On Fri, May 22, 2015, at 18:24, Mark Salyzyn wrote: > On 05/22/2015 08:35 AM, Hannes Frederic Sowa wrote: > > I still wonder if we need to actually recheck the condition and not > > simply break out of unix_stream_data_wait: > > > > We return to the unix_stream_recvmsg loop and recheck the > > sk_receive_queue. At this point sk_receive_queue is not really protected > > with unix_state_lock against concurrent modification with unix_release, > > as such we could end up concurrently dequeueing packets if socket is > > DEAD. > sock destroy(sic) is called before sock_orphan which sets SOCK_DEAD, so > the receive queue has already been drained.
I am still afraid that there is a race: When we break out in unix_stream_data_wait we most of the time hit the continue statement in unix_stream_recvmsg. Albeit we acquired state lock again, we could end up in a situation where the sk_receive_queue is not completely drained. We would miss the recheck of the sk_shutdown mask, because it is possible we dequeue a non-null skb from the receive queue. This is because unix_release_sock acquires state lock, sets appropriate flags but the draining of the receive queue does happen without locks, state lock is unlocked before that. So theoretically both, release_sock and recvmsg could dequeue skbs concurrently in nondeterministic behavior. The fix would be to recheck SOCK_DEAD or even better, sk_shutdown right after we reacquired state_lock and break out of the loop altogether, maybe with -ECONNRESET. Thanks, Hannes -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majord...@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
