On 09/11/14 09:06, Johannes Berg wrote:
> On Wed, 2014-09-10 at 18:05 -0400, Alexander Duyck wrote:
> > There is a possible issue with the use, or lack thereof of sk_refcnt and
> > sk_wmem_alloc in the wifi ack status functionality.
> > Specifically if a socket were to request acknowledgements, and the socket
> > were to have sk_refcnt drop to 0 resulting in it waiting on sk_wmem_alloc
> > to reach 0 it would be possible to have sock_queue_err_skb orphan the last
> > buffer, resulting in __sk_free being called on the socket. After this the
> > buffer is enqueued on sk_error_queue, however the queue has already been
> > flushed resulting in at least a memory leak, if not a data corruption.
> Oh. Thanks :-)
Hi Alexander,
So why is this only an issue in wifi ack path. The sock_queue_err_skb()
does not mention the caller should hold a sock reference. This seems
entirely an issue of the sock_queue_err_skb() function itself so why not
do sk_hold/sk_put within that function. Does it impose too much overhead?
Regards,
Arend
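The sequence Alexander describes (sk_refcnt already 0, the socket lingering only until sk_wmem_alloc drains, and sock_queue_err_skb's skb_orphan being the call that finally runs __sk_free before the error-queue insert) and Arend's question about bracketing the call with a hold/put can both be walked through in a small model. The following is an added example written for this page, not code from the thread or from the kernel: the struct fields and function names mirror the kernel's, but every body is a deliberately simplified simulation (no atomics, no real freeing; a `dead` flag and a counter stand in for the use-after-free). The `HOLD_IF_LIVE` mode, which takes a reference only if the count is still nonzero and otherwise just releases the buffer, is the guard chosen for this example and is not presented as the patch's final form.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical model of the socket lifetime rules discussed in the thread.
 * Names mirror the kernel's; the bodies are a simplified simulation. */

#define WMEM_BIAS 1   /* sk_wmem_alloc starts at 1 so that the last uncharge frees */

struct skb;

struct sock {
    int refcnt;                 /* sk_refcnt: owner references */
    int wmem_alloc;             /* sk_wmem_alloc: bias + charged transmit bytes */
    struct skb *error_queue;    /* sk_error_queue head */
    bool dead;                  /* __sk_free() has run */
    int queued_after_free;      /* error-queue writes that landed after __sk_free */
};

struct skb {
    struct sock *sk;            /* owning socket while its memory is charged */
    int truesize;
    bool owned_w;               /* destructor == sock_wfree */
    struct skb *next;
};

/* __sk_free: the socket really goes away; anything queued on it is flushed. */
static void __sk_free(struct sock *sk) {
    sk->error_queue = NULL;
    sk->dead = true;
}

/* sk_free: last sk_refcnt gone; drop the bias and free once no tx memory remains. */
static void sk_free(struct sock *sk) {
    if (--sk->wmem_alloc == 0)
        __sk_free(sk);
}

static void sock_hold(struct sock *sk) { sk->refcnt++; }
static void sock_put(struct sock *sk) { if (--sk->refcnt == 0) sk_free(sk); }

/* sock_wfree: a transmit buffer completed; uncharge it, possibly freeing the socket. */
static void sock_wfree(struct skb *skb) {
    struct sock *sk = skb->sk;
    sk->wmem_alloc -= skb->truesize;
    if (sk->wmem_alloc == 0)
        __sk_free(sk);
}

static void skb_orphan(struct skb *skb) {
    if (skb->owned_w)
        sock_wfree(skb);
    skb->owned_w = false;
    skb->sk = NULL;
}

/* sock_queue_err_skb as described in the thread: orphan first, then enqueue.
 * The orphan can be the event that frees sk, so the enqueue touches a dead socket. */
static void sock_queue_err_skb(struct sock *sk, struct skb *skb) {
    skb_orphan(skb);
    if (sk->dead)
        sk->queued_after_free++;    /* in a real kernel this is a write to freed memory */
    skb->sk = sk;
    skb->next = sk->error_queue;
    sk->error_queue = skb;
}

enum mode { UNGUARDED, HOLD_ALWAYS, HOLD_IF_LIVE };

struct outcome { int queued_after_free; int queue_len; int refcnt; int wmem; bool dead; };

/* Simulate an ack completing for one in-flight frame of a socket that is either
 * still open (refcnt 1) or already closed and only waiting on its tx memory. */
static struct outcome complete_ack(enum mode mode, bool socket_closed) {
    struct sock sk = { .refcnt = 1, .wmem_alloc = WMEM_BIAS };
    struct skb skb = { .sk = &sk, .truesize = 256, .owned_w = true };  /* constructed frame */
    sk.wmem_alloc += skb.truesize;          /* skb_set_owner_w() at transmit time */
    if (socket_closed)
        sock_put(&sk);                      /* close(): refcnt 0, bias dropped, socket lingers */

    bool queue_it = true;
    if (mode == HOLD_ALWAYS) {
        sock_hold(&sk);                     /* resurrects a count that already hit 0 */
    } else if (mode == HOLD_IF_LIVE) {
        queue_it = sk.refcnt != 0;          /* inc-not-zero: only hold a live socket */
        if (queue_it)
            sock_hold(&sk);
    }

    if (queue_it)
        sock_queue_err_skb(&sk, &skb);
    else
        skb_orphan(&skb);                   /* dying socket: just release the buffer */
    if (mode != UNGUARDED && queue_it)
        sock_put(&sk);

    struct outcome o = { sk.queued_after_free, 0, sk.refcnt, sk.wmem_alloc, sk.dead };
    for (struct skb *e = sk.error_queue; e; e = e->next)
        o.queue_len++;
    return o;
}

int main(void) {
    const char *names[] = { "unguarded", "hold-always", "hold-if-live" };
    for (int m = UNGUARDED; m <= HOLD_IF_LIVE; m++) {
        struct outcome o = complete_ack((enum mode)m, true);
        printf("%-13s closed socket: queued_after_free=%d queue_len=%d wmem=%d dead=%d\n",
               names[m], o.queued_after_free, o.queue_len, o.wmem, o.dead);
    }
    return 0;
}
```

Running the closed-socket case through the three modes shows why the guard matters: the unguarded path queues the buffer on a socket that __sk_free has already flushed, an unconditional hold does not help because it resurrects a count that is already zero and then drops the wmem bias a second time on the put, while the inc-not-zero guard leaves a dying socket alone and simply releases the frame.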
--
To unsubscribe from this list: send the line "unsubscribe linux-wireless" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html