Re: [PATCH v3] tcp: splice as many packets as possible at once
From: Herbert Xu <herbert@gondor.apana.org.au>
Date: 2009-01-27 11:48:53
Also in:
lkml
On Tue, Jan 27, 2009 at 10:35:11AM +0000, Jarek Poplawski wrote:
quoted
quoted
Yes, but ip_append_data() (and skb_append_datato_frags() for NETIF_F_UFO only, so currently not a problem), uses this differently, and these pages in sk->sk_sndmsg_page could leak or be used after kfree. (I didn't track locking in these other places).It'll be freed when the socket is freed so that should be fine.I don't think so: these places can overwrite sk->sk_sndmsg_page left after tcp_sendmsg(), or skb_splice_bits() now, with NULL or a new pointer without put_page() (they only reference copied chunks and expect auto freeing). On the other hand, if tcp_sendmsg() reads after them it could use a pointer after the page is freed, I guess.
I wasn't referring to the first part of your sentence. That can't happen because they're only used for UDP sockets, this is a TCP socket. Cheers, -- Visit Openswan at http://www.openswan.org/ Email: Herbert Xu ~{PmV>HI~} [off-list ref] Home Page: http://gondor.apana.org.au/~herbert/ PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt