mptcp: fix splat when closing unaccepted socket

Message ID	20210503100224.22433-1-fw@strlen.de
State	Accepted, archived
Commit	eb518521336895f5577fd03e5b319c70d82efb27
Delegated to:	Matthieu Baerts
Headers	show Return-Path: <mptcp+bounces-483-incoming=patchwork.ozlabs.org@lists.linux.dev> From: Florian Westphal <fw@strlen.de> To: <mptcp@lists.linux.dev> Cc: Paolo Abeni <pabeni@redhat.com>, Florian Westphal <fw@strlen.de> Subject: [PATCH] mptcp: fix splat when closing unaccepted socket Date: Mon, 3 May 2021 12:02:24 +0200 Message-Id: <20210503100224.22433-1-fw@strlen.de> MIME-Version: 1.0 Content-Transfer-Encoding: 8bit
Series	mptcp: fix splat when closing unaccepted socket \| expand mptcp: fix splat when closing unaccepted socket

Message ID

20210503100224.22433-1-fw@strlen.de

State

Accepted, archived

Commit

eb518521336895f5577fd03e5b319c70d82efb27

Delegated to:

Matthieu Baerts

Headers

show

Return-Path: <mptcp+bounces-483-incoming=patchwork.ozlabs.org@lists.linux.dev>
X-Original-To: incoming@patchwork.ozlabs.org
Delivered-To: patchwork-incoming@bilbo.ozlabs.org
Authentication-Results: ozlabs.org;
 spf=pass (sender SPF authorized) smtp.mailfrom=lists.linux.dev
 (client-ip=2604:1380:1:3600::1; helo=ewr.edge.kernel.org;
 envelope-from=mptcp+bounces-483-incoming=patchwork.ozlabs.org@lists.linux.dev;
 receiver=<UNKNOWN>)
Received: from ewr.edge.kernel.org (ewr.edge.kernel.org
 [IPv6:2604:1380:1:3600::1])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ozlabs.org (Postfix) with ESMTPS id 4FYdnf1wz9z9rx6
	for <incoming@patchwork.ozlabs.org>; Mon,  3 May 2021 20:02:45 +1000 (AEST)
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org
 [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ewr.edge.kernel.org (Postfix) with ESMTPS id 421AA1C0D66
	for <incoming@patchwork.ozlabs.org>; Mon,  3 May 2021 10:02:41 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 8708A2F80;
	Mon,  3 May 2021 10:02:39 +0000 (UTC)
X-Original-To: mptcp@lists.linux.dev
Received: from Chamillionaire.breakpoint.cc (Chamillionaire.breakpoint.cc
 [193.142.43.52])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 4CEA772
	for <mptcp@lists.linux.dev>; Mon,  3 May 2021 10:02:38 +0000 (UTC)
Received: from fw by Chamillionaire.breakpoint.cc with local (Exim 4.92)
	(envelope-from <fw@breakpoint.cc>)
	id 1ldVPL-0004ic-6i; Mon, 03 May 2021 12:02:31 +0200
From: Florian Westphal <fw@strlen.de>
To: <mptcp@lists.linux.dev>
Cc: Paolo Abeni <pabeni@redhat.com>,
	Florian Westphal <fw@strlen.de>
Subject: [PATCH] mptcp: fix splat when closing unaccepted socket
Date: Mon,  3 May 2021 12:02:24 +0200
Message-Id: <20210503100224.22433-1-fw@strlen.de>
X-Mailer: git-send-email 2.26.3
X-Mailing-List: mptcp@lists.linux.dev
List-Id: <mptcp.lists.linux.dev>
List-Subscribe: <mailto:mptcp+subscribe@lists.linux.dev>
List-Unsubscribe: <mailto:mptcp+unsubscribe@lists.linux.dev>
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit

Series

mptcp: fix splat when closing unaccepted socket | expand

Commit Message

Florian Westphal May 3, 2021, 10:02 a.m. UTC

From: Paolo Abeni <pabeni@redhat.com>

If userspace exits before calling accept() on a listener that had at least
one new connection ready, we get:

   Attempt to release TCP socket in state 8

This happens because the mptcp socket gets cloned when the TCP connection
is ready, but the socket is never exposed to userspace.

The client additionally sends a DATA_FIN, which brings connection into
CLOSE_WAIT state.  This in turn prevents the orphan+state reset fixup
in mptcp_sock_destruct() from doing its job.

Fixes: 3721b9b64676b ("mptcp: Track received DATA_FIN sequence number and add related helpers")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/185
Tested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
---
 net/mptcp/subflow.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

Comments

Mat Martineau May 3, 2021, 7:04 p.m. UTC | #1

On Mon, 3 May 2021, Florian Westphal wrote:

> From: Paolo Abeni <pabeni@redhat.com>
>
> If userspace exits before calling accept() on a listener that had at least
> one new connection ready, we get:
>
>   Attempt to release TCP socket in state 8
>
> This happens because the mptcp socket gets cloned when the TCP connection
> is ready, but the socket is never exposed to userspace.
>
> The client additionally sends a DATA_FIN, which brings connection into
> CLOSE_WAIT state.  This in turn prevents the orphan+state reset fixup
> in mptcp_sock_destruct() from doing its job.
>
> Fixes: 3721b9b64676b ("mptcp: Track received DATA_FIN sequence number and add related helpers")
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/185
> Tested-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> ---
> net/mptcp/subflow.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
> index 15620bafc544..01f30f8ea710 100644
> --- a/net/mptcp/subflow.c
> +++ b/net/mptcp/subflow.c
> @@ -546,8 +546,7 @@ static void mptcp_sock_destruct(struct sock *sk)
> 	 * ESTABLISHED state and will not have the SOCK_DEAD flag.
> 	 * Both result in warnings from inet_sock_destruct.
> 	 */
> -
> -	if (sk->sk_state == TCP_ESTABLISHED) {
> +	if ((1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) {
> 		sk->sk_state = TCP_CLOSE;
> 		WARN_ON_ONCE(sk->sk_socket);
> 		sock_orphan(sk);
> -- 
> 2.26.3

Thanks Paolo and Florian. Patch looks good - should go to -net right?

Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>


--
Mat Martineau
Intel

Florian Westphal May 3, 2021, 8:09 p.m. UTC | #2

Mat Martineau <mathew.j.martineau@linux.intel.com> wrote:
> Thanks Paolo and Florian. Patch looks good - should go to -net right?

Yes, this needs to go to -net.

Thanks!

Matthieu Baerts May 4, 2021, 6:50 a.m. UTC | #3

Hi Florian, Paolo, Mat,

On 03/05/2021 12:02, Florian Westphal wrote:
> From: Paolo Abeni <pabeni@redhat.com>
> 
> If userspace exits before calling accept() on a listener that had at least
> one new connection ready, we get:
> 
>    Attempt to release TCP socket in state 8
> 
> This happens because the mptcp socket gets cloned when the TCP connection
> is ready, but the socket is never exposed to userspace.
> 
> The client additionally sends a DATA_FIN, which brings connection into
> CLOSE_WAIT state.  This in turn prevents the orphan+state reset fixup
> in mptcp_sock_destruct() from doing its job.
> 
> Fixes: 3721b9b64676b ("mptcp: Track received DATA_FIN sequence number and add related helpers")
> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/185
> Tested-by: Florian Westphal <fw@strlen.de>
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>

Thank you for the patch and the review.

Now in our tree with Mat's RvB tag:

- eb5185213368: mptcp: fix splat when closing unaccepted socket
- Results: f6df9e9d3336..9c59ba276e75

Builds and tests are now in progress:

https://cirrus-ci.com/github/multipath-tcp/mptcp_net-next/export/20210504T064955
https://github.com/multipath-tcp/mptcp_net-next/actions/workflows/build-validation.yml?query=branch:export/20210504T064955

Cheers,
Matt

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 15620bafc544..01f30f8ea710 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -546,8 +546,7 @@  static void mptcp_sock_destruct(struct sock *sk)
 	 * ESTABLISHED state and will not have the SOCK_DEAD flag.
 	 * Both result in warnings from inet_sock_destruct.
 	 */
-
-	if (sk->sk_state == TCP_ESTABLISHED) {
+	if ((1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) {
 		sk->sk_state = TCP_CLOSE;
 		WARN_ON_ONCE(sk->sk_socket);
 		sock_orphan(sk);