This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

mptcp: mpcb-put when canceling a workqueue for closing subflows
Commit ece771f ("mptcp: Fully cleanup meta-socket in
mptcp_disconnect") added a refcount hold on the mpcb when closing
subflows (among other cases). We forgot to put the reference when the
work-queue is being canceled. Otherwise, we will end up leaking the
mpcb, and we get log-splashes like:

BUG: memory leak
unreferenced object 0xffff888053724000 (size 1056):
  comm "softirq", pid 0, jiffies 4295075668 (age 18.015s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    d1 d8 ee 60 d0 d8 ee 60 55 f5 51 cd 56 f5 51 cd  ...`...`U.Q.V.Q.
  backtrace:
    [<ffffffff8333b9b3>] kmem_cache_zalloc include/linux/slab.h:651 [inline]
    [<ffffffff8333b9b3>] mptcp_alloc_mpcb net/mptcp/mptcp_ctrl.c:1105 [inline]
    [<ffffffff8333b9b3>] mptcp_create_master_sk+0x203/0x2980 net/mptcp/mptcp_ctrl.c:1960
    [<ffffffff83368f50>] mptcp_rcv_synsent_state_process+0x580/0x1120 net/mptcp/mptcp_input.c:2300
    [<ffffffff83006345>] tcp_rcv_synsent_state_process+0x19b5/0x2d30 net/ipv4/tcp_input.c:5828
    [<ffffffff83007ef3>] tcp_rcv_state_process+0x833/0x2e43 net/ipv4/tcp_input.c:6074
    [<ffffffff832d09e9>] tcp_v6_do_rcv+0x789/0x12d0 net/ipv6/tcp_ipv6.c:1381
    [<ffffffff82d00088>] sk_backlog_rcv include/net/sock.h:913 [inline]
    [<ffffffff82d00088>] __release_sock+0x138/0x360 net/core/sock.c:2289
    [<ffffffff82d00350>] release_sock+0xa0/0x280 net/core/sock.c:2804
    [<ffffffff830a3951>] inet_wait_for_connect net/ipv4/af_inet.c:560 [inline]
    [<ffffffff830a3951>] __inet_stream_connect+0x621/0xe60 net/ipv4/af_inet.c:646
    [<ffffffff830a41e3>] inet_stream_connect+0x53/0xa0 net/ipv4/af_inet.c:685
    [<ffffffff82ce95a6>] SYSC_connect+0x1e6/0x420 net/socket.c:1655
    [<ffffffff8100693f>] do_syscall_64+0x23f/0x6f0 arch/x86/entry/common.c:292
    [<ffffffff83a00086>] entry_SYSCALL_64_after_hwframe+0x42/0xb7
    [<ffffffffffffffff>] 0xffffffffffffffff

Reported-by: Franz Schleindlhuber <Schleindlhuber@gmx.net>
Fixes: ece771f ("mptcp: Fully cleanup meta-socket in mptcp_disconnect")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 528be74)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
cpaasch authored and matttbe committed May 29, 2019
1 parent adeb477 commit ed39d2f
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions net/mptcp/mptcp_ctrl.c
Expand Up @@ -1707,6 +1707,7 @@ void mptcp_sub_close(struct sock *sk, unsigned long delay)
if (!cancel_delayed_work(work))
return;
sock_put(sk);
mptcp_mpcb_put(tp->mpcb);
}

if (!delay) {
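Review bot: the new mptcp_mpcb_put(tp->mpcb) runs after sock_put(sk), so tp->mpcb is read once the subflow reference taken for the queued work has already been dropped. If tp is the tcp_sock of sk (its assignment is outside this hunk), either put the mpcb before the sock_put(sk) or add a comment stating that the caller still holds its own reference on sk at this point, so the ordering is visibly safe. It would also help to note in a comment that these two puts balance the holds taken when the delayed work was queued, and that the early return on a failed cancel_delayed_work() deliberately skips them, so the hold/put pairs stay in sync when another reference is added later.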