From: Parthasarathy Bhuvaragan <[email protected]>
Date: Tue, 1 Mar 2016 11:07:09 +0100
> reverts commit 94153e36e709e ("tipc: use existing sk_write_queue for
> outgoing packet chain")
>
> In Commit 94153e36e709e, we assume that we fill & empty the socket's
> sk_write_queue within the same lock_sock() session.
>
> This is not true if the link is congested. During congestion, the
> socket lock is released while we wait for the congestion to cease.
> This implementation causes a nullptr exception, if the user space
> program has several threads accessing the same socket descriptor.
>
> Consider two threads of the same program performing the following:
> Thread1                                  Thread2
> --------------------                     ----------------------
> Enter tipc_sendmsg()                     Enter tipc_sendmsg()
> lock_sock()                              lock_sock()
> Enter tipc_link_xmit(), ret=ELINKCONG    spin on socket lock..
> sk_wait_event()                          :
>   release_sock()                         grab socket lock
>   :                                      Enter tipc_link_xmit(), ret=0
>   :                                      release_sock()
> Wakeup after congestion
> lock_sock()
> skb = skb_peek(pktchain);
> !! TIPC_SKB_CB(skb)->wakeup_pending = tsk->link_cong;
>
> In this case, the second thread transmits the buffers belonging to
> both thread1 and thread2 successfully. When the first thread wakes up
> after the congestion, it assumes that the pktchain is intact and
> operates on the skbs in it, which leads to the following exception:
...
> In this commit, we maintain the skb list always in the stack.
>
> Signed-off-by: Parthasarathy Bhuvaragan
> <[email protected]>
> Acked-by: Ying Xue <[email protected]>
> Acked-by: Jon Maloy <[email protected]>
Applied and queued up for -stable, thanks.