[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20090107044232.GA22218@gondor.apana.org.au>
Date: Wed, 7 Jan 2009 15:42:32 +1100
From: Herbert Xu <herbert@...dor.apana.org.au>
To: Jens Axboe <jens.axboe@...cle.com>
Cc: Evgeniy Polyakov <zbr@...emap.net>, Willy Tarreau <w@....eu>,
linux-kernel@...r.kernel.org, netdev@...r.kernel.org
Subject: Re: Data corruption issue with splice() on 2.6.27.10
On Tue, Jan 06, 2009 at 06:37:05PM +0000, Jens Axboe wrote:
>
> I'll give this a spin tomorrow as well. A hunch tells me that this is
> likely a page reuse issue, that splice is getting the reference to the
> buffer dropped before the data has really been transmitted. IOW, the
> page is likely fine reaching the ->sendpage() bit, but will be reused
> before the data has actually been transmitted. So once you get that far,
> other random data from that page is going out.
I see the problem.
The socket pipes in net/core/skbuff.c use references on the skb
to hold down the memory in skb->head as well as the pages in the
skb.
Unfortunately, once the pipe is fed into sendpage we only use
page reference counting to pin down the memory. So as soon as
sendpage returns we drop the ref count on the skb, thus freeing
the memory in skb->head, which is yet to be transmitted.
Moral: Using page reference counts on skb->head is wrong.
Cheers,
--
Visit Openswan at http://www.openswan.org/
Email: Herbert Xu ~{PmV>HI~} <herbert@...dor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists