    RDS: TCP: avoid bad page reference in rds_tcp_listen_data_ready · a93d01f5
    Sowmini Varadhan authored
    As the existing comments in rds_tcp_listen_data_ready() indicate,
    it is possible under some race-windows to get to this function with the
    accept() socket. If that happens, we could run into a sequence whereby
    
       thread 1				thread 2
    
    rds_tcp_accept_one() thread
    sets up new_sock via ->accept().
    The sk_user_data is now
    sock_def_readable
    					data comes in for new_sock,
    					->sk_data_ready is called, and
    					we land in rds_tcp_listen_data_ready
    rds_tcp_set_callbacks()
    takes the sk_callback_lock and
    sets up sk_user_data to be the cp
    					read_lock sk_callback_lock
    					ready = cp
    					unlock sk_callback_lock
    					page fault on ready
    
    In the above sequence, we end up with a panic on a bad page reference
    when trying to execute (*ready)(). Instead we need to call
    sock_def_readable() safely, which is what this patch achieves.

    Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
    Signed-off-by: Sowmini Varadhan <sowmini.varadhan@oracle.com>
    Signed-off-by: David S. Miller <davem@davemloft.net>
tcp.c 19.4 KB
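
A userspace model of the interleaving in the commit message, added here as an illustration; it is not code from the patch or from the kernel tree. All type and function names are hypothetical stand-ins, and the safe variant assumes the handler can tell a listening socket from an accepted one by its state.

```c
#include <stdio.h>

/* Userspace model of the race; every name here is a hypothetical stand-in. */
enum sk_state { ST_LISTEN, ST_ESTABLISHED };
struct sock_model;
typedef void (*ready_fn)(struct sock_model *);
struct conn_path { int id; };              /* stands in for "cp" */
struct sock_model {
    enum sk_state state;
    void *user_data;   /* listener: saved callback; accepted socket: cp */
    int readable_calls, accept_queued;
};

static void def_readable(struct sock_model *sk) { sk->readable_calls++; }

/* Unsafe: assumes user_data always holds a callback. */
static ready_fn pick_ready_unsafe(struct sock_model *sk)
{
    return (ready_fn)sk->user_data;
}

/* Safe: only a listening socket interprets user_data as a callback;
 * any other socket gets the known-good default. */
static ready_fn pick_ready_safe(struct sock_model *sk)
{
    if (sk->state != ST_LISTEN)
        return def_readable;
    sk->accept_queued++;
    return (ready_fn)sk->user_data;
}

/* Replays the interleaving: 1 = a real callback ran, 0 = would jump into cp. */
static int replay_race(ready_fn (*pick)(struct sock_model *))
{
    struct conn_path cp = { 1 };
    struct sock_model new_sock = { ST_ESTABLISHED, NULL, 0, 0 };
    ready_fn ready;

    new_sock.user_data = &cp;          /* thread 1: set_callbacks stored cp */
    ready = pick(&new_sock);           /* thread 2: handler reads user_data */
    if ((void *)ready == (void *)&cp)
        return 0;                      /* kernel equivalent: page fault on (*ready)() */
    ready(&new_sock);
    return new_sock.readable_calls == 1;
}

int main(void)
{
    printf("unsafe handler ok: %d\n", replay_race(pick_ready_unsafe));
    printf("safe handler ok:   %d\n", replay_race(pick_ready_safe));
    return 0;
}
```

The model never dereferences the mistyped pointer; it only reports that the unsafe handler would have called into the connection object.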