[063/146] net: add skb_dst_force() in sock_queue_err_skb()

From: Greg KH
Date: Wed Jun 01 2011 - 05:20:32 EST

Next message: Greg KH: "[062/146] igmp: call ip_mc_clear_src() only when we have no users of ip_mc_list"
Previous message: Greg KH: "[065/146] sctp: fix memory leak of the ASCONF queue when free asoc"
In reply to: Greg KH: "[065/146] sctp: fix memory leak of the ASCONF queue when free asoc"
Next in thread: Greg KH: "[062/146] igmp: call ip_mc_clear_src() only when we have no users of ip_mc_list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

2.6.38-stable review patch. If anyone has any objections, please let us know.

------------------

From: Eric Dumazet <eric.dumazet@xxxxxxxxx>

[ Upstream commit abb57ea48fd9431fa320a5c55f73e6b5a44c2efb ]

Commit 7fee226ad239 (add a noref bit on skb dst) forgot to use
skb_dst_force() on packets queued in sk_error_queue

This triggers following warning, for applications using IP_CMSG_PKTINFO
receiving one error status

------------[ cut here ]------------
WARNING: at include/linux/skbuff.h:457 ip_cmsg_recv_pktinfo+0xa6/0xb0()
Hardware name: 2669UYD
Modules linked in: isofs vboxnetadp vboxnetflt nfsd ebtable_nat ebtables
lib80211_crypt_ccmp uinput xcbc hdaps tp_smapi thinkpad_ec radeonfb fb_ddc
radeon ttm drm_kms_helper drm ipw2200 intel_agp intel_gtt libipw i2c_algo_bit
i2c_i801 agpgart rng_core cfbfillrect cfbcopyarea cfbimgblt video raid10 raid1
raid0 linear md_mod vboxdrv
Pid: 4697, comm: miredo Not tainted 2.6.39-rc6-00569-g5895198-dirty #22
Call Trace:
[<c17746b6>] ? printk+0x1d/0x1f
[<c1058302>] warn_slowpath_common+0x72/0xa0
[<c15bbca6>] ? ip_cmsg_recv_pktinfo+0xa6/0xb0
[<c15bbca6>] ? ip_cmsg_recv_pktinfo+0xa6/0xb0
[<c1058350>] warn_slowpath_null+0x20/0x30
[<c15bbca6>] ip_cmsg_recv_pktinfo+0xa6/0xb0
[<c15bbdd7>] ip_cmsg_recv+0x127/0x260
[<c154f82d>] ? skb_dequeue+0x4d/0x70
[<c1555523>] ? skb_copy_datagram_iovec+0x53/0x300
[<c178e834>] ? sub_preempt_count+0x24/0x50
[<c15bdd2d>] ip_recv_error+0x23d/0x270
[<c15de554>] udp_recvmsg+0x264/0x2b0
[<c15ea659>] inet_recvmsg+0xd9/0x130
[<c1547752>] sock_recvmsg+0xf2/0x120
[<c11179cb>] ? might_fault+0x4b/0xa0
[<c15546bc>] ? verify_iovec+0x4c/0xc0
[<c1547660>] ? sock_recvmsg_nosec+0x100/0x100
[<c1548294>] __sys_recvmsg+0x114/0x1e0
[<c1093895>] ? __lock_acquire+0x365/0x780
[<c1148b66>] ? fget_light+0xa6/0x3e0
[<c1148b7f>] ? fget_light+0xbf/0x3e0
[<c1148aee>] ? fget_light+0x2e/0x3e0
[<c1549f29>] sys_recvmsg+0x39/0x60

Close bug https://bugzilla.kernel.org/show_bug.cgi?id=34622

Reported-by: Witold Baryluk <baryluk@xxxxxxxxxxxxxxxx>
Signed-off-by: Eric Dumazet <eric.dumazet@xxxxxxxxx>
CC: Stephen Hemminger <shemminger@xxxxxxxxxx>
Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxx>
---
net/core/skbuff.c | 3 +++
1 file changed, 3 insertions(+)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -2997,6 +2997,9 @@ int sock_queue_err_skb(struct sock *sk,
skb->destructor = sock_rmem_free;
atomic_add(skb->truesize, &sk->sk_rmem_alloc);

+ /* before exiting rcu section, make sure dst is refcounted */
+ skb_dst_force(skb);
+
skb_queue_tail(&sk->sk_error_queue, skb);
if (!sock_flag(sk, SOCK_DEAD))
sk->sk_data_ready(sk, skb->len);

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Greg KH: "[062/146] igmp: call ip_mc_clear_src() only when we have no users of ip_mc_list"
Previous message: Greg KH: "[065/146] sctp: fix memory leak of the ASCONF queue when free asoc"
In reply to: Greg KH: "[065/146] sctp: fix memory leak of the ASCONF queue when free asoc"
Next in thread: Greg KH: "[062/146] igmp: call ip_mc_clear_src() only when we have no users of ip_mc_list"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]