Commit 7514bab04e567c9408fe0facbde4277f09d5eb74
Committed by
David S. Miller
David S. Miller
1 parent
56a73de388
Exists in
master
and in
39 other branches
af_iucv: do not call iucv_sock_kill() twice
For non-accepted sockets on the accept queue, iucv_sock_kill()
is called twice (in iucv_sock_close() and iucv_sock_cleanup_listen()).
This typically results in a kernel oops as shown below.
Remove the duplicate call to iucv_sock_kill() and set the SOCK_ZAPPED
flag in iucv_sock_close() only.
The iucv_sock_kill() function frees a socket only if the socket is zapped
and orphaned (sk->sk_socket == NULL):
- Non-accepted sockets are always orphaned and, thus, iucv_sock_kill()
frees the socket twice.
- For accepted sockets or sockets created with iucv_sock_create(),
sk->sk_socket is initialized. This caused the first call to
iucv_sock_kill() to return immediately. To free these sockets,
iucv_sock_release() uses sock_orphan() before calling iucv_sock_kill().
<1>Unable to handle kernel pointer dereference at virtual kernel address 000000003edd3000
<4>Oops: 0011 [#1] PREEMPT SMP DEBUG_PAGEALLOC
<4>Modules linked in: af_iucv sunrpc qeth_l3 dm_multipath dm_mod qeth vmur ccwgroup
<4>CPU: 0 Not tainted 2.6.30 #4
<4>Process iucv_sock_close (pid: 2486, task: 000000003aea4340, ksp: 000000003b75bc68)
<4>Krnl PSW : 0704200180000000 000003e00168e23a (iucv_sock_kill+0x2e/0xcc [af_iucv])
<4> R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:2 PM:0 EA:3
<4>Krnl GPRS: 0000000000000000 000000003b75c000 000000003edd37f0 0000000000000001
<4> 000003e00168ec62 000000003988d960 0000000000000000 000003e0016b0608
<4> 000000003fe81b20 000000003839bb58 00000000399977f0 000000003edd37f0
<4> 000003e00168b000 000003e00168f138 000000003b75bcd0 000000003b75bc98
<4>Krnl Code: 000003e00168e22a: c0c0ffffe6eb larl %r12,3e00168b000
<4> 000003e00168e230: b90400b2 lgr %r11,%r2
<4> 000003e00168e234: e3e0f0980024 stg %r14,152(%r15)
<4> >000003e00168e23a: e310225e0090 llgc %r1,606(%r2)
<4> 000003e00168e240: a7110001 tmll %r1,1
<4> 000003e00168e244: a7840007 brc 8,3e00168e252
<4> 000003e00168e248: d507d00023c8 clc 0(8,%r13),968(%r2)
<4> 000003e00168e24e: a7840009 brc 8,3e00168e260
<4>Call Trace:
<4>([<000003e0016b0608>] afiucv_dbf+0x0/0xfffffffffffdea20 [af_iucv])
<4> [<000003e00168ec6c>] iucv_sock_close+0x130/0x368 [af_iucv]
<4> [<000003e00168ef02>] iucv_sock_release+0x5e/0xe4 [af_iucv]
<4> [<0000000000438e6c>] sock_release+0x44/0x104
<4> [<0000000000438f5e>] sock_close+0x32/0x50
<4> [<0000000000207898>] __fput+0xf4/0x250
<4> [<00000000002038aa>] filp_close+0x7a/0xa8
<4> [<00000000002039ba>] SyS_close+0xe2/0x148
<4> [<0000000000117c8e>] sysc_noemu+0x10/0x16
<4> [<00000042ff8deeac>] 0x42ff8deeac
Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com>
Signed-off-by: Ursula Braun <ursula.braun@de.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Showing 1 changed file with 5 additions and 5 deletions Side-by-side Diff
net/iucv/af_iucv.c
| ... | ... | @@ -361,10 +361,9 @@ |
| 361 | 361 | } |
| 362 | 362 | |
| 363 | 363 | parent->sk_state = IUCV_CLOSED; |
| 364 | - sock_set_flag(parent, SOCK_ZAPPED); | |
| 365 | 364 | } |
| 366 | 365 | |
| 367 | -/* Kill socket */ | |
| 366 | +/* Kill socket (only if zapped and orphaned) */ | |
| 368 | 367 | static void iucv_sock_kill(struct sock *sk) |
| 369 | 368 | { |
| 370 | 369 | if (!sock_flag(sk, SOCK_ZAPPED) || sk->sk_socket) |
| 371 | 370 | |
| 372 | 371 | |
| 373 | 372 | |
| ... | ... | @@ -426,17 +425,18 @@ |
| 426 | 425 | |
| 427 | 426 | skb_queue_purge(&iucv->send_skb_q); |
| 428 | 427 | skb_queue_purge(&iucv->backlog_skb_q); |
| 429 | - | |
| 430 | - sock_set_flag(sk, SOCK_ZAPPED); | |
| 431 | 428 | break; |
| 432 | 429 | |
| 433 | 430 | default: |
| 434 | 431 | sock_set_flag(sk, SOCK_ZAPPED); |
| 432 | + /* nothing to do here */ | |
| 435 | 433 | break; |
| 436 | 434 | } |
| 437 | 435 | |
| 436 | + /* mark socket for deletion by iucv_sock_kill() */ | |
| 437 | + sock_set_flag(sk, SOCK_ZAPPED); | |
| 438 | + | |
| 438 | 439 | release_sock(sk); |
| 439 | - iucv_sock_kill(sk); | |
| 440 | 440 | } |
| 441 | 441 | |
| 442 | 442 | static void iucv_sock_init(struct sock *sk, struct sock *parent) |