[PATCH mptcp-net] mptcp: fix possible memory leak on syn_recv race

[PATCH mptcp-net] mptcp: fix possible memory leak on syn_recv race

[Paolo Abeni]

When subflow_syn_recv_sock() loses the inet hash insert race, the
newly created children will be released by inet_csk_complete_hashdance().

In that scenario, without any further hint, the ulp release callback
will keep the ulp context alive, expecting that the msk socket will
later free it.

Anyway the dying child is not linked to any msk socket, and the context
will be leaked, as reported by Christoph.

Address the issue explicitly releasing the context in the critical
scenario.

Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/356
Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
This patch is tested only vs the self tests, I have no actual proof
it really closes 356, but it should at least avoid some real leak
---
 net/mptcp/subflow.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index cda6dc4cc6a7..1ca8d30e9276 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -806,7 +806,7 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 	child = listener->icsk_af_ops->syn_recv_sock(sk, skb, req, dst,
 						     req_unhash, own_req);
 
-	if (child && *own_req) {
+	if (likely(child && *own_req)) {
 		struct mptcp_subflow_context *ctx = mptcp_subflow_ctx(child);
 
 		tcp_rsk(req)->drop_req = false;
@@ -898,6 +898,12 @@ static struct sock *subflow_syn_recv_sock(const struct sock *sk,
 			SUBFLOW_REQ_INC_STATS(req, MPTCP_MIB_JOINACKRX);
 			tcp_rsk(req)->drop_req = true;
 		}
+	} else if (child) {
+		/* inet_csk_complete_hashdance() is going to drop the sock
+		 * soon, but context must be explicitly deleted or will be
+		 * leaked
+		 */
+		mptcp_subflow_drop_ctx(child);
 	}
 
 out:
-- 
2.39.2

Re: mptcp: fix possible memory leak on syn_recv race: Build Failure

[MPTCP CI]

Hi Paolo,

Thank you for your modifications, that's great!

But sadly, our CI spotted some issues with it when trying to build it.

You can find more details there:

  https://patchwork.kernel.org/project/mptcp/patch/869ca49933fc7983c50a88f2a8b4a680e5eedc5b.1677693276.git.pabeni@redhat.com/
  https://github.com/multipath-tcp/mptcp_net-next/actions/runs/4306566553

Status: failure
Initiator: MPTCPimporter
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/6b3b8fa6b068

Feel free to reply to this email if you cannot access logs, if you need
some support to fix the error, if this doesn't seem to be caused by your
modifications or if the error is a false positive one.

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (Tessares)

Re: mptcp: fix possible memory leak on syn_recv race: Tests Results

[MPTCP CI]

Hi Paolo,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join):
  - Script error! ❓:
  - Task: https://cirrus-ci.com/task/6362501890179072
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/6362501890179072/summary/summary.txt

- KVM Validation: debug (except selftest_mptcp_join):
  - Script error! ❓:
  - Task: https://cirrus-ci.com/task/6081026913468416
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/6081026913468416/summary/summary.txt

- KVM Validation: normal (only selftest_mptcp_join):
  - Script error! ❓:
  - Task: https://cirrus-ci.com/task/4955127006625792
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/4955127006625792/summary/summary.txt

- KVM Validation: debug (only selftest_mptcp_join):
  - Script error! ❓:
  - Task: https://cirrus-ci.com/task/5518076960047104
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/5518076960047104/summary/summary.txt

Initiator: Patchew Applier
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/6b3b8fa6b068


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-debug

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (Tessares)

Re: [PATCH mptcp-net] mptcp: fix possible memory leak on syn_recv race

[Matthieu Baerts]

Hi Paolo,

On 01/03/2023 18:56, Paolo Abeni wrote:
> When subflow_syn_recv_sock() loses the inet hash insert race, the
> newly created children will be released by inet_csk_complete_hashdance().
> 
> In that scenario, without any further hint, the ulp release callback
> will keep the ulp context alive, expecting that the msk socket will
> later free it.
> 
> Anyway the dying child is not linked to any msk socket, and the context
> will be leaked, as reported by Christoph.
> 
> Address the issue explicitly releasing the context in the critical
> scenario.
> 
> Reported-by: Christoph Paasch <cpaasch@apple.com>
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/356
> Fixes: cec37a6e41aa ("mptcp: Handle MP_CAPABLE options for outgoing connections")
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Thank you for the patch!

Looks good to me!

I just applied it in our tree (fixes for -net) with my RvB tag:

New patches for t/upstream-net and t/upstream:
- 12727556f008: mptcp: fix possible memory leak on syn_recv race
- Results: 6cf09218c6fa..74e097ee5448 (export-net)
- Results: 9a7404e5bb61..9bd792349d0b (export)

Tests are now in progress:

https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export-net/20230306T173558
https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20230306T173558

Cheers,
Matt
-- 
Tessares | Belgium | Hybrid Access Solutions
www.tessares.net

Re: mptcp: fix possible memory leak on syn_recv race: Tests Results

[MPTCP CI]

Hi Paolo,

Thank you for your modifications, that's great!

Our CI did some validations and here is its report:

- KVM Validation: normal (except selftest_mptcp_join):
  - Success! ✅:
  - Task: https://cirrus-ci.com/task/6243033163759616
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/6243033163759616/summary/summary.txt

- KVM Validation: normal (only selftest_mptcp_join):
  - Success! ✅:
  - Task: https://cirrus-ci.com/task/4835658280206336
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/4835658280206336/summary/summary.txt

- KVM Validation: debug (only selftest_mptcp_join):
  - Unstable: 1 failed test(s): selftest_mptcp_join 🔴:
  - Task: https://cirrus-ci.com/task/5398608233627648
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/5398608233627648/summary/summary.txt

- KVM Validation: debug (except selftest_mptcp_join):
  - Success! ✅:
  - Task: https://cirrus-ci.com/task/5961558187048960
  - Summary: https://api.cirrus-ci.com/v1/artifact/task/5961558187048960/summary/summary.txt

Initiator: Matthieu Baerts
Commits: https://github.com/multipath-tcp/mptcp_net-next/commits/6d51676e3805


If there are some issues, you can reproduce them using the same environment as
the one used by the CI thanks to a docker image, e.g.:

    $ cd [kernel source code]
    $ docker run -v "${PWD}:${PWD}:rw" -w "${PWD}" --privileged --rm -it \
        --pull always mptcp/mptcp-upstream-virtme-docker:latest \
        auto-debug

For more details:

    https://github.com/multipath-tcp/mptcp-upstream-virtme-docker


Please note that despite all the efforts that have been already done to have a
stable tests suite when executed on a public CI like here, it is possible some
reported issues are not due to your modifications. Still, do not hesitate to
help us improve that ;-)

Cheers,
MPTCP GH Action bot
Bot operated by Matthieu Baerts (Tessares)