On Mon, Aug 7, 2017 at 6:10 PM, Gao Feng <gfree.w...@vip.163.com> wrote:
> Sorry, I don't get you clearly. Why the sock_hold() isn't helpful?

I already told you, the dereference happens before sock_hold().

        sock = rcu_dereference(callid_sock[call_id]);
        if (sock) {
                opt = &sock->proto.pptp;
                if (opt->dst_addr.sin_addr.s_addr != s_addr) <=== HERE
                        sock = NULL;

If we don't wait for readers properly, sock could be freed at the
same time we dereference it.

> The pptp_release invokes synchronize_rcu after del_chan, it could make sure
> the others have increased the sock refcnt if necessary
> and the lookup is over.
> There is no one who could get the sock after synchronize_rcu in pptp_release.

If this were true, then this code in pptp_sock_destruct()
would be unneeded:

        if (!(sk->sk_state & PPPOX_DEAD)) {

> But I think about another problem.
> It seems the pptp_sock_destruct should not invoke del_chan and
> pppox_unbind_sock.
> Because when the sock refcnt is 0, the pptp_release must have been invoked
> already.

I don't know. Looks like sock_orphan() is only called
in pptp_release(), but I am not sure if there is a case
we call sock destructor before release.

Also note, this socket is very special, it doesn't support
poll(), sendmsg() or recvmsg().
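The ordering problem discussed in this thread, as an added user-space model (not kernel code and not from the pptp driver): the lookup is split at the "<=== HERE" line so the interleaving can be replayed deterministically, the socket is poisoned instead of freed so a read from freed memory is detectable, and a blocking synchronize_rcu() is replaced by a check of whether any reader is still inside rcu_read_lock(). All function and field names below (lookup_part1/2, pptp_release_model, race, the `freed` flag) are assumptions of this model, not identifiers from the kernel.

```c
/* Added example: single-threaded model of callid_sock[] lookup vs. release.
 * Assumed names; the RCU and refcount here are deliberate simplifications. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_CALLID 64

struct pptp_sock {
    uint32_t dst_addr;   /* stands in for opt->dst_addr.sin_addr.s_addr */
    uint16_t call_id;
    int refcnt;          /* stands in for sk->sk_refcnt */
    bool freed;          /* poison flag set instead of free(): a later read is a UAF */
};

static struct pptp_sock *callid_sock[MAX_CALLID];

/* Minimal RCU: count of readers currently inside a read-side critical section.
 * Real RCU only waits for pre-existing readers, but for this ordering question
 * the effect is the same: the grace period ends once such readers have left. */
static _Atomic int rcu_readers;
static void rcu_read_lock(void)   { atomic_fetch_add(&rcu_readers, 1); }
static void rcu_read_unlock(void) { atomic_fetch_sub(&rcu_readers, 1); }
static bool synchronize_rcu_would_complete(void) { return atomic_load(&rcu_readers) == 0; }

static void sock_hold(struct pptp_sock *sk) { sk->refcnt++; }
static bool sock_put(struct pptp_sock *sk)  /* true when the last reference dropped */
{
    if (--sk->refcnt == 0) { sk->freed = true; return true; }
    return false;
}

static struct pptp_sock *pptp_sock_create(uint16_t call_id, uint32_t dst_addr)
{
    struct pptp_sock *sk = calloc(1, sizeof(*sk));
    sk->call_id = call_id; sk->dst_addr = dst_addr; sk->refcnt = 1;
    return sk;
}
static void add_chan(struct pptp_sock *sk) { callid_sock[sk->call_id] = sk; }   /* rcu_assign_pointer */
static void del_chan(struct pptp_sock *sk) { callid_sock[sk->call_id] = NULL; }

enum lookup_result { LOOKUP_MISS = 0, LOOKUP_HIT = 1, LOOKUP_UAF = 2 };

/* Part 1: rcu_dereference() the table slot. The reader is now at "<=== HERE". */
static struct pptp_sock *lookup_part1(uint16_t call_id)
{
    rcu_read_lock();
    return callid_sock[call_id];
}
/* Part 2: read the address field and take a reference, still under rcu_read_lock(). */
static enum lookup_result lookup_part2(struct pptp_sock *sk, uint32_t s_addr, struct pptp_sock **out)
{
    enum lookup_result r = LOOKUP_MISS;
    *out = NULL;
    if (sk) {
        if (sk->freed)                 r = LOOKUP_UAF;   /* dst_addr read from freed memory */
        else if (sk->dst_addr == s_addr) { sock_hold(sk); *out = sk; r = LOOKUP_HIT; }
    }
    rcu_read_unlock();
    return r;
}
static enum lookup_result lookup_chan(uint16_t call_id, uint32_t s_addr, struct pptp_sock **out)
{
    return lookup_part2(lookup_part1(call_id), s_addr, out);
}

/* Release path: del_chan, then either wait for the grace period (kernel would block
 * in synchronize_rcu(); the model returns false so the caller retries later) or,
 * in the unsafe variant, drop the reference immediately. */
static bool pptp_release_model(struct pptp_sock *sk, bool wait_for_grace)
{
    del_chan(sk);
    if (wait_for_grace && !synchronize_rcu_would_complete())
        return false;
    sock_put(sk);
    return true;
}

/* Replay the race: reader stops at "<=== HERE", close() runs, reader resumes. */
static enum lookup_result race(bool wait_for_grace)
{
    struct pptp_sock *sk = pptp_sock_create(7, 0x0a000001), *held;
    add_chan(sk);
    struct pptp_sock *seen = lookup_part1(7);
    bool done = pptp_release_model(sk, wait_for_grace);
    enum lookup_result r = lookup_part2(seen, 0x0a000001, &held);
    if (!done) pptp_release_model(sk, wait_for_grace);  /* readers gone: release finishes */
    if (held) sock_put(held);
    free(sk);   /* real free only once every model reference is gone */
    return r;
}

/* Uncontended lifecycle; returns 0 when every step behaves as expected. */
static int lifecycle_check(void)
{
    struct pptp_sock *s = pptp_sock_create(3, 0xc0a80001), *h;
    add_chan(s);
    if (lookup_chan(3, 0xc0a80001, &h) != LOOKUP_HIT || h != s || s->refcnt != 2) return 1;
    if (lookup_chan(3, 0xc0a80002, &h) != LOOKUP_MISS) return 2;       /* wrong s_addr */
    if (!pptp_release_model(s, true) || s->refcnt != 1 || s->freed) return 3;
    if (lookup_chan(3, 0xc0a80001, &h) != LOOKUP_MISS) return 4;       /* unreachable after del_chan */
    if (!sock_put(s) || !s->freed) return 5;                            /* holder's put frees it */
    free(s);
    return 0;
}

int main(void)
{
    printf("with grace period: %d, without: %d, lifecycle: %d\n",
           race(true), race(false), lifecycle_check());
    return 0;
}
```

race(true) returns LOOKUP_HIT because the release path cannot drop its reference while the reader sits between rcu_dereference() and sock_hold(); race(false) returns LOOKUP_UAF because sock_put() ran first and the reader then read dst_addr from poisoned memory, which is the window the message above points at.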
