* [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort
@ 2018-07-07 7:31 Lorenzo Colitti
2018-07-07 13:11 ` David Miller
` (3 more replies)
0 siblings, 4 replies; 20+ messages in thread
From: Lorenzo Colitti @ 2018-07-07 7:31 UTC (permalink / raw)
To: netdev
Cc: astrachan, subashab, eric.dumazet, davem, Lorenzo Colitti, David Ahern
When tcp_diag_destroy closes a TCP_NEW_SYN_RECV socket, it first
frees it by calling inet_csk_reqsk_queue_drop_and_and_put in
tcp_abort, and then frees it again by calling sock_gen_put.
Since tcp_abort only has one caller, and all the other codepaths
in tcp_abort don't free the socket, just remove the free in that
function.
Cc: David Ahern <dsa@cumulusnetworks.com>
Tested: passes Android sock_diag_test.py, which exercises this codepath
Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying socket")
Signed-off-by: Lorenzo Colitti <lorenzo@google.com>
---
net/ipv4/tcp.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index e7b53d2a97..c959bb6ea4 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -3720,8 +3720,7 @@ int tcp_abort(struct sock *sk, int err)
struct request_sock *req = inet_reqsk(sk);
local_bh_disable();
- inet_csk_reqsk_queue_drop_and_put(req->rsk_listener,
- req);
+ inet_csk_reqsk_queue_drop(req->rsk_listener, req);
local_bh_enable();
return 0;
}
--
2.18.0.203.gfac676dfb9-goog
^ permalink raw reply related [flat|nested] 20+ messages in thread* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 7:31 [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort Lorenzo Colitti @ 2018-07-07 13:11 ` David Miller 2018-07-07 13:29 ` Eric Dumazet 2018-07-07 13:33 ` David Ahern 2018-07-07 13:28 ` Eric Dumazet ` (2 subsequent siblings) 3 siblings, 2 replies; 20+ messages in thread From: David Miller @ 2018-07-07 13:11 UTC (permalink / raw) To: lorenzo; +Cc: netdev, astrachan, subashab, eric.dumazet, dsa From: Lorenzo Colitti <lorenzo@google.com> Date: Sat, 7 Jul 2018 16:31:40 +0900 > Tested: passes Android sock_diag_test.py, which exercises this codepath If this Android test case exercises this path, why didn't it trigger the double free and thus cause this bug to be found much sooner? Just curious. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:11 ` David Miller @ 2018-07-07 13:29 ` Eric Dumazet 2018-07-07 13:58 ` Eric Dumazet 2018-07-09 4:53 ` Lorenzo Colitti 2018-07-07 13:33 ` David Ahern 1 sibling, 2 replies; 20+ messages in thread From: Eric Dumazet @ 2018-07-07 13:29 UTC (permalink / raw) To: David Miller, lorenzo; +Cc: netdev, astrachan, subashab, eric.dumazet, dsa On 07/07/2018 06:11 AM, David Miller wrote: > From: Lorenzo Colitti <lorenzo@google.com> > Date: Sat, 7 Jul 2018 16:31:40 +0900 > >> Tested: passes Android sock_diag_test.py, which exercises this codepath > > If this Android test case exercises this path, why didn't it trigger > the double free and thus cause this bug to be found much sooner? > > Just curious. > Presumably android has not backported yet the refcount_t stuff in their kernels. That is a guess though... ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:29 ` Eric Dumazet @ 2018-07-07 13:58 ` Eric Dumazet 2018-07-09 4:53 ` Lorenzo Colitti 1 sibling, 0 replies; 20+ messages in thread From: Eric Dumazet @ 2018-07-07 13:58 UTC (permalink / raw) To: David Miller, lorenzo; +Cc: netdev, astrachan, subashab, dsa On 07/07/2018 06:29 AM, Eric Dumazet wrote: > > > On 07/07/2018 06:11 AM, David Miller wrote: >> From: Lorenzo Colitti <lorenzo@google.com> >> Date: Sat, 7 Jul 2018 16:31:40 +0900 >> >>> Tested: passes Android sock_diag_test.py, which exercises this codepath >> >> If this Android test case exercises this path, why didn't it trigger >> the double free and thus cause this bug to be found much sooner? >> >> Just curious. >> > > Presumably android has not backported yet the refcount_t stuff in their kernels. > > That is a guess though... > Also maybe the confusion comes from the fact that it is not a double free, but a use-after-free, which might cause a bug on kernels without refcount_t saturation. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:29 ` Eric Dumazet 2018-07-07 13:58 ` Eric Dumazet @ 2018-07-09 4:53 ` Lorenzo Colitti 2018-07-09 14:59 ` David Ahern 1 sibling, 1 reply; 20+ messages in thread From: Lorenzo Colitti @ 2018-07-09 4:53 UTC (permalink / raw) To: Eric Dumazet Cc: David Miller, netdev, Alistair Strachan, Subash Abhinov Kasiviswanathan, David Ahern On Sat, Jul 7, 2018 at 10:29 PM Eric Dumazet <eric.dumazet@gmail.com> wrote: > >> Tested: passes Android sock_diag_test.py, which exercises this codepath > > > > If this Android test case exercises this path, why didn't it trigger > > the double free and thus cause this bug to be found much sooner? > > > > Just curious. > > Presumably android has not backported yet the refcount_t stuff in their kernels. That's correct. We only started seeing this on 4.14, which is not yet in the field. Also, I think this failure does not appear in our continuous test runs (even on 4.14) because those uses ARCH=um, which is single-threaded. We're working on making it possible to run the tests on qemu in order to catch these threading issues, but we're not there yet. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-09 4:53 ` Lorenzo Colitti @ 2018-07-09 14:59 ` David Ahern 2018-07-09 15:17 ` Eric Dumazet 0 siblings, 1 reply; 20+ messages in thread From: David Ahern @ 2018-07-09 14:59 UTC (permalink / raw) To: Lorenzo Colitti, Eric Dumazet Cc: David Miller, netdev, Alistair Strachan, Subash Abhinov Kasiviswanathan On 7/8/18 10:53 PM, Lorenzo Colitti wrote: > On Sat, Jul 7, 2018 at 10:29 PM Eric Dumazet <eric.dumazet@gmail.com> wrote: >>>> Tested: passes Android sock_diag_test.py, which exercises this codepath >>> >>> If this Android test case exercises this path, why didn't it trigger >>> the double free and thus cause this bug to be found much sooner? >>> >>> Just curious. >> >> Presumably android has not backported yet the refcount_t stuff in their kernels. > > That's correct. We only started seeing this on 4.14, which is not yet > in the field. Prior to 4.12 syn-recv sockets did not show up in the list, so it could not be closed through the diag API. I did not chase it to a specific commit between 4.11 (no syn-recv in 'ss -ta') and 4.12 (syn-recv shows up in 'ss -ta'). ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-09 14:59 ` David Ahern @ 2018-07-09 15:17 ` Eric Dumazet 2018-07-09 16:14 ` David Ahern 0 siblings, 1 reply; 20+ messages in thread From: Eric Dumazet @ 2018-07-09 15:17 UTC (permalink / raw) To: David Ahern, Lorenzo Colitti, Eric Dumazet Cc: David Miller, netdev, Alistair Strachan, Subash Abhinov Kasiviswanathan On 07/09/2018 07:59 AM, David Ahern wrote: > On 7/8/18 10:53 PM, Lorenzo Colitti wrote: >> On Sat, Jul 7, 2018 at 10:29 PM Eric Dumazet <eric.dumazet@gmail.com> wrote: >>>>> Tested: passes Android sock_diag_test.py, which exercises this codepath >>>> >>>> If this Android test case exercises this path, why didn't it trigger >>>> the double free and thus cause this bug to be found much sooner? >>>> >>>> Just curious. >>> >>> Presumably android has not backported yet the refcount_t stuff in their kernels. >> >> That's correct. We only started seeing this on 4.14, which is not yet >> in the field. > > Prior to 4.12 syn-recv sockets did not show up in the list, so it could > not be closed through the diag API. I did not chase it to a specific > commit between 4.11 (no syn-recv in 'ss -ta') and 4.12 (syn-recv shows > up in 'ss -ta'). > I suggest you look more closely to tcp_abort(), the function you changed in commit d7226c7a4dd1 (linux-4.8) Then you will see it had support for syn-recv since linux-4.5 So I do not understand your 4.11/4.12 mentions at all. "ss -ta" always had dumped syn-recv request sockets. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-09 15:17 ` Eric Dumazet @ 2018-07-09 16:14 ` David Ahern 2018-07-09 16:21 ` Eric Dumazet 0 siblings, 1 reply; 20+ messages in thread From: David Ahern @ 2018-07-09 16:14 UTC (permalink / raw) To: Eric Dumazet, Lorenzo Colitti Cc: David Miller, netdev, Alistair Strachan, Subash Abhinov Kasiviswanathan On 7/9/18 9:17 AM, Eric Dumazet wrote: > > > On 07/09/2018 07:59 AM, David Ahern wrote: >> On 7/8/18 10:53 PM, Lorenzo Colitti wrote: >>> On Sat, Jul 7, 2018 at 10:29 PM Eric Dumazet <eric.dumazet@gmail.com> wrote: >>>>>> Tested: passes Android sock_diag_test.py, which exercises this codepath >>>>> >>>>> If this Android test case exercises this path, why didn't it trigger >>>>> the double free and thus cause this bug to be found much sooner? >>>>> >>>>> Just curious. >>>> >>>> Presumably android has not backported yet the refcount_t stuff in their kernels. >>> >>> That's correct. We only started seeing this on 4.14, which is not yet >>> in the field. >> >> Prior to 4.12 syn-recv sockets did not show up in the list, so it could >> not be closed through the diag API. I did not chase it to a specific >> commit between 4.11 (no syn-recv in 'ss -ta') and 4.12 (syn-recv shows >> up in 'ss -ta'). >> > > I suggest you look more closely to tcp_abort(), the function you changed > in commit d7226c7a4dd1 (linux-4.8) > > Then you will see it had support for syn-recv since linux-4.5 > > So I do not understand your 4.11/4.12 mentions at all. > > "ss -ta" always had dumped syn-recv request sockets. > > Perhaps it is something with my config, settings, ss version or test program, but I do not see it on 4.11: # ip addr sh dev eth1 3: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000 link/ether 02:e0:f9:1c:00:37 brd ff:ff:ff:ff:ff:ff inet 10.100.1.4/24 scope global eth1 valid_lft forever preferred_lft forever ... # uname -r 4.11.0 # iptables -A OUTPUT -p tcp --sport 12345 --tcp-flags SYN,ACK SYN,ACK -j DROP # vrf-test -s & [1] 823 --> connection attempt into this node from 10.100.1.254 # ss -ta | grep 1234 LISTEN 0 5 *:12345 *:* No, SYN-RECV in output. A local connection does show up (but I was not looking at that earlier): # vrf-test -r 10.100.1.4 & [2] 827 # ss -ta | grep 1234 LISTEN 0 5 *:12345 *:* SYN-RECV 0 0 10.100.1.4:12345 10.100.1.254:54276 SYN-RECV 0 0 10.100.1.4:12345 10.100.1.4:52316 SYN-SENT 0 1 10.100.1.4:52316 10.100.1.4:12345 Same commands on 4.12: # uname -r 4.12.0 # iptables -A OUTPUT -p tcp --sport 12345 --tcp-flags SYN,ACK SYN,ACK -j DROP # vrf-test -s & [1] 815 --> connection attempt into this node from 10.100.1.254 # ss -ta | grep 1234 LISTEN 0 5 *:12345 *:* SYN-RECV 0 0 10.100.1.4:12345 10.100.1.254:54272 So, SYN-RECV is there. However, in writing this response and repeating the steps over and over I have noticed inconsistencies even with 4.12. For example, I reboot 4.12 and try the steps again: # uname -r 4.12.0 # iptables -A OUTPUT -p tcp --sport 12345 --tcp-flags SYN,ACK SYN,ACK -j DROP # vrf-test -s & [1] 821 --> connection attempt into this node from 10.100.1.254 # ss -ta | grep 1234 LISTEN 0 5 *:12345 *:* no SYN-RECV. Local test: # vrf-test -r 10.100.1.4 & [2] 824 # ss -ta | grep 1234 LISTEN 0 5 *:12345 *:* SYN-SENT 0 1 10.100.1.4:59922 10.100.1.4:12345 No SYN-RECV. # ss --version ss utility, iproute2-ss150831 ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-09 16:14 ` David Ahern @ 2018-07-09 16:21 ` Eric Dumazet 0 siblings, 0 replies; 20+ messages in thread From: Eric Dumazet @ 2018-07-09 16:21 UTC (permalink / raw) To: David Ahern, Eric Dumazet, Lorenzo Colitti Cc: David Miller, netdev, Alistair Strachan, Subash Abhinov Kasiviswanathan On 07/09/2018 09:14 AM, David Ahern wrote: > Perhaps it is something with my config, settings, ss version or test > program, but I do not see it on 4.11: > Maybe some vrf issue, I dunno. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:11 ` David Miller 2018-07-07 13:29 ` Eric Dumazet @ 2018-07-07 13:33 ` David Ahern 2018-07-07 13:45 ` Eric Dumazet 1 sibling, 1 reply; 20+ messages in thread From: David Ahern @ 2018-07-07 13:33 UTC (permalink / raw) To: David Miller, lorenzo; +Cc: netdev, astrachan, subashab, eric.dumazet On 7/7/18 7:11 AM, David Miller wrote: > From: Lorenzo Colitti <lorenzo@google.com> > Date: Sat, 7 Jul 2018 16:31:40 +0900 > >> Tested: passes Android sock_diag_test.py, which exercises this codepath > > If this Android test case exercises this path, why didn't it trigger > the double free and thus cause this bug to be found much sooner? > wondering the same. How can I get access to sock_diag_test.py? ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:33 ` David Ahern @ 2018-07-07 13:45 ` Eric Dumazet 2018-07-07 13:51 ` Eric Dumazet 0 siblings, 1 reply; 20+ messages in thread From: Eric Dumazet @ 2018-07-07 13:45 UTC (permalink / raw) To: David Ahern, David Miller, lorenzo Cc: netdev, astrachan, subashab, eric.dumazet On 07/07/2018 06:33 AM, David Ahern wrote: > On 7/7/18 7:11 AM, David Miller wrote: >> From: Lorenzo Colitti <lorenzo@google.com> >> Date: Sat, 7 Jul 2018 16:31:40 +0900 >> >>> Tested: passes Android sock_diag_test.py, which exercises this codepath >> >> If this Android test case exercises this path, why didn't it trigger >> the double free and thus cause this bug to be found much sooner? >> > > wondering the same. How can I get access to sock_diag_test.py? > I would simply use ss -tKa src :443 command on a live web server ;) Note to readers : Do not try that unless you want to kill your server. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:45 ` Eric Dumazet @ 2018-07-07 13:51 ` Eric Dumazet 2018-07-07 13:56 ` David Ahern 0 siblings, 1 reply; 20+ messages in thread From: Eric Dumazet @ 2018-07-07 13:51 UTC (permalink / raw) To: David Ahern, David Miller, lorenzo; +Cc: netdev, astrachan, subashab On 07/07/2018 06:45 AM, Eric Dumazet wrote: > > > On 07/07/2018 06:33 AM, David Ahern wrote: >> On 7/7/18 7:11 AM, David Miller wrote: >>> From: Lorenzo Colitti <lorenzo@google.com> >>> Date: Sat, 7 Jul 2018 16:31:40 +0900 >>> >>>> Tested: passes Android sock_diag_test.py, which exercises this codepath >>> >>> If this Android test case exercises this path, why didn't it trigger >>> the double free and thus cause this bug to be found much sooner? >>> >> >> wondering the same. How can I get access to sock_diag_test.py? >> > > I would simply use ss -tKa src :443 command on a live web server ;) > > Note to readers : Do not try that unless you want to kill your server. > > Here is a packetdrill test : // Test SOCK_DESTROY on SYN_RECV request sockets // We use the "ss" socket statistics tool, which uses inet_diag sockets. // ss -K can be slow --tolerance_usecs=15000 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 +0 bind(3, ..., ...) = 0 +0 listen(3, 1) = 0 +0 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 2> +0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 8> // ss -K is scary ! Do not mess with the filter or risk killing a lot of flows +0 `ss -t -K -n state SYN-RECV src :8080 >/dev/null` +.1 < . 1:1(0) ack 1 win 32890 +0 > R 1:1(0) // The listener was not killed, but has no available child -> -1 EAGAIN +0 accept(3, ..., ...) = -1 EAGAIN (Resource temporarily unavailable) ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:51 ` Eric Dumazet @ 2018-07-07 13:56 ` David Ahern 2018-07-07 14:16 ` Eric Dumazet 2018-07-09 5:24 ` Lorenzo Colitti 0 siblings, 2 replies; 20+ messages in thread From: David Ahern @ 2018-07-07 13:56 UTC (permalink / raw) To: Eric Dumazet, David Miller, lorenzo; +Cc: netdev, astrachan, subashab On 7/7/18 7:51 AM, Eric Dumazet wrote: > > > On 07/07/2018 06:45 AM, Eric Dumazet wrote: >> >> >> On 07/07/2018 06:33 AM, David Ahern wrote: >>> On 7/7/18 7:11 AM, David Miller wrote: >>>> From: Lorenzo Colitti <lorenzo@google.com> >>>> Date: Sat, 7 Jul 2018 16:31:40 +0900 >>>> >>>>> Tested: passes Android sock_diag_test.py, which exercises this codepath >>>> >>>> If this Android test case exercises this path, why didn't it trigger >>>> the double free and thus cause this bug to be found much sooner? >>>> >>> >>> wondering the same. How can I get access to sock_diag_test.py? >>> >> >> I would simply use ss -tKa src :443 command on a live web server ;) >> >> Note to readers : Do not try that unless you want to kill your server. >> >> > > Here is a packetdrill test : So I have to either learn how to use packetdrill or install a web server and put load on it. If the Android tests are not publicly available then the reference should be removed from the commit log. > > // Test SOCK_DESTROY on SYN_RECV request sockets > // We use the "ss" socket statistics tool, which uses inet_diag sockets. > > // ss -K can be slow > --tolerance_usecs=15000 > > > 0 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 > +0 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 > +0 fcntl(3, F_SETFL, O_RDWR|O_NONBLOCK) = 0 > +0 bind(3, ..., ...) = 0 > +0 listen(3, 1) = 0 > > +0 < S 0:0(0) win 32792 <mss 1000,sackOK,nop,nop,nop,wscale 2> > +0 > S. 0:0(0) ack 1 <mss 1460,nop,nop,sackOK,nop,wscale 8> > > // ss -K is scary ! Do not mess with the filter or risk killing a lot of flows > +0 `ss -t -K -n state SYN-RECV src :8080 >/dev/null` > > +.1 < . 1:1(0) ack 1 win 32890 > +0 > R 1:1(0) > > // The listener was not killed, but has no available child -> -1 EAGAIN > +0 accept(3, ..., ...) = -1 EAGAIN (Resource temporarily unavailable) > I'll give this a try later. Thanks, ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:56 ` David Ahern @ 2018-07-07 14:16 ` Eric Dumazet 2018-07-07 14:19 ` Eric Dumazet 2018-07-09 5:24 ` Lorenzo Colitti 1 sibling, 1 reply; 20+ messages in thread From: Eric Dumazet @ 2018-07-07 14:16 UTC (permalink / raw) To: David Ahern, Eric Dumazet, David Miller, lorenzo Cc: netdev, astrachan, subashab On 07/07/2018 06:56 AM, David Ahern wrote: > > So I have to either learn how to use packetdrill or install a web server > and put load on it. If the Android tests are not publicly available then > the reference should be removed from the commit log. We see many Change-Id tags in changelogs, and other tags that help various teams, even if it makes little sense for others. Now back to week-end, I am not really impressed by your gratitude today. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 14:16 ` Eric Dumazet @ 2018-07-07 14:19 ` Eric Dumazet 0 siblings, 0 replies; 20+ messages in thread From: Eric Dumazet @ 2018-07-07 14:19 UTC (permalink / raw) To: David Ahern, David Miller, lorenzo; +Cc: netdev, astrachan, subashab On 07/07/2018 07:16 AM, Eric Dumazet wrote: > > > On 07/07/2018 06:56 AM, David Ahern wrote: > >> >> So I have to either learn how to use packetdrill or install a web server >> and put load on it. If the Android tests are not publicly available then >> the reference should be removed from the commit log. > ( A google search for sock_diag_test.py show plenty of git repos btw) ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 13:56 ` David Ahern 2018-07-07 14:16 ` Eric Dumazet @ 2018-07-09 5:24 ` Lorenzo Colitti 2018-07-09 15:00 ` David Ahern 1 sibling, 1 reply; 20+ messages in thread From: Lorenzo Colitti @ 2018-07-09 5:24 UTC (permalink / raw) To: David Ahern Cc: Eric Dumazet, David Miller, netdev, Alistair Strachan, Subash Abhinov Kasiviswanathan On Sat, Jul 7, 2018 at 10:56 PM David Ahern <dsa@cumulusnetworks.com> wrote: > > Here is a packetdrill test : > > So I have to either learn how to use packetdrill or install a web server > and put load on it. If the Android tests are not publicly available then > the reference should be removed from the commit log. It is publicly available. The test is at https://android.googlesource.com/kernel/tests/+/master/net/test/sock_diag_test.py . Documentation is at https://source.android.com/devices/architecture/kernel/network_tests . Note that not all the tests pass on upstream kernels. We do try to keep them working, but because they are also run as conformance tests for Android devices they must test out-of-tree behaviour, such as the fact that unlike upstream, Android kernels use RFC-compliant SHA256 truncation when the PF_KEY API is used. Again, I don't think you'll see this particular issue on the ARCH=um tests that run by default. But if you run sock_diag_test.py on a VM or physical machine as root, you should. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-09 5:24 ` Lorenzo Colitti @ 2018-07-09 15:00 ` David Ahern 0 siblings, 0 replies; 20+ messages in thread From: David Ahern @ 2018-07-09 15:00 UTC (permalink / raw) To: Lorenzo Colitti Cc: Eric Dumazet, David Miller, netdev, Alistair Strachan, Subash Abhinov Kasiviswanathan On 7/8/18 11:24 PM, Lorenzo Colitti wrote: > On Sat, Jul 7, 2018 at 10:56 PM David Ahern <dsa@cumulusnetworks.com> wrote: >>> Here is a packetdrill test : >> >> So I have to either learn how to use packetdrill or install a web server >> and put load on it. If the Android tests are not publicly available then >> the reference should be removed from the commit log. > > It is publicly available. The test is at > https://android.googlesource.com/kernel/tests/+/master/net/test/sock_diag_test.py > . Documentation is at > https://source.android.com/devices/architecture/kernel/network_tests . > > Note that not all the tests pass on upstream kernels. We do try to > keep them working, but because they are also run as conformance tests > for Android devices they must test out-of-tree behaviour, such as the > fact that unlike upstream, Android kernels use RFC-compliant SHA256 > truncation when the PF_KEY API is used. > > Again, I don't think you'll see this particular issue on the ARCH=um > tests that run by default. But if you run sock_diag_test.py on a VM or > physical machine as root, you should. > ok. thanks for reference. I general I am always looking for more easy to run tests to catch problems like this. ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 7:31 [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort Lorenzo Colitti 2018-07-07 13:11 ` David Miller @ 2018-07-07 13:28 ` Eric Dumazet 2018-07-07 22:07 ` David Ahern 2018-07-08 1:57 ` David Miller 3 siblings, 0 replies; 20+ messages in thread From: Eric Dumazet @ 2018-07-07 13:28 UTC (permalink / raw) To: Lorenzo Colitti, netdev Cc: astrachan, subashab, eric.dumazet, davem, David Ahern On 07/07/2018 12:31 AM, Lorenzo Colitti wrote: > When tcp_diag_destroy closes a TCP_NEW_SYN_RECV socket, it first > frees it by calling inet_csk_reqsk_queue_drop_and_and_put in > tcp_abort, and then frees it again by calling sock_gen_put. > > Since tcp_abort only has one caller, and all the other codepaths > in tcp_abort don't free the socket, just remove the free in that > function. > > Cc: David Ahern <dsa@cumulusnetworks.com> > Tested: passes Android sock_diag_test.py, which exercises this codepath > Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying socket") > Signed-off-by: Lorenzo Colitti <lorenzo@google.com> > --- Signed-off-by: Eric Dumazet <edumazet@google.com> Thanks ! ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 7:31 [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort Lorenzo Colitti 2018-07-07 13:11 ` David Miller 2018-07-07 13:28 ` Eric Dumazet @ 2018-07-07 22:07 ` David Ahern 2018-07-08 1:57 ` David Miller 3 siblings, 0 replies; 20+ messages in thread From: David Ahern @ 2018-07-07 22:07 UTC (permalink / raw) To: Lorenzo Colitti, netdev; +Cc: astrachan, subashab, eric.dumazet, davem On 7/7/18 1:31 AM, Lorenzo Colitti wrote: > When tcp_diag_destroy closes a TCP_NEW_SYN_RECV socket, it first > frees it by calling inet_csk_reqsk_queue_drop_and_and_put in > tcp_abort, and then frees it again by calling sock_gen_put. > > Since tcp_abort only has one caller, and all the other codepaths > in tcp_abort don't free the socket, just remove the free in that > function. > > Cc: David Ahern <dsa@cumulusnetworks.com> > Tested: passes Android sock_diag_test.py, which exercises this codepath > Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying socket") > Signed-off-by: Lorenzo Colitti <lorenzo@google.com> > --- > net/ipv4/tcp.c | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > Thanks for the bugfix. Reviewed-by: David Ahern <dsa@cumulusnetworks.com> Tested-by: David Ahern <dsa@cumulusnetworks.com> ^ permalink raw reply [flat|nested] 20+ messages in thread
* Re: [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort 2018-07-07 7:31 [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort Lorenzo Colitti ` (2 preceding siblings ...) 2018-07-07 22:07 ` David Ahern @ 2018-07-08 1:57 ` David Miller 3 siblings, 0 replies; 20+ messages in thread From: David Miller @ 2018-07-08 1:57 UTC (permalink / raw) To: lorenzo; +Cc: netdev, astrachan, subashab, eric.dumazet, dsa From: Lorenzo Colitti <lorenzo@google.com> Date: Sat, 7 Jul 2018 16:31:40 +0900 > When tcp_diag_destroy closes a TCP_NEW_SYN_RECV socket, it first > frees it by calling inet_csk_reqsk_queue_drop_and_and_put in > tcp_abort, and then frees it again by calling sock_gen_put. > > Since tcp_abort only has one caller, and all the other codepaths > in tcp_abort don't free the socket, just remove the free in that > function. > > Cc: David Ahern <dsa@cumulusnetworks.com> > Tested: passes Android sock_diag_test.py, which exercises this codepath > Fixes: d7226c7a4dd1 ("net: diag: Fix refcnt leak in error path destroying socket") > Signed-off-by: Lorenzo Colitti <lorenzo@google.com> Applied and queued up for -stable, thanks! ^ permalink raw reply [flat|nested] 20+ messages in thread
end of thread, other threads:[~2018-07-09 16:21 UTC | newest] Thread overview: 20+ messages (download: mbox.gz / follow: Atom feed) -- links below jump to the message on this page -- 2018-07-07 7:31 [PATCH net] net: diag: Don't double-free TCP_NEW_SYN_RECV sockets in tcp_abort Lorenzo Colitti 2018-07-07 13:11 ` David Miller 2018-07-07 13:29 ` Eric Dumazet 2018-07-07 13:58 ` Eric Dumazet 2018-07-09 4:53 ` Lorenzo Colitti 2018-07-09 14:59 ` David Ahern 2018-07-09 15:17 ` Eric Dumazet 2018-07-09 16:14 ` David Ahern 2018-07-09 16:21 ` Eric Dumazet 2018-07-07 13:33 ` David Ahern 2018-07-07 13:45 ` Eric Dumazet 2018-07-07 13:51 ` Eric Dumazet 2018-07-07 13:56 ` David Ahern 2018-07-07 14:16 ` Eric Dumazet 2018-07-07 14:19 ` Eric Dumazet 2018-07-09 5:24 ` Lorenzo Colitti 2018-07-09 15:00 ` David Ahern 2018-07-07 13:28 ` Eric Dumazet 2018-07-07 22:07 ` David Ahern 2018-07-08 1:57 ` David Miller
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.