pending(po);
sk_refcnt_debug_release(sk);
--
1.7.9.5