wangyufen wrote: > > 在 2022/2/28 3:21, Cong Wang 写道: > > On Fri, Feb 25, 2022 at 09:49:26AM +0800, Wang Yufen wrote: > >> If tcp_bpf_sendmsg is running during a tear down operation we may enqueue > >> data on the ingress msg queue while tear down is trying to free it. > >> > >> sk1 (redirect sk2) sk2 > >> ------------------- --------------- > >> tcp_bpf_sendmsg() > >> tcp_bpf_send_verdict() > >> tcp_bpf_sendmsg_redir() > >> bpf_tcp_ingress() > >> sock_map_close() > >> lock_sock() > >> lock_sock() ... blocking > >> sk_psock_stop > >> sk_psock_clear_state(psock, SK_PSOCK_TX_ENABLED); > >> release_sock(sk); > >> lock_sock() > >> sk_mem_charge() > >> get_page() > >> sk_psock_queue_msg() > >> sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED); > >> drop_sk_msg() > >> release_sock() > >> > >> While drop_sk_msg(), the msg has charged memory form sk by sk_mem_charge > >> and has sg pages need to put. To fix we use sk_msg_free() and then kfee() > >> msg. > >> > > What about the other code path? That is, sk_psock_skb_ingress_enqueue(). > > I don't see skmsg is charged there. > > sk_psock_skb_ingress_self() | sk_psock_skb_ingress() > skb_set_owner_r() > sk_mem_charge() > sk_psock_skb_ingress_enqueue() > > The other code path skmsg is charged by skb_set_owner_r()->sk_mem_charge() > > > > > Thanks. > > . I walked that code and fix LGTM as well. Acked-by: John Fastabend <john.fastabend@xxxxxxxxx>
