From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1754519AbaHGGzt (ORCPT ); Thu, 7 Aug 2014 02:55:49 -0400 Received: from mail-we0-f173.google.com ([74.125.82.173]:47328 "EHLO mail-we0-f173.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1753100AbaHGGzr (ORCPT ); Thu, 7 Aug 2014 02:55:47 -0400 Message-ID: <1407394542.11943.21.camel@edumazet-glaptop2.roam.corp.google.com> Subject: Re: [RFC] net: Replace del_timer() with del_timer_sync() From: Eric Dumazet To: Deepak Cc: davem@davemloft.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Date: Thu, 07 Aug 2014 08:55:42 +0200 In-Reply-To: <53E31A47.9000407@mentor.com> References: <53E31A47.9000407@mentor.com> Content-Type: text/plain; charset="UTF-8" X-Mailer: Evolution 3.2.3-0ubuntu6 Content-Transfer-Encoding: 7bit Mime-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, 2014-08-07 at 11:48 +0530, Deepak wrote: > on SMP system, del_timer() might return even if the timer function > is running on other cpu so sk_stop_timer() will execute __sock_put() > while timer is accessing the socket on other cpu causing > "use-after-free". > > This commit replaces del_timer() with del_timer_sync() in > sk_stop_timer(). > del_timer_sync() will wait untill the timer function is not running in > any other cpu hence making sk_stop_timer() SMP safe. > > Signed-off-by: Deepak Das > > diff --git a/net/core/sock.c b/net/core/sock.c > index 026e01f..491a84d 100644 > --- a/net/core/sock.c > +++ b/net/core/sock.c > @@ -2304,7 +2304,7 @@ EXPORT_SYMBOL(sk_reset_timer); > > void sk_stop_timer(struct sock *sk, struct timer_list* timer) > { > - if (del_timer(timer)) > + if (del_timer_sync(timer)) > __sock_put(sk); > } > EXPORT_SYMBOL(sk_stop_timer); There is a reason del_timer() and del_timer_sync() both exist, and both are SMP safe. Here, caller might block timer handler from making progress, you are adding a deadlock condition. In this case, there is no reason to use del_timer_sync(), you didn't explain why you want this to happen in the first place. If you hit a bug somewhere, please share it so that we can root cause it. Thanks