Bug 214339
| Summary: | sendmsg return value may be positive while send errors | ||
|---|---|---|---|
| Product: | Networking | Reporter: | liuxf (1031265646) |
| Component: | IPV4 | Assignee: | Stephen Hemminger (stephen) |
| Status: | NEW --- | ||
| Severity: | normal | CC: | 1031265646 |
| Priority: | P1 | ||
| Hardware: | x86-64 | ||
| OS: | Linux | ||
| Kernel Version: | 5.14.7 | Subsystem: | |
| Regression: | No | Bisected commit-id: | |
what's more, when packet processed by tc module, pfifo_fast_enqueue is likely failed, then NET_XMIT_DROP(0x01) was returned, which is also result to a failed send operation was regard as a success one by sendmsg do_append_data: up->len += ulen; err = ip_append_data(sk, fl4, getfrag, msg, ulen, sizeof(struct udphdr), &ipc, &rt, corkreq ? msg->msg_flags|MSG_MORE : msg->msg_flags); if (err) udp_flush_pending_frames(sk); else if (!corkreq) err = udp_push_pending_frames(sk); //err may be zero here too else if (unlikely(skb_queue_empty(&sk->sk_write_queue))) up->pending = 0; release_sock(sk); out: ip_rt_put(rt); out_free: if (free) kfree(ipc.opt); if (!err) return len; |
in file udp.c, a function named udp_sendmsg has a code like this: /* Lockless fast path for the non-corking case. */ if (!corkreq) { skb = ip_make_skb(sk, fl4, getfrag, msg, ulen, sizeof(struct udphdr), &ipc, &rt, msg->msg_flags); err = PTR_ERR(skb); if (!IS_ERR_OR_NULL(skb)) err = udp_send_skb(skb, fl4); goto out; } but function ip_make_skb may return a null, then err will be set to 0;and out like this: out: ip_rt_put(rt); if (free) kfree(ipc.opt); if (!err) return len; // return a positive value actually, because lock of kernel memory or socket_buffer,the ip_make_skb failed means the send operation failed. but a positive value is returnd here. finnally, users regard the operation was success, but actually it failed in kernel.