| Message ID | 1516968856-900-1-git-send-email-alexey.kodanev@oracle.com |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
| Headers | show |
| Series | [net,v2] dccp: don't restart ccid2_hc_tx_rto_expire() if sk in closed state | expand |
On Fri, 2018-01-26 at 15:14 +0300, Alexey Kodanev wrote: > ccid2_hc_tx_rto_expire() timer callback always restarts the timer > again and can run indefinitely (unless it is stopped outside), and after > commit 120e9dabaf55 ("dccp: defer ccid_hc_tx_delete() at dismantle time"), > which moved ccid_hc_tx_delete() (also includes sk_stop_timer()) from > dccp_destroy_sock() to sk_destruct(), this started to happen quite often. > The timer prevents releasing the socket, as a result, sk_destruct() won't > be called. > > Found with LTP/dccp_ipsec tests running on the bonding device, > which later couldn't be unloaded after the tests were completed: > > unregister_netdevice: waiting for bond0 to become free. Usage count = 148 > > Fixes: 2a91aa396739 ("[DCCP] CCID2: Initial CCID2 (TCP-Like) implementation") > Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> > --- Reviewed-by: Eric Dumazet <edumazet@google.com> Thanks Alexey.
From: Alexey Kodanev <alexey.kodanev@oracle.com> Date: Fri, 26 Jan 2018 15:14:16 +0300 > ccid2_hc_tx_rto_expire() timer callback always restarts the timer > again and can run indefinitely (unless it is stopped outside), and after > commit 120e9dabaf55 ("dccp: defer ccid_hc_tx_delete() at dismantle time"), > which moved ccid_hc_tx_delete() (also includes sk_stop_timer()) from > dccp_destroy_sock() to sk_destruct(), this started to happen quite often. > The timer prevents releasing the socket, as a result, sk_destruct() won't > be called. > > Found with LTP/dccp_ipsec tests running on the bonding device, > which later couldn't be unloaded after the tests were completed: > > unregister_netdevice: waiting for bond0 to become free. Usage count = 148 > > Fixes: 2a91aa396739 ("[DCCP] CCID2: Initial CCID2 (TCP-Like) implementation") > Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> > --- > > v2: * corrected bug origin commit id > * clarified commit message about sk_stop_timer() Applied and queued up for -stable.
diff --git a/net/dccp/ccids/ccid2.c b/net/dccp/ccids/ccid2.c index 1c75cd1..92d016e 100644 --- a/net/dccp/ccids/ccid2.c +++ b/net/dccp/ccids/ccid2.c @@ -140,6 +140,9 @@ static void ccid2_hc_tx_rto_expire(struct timer_list *t) ccid2_pr_debug("RTO_EXPIRE\n"); + if (sk->sk_state == DCCP_CLOSED) + goto out; + /* back-off timer */ hc->tx_rto <<= 1; if (hc->tx_rto > DCCP_RTO_MAX)
ccid2_hc_tx_rto_expire() timer callback always restarts the timer again and can run indefinitely (unless it is stopped outside), and after commit 120e9dabaf55 ("dccp: defer ccid_hc_tx_delete() at dismantle time"), which moved ccid_hc_tx_delete() (also includes sk_stop_timer()) from dccp_destroy_sock() to sk_destruct(), this started to happen quite often. The timer prevents releasing the socket, as a result, sk_destruct() won't be called. Found with LTP/dccp_ipsec tests running on the bonding device, which later couldn't be unloaded after the tests were completed: unregister_netdevice: waiting for bond0 to become free. Usage count = 148 Fixes: 2a91aa396739 ("[DCCP] CCID2: Initial CCID2 (TCP-Like) implementation") Signed-off-by: Alexey Kodanev <alexey.kodanev@oracle.com> --- v2: * corrected bug origin commit id * clarified commit message about sk_stop_timer() net/dccp/ccids/ccid2.c | 3 +++ 1 files changed, 3 insertions(+), 0 deletions(-)