Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit ef015786 authored by Herbert Xu's avatar Herbert Xu Committed by David S. Miller
Browse files

[TCP]: Fix sk_forward_alloc underflow in tcp_sendmsg 



I've finally found a potential cause of the sk_forward_alloc underflows
that people have been reporting sporadically.

When tcp_sendmsg tacks on extra bits to an existing TCP_PAGE we don't
check sk_forward_alloc even though a large amount of time may have
elapsed since we allocated the page.  In the mean time someone could've
come along and liberated packets and reclaimed sk_forward_alloc memory.

This patch makes tcp_sendmsg check sk_forward_alloc every time as we
do in do_tcp_sendpages.
 
Signed-off-by: default avatarHerbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
parent d80d99d6

include/net/sock.h

+2 −3
Original line number Diff line number Diff line
@@ -1232,9 +1232,8 @@ static inline struct page *sk_stream_alloc_page(struct sock *sk) 
{

	struct page *page = NULL;



	if (sk_stream_wmem_schedule(sk, PAGE_SIZE))

	page = alloc_pages(sk->sk_allocation, 0);

	else {

	if (!page) {

		sk->sk_prot->enter_memory_pressure();

		sk_stream_moderate_sndbuf(sk);

	}

net/ipv4/tcp.c

+9 −5
Original line number Diff line number Diff line
@@ -769,19 +769,23 @@ int tcp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, 
					if (off == PAGE_SIZE) {

						put_page(page);

						TCP_PAGE(sk) = page = NULL;

						TCP_OFF(sk) = off = 0;

					}

				}

				} else

					BUG_ON(off);



				if (copy > PAGE_SIZE - off)

					copy = PAGE_SIZE - off;



				if (!sk_stream_wmem_schedule(sk, copy))

					goto wait_for_memory;



				if (!page) {

					/* Allocate new cache page. */

					if (!(page = sk_stream_alloc_page(sk)))

						goto wait_for_memory;

					off = 0;

				}



				if (copy > PAGE_SIZE - off)

					copy = PAGE_SIZE - off;



				/* Time to copy data. We are close to

				 * the end! */

				err = skb_copy_to_page(sk, from, skb, page,