From: Greg KH <gregkh@suse.de>
To: linux-kernel@vger.kernel.org, stable@kernel.org
Cc: stable-review@kernel.org, torvalds@linux-foundation.org,
akpm@linux-foundation.org, alan@lxorguk.ukuu.org.uk,
Nagendra Singh Tomar <tomer_iisc@yahoo.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [37/66] net: Fix the condition passed to sk_wait_event()
Date: Fri, 22 Oct 2010 11:35:04 -0700 [thread overview]
Message-ID: <20101022183559.504498040@clark.site> (raw)
In-Reply-To: <20101022183711.GA23214@kroah.com>
2.6.32-stable review patch. If anyone has any objections, please let us know.
------------------
From: Nagendra Tomar <tomer_iisc@yahoo.com>
[ Upstream commit 482964e56e1320cb7952faa1932d8ecf59c4bf75 ]
This patch fixes the condition (3rd arg) passed to sk_wait_event() in
sk_stream_wait_memory(). The incorrect check in sk_stream_wait_memory()
causes the following soft lockup in tcp_sendmsg() when the global tcp
memory pool has exhausted.
>>> snip <<<
localhost kernel: BUG: soft lockup - CPU#3 stuck for 11s! [sshd:6429]
localhost kernel: CPU 3:
localhost kernel: RIP: 0010:[sk_stream_wait_memory+0xcd/0x200] [sk_stream_wait_memory+0xcd/0x200] sk_stream_wait_memory+0xcd/0x200
localhost kernel:
localhost kernel: Call Trace:
localhost kernel: [sk_stream_wait_memory+0x1b1/0x200] sk_stream_wait_memory+0x1b1/0x200
localhost kernel: [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel: [ipv6:tcp_sendmsg+0x6e6/0xe90] tcp_sendmsg+0x6e6/0xce0
localhost kernel: [sock_aio_write+0x126/0x140] sock_aio_write+0x126/0x140
localhost kernel: [xfs:do_sync_write+0xf1/0x130] do_sync_write+0xf1/0x130
localhost kernel: [<ffffffff802557c0>] autoremove_wake_function+0x0/0x40
localhost kernel: [hrtimer_start+0xe3/0x170] hrtimer_start+0xe3/0x170
localhost kernel: [vfs_write+0x185/0x190] vfs_write+0x185/0x190
localhost kernel: [sys_write+0x50/0x90] sys_write+0x50/0x90
localhost kernel: [system_call+0x7e/0x83] system_call+0x7e/0x83
>>> snip <<<
What is happening is, that the sk_wait_event() condition passed from
sk_stream_wait_memory() evaluates to true for the case of tcp global memory
exhaustion. This is because both sk_stream_memory_free() and vm_wait are true
which causes sk_wait_event() to *not* call schedule_timeout().
Hence sk_stream_wait_memory() returns immediately to the caller w/o sleeping.
This causes the caller to again try allocation, which again fails and again
calls sk_stream_wait_memory(), and so on.
[ Bug introduced by commit c1cbe4b7ad0bc4b1d98ea708a3fecb7362aa4088
("[NET]: Avoid atomic xchg() for non-error case") -DaveM ]
Signed-off-by: Nagendra Singh Tomar <tomer_iisc@yahoo.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
---
net/core/stream.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -140,10 +140,10 @@ int sk_stream_wait_memory(struct sock *s
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
sk->sk_write_pending++;
- sk_wait_event(sk, ¤t_timeo, !sk->sk_err &&
- !(sk->sk_shutdown & SEND_SHUTDOWN) &&
- sk_stream_memory_free(sk) &&
- vm_wait);
+ sk_wait_event(sk, ¤t_timeo, sk->sk_err ||
+ (sk->sk_shutdown & SEND_SHUTDOWN) ||
+ (sk_stream_memory_free(sk) &&
+ !vm_wait));
sk->sk_write_pending--;
if (vm_wait) {
next prev parent reply other threads:[~2010-10-22 18:38 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-10-22 18:37 [00/66] 2.6.32.25-stable review Greg KH
2010-10-22 18:34 ` [01/66] x86, cpu: After uncapping CPUID, re-run CPU feature detection Greg KH
2010-10-22 18:34 ` [02/66] ALSA: sound/pci/rme9652: prevent reading uninitialized stack memory Greg KH
2010-10-22 18:34 ` [03/66] ALSA: oxygen: fix analog capture on Claro halo cards Greg KH
2010-10-22 18:34 ` [04/66] ALSA: hda - Add Dell Latitude E6400 model quirk Greg KH
2010-10-22 18:34 ` [05/66] ALSA: prevent heap corruption in snd_ctl_new() Greg KH
2010-10-22 18:34 ` [06/66] ALSA: rawmidi: fix oops (use after free) when unloading a driver module Greg KH
2010-10-22 18:34 ` [07/66] USB: fix bug in initialization of interface minor numbers Greg KH
2010-10-22 18:34 ` [08/66] usb: musb: gadget: fix kernel panic if using out ep with FIFO_TXRX style Greg KH
2010-10-22 18:34 ` [09/66] usb: musb: gadget: restart request on clearing endpoint halt Greg KH
2010-10-22 18:34 ` [10/66] oprofile: Add Support for Intel CPU Family 6 / Model 29 Greg KH
2010-10-22 18:34 ` [11/66] RDMA/cxgb3: Turn off RX coalescing for iWARP connections Greg KH
2010-10-22 18:34 ` [12/66] mmc: sdhci-s3c: fix NULL ptr access in sdhci_s3c_remove Greg KH
2010-10-22 18:34 ` [13/66] x86/amd-iommu: Set iommu configuration flags in enable-loop Greg KH
2010-10-22 18:34 ` [14/66] x86/amd-iommu: Fix rounding-bug in __unmap_single Greg KH
2010-10-22 18:34 ` [15/66] x86/amd-iommu: Work around S3 BIOS bug Greg KH
2010-10-22 18:34 ` [16/66] tracing/x86: Dont use mcount in pvclock.c Greg KH
2010-10-22 18:34 ` [17/66] tracing/x86: Dont use mcount in kvmclock.c Greg KH
2010-10-22 18:34 ` [18/66] v4l1: fix 32-bit compat microcode loading translation Greg KH
2010-10-22 18:34 ` [19/66] V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0) Greg KH
2010-10-22 18:34 ` [20/66] V4L/DVB (13966): DVB-T regression fix for saa7134 cards Greg KH
2010-10-22 18:34 ` [21/66] Input: joydev - fix JSIOCSAXMAP ioctl Greg KH
2010-10-22 18:34 ` [22/66] x86, hpet: Fix bogus error check in hpet_assign_irq() Greg KH
2010-10-22 18:34 ` [23/66] x86, irq: Plug memory leak in sparse irq Greg KH
2010-10-22 18:34 ` [24/66] ubd: fix incorrect sector handling during request restart Greg KH
2010-10-22 18:34 ` [25/66] ring-buffer: Fix typo of time extends per page Greg KH
2010-10-22 18:34 ` [26/66] dmaengine: fix interrupt clearing for mv_xor Greg KH
2010-10-22 18:34 ` [27/66] hrtimer: Preserve timer state in remove_hrtimer() Greg KH
2010-10-22 18:34 ` [28/66] i2c-pca: Fix waitforcompletion() return value Greg KH
2010-10-22 18:34 ` [29/66] ocfs2: Dont walk off the end of fast symlinks Greg KH
2010-10-22 18:34 ` [30/66] wext: fix potential private ioctl memory content leak Greg KH
2010-10-22 18:34 ` [31/66] atl1: fix resume Greg KH
2010-10-22 18:34 ` [32/66] x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order Greg KH
2010-10-22 18:35 ` [33/66] De-pessimize rds_page_copy_user Greg KH
2010-10-22 18:35 ` [34/66] drm/radeon: fix PCI ID 5657 to be an RV410 Greg KH
2010-10-22 18:35 ` [35/66] xfrm4: strip ECN and IP Precedence bits in policy lookup Greg KH
2010-10-22 18:35 ` [36/66] tcp: Fix >4GB writes on 64-bit Greg KH
2010-10-22 18:35 ` Greg KH [this message]
2010-10-22 18:35 ` [38/66] Phonet: Correct header retrieval after pskb_may_pull Greg KH
2010-10-22 18:35 ` [39/66] net: Fix IPv6 PMTU disc. w/ asymmetric routes Greg KH
2010-10-22 18:35 ` [40/66] ip: fix truesize mismatch in ip fragmentation Greg KH
2010-10-22 18:35 ` [41/66] net: clear heap allocations for privileged ethtool actions Greg KH
2010-10-22 18:35 ` [42/66] tcp: Fix race in tcp_poll Greg KH
2010-10-22 18:35 ` [43/66] netxen: dont set skb->truesize Greg KH
2010-10-22 18:35 ` [44/66] rose: Fix signedness issues wrt. digi count Greg KH
2010-10-22 18:35 ` [45/66] net: blackhole route should always be recalculated Greg KH
2010-10-22 18:35 ` [46/66] skge: add quirk to limit DMA Greg KH
2010-10-22 18:35 ` [47/66] r8169: allocate with GFP_KERNEL flag when able to sleep Greg KH
2010-10-22 18:35 ` [48/66] [SCSI] bsg: fix incorrect device_status value Greg KH
2010-10-22 18:35 ` [49/66] r6040: fix r6040_multicast_list Greg KH
2010-10-22 18:35 ` [50/66] r6040: Fix multicast list iteration when hash filter is used Greg KH
2010-10-22 18:35 ` [51/66] powerpc: Initialise paca->kstack before early_setup_secondary Greg KH
2010-10-22 18:35 ` [52/66] powerpc: Dont use kernel stack with translation off Greg KH
2010-10-22 18:35 ` [53/66] b44: fix carrier detection on bind Greg KH
2010-10-22 18:35 ` [54/66] ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume Greg KH
2010-10-22 18:35 ` [55/66] intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang Greg KH
2010-10-22 18:35 ` [56/66] ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355 Greg KH
2010-10-22 18:35 ` [57/66] ACPI: delete ZEPTO idle=nomwait DMI quirk Greg KH
2010-10-22 18:35 ` [58/66] ACPI: Disable Windows Vista compatibility for Toshiba P305D Greg KH
2010-10-22 18:35 ` [59/66] x86: detect scattered cpuid features earlier Greg KH
2010-10-22 18:35 ` [60/66] fix 2.6.32.23 suspend regression caused by commit 6f6198a Greg KH
2010-10-22 18:35 ` [61/66] setup_arg_pages: diagnose excessive argument size Greg KH
2010-10-22 18:35 ` [62/66] execve: improve interactivity with large arguments Greg KH
2010-10-22 18:35 ` [63/66] execve: make responsive to SIGKILL " Greg KH
2010-10-22 18:35 ` [64/66] Phonet: disable network namespace support Greg KH
2010-10-22 21:22 ` Ben Hutchings
2010-10-25 7:43 ` Rémi Denis-Courmont
2010-10-22 18:35 ` [65/66] mm: Move vma_stack_continue into mm.h Greg KH
2010-10-22 18:35 ` [66/66] drivers/hwmon/coretemp.c: detect the thermal sensors by CPUID Greg KH
2010-10-23 9:27 ` Jean Delvare
2010-10-23 16:06 ` Greg KH
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20101022183559.504498040@clark.site \
--to=gregkh@suse.de \
--cc=akpm@linux-foundation.org \
--cc=alan@lxorguk.ukuu.org.uk \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=stable-review@kernel.org \
--cc=stable@kernel.org \
--cc=tomer_iisc@yahoo.com \
--cc=torvalds@linux-foundation.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).