Re: BUG: IPv4: Attempt to release TCP socket in state 1

From: Eric Dumazet
Date: Sat Mar 16 2013 - 13:44:54 EST


On Sat, 2013-03-16 at 10:36 -0700, Eric Dumazet wrote:
> On Fri, 2013-03-15 at 00:19 +0100, Eric Dumazet wrote:
>
> > Thanks, that's really useful, we might miss to increment socket refcount
> > in a timer setup.
> >
>
> Hmm, please add the following debugging patch as well
>
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 14f6e9d..fe7c8a6 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -530,7 +530,9 @@ static inline void sock_hold(struct sock *sk)
> */
> static inline void __sock_put(struct sock *sk)
> {
> - atomic_dec(&sk->sk_refcnt);
> + int newref = atomic_dec_return(&sk->sk_refcnt);
> +
> + BUG_ON(newref <= 0);
> }
>
> static inline bool sk_del_node_init(struct sock *sk)
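
Review bot: BUG_ON(newref <= 0) in __sock_put() stops the machine at the first bad decrement, which suits a one-off debugging patch, but this is a static inline in include/net/sock.h, so the check and the move from atomic_dec() to atomic_dec_return() land in every caller. If the check is kept beyond the debugging session, WARN_ON_ONCE(newref <= 0) would report the same condition without taking the system down. A short comment should also state the contract being enforced: the body only decrements and never frees, so the caller must still hold another reference.
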
> diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
> index 786d97a..a445e15 100644
> --- a/net/ipv4/inet_connection_sock.c
> +++ b/net/ipv4/inet_connection_sock.c
> @@ -739,7 +739,7 @@ void inet_csk_prepare_forced_close(struct sock *sk)
> {
> /* sk_clone_lock locked the socket and set refcnt to 2 */
> bh_unlock_sock(sk);
> - sock_put(sk);
> + __sock_put(sk);
>
> /* The below has to be done to allow calling inet_csk_destroy_sock */
> sock_set_flag(sk, SOCK_DEAD);
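
Review bot: the switch to __sock_put(sk) in inet_csk_prepare_forced_close() rests entirely on the comment's claim that sk_clone_lock set refcnt to 2; combined with the BUG_ON from the sock.h hunk, any path that reaches this point with a count of 1 now crashes instead of freeing the socket. That is the intended trap for this bug hunt, but the comment should say so, for example by noting that one reference must remain after this put because the function goes on to use sk in sock_set_flag(sk, SOCK_DEAD).
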
> @@ -835,13 +835,13 @@ void inet_csk_listen_stop(struct sock *sk)
> * tcp_v4_destroy_sock().
> */
> tcp_sk(child)->fastopen_rsk = NULL;
> - sock_put(sk);
> + __sock_put(sk);
> }
> inet_csk_destroy_sock(child);
>
> bh_unlock_sock(child);
> local_bh_enable();
> - sock_put(child);
> + __sock_put(child);
>
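
Review bot: the last change in this hunk, __sock_put(child) after inet_csk_destroy_sock(child) and bh_unlock_sock(child), replaces a put that may legitimately drop the final reference to child. __sock_put() only decrements, so the child would never be freed there and the new BUG_ON(newref <= 0) would fire on a correct path; keep sock_put(child) at that spot. The __sock_put(sk) next to tcp_sk(child)->fastopen_rsk = NULL is a different case, since it acts on the sk passed to inet_csk_listen_stop(), which the function is still using, so a count of zero there is the condition worth trapping.
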

Please don't include the last line: this should stay as

sock_put(child);


