tipc: avoid packets leaking on socket receive queue

Message ID	1448178365-14827-1-git-send-email-ying.xue@windriver.com
State	Accepted, archived
Delegated to:	David Miller
Headers	show Return-Path: <netdev-owner@vger.kernel.org> From: Ying Xue <ying.xue@windriver.com> To: <davem@davemloft.net>, <jon.maloy@ericsson.com> CC: <netdev@vger.kernel.org>, <tipc-discussion@lists.sourceforge.net> Subject: [PATCH] tipc: avoid packets leaking on socket receive queue Date: Sun, 22 Nov 2015 15:46:05 +0800 Message-ID: <1448178365-14827-1-git-send-email-ying.xue@windriver.com> MIME-Version: 1.0 Content-Type: text/plain Sender: netdev-owner@vger.kernel.org Precedence: bulk

Message ID

1448178365-14827-1-git-send-email-ying.xue@windriver.com

State

Accepted, archived

Delegated to:

David Miller

Headers

From: Ying Xue <ying.xue@windriver.com>
To: <davem@davemloft.net>, <jon.maloy@ericsson.com>
CC: <netdev@vger.kernel.org>, <tipc-discussion@lists.sourceforge.net>
Subject: [PATCH] tipc: avoid packets leaking on socket receive queue
Date: Sun, 22 Nov 2015 15:46:05 +0800
Message-ID: <1448178365-14827-1-git-send-email-ying.xue@windriver.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: netdev-owner@vger.kernel.org
Precedence: bulk

Commit Message

Ying Xue Nov. 22, 2015, 7:46 a.m. UTC

Even if we drain receive queue thoroughly in tipc_release() after tipc
socket is removed from rhashtable, it is possible that some packets
are in flight because some CPU runs receiver and did rhashtable lookup
before we removed socket. They will achieve receive queue, but nobody
delete them at all. To avoid this leak, we register a private socket
destructor to purge receive queue, meaning releasing packets pending
on receive queue will be delayed until the last reference of tipc
socket will be released.

Signed-off-by: Ying Xue <ying.xue@windriver.com>
---
 net/tipc/socket.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

Comments

David Miller Nov. 24, 2015, 4:45 a.m. UTC | #1

From: Ying Xue <ying.xue@windriver.com>
Date: Sun, 22 Nov 2015 15:46:05 +0800

> Even if we drain receive queue thoroughly in tipc_release() after tipc
> socket is removed from rhashtable, it is possible that some packets
> are in flight because some CPU runs receiver and did rhashtable lookup
> before we removed socket. They will achieve receive queue, but nobody
> delete them at all. To avoid this leak, we register a private socket
> destructor to purge receive queue, meaning releasing packets pending
> on receive queue will be delayed until the last reference of tipc
> socket will be released.
> 
> Signed-off-by: Ying Xue <ying.xue@windriver.com>

Applied.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 552dbab..b53246f 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -105,6 +105,7 @@  struct tipc_sock {
 static int tipc_backlog_rcv(struct sock *sk, struct sk_buff *skb);
 static void tipc_data_ready(struct sock *sk);
 static void tipc_write_space(struct sock *sk);
+static void tipc_sock_destruct(struct sock *sk);
 static int tipc_release(struct socket *sock);
 static int tipc_accept(struct socket *sock, struct socket *new_sock, int flags);
 static int tipc_wait_for_sndmsg(struct socket *sock, long *timeo_p);
@@ -381,6 +382,7 @@  static int tipc_sk_create(struct net *net, struct socket *sock,
 	sk->sk_rcvbuf = sysctl_tipc_rmem[1];
 	sk->sk_data_ready = tipc_data_ready;
 	sk->sk_write_space = tipc_write_space;
+	sk->sk_destruct = tipc_sock_destruct;
 	tsk->conn_timeout = CONN_TIMEOUT_DEFAULT;
 	tsk->sent_unacked = 0;
 	atomic_set(&tsk->dupl_rcvcnt, 0);
@@ -470,9 +472,6 @@  static int tipc_release(struct socket *sock)
 		tipc_node_remove_conn(net, dnode, tsk->portid);
 	}
 
-	/* Discard any remaining (connection-based) messages in receive queue */
-	__skb_queue_purge(&sk->sk_receive_queue);
-
 	/* Reject any messages that accumulated in backlog queue */
 	sock->state = SS_DISCONNECTING;
 	release_sock(sk);
@@ -1515,6 +1514,11 @@  static void tipc_data_ready(struct sock *sk)
 	rcu_read_unlock();
 }
 
+static void tipc_sock_destruct(struct sock *sk)
+{
+	__skb_queue_purge(&sk->sk_receive_queue);
+}
+
 /**
  * filter_connect - Handle all incoming messages for a connection-based socket
  * @tsk: TIPC socket

tipc: avoid packets leaking on socket receive queue

Commit Message

Comments

Patch