Demonstration code on how to trigger tcp6_sock leak

Demonstration code on how to trigger tcp6_sock leak

[Erik Hensema]

[-- Attachment #1: Type: text/plain, Size: 370 bytes --]

Hi,

I wrote some quick&dirty code showing the tcp6_sock leak in Linux 2.6.x.
The server part listens for incoming connections and accept()'s them. The
client will simply connect() to the server and close the connection.

Do a 'grep tcp6_sock /proc/slabinfo' before and after running the programs,
and you will clearly see the leak.

-- 
Erik Hensema (erik@hensema.net)

[-- Attachment #2: server.c --]
[-- Type: text/plain, Size: 752 bytes --]

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <strings.h>
#include <stdio.h>

#define port 4000

int
main(
		int argc,
		char **argv
    )
{
	int fd;
	struct sockaddr_in6 myaddr;
	struct sockaddr addr;
	socklen_t len;
	int i;

	if((fd = socket(PF_INET6, SOCK_STREAM, 0)) < 0) {
		perror("socket");
	}

	bzero(&myaddr, sizeof(myaddr));
	myaddr.sin6_family = AF_INET6;
	myaddr.sin6_port = htons(port);
	myaddr.sin6_addr = in6addr_any;

	if(bind(fd, (struct sockaddr *)&myaddr, sizeof(myaddr)) < 0) {
		perror("bind");
	}

	if(listen(fd, 32) < 0) {
		perror("listen");
	}

	for(i = 0; i < 1000; i++) {
		if(accept(fd, &addr, &len) < 0) {
			perror("accept");
		} else {
			printf("Accept: %d\n", i);
		}
	}

	return 0;
}

[-- Attachment #3: client.c --]
[-- Type: text/plain, Size: 692 bytes --]

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <string.h>
#include <unistd.h>
#include <stdlib.h>
#include <stdio.h>

#define port 4000

int
main(
		int argc,
		char **argv
    )
{
	int fd;
	struct sockaddr_in6 srvaddr;
	int i;


	bzero(&srvaddr, sizeof(srvaddr));

	srvaddr.sin6_family = AF_INET6;
	srvaddr.sin6_port = htons(port);
	srvaddr.sin6_addr = in6addr_loopback;

	for(i = 0; 1; i++) {
		if((fd = socket(PF_INET6, SOCK_STREAM, 0)) < 0) {
			perror("socket");
			exit(0);
		}

		if(connect(fd, (const struct sockaddr *)&srvaddr, sizeof(srvaddr)) < 0) {
			perror("connect");
		} else {
			printf("Connect %d\n", i);
			close(fd);
		}
	}

	return 0;
}

Re: Demonstration code on how to trigger tcp6_sock leak

[YOSHIFUJI Hideaki / 吉藤英明]

In article <20040124131307.GB2666@bender.home.hensema.net> (at Sat, 24 Jan 2004 14:13:07 +0100), Erik Hensema <erik@hensema.net> says:

> I wrote some quick&dirty code showing the tcp6_sock leak in Linux 2.6.x.
> The server part listens for incoming connections and accept()'s them. The
> client will simply connect() to the server and close the connection.

Okay, I confirm that there're something wrong with tcp6 socket.
I'll look into it as soon as possible.

--yoshfuji

FIX (was Re: Demonstration code on how to trigger tcp6_sock leak)

[David S. Miller]

Ok, I've figured out the bug.  Arnaldo only fixed one of the
two incorrect calls to sk_add_node() which should both be
__sk_add_node().

Erik give this a spin.

# This is a BitKeeper generated patch for the following project:
# Project Name: Linux kernel tree
# This patch format is intended for GNU patch command version 2.5 or higher.
# This patch includes the following deltas:
#	           ChangeSet	1.1520  -> 1.1521 
#	 net/ipv6/tcp_ipv6.c	1.76    -> 1.77   
#
# The following is the BitKeeper ChangeSet Log
# --------------------------------------------
# 04/01/26	davem@nuts.ninka.net	1.1521
# [IPV6]: Fix TCP socket leak, do not grab socket reference when adding to main hashes.
# --------------------------------------------
#
diff -Nru a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
--- a/net/ipv6/tcp_ipv6.c	Mon Jan 26 12:34:20 2004
+++ b/net/ipv6/tcp_ipv6.c	Mon Jan 26 12:34:20 2004
@@ -485,7 +485,7 @@
 
 unique:
 	BUG_TRAP(sk_unhashed(sk));
-	sk_add_node(sk, &head->chain);
+	__sk_add_node(sk, &head->chain);
 	sk->sk_hashent = hash;
 	sock_prot_inc_use(sk->sk_prot);
 	write_unlock_bh(&head->lock);

Re: FIX

[YOSHIFUJI Hideaki / 吉藤英明]

In article <20040126.123042.104046496.davem@redhat.com> (at Mon, 26 Jan 2004 12:30:42 -0800 (PST)), "David S. Miller" <davem@redhat.com> says:

> 
> Ok, I've figured out the bug.  Arnaldo only fixed one of the
> two incorrect calls to sk_add_node() which should both be
> __sk_add_node().

Thanks you!

-- 
Hideaki YOSHIFUJI @ USAGI Project <yoshfuji@linux-ipv6.org>
GPG FP: 9022 65EB 1ECF 3AD1 0BDF  80D8 4807 F894 E062 0EEA

Re: FIX

[Arnaldo Carvalho de Melo]

Em Tue, Jan 27, 2004 at 07:01:42AM +0900, YOSHIFUJI Hideaki / ?$B5HF#1QL@ escreveu:
> In article <20040126.123042.104046496.davem@redhat.com> (at Mon, 26 Jan 2004 12:30:42 -0800 (PST)), "David S. Miller" <davem@redhat.com> says:
> 
> > 
> > Ok, I've figured out the bug.  Arnaldo only fixed one of the
> > two incorrect calls to sk_add_node() which should both be
> > __sk_add_node().
> 
> Thanks you!

Great! Thanks!

- Arnaldo