LKML Archive on
help / color / mirror / Atom feed
* [BUG] Potential data corruption when splice data spliced from socket to another socket
@ 2008-02-26 15:41 Changli Gao
  0 siblings, 0 replies; only message in thread
From: Changli Gao @ 2008-02-26 15:41 UTC (permalink / raw)
  To: Linux Kernel Mailing List; +Cc: Changli Gao, jens.axboe, davem

After reviewing the tcp splice receive code, I found that instead of
increasing the page reference counter, pipe buffer holds the socket
buffer by calling skb_get(skb). When you splice this pipe buffer to
another socket, such as a TCP socket, though the function sendpage
returns, the page buffer will be still in use, then you drop the
reference to the skb, so the buffer is free to another process. At
this time, the buffer is shared between socket and another part of
Linux kernel silently. It is possible that the data sent out is

The reason is splice send process knows nothing but page, so before
submitting the buffer to sendpage, we must ensure that the page is an
actual page not a fake one. A solution is adding a member function
get_page, which is used to get a actual page, to structure
pipe_buffer_operations. It the page in structure pipe_buffer isn't an
actual page, a page will be allocated, filled with the corresponding
data and returned. Before calling sendpage, get_page should be called
to get the actual page, and after calling sendpage, the page will be
freed by calling put_page.

Beside splice send process, other code paths maybe have the same problem.

Changli Gao(

^ permalink raw reply	[flat|nested] only message in thread

only message in thread, other threads:[~2008-02-26 15:42 UTC | newest]

Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2008-02-26 15:41 [BUG] Potential data corruption when splice data spliced from socket to another socket Changli Gao

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).