* refcounting on dgram Unix sockets for poll(POLLOUT)
@ 2010-12-08 21:01 Alban Crequy
2010-12-09 2:47 ` Eric Dumazet
0 siblings, 1 reply; 2+ messages in thread
From: Alban Crequy @ 2010-12-08 21:01 UTC (permalink / raw)
To: netdev
Hi,
When a connected datagram Unix socket is polled for POLLOUT events, the
poller is added in the wait_queue_head_t of the "server" socket:
net/unix/af_unix.c::unix_dgram_poll()
other = unix_peer_get(sk);
if (other) {
if (unix_peer(other) != sk) {
sock_poll_wait(file, &unix_sk(other)->peer_wait,
wait);
...
I wonder what prevent the "server" socket ("other") to be released
while the poller is still waiting for POLLOUT events.
There is a reference taken on the "server" socket when the client
connects:
net/unix/af_unix.c::unix_dgram_connect()
other = unix_find_other(net, sunaddr, alen, sock->type,
hash, &err);
But that reference could be released when the client socket
disconnects from another thread in one of the 3 possible locations:
1. unix_dgram_connect() when connecting to a different socket
if (other != old_peer)
unix_dgram_disconnected(sk, old_peer);
sock_put(old_peer);
2. unix_dgram_sendmsg() when the server socket is SOCK_DEAD:
unix_dgram_disconnected(sk, other);
sock_put(other);
3. unix_release_sock() when the client socket is released:
skpair = unix_peer(sk);
if (skpair != NULL) {
sock_put(skpair); /* It may now die */
I tried to release all the references to server_sockfd with
close(server_sockfd) on the server thread and with
connect(client_sockfd) to a different socket while client_sockfd is
being polled for POLLOUT events in a different thread, hoping to crash
the poller with the stack:
free_poll_entry()->remove_wait_queue()->spin_lock_irqsave()
But I didn't manage to crash the kernel.
Am I missing something? Is there another reference taken on
server_sockfd to protect the kernel from this scenario?
And btw, what is the test (unix_peer(other) != sk) in unix_dgram_poll()?
Alban
^ permalink raw reply [flat|nested] 2+ messages in thread
* Re: refcounting on dgram Unix sockets for poll(POLLOUT)
2010-12-08 21:01 refcounting on dgram Unix sockets for poll(POLLOUT) Alban Crequy
@ 2010-12-09 2:47 ` Eric Dumazet
0 siblings, 0 replies; 2+ messages in thread
From: Eric Dumazet @ 2010-12-09 2:47 UTC (permalink / raw)
To: Alban Crequy; +Cc: netdev
Le mercredi 08 décembre 2010 à 21:01 +0000, Alban Crequy a écrit :
> Hi,
>
> When a connected datagram Unix socket is polled for POLLOUT events, the
> poller is added in the wait_queue_head_t of the "server" socket:
>
> net/unix/af_unix.c::unix_dgram_poll()
> other = unix_peer_get(sk);
> if (other) {
> if (unix_peer(other) != sk) {
> sock_poll_wait(file, &unix_sk(other)->peer_wait,
> wait);
> ...
>
> I wonder what prevent the "server" socket ("other") to be released
> while the poller is still waiting for POLLOUT events.
>
> There is a reference taken on the "server" socket when the client
> connects:
> net/unix/af_unix.c::unix_dgram_connect()
> other = unix_find_other(net, sunaddr, alen, sock->type,
> hash, &err);
>
> But that reference could be released when the client socket
> disconnects from another thread in one of the 3 possible locations:
>
> 1. unix_dgram_connect() when connecting to a different socket
> if (other != old_peer)
> unix_dgram_disconnected(sk, old_peer);
> sock_put(old_peer);
>
> 2. unix_dgram_sendmsg() when the server socket is SOCK_DEAD:
> unix_dgram_disconnected(sk, other);
> sock_put(other);
>
> 3. unix_release_sock() when the client socket is released:
> skpair = unix_peer(sk);
> if (skpair != NULL) {
> sock_put(skpair); /* It may now die */
>
> I tried to release all the references to server_sockfd with
> close(server_sockfd) on the server thread and with
> connect(client_sockfd) to a different socket while client_sockfd is
> being polled for POLLOUT events in a different thread, hoping to crash
> the poller with the stack:
> free_poll_entry()->remove_wait_queue()->spin_lock_irqsave()
> But I didn't manage to crash the kernel.
>
Maybe you need to add some options to detect/trigger this ?
CONFIG_DEBUG_LOCK_ALLOC
and
slub_debug=FZP
cf Documentation/vm/slub.txt
to force slub to overwrite data when freeing master socket.
> Am I missing something? Is there another reference taken on
> server_sockfd to protect the kernel from this scenario?
>
> And btw, what is the test (unix_peer(other) != sk) in unix_dgram_poll()?
>
> Alban
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2010-12-09 2:47 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2010-12-08 21:01 refcounting on dgram Unix sockets for poll(POLLOUT) Alban Crequy
2010-12-09 2:47 ` Eric Dumazet
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.