Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit d83769a5 authored by Eric Dumazet's avatar Eric Dumazet Committed by David S. Miller
Browse files

tcp: fix possible deadlock in tcp_send_fin() 



Using sk_stream_alloc_skb() in tcp_send_fin() is dangerous in
case a huge process is killed by OOM, and tcp_mem[2] is hit.

To be able to free memory we need to make progress, so this
patch allows FIN packets to not care about tcp_mem[2], if
skb allocation succeeded.

In a follow-up patch, we might abort tcp_send_fin() infinite loop
in case TIF_MEMDIE is set on this thread, as memory allocator
did its best getting extra memory already.

This patch reverts d22e1537 ("tcp: fix tcp fin memory accounting")

Fixes: d22e1537 ("tcp: fix tcp fin memory accounting")
Signed-off-by: default avatarEric Dumazet <edumazet@google.com>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent 5e6c94a9

net/ipv4/tcp_output.c

+19 −1
Original line number Diff line number Diff line
@@ -2812,6 +2812,21 @@ void tcp_xmit_retransmit_queue(struct sock *sk) 
	}

}



/* We allow to exceed memory limits for FIN packets to expedite

 * connection tear down and (memory) recovery.

 * Otherwise tcp_send_fin() could loop forever.

 */

static void sk_forced_wmem_schedule(struct sock *sk, int size)

{

	int amt, status;



	if (size <= sk->sk_forward_alloc)

		return;

	amt = sk_mem_pages(size);

	sk->sk_forward_alloc += amt * SK_MEM_QUANTUM;

	sk_memory_allocated_add(sk, amt, &status);

}



/* Send a fin.  The caller locks the socket for us.  This cannot be

 * allowed to fail queueing a FIN frame under any circumstances.

 */
@@ -2834,11 +2849,14 @@ void tcp_send_fin(struct sock *sk) 
	} else {

		/* Socket is locked, keep trying until memory is available. */

		for (;;) {

			skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation);

			skb = alloc_skb_fclone(MAX_TCP_HEADER,

					       sk->sk_allocation);

			if (skb)

				break;

			yield();

		}

		skb_reserve(skb, MAX_TCP_HEADER);

		sk_forced_wmem_schedule(sk, skb->truesize);

		/* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */

		tcp_init_nondata_skb(skb, tp->write_seq,

				     TCPHDR_ACK | TCPHDR_FIN);