Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

tcp: fix possible deadlock in tcp_send_fin()

Using sk_stream_alloc_skb() in tcp_send_fin() is dangerous in
case a huge process is killed by OOM, and tcp_mem[2] is hit.

To be able to free memory we need to make progress, so this
patch allows FIN packets to not care about tcp_mem[2], if
skb allocation succeeded.

In a follow-up patch, we might abort tcp_send_fin() infinite loop
in case TIF_MEMDIE is set on this thread, as memory allocator
did its best getting extra memory already.

This patch reverts d22e15371811 ("tcp: fix tcp fin memory accounting")

Fixes: d22e15371811 ("tcp: fix tcp fin memory accounting")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Eric Dumazet and committed by David S. Miller
d83769a5 5e6c94a9

+19 -1
net/ipv4/tcp_output.c
··· 2812 2812 } 2813 2813 } 2814 2814 2815 + /* We allow to exceed memory limits for FIN packets to expedite 2816 + * connection tear down and (memory) recovery. 2817 + * Otherwise tcp_send_fin() could loop forever. 2818 + */ 2819 + static void sk_forced_wmem_schedule(struct sock *sk, int size) 2820 + { 2821 + int amt, status; 2822 + 2823 + if (size <= sk->sk_forward_alloc) 2824 + return; 2825 + amt = sk_mem_pages(size); 2826 + sk->sk_forward_alloc += amt * SK_MEM_QUANTUM; 2827 + sk_memory_allocated_add(sk, amt, &status); 2828 + } 2829 + 2815 2830 /* Send a fin. The caller locks the socket for us. This cannot be 2816 2831 * allowed to fail queueing a FIN frame under any circumstances. 2817 2832 */ ··· 2849 2834 } else { 2850 2835 /* Socket is locked, keep trying until memory is available. */ 2851 2836 for (;;) { 2852 - skb = sk_stream_alloc_skb(sk, 0, sk->sk_allocation); 2837 + skb = alloc_skb_fclone(MAX_TCP_HEADER, 2838 + sk->sk_allocation); 2853 2839 if (skb) 2854 2840 break; 2855 2841 yield(); 2856 2842 } 2843 + skb_reserve(skb, MAX_TCP_HEADER); 2844 + sk_forced_wmem_schedule(sk, skb->truesize); 2857 2845 /* FIN eats a sequence byte, write_seq advanced by tcp_queue_skb(). */ 2858 2846 tcp_init_nondata_skb(skb, tp->write_seq, 2859 2847 TCPHDR_ACK | TCPHDR_FIN);
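Review bot: in the first hunk, sk_forced_wmem_schedule() passes `&status` to sk_memory_allocated_add() and then never reads it, so the socket is charged with no check on the outcome. If that is intentional, as the comment about exceeding memory limits for FIN packets suggests, state it in the comment block above the function so that nobody later adds a limit check on `status` and brings back the tcp_send_fin() loop. The comment could also say that the helper is meant for FIN packets only, since nothing in the function itself restricts its callers.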
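Review bot: in the second hunk, the `for (;;)` loop in tcp_send_fin() still has no exit other than a successful alloc_skb_fclone(), so with the socket locked it keeps calling yield() for as long as allocation fails. The commit message defers a TIF_MEMDIE check to a follow-up patch; a short comment at the loop recording that open item would make it visible in the code. A comment would also help on why `skb_reserve(skb, MAX_TCP_HEADER)` and `sk_forced_wmem_schedule(sk, skb->truesize)` are done by hand here instead of through sk_stream_alloc_skb(), so that the open-coded path is not folded back later.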