| Message ID | 20210211234245.31961-2-fw@strlen.de |
|---|---|
| State | Accepted, archived |
| Commit | 24c84fc55050b9f7e8f28630164225b85cd582ae |
| Delegated to: | Matthieu Baerts |
| Headers | show |
| Series | [1/2] mptcp: reset last_snd on subflow close | expand |
On Fri, 2021-02-12 at 00:42 +0100, Florian Westphal wrote: > Christoph Paasch reported following crash: > dst_release underflow > WARNING: CPU: 0 PID: 1319 at net/core/dst.c:175 dst_release+0xc1/0xd0 net/core/dst.c:175 > CPU: 0 PID: 1319 Comm: syz-executor217 Not tainted 5.11.0-rc6af8e85128b4d0d24083c5cac646e891227052e0c #70 > Call Trace: > rt_cache_route+0x12e/0x140 net/ipv4/route.c:1503 > rt_set_nexthop.constprop.0+0x1fc/0x590 net/ipv4/route.c:1612 > __mkroute_output net/ipv4/route.c:2484 [inline] > ... > > The worker leaves msk->subflow alone even when it > happened to close the subflow ssk associated with it. > > v2: fix helper function name > > Fixes: 866f26f2a9c33b ("mptcp: always graft subflow socket to parent") > Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/157 > Reported-by: Christoph Paasch <cpaasch@apple.com> > Suggested-by: Paolo Abeni <pabeni@redhat.com> > Signed-off-by: Florian Westphal <fw@strlen.de> Both patches LGTM, thanks! perhaps we can drop the changelog info for upstream submission? (in any case no need for a v3, I guess commit messages can shaped at submission time) Cheers, Paolo
Hi Florian, Paolo, On 12/02/2021 11:04, Paolo Abeni wrote: > On Fri, 2021-02-12 at 00:42 +0100, Florian Westphal wrote: >> Christoph Paasch reported following crash: >> dst_release underflow >> WARNING: CPU: 0 PID: 1319 at net/core/dst.c:175 dst_release+0xc1/0xd0 net/core/dst.c:175 >> CPU: 0 PID: 1319 Comm: syz-executor217 Not tainted 5.11.0-rc6af8e85128b4d0d24083c5cac646e891227052e0c #70 >> Call Trace: >> rt_cache_route+0x12e/0x140 net/ipv4/route.c:1503 >> rt_set_nexthop.constprop.0+0x1fc/0x590 net/ipv4/route.c:1612 >> __mkroute_output net/ipv4/route.c:2484 [inline] >> ... >> >> The worker leaves msk->subflow alone even when it >> happened to close the subflow ssk associated with it. >> >> v2: fix helper function name >> >> Fixes: 866f26f2a9c33b ("mptcp: always graft subflow socket to parent") >> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/157 >> Reported-by: Christoph Paasch <cpaasch@apple.com> >> Suggested-by: Paolo Abeni <pabeni@redhat.com> >> Signed-off-by: Florian Westphal <fw@strlen.de> Thank you for the patches and the reviews! > Both patches LGTM, thanks! > > perhaps we can drop the changelog info for upstream submission? (in any > case no need for a v3, I guess commit messages can shaped at submission > time) I can sure do that! Cheers, Matt
Hi Florian, Paolo, On 12/02/2021 18:18, Matthieu Baerts wrote: > Hi Florian, Paolo, > > On 12/02/2021 11:04, Paolo Abeni wrote: >> On Fri, 2021-02-12 at 00:42 +0100, Florian Westphal wrote: >>> Christoph Paasch reported following crash: >>> dst_release underflow >>> WARNING: CPU: 0 PID: 1319 at net/core/dst.c:175 dst_release+0xc1/0xd0 >>> net/core/dst.c:175 >>> CPU: 0 PID: 1319 Comm: syz-executor217 Not tainted >>> 5.11.0-rc6af8e85128b4d0d24083c5cac646e891227052e0c #70 >>> Call Trace: >>> rt_cache_route+0x12e/0x140 net/ipv4/route.c:1503 >>> rt_set_nexthop.constprop.0+0x1fc/0x590 net/ipv4/route.c:1612 >>> __mkroute_output net/ipv4/route.c:2484 [inline] >>> ... >>> >>> The worker leaves msk->subflow alone even when it >>> happened to close the subflow ssk associated with it. >>> >>> v2: fix helper function name >>> >>> Fixes: 866f26f2a9c33b ("mptcp: always graft subflow socket to parent") >>> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/157 >>> Reported-by: Christoph Paasch <cpaasch@apple.com> >>> Suggested-by: Paolo Abeni <pabeni@redhat.com> >>> Signed-off-by: Florian Westphal <fw@strlen.de> > > Thank you for the patches and the reviews! > >> Both patches LGTM, thanks! >> >> perhaps we can drop the changelog info for upstream submission? (in any >> case no need for a v3, I guess commit messages can shaped at submission >> time) > > I can sure do that! Patch 1 was placed at the bottom with Paolo's Ack, my RvB tag and a declared 'msk': - 114aa23af898: mptcp: reset last_snd on subflow close - Results: 7bd6ce758374..c09ee43e88b6 Patch 2 was placed just before your netlink series with Paolo's Ack: - 24c84fc55050: mptcp: dispose initial struct socket when its subflow is closed - Results: c09ee43e88b6..8ea9c48639fd Tests + export are in progress! Cheers, Matt
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index fdd6b3cb0bf5..19faa43be2f8 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2106,6 +2106,14 @@ static struct sock *mptcp_subflow_get_retrans(const struct mptcp_sock *msk) return backup; } +static void mptcp_dispose_initial_subflow(struct mptcp_sock *msk) +{ + if (msk->subflow) { + iput(SOCK_INODE(msk->subflow)); + msk->subflow = NULL; + } +} + /* subflow sockets can be either outgoing (connect) or incoming * (accept). * @@ -2117,6 +2125,8 @@ static struct sock *mptcp_subflow_get_retrans(const struct mptcp_sock *msk) static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, struct mptcp_subflow_context *subflow) { + struct mptcp_sock *msk = mptcp_sk(sk); + list_del(&subflow->node); lock_sock_nested(ssk, SINGLE_DEPTH_NESTING); @@ -2148,6 +2158,9 @@ static void __mptcp_close_ssk(struct sock *sk, struct sock *ssk, if (ssk == msk->last_snd) msk->last_snd = NULL; + + if (msk->subflow && ssk == msk->subflow->sk) + mptcp_dispose_initial_subflow(msk); } void mptcp_close_ssk(struct sock *sk, struct sock *ssk, @@ -2529,12 +2542,6 @@ static void __mptcp_destroy_sock(struct sock *sk) might_sleep(); - /* dispose the ancillatory tcp socket, if any */ - if (msk->subflow) { - iput(SOCK_INODE(msk->subflow)); - msk->subflow = NULL; - } - /* be sure to always acquire the join list lock, to sync vs * mptcp_finish_join(). */ @@ -2559,6 +2566,7 @@ static void __mptcp_destroy_sock(struct sock *sk) sk_stream_kill_queues(sk); xfrm_sk_free_policy(sk); sk_refcnt_debug_release(sk); + mptcp_dispose_initial_subflow(msk); sock_put(sk); }
Christoph Paasch reported following crash: dst_release underflow WARNING: CPU: 0 PID: 1319 at net/core/dst.c:175 dst_release+0xc1/0xd0 net/core/dst.c:175 CPU: 0 PID: 1319 Comm: syz-executor217 Not tainted 5.11.0-rc6af8e85128b4d0d24083c5cac646e891227052e0c #70 Call Trace: rt_cache_route+0x12e/0x140 net/ipv4/route.c:1503 rt_set_nexthop.constprop.0+0x1fc/0x590 net/ipv4/route.c:1612 __mkroute_output net/ipv4/route.c:2484 [inline] ... The worker leaves msk->subflow alone even when it happened to close the subflow ssk associated with it. v2: fix helper function name Fixes: 866f26f2a9c33b ("mptcp: always graft subflow socket to parent") Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/157 Reported-by: Christoph Paasch <cpaasch@apple.com> Suggested-by: Paolo Abeni <pabeni@redhat.com> Signed-off-by: Florian Westphal <fw@strlen.de> --- net/mptcp/protocol.c | 20 ++++++++++++++------ 1 file changed, 14 insertions(+), 6 deletions(-)